Trend Micro Study: Top Tactics to Disrupt Underground Hosting Businesses

Trend Micro

Understanding criminal operations, motivations and business models is key to dismantling the bulletproof hosting industry on which the majority of global cybercrime is built. Trend Micro’s latest study reveals top tactics to disrupt these underground hosting businesses.

In this report published by cloud security provider Trend Micro, researchers outline the infrastructure business approaches of attackers to help security teams and law enforcement agencies best recognize, defend against, and disrupt them.

“Increasingly, mature organizations have SOC and XDR capabilities, which means security teams today have moved into the realm of also being investigators,” said Robert McArdle, director of forward-looking threat research at Trend Micro. “At that level of security sophistication, you need to understand how the criminals operate to strategically defend against attackers. We hope this report provides insight into cybercriminal operations that can prove actionable for organizations and ultimately make hosting providers lose profits.”

Bulletproof Hosting Providers

According to Trend Micro’s report, bulletproof hosting providers are the root of cybercriminal infrastructure and therefore use a sophisticated business model to outlast takedown efforts. These include flexibility, professionalism and offering a range of services to cater to an array of customer needs.

The report details several effective methods to help investigators identify underground hosting providers, including:

  • Identify which IP ranges are in public block deny lists, or those associated with a large number of public abuse requests, as those may be indicative of bullet proof hosting providers.
  • Analyze autonomous system behavior and peering information patterns to flag activity that is likely associated to bullet proof hosting providers.
  • Once one bullet proof hosting provider host has been detected, use machine fingerprinting to detect others that may be linked to the same provider.

The Trend Micro report also lists methods for law enforcement agencies and businesses to disrupt underground hosting businesses, without necessarily needing to identify or takedown their servers. These include:

  • Submit properly documented abuse requests to the suspected underground hosting provider and upstream peers.
  • Add bullet proof hosting provider network ranges to well-established deny lists.
  • Increase the operational costs of the bullet proof hosting provider, to impair business stability.
  • Undermine the reputation of the bullet proof hosting provider on the cybercrime underground: perhaps via covert accounts that call into question the security of the criminal hosting provider or discuss possible collaboration with authorities.

With over 6,700 employees in 65 countries, and one of the world’s most advanced global threat research and intelligence, Trend Micro enables organizations to secure their digital assets.

To read the full report, visit the Trend Micro website here.