How We Win

At White Ops, we’re taking on bots and botnets in a big way. We don’t know how to prevent people from breaking into computers, which remains an unsolved problem after decades of effort. But we believe we can make the Internet more secure by making cybercrime less attractive. When we maximize the cost, increase the risk and lower the profits of cybercrime, we can have an exponential effect on the whole ecosystem, since those profits motivate and fund cybercriminal innovation.

The variety of cybercrime is infinite, but there is a much smaller number of cybercrimes that really scale. Our focus is on the profit models of mass exploitation: the compromise of thousands, or even millions, of devices at once. Right now, we are particularly focused on ad fraud, because it is the best way for our adversaries to make money with the thousands or millions of compromised devices under their control.

Naturally, the most capable cybercriminals gravitate to the most profitable schemes. Since we are taking on the most profitable, most scalable cybercrimes, our adversaries are really, really good at what they do.

In a way, we’re engaged in an intellectual arms race with these cybercriminals. They’re trying to outwit us, we’re trying to outwit them, and both sides are learning from and adapting to each other.

On top of their smarts and their resources, cybercriminals have equal, if not better, motivation to succeed. Every day that we win, we get to keep our jobs. Every day that they win, they collect more profits! So, what works to stop them today will not necessarily stop them tomorrow. They have a lot of motivation to work very hard to overcome any barrier.

How can we win an arms race against an adversary that is just as smart as us (or smarter!), with many varied and surprising resources, and a huge incentive to succeed? Winning is not just about what we can bring to bear today. It’s all about what we can wield tomorrow, next month, next year, in the face of an opponent who can reverse-engineer our efforts and adapt to overcome them.

To win, we have to tip the playing field in our favor. Years ago, our founding technical breakthroughs gave us our first advantages. We did not aim to build a system that is undefeatable. Instead, we built a system that costs more to defeat than the profits that can be gained. We have achieved that with:

  • Slow feedback loops. These raise the risk to our adversaries, because they cannot tell if they have been caught fast enough to evade the consequences.
  • Fast adaptation cycles. We keep minimizing the profit window in which an adversary can realize an ROI from defeating us before they have to spend resources defeating us again.
  • A large parameter space of unique detection techniques. This reduces the cost and harm to us when one of our techniques is bypassed or burned.

Together, these three achievements raise the cost and risk to our adversaries’ side of the arms race, decrease their profits, and decrease our costs. Bam: playing field tilted.

The Department of Justice’s announcement about their work against the 3ve and Methbot operators illustrates the extraordinary power of slow feedback loops. White Ops fought off Methbot and 3ve on behalf of its customers in a crafty way that did not leak back to the adversaries in real time. This is the cyberwarfare equivalent of getting inside the adversary’s OODA loop: our detection and defense adapt faster than word of our detections can reach the adversary. As a result, the adversaries cannot tell exactly when they have been beaten, or how.

Many, many years ago now, the legendary Paul Vixie warned the world about the rise of Internet Superbugs. Taking down C2 and cleaning infections can feel good in the moment, but if the perpetrators themselves don’t face consequences, we are all worse off in the long run, as the perpetrators evolve. When working against online fraud, the defender’s challenge is often likened to Whac-A-Mole: whack one mole, and another one pops up. One of the implications of that analogy is that the game is not really winnable.

Our work against 3ve and Methbot marks a different path, I hope. The game may require ongoing diligence, but there is a way to win. If we all keep pushing down the profits to be had, and if we raise the costs and the risk of going after those profits – as the DOJ just did – then the cost and risk eventually outweigh the potential payoff of cybercrime operations. That’s how we win.