The Anatomy of a Cyber Threat Takedown: Lessons from a Top Cybersecurity Operative

The dynamics of the cybersecurity landscape have evolved significantly over the last thirty years. Today, we see hacker groups and ransomware syndicates forming strategic alliances with each other and even with nation-states. This collaboration enables them to share intelligence and resources, aiming to more effectively target a wide array of entities including businesses, utilities, government agencies, healthcare organizations, and school districts. In a concerted effort to counter these escalating threats, cybersecurity vendors are increasingly collaborating with law enforcement agencies. This includes notable work with Europol in Europe, as well as the FBI and National Security Agency (NSA) in the U.S. These alliances are crucial in identifying malicious actors, dismantling their growing threat networks, and impairing their capacity to initiate attacks.

In a recent discussion, we had the opportunity to speak with Catalin Cosoi, Chief Security Strategist at Bitdefender. The focus of our conversation was on the specialized team he oversees — the investigations and forensics team. This collective plays a pivotal role in assisting law enforcement agencies globally. Their mission is centered around tracking, confronting, and dismantling the operations of various malicious cyber threat actors, contributing significantly to the broader fight against cybercrime.

Bitdefender (BD): We’re sure there’s a lot of critical steps that go into this, but what are the key ones involved in the process of identifying and tracking a major cyber threat group? 

Catalin Cosoi (CC): It’s really important to pick our battles, so that’s really the first step. We need to decide what groups are worth going after and where we can make the most impact—whether it’s a complete takedown or just a temporary disruption in capabilities. We then need to map the group’s threat infrastructure, trying to figure out the different actors behind these attacks. We then come together with other vendors and law enforcement agencies to make some decisions. Do we have enough actionable intelligence to make a move? What are the implications? Next is developing a coordinated plan to take down or disrupt their operations. Everyone must move together, as a single entity, to ensure groups don’t just shut down and spawn back up after everything’s quiet. We need to make sure servers are taken down at the same time law enforcement is making arrests. The goal is to destroy the trust between all the different actors. If someone thinks someone is going to squeal, they’re less likely to work together again, and you’ve disrupted that particular organization (or threat group).  

BD: What about some of the bigger challenges you face, specifically around planning and executing a takedown operation against a threat actor?

CC: Groups have gotten pretty sophisticated when it comes to operational security. They often know if they are being targeted and can make a risk assessment about whether to continue to attack or to lay low for a bit. If it gets too hot for them, they can change their infrastructure, like spinning down some servers and spinning some up in another jurisdiction. They can even lay traps for us and law enforcement agencies that tip them off. 

BD: What would you say makes an operation successful?

CC: It’s all about collecting irrefutable evidence. If we make a mistake, someone will walk. We need to make sure everything is done by the book. We have a set of step-by-step instructions that we follow to ensure we operate as cleanly and securely as possible. It’s not unusual for a single case to include up to 40 police officers, a dozen prosecutors and a group of cybersecurity vendors, service providers and consultants. Everyone has to be extremely secretive. No talking to colleagues or journalists. A single leak can jeopardize the entire investigation.

BD: So, what does collaboration with law enforcement or government bodies look like when it comes to a cyber threat takedown?

CC: Success is 99% based on trust. If there’s no trust between parties, then not enough information will be shared to take down the threat.

BD: Is there a difference between working with the DOJ in the United States and Europol in Europe?

CC: Yes, absolutely. The motivations and the processes are the same, but the roles are completely different. The purpose of Europol is to share information and collaborate among member countries. The organization itself doesn’t have the authority to arrest anyone. It can ask local law enforcement to make an arrest, but it’s really about making connections and sharing information. In the U.S., it’s a bit different. We work directly with multiple law enforcement agencies with arresting power, but coordination can be more disjointed. We really need to put all our chips on the table when deciding whether to move forward on an investigation. Thankfully, it’s getting better, and we’re seeing a lot more collaboration among agencies in the U.S. and even between U.S. agencies and Europol.

BD: Can you discuss any ethical considerations that go into deciding whether to disrupt or take down a cyber threat group? How do you balance the risks and rewards? 

CC: We have to decide whether all the hard work and time we put into these collaborations actually lead to arrests and the disruption of threat infrastructure. We may have very good intelligence on a group that is doing a lot of damage to individuals and organizations around the world, but we have to sit on it because they have very good operational security or they’re based in countries where law enforcement will not play ball. We’re going to investigate them because it’s the moral and right thing to do, and maybe the information we collect could be useful in another investigation down the road—even years later. Maybe they go on vacation to a cooperating country. Or move operations. You never know.

BD: After a successful takedown, what measures are taken to ensure the threat doesn’t simply re-emerge under a different identity or form? 

CC: If we do our the investigation consortium is successful , then the major threat actors are in jail and their infrastructure has been dismantled. Unfortunately, groups are so decentralized, so spread out, that it’s nearly impossible to take down an entire operation in one fell swoop. Ransomware affiliates can scatter and make new connections. Administrators can re-emerge under a different leader and a different name. Dark markets can be spun up fairly quickly on another server in another country. It can be frustrating, but it really puts the onus on our team to make sure our investigations lead to arrests. And that often comes down to timing. Do we move now and risk people popping up elsewhere or do we wait and gather more evidence to ensure we put people away.

BD: How much do you think the landscape for threat actors has evolved for the years? Are there any trends that we should keep top of mind? 

CC: The biggest change I’ve seen over the past several years has been on the way threat actors make the initial breach in an organization. There are those that solely focus on attempting to gain access into an organization. Once they do, they sit on it and then sell access to the highest bidder when the time is right. It doesn’t matter what the motivation is—ransom, data exfiltration, embarrassment or whatever—it all starts with an initial intrusion. If organizations can stop that, then they can make a big difference in their security posture. 

BD: Looking towards the future, what advancements in technology or strategy do you think will be game changers in the fight against these attacks? 

CC: Artificial intelligence (AI) and machine learning (ML) are game changers. I’m not talking about our side. We’ve been using AI/ML for a long time to identify and stop threats. It’s the attacker’s ability to use generative AI tools to develop better threats or more believable phishing emails and then scale that to an unbelievable level. It’s eliminating the discrepancy between an advanced threat actor and a less experienced threat actor. A complete novice can use these tools to spin up highly sophisticated attacks very quickly. It used to be easy to spot sloppy code or misspellings in a phishing email. Threats are now constantly evolving, making it increasingly difficult for us to keep up.