Adventures with Cybercrime Toolkits: Insights for Pragmatic Defense

When it comes to improving the state of defense in the cybercrime arms race, all too common advice is to be more proactive than reactive. However, close examination of the modus operandi of cybercriminals suggests a great deal of their pragmatism and adaptability to defensive moves. Among other blindspots, exploitable opportunities pursued by cybercriminals typically stem from flaws in the design, implementation, configuration, and deployment of systems. In essence, cybercriminals monetize these blindspots to stir the arms race in their favor.

Using a multi-faceted analysis of pre-packaged cybercrime tools called exploit kits, this talk argues and illustrates that defenders should as well be pragmatic and adaptive enough to turn the weakest links of cybercriminals into concrete opportunities to counter cybercrime. We use the exploit kit phenomenon to highlight how defenders could combine reactive, proactive, and offensive strategies towards pragmatic defense.

On the reactive front, we describe how seemingly simple yet identifying configuration and deployment artifacts are used to identify active exploit kits in the wild. On the offensive side, we illustrate how access to exploit kits source code is leveraged towards an automated infiltration and legally authorized takedown of live exploit kits. On the proactive front, we highlight how lessons learned from reactive and offensive strategies are combined toward real-time threat detection. The talk leaves the audience with key takeaways on pragmatic defense strategies in the face of an adaptive cybercriminal with motives and means.