12 October 2017 | Brian Hay APM
Lifecycle of Cybercrime
When Sun Tzu wrote "The Complete Art of War" he emphasised the need to "know your enemy". It is fair then to take the position that the more knowledge I have of my adversary, the greater my chances of successfully defeating them, or at least of resisting their attacks. That knowledge needs to be based upon information and upon the experiential learnings of myself and other kindred spirits, and this leads to intelligence: intelligence upon which I can make evidence-based business decisions, or quality decisions grounded in that intelligence. Fundamentally, the better the intelligence, the greater the likelihood of better decisions.
So if we look at current and past security strategies and discussions, they are absolutely dominated by technology. These technology discussions have primarily been led by security product vendors pitching a sales spiel around the superior nature of their technology to better protect and defend the client's organisation and systems from the ever-threatening landscape. But it has essentially turned into a technological "arms race": the crooks produce an attack product and we're going to stop it with a defence product. So with this in mind it's of no surprise that many see the solution as being a new and emerging technology. And whilst we talk about accepting that there is no "silver bullet" or single panacea for this ongoing affliction, many secretly harbour a desire that one day it will come!
But applying the logic of the "Art of War" we quickly realise that the attack technologies we so zealously guard against are simply the tools of our enemy. The means to an end... And the purpose of that end? It has been promulgated by many now for so many years that the cybercrime landscape encapsulates three primary sectors: nation-sponsored attacks; organised crime; and hacktivism. So if we look at which of those sectors represents the greatest day-to-day threat, it has been reported that organised crime represents nearly 90 percent of all attacks instigated. 90 percent! So, let us now ask, "What is the purpose of organised crime?" - To make money! Why did Al Capone rob banks? - Because that's where the money was! Where is the money today? - In the collective world of our cyber-connected environments. What is still somewhat extraordinary is that people only protect what they think is important... It's what the crook thinks is important that makes you a bigger target. We have to accept that data equals money. Understanding this critical point is key. I remember having a conversation with a senior doctor of medicine around the e-medical crime landscape and he said to me, "Detective, Mrs Smith doesn't care if her medical file is compromised, she just wants to ensure that when she goes to a medical practitioner, they have access to her full medical history, can make an accurate medical diagnosis and can issue the appropriate medical treatment". I agreed with the doctor but then explained why Mrs Smith may be concerned if her identity was compromised and the information contained within that medical file was used against her in a variety of ways. By the time I finished, the colour had drained from his face and he said, "Detective, I never thought of it like that before", but the crooks do! Know your enemy!
So to know our enemy we need to look no further than the Dark Web. The Dark Web, or Dark Markets, comprises over 200 websites visited by over 200,000 people every day, furiously trading 24/7 in every aspect of cybercrime, from the sale of products, services and knowledge to data in every shape and form. They offer criminal support services, crime tutorials, 24/7 technical support, escrow and money laundering services - I once described it as "The Aladdin's Cave of Criminality". My personal view is that it represents the greatest aggregated effort of organised crime the world has ever seen, and I expect it to triple in size over the next five (5) years.
So what can this environment tell us? By scanning the forums, developing relationships, looking at the data for sale and observing the "wanted" or "for sale" postings, we can actually determine a view of what our adversaries are focussing on: what they're looking to commoditise today, and even tomorrow. For example, several years ago my team operating in the Dark Markets thwarted an attack against the ATM banking infrastructure in Saudi Arabia during Ramadan simply by garnering information in forum discussions and establishing the correct relationships. We immediately shared this intelligence with our colleagues and partners within the credit card industry, who proactively prepared the landscape, and no damage was done. That is a proactive intelligence-led security proposition! So by learning from the crooks what data they're going after, what industries they are looking at, what techniques they're adopting and where they've already attacked, we can continually build our intelligence to make better decisions around our security posture. Our security posture must be as dynamic as our adversary's attack methodologies.
Now, by applying this thinking at the micro-level, in terms of specific entities and clients, we can monitor the Dark Web for a specific logo, name, IP range or data content. The benefit? FireEye reports that in today's environment it is on average 206 days before a breach is detected. So where does that data end up? For sale on the Dark Web! There is a 90 percent chance that organised crime is behind the attack, the purpose of which is to make money, and where is stolen data commoditised for money? The Dark Web. So by proactively scanning the Dark Web for stolen data and intelligence, we could possibly find compromised data for sale within 10 days of the breach, reducing the exfiltration exposure by 196 days! How can you put a value on that?
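The monitoring described above, matching an organisation's own indicators (name, domain, IP range) against marketplace postings and turning the earliest hit into a detection date, can be shown concretely. The following is an added example written for this page, not code from the original post or from any product it mentions. The organisation name, domain and the 203.0.113.0/24 range are hypothetical (the range is a reserved documentation block), and the marketplace listings are constructed sample text standing in for scraped posts; the 206-day dwell figure is the one quoted in the text.

```python
import ipaddress
import re

# Indicators for the organisation being watched. All values are hypothetical,
# constructed for this example; a real watchlist would hold the client's own.
WATCHLIST = {
    "names": ["Example Bank", "ExampleBank"],
    "domains": ["examplebank.example"],
    "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3, documentation range
}

# Constructed sample listings standing in for scraped Dark Market posts.
# "posted_day" is days elapsed since the (assumed) breach date.
SAMPLE_LISTINGS = [
    {"id": "post-1", "posted_day": 8,
     "text": "Selling 40k customer records, fullz, from Example Bank, escrow ok"},
    {"id": "post-2", "posted_day": 12,
     "text": "RDP access to 203.0.113.45 and 203.0.113.77, corp network, cheap"},
    {"id": "post-3", "posted_day": 15,
     "text": "Fresh dumps from Other Retailer, 198.51.100.9"},
    {"id": "post-4", "posted_day": 20,
     "text": "Email list admin@examplebank.example plus 500 staff logins"},
]

# Loose dotted-quad pattern; ipaddress.ip_address() below rejects anything
# that is not a real IPv4 address (e.g. 999.1.1.1), so the regex can stay simple.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

AVERAGE_DWELL_DAYS = 206  # average time-to-detect quoted in the post


def match_listing(listing, watchlist):
    """Return the watchlist indicators that appear in one listing's text."""
    text = listing["text"]
    lowered = text.lower()
    hits = []
    for name in watchlist["names"]:
        if name.lower() in lowered:
            hits.append(f"name:{name}")
    for domain in watchlist["domains"]:
        if domain.lower() in lowered:
            hits.append(f"domain:{domain}")
    for token in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not a valid address, ignore
        if any(ip in net for net in watchlist["ip_ranges"]):
            hits.append(f"ip:{token}")
    return hits


def scan(listings, watchlist):
    """Return (id, posted_day, hits) for every listing that matches the watchlist."""
    results = []
    for listing in listings:
        hits = match_listing(listing, watchlist)
        if hits:
            results.append((listing["id"], listing["posted_day"], hits))
    return results


def first_detection_day(listings, watchlist):
    """Earliest day (since breach) on which a matching listing appeared, or None."""
    days = [day for _, day, _ in scan(listings, watchlist)]
    return min(days) if days else None


def exposure_reduction(detection_day, average_dwell=AVERAGE_DWELL_DAYS):
    """Days of exfiltration exposure saved relative to the average dwell time."""
    return max(average_dwell - detection_day, 0)


if __name__ == "__main__":
    for post_id, day, hits in scan(SAMPLE_LISTINGS, WATCHLIST):
        print(f"{post_id} (day {day}): {', '.join(hits)}")
    day = first_detection_day(SAMPLE_LISTINGS, WATCHLIST)
    print(f"first detection on day {day}, "
          f"exposure reduced by {exposure_reduction(day)} days")
```

The post's own arithmetic falls out of `exposure_reduction(10)`, which gives the 196 days quoted above; against the constructed listings the earliest hit is day 8. In practice the listing text would come from a collection pipeline and the watchlist from the client, but the matching logic, in particular parsing IPs with `ipaddress` rather than string comparison so that subnet membership is checked properly, is the part worth getting right.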
When you hop behind the wheel of your vehicle to take your next journey, can you guarantee 100 percent that you won't have an accident? Of course not, so why do we expect that of our cyber environments? Every day we sit behind the wheel we accept the risks associated with driving on our public roads, where tragically lives are lost and lives ruined daily. However, fortunately, with the advent and integration of excellent safety technologies into the vehicle, our chances of survival and harm minimisation are very good. Should we have an accident, we know how to respond: share personal, driver's licence and insurance company details, photograph the damage, notify the authorities when and where necessary and contact your insurance company. Depending on your insurance cover, your provider may seek to have a replacement hire vehicle with you within 60 minutes. So the consequence of an accident and the interruption to your business may be down to as little as 1 hour! To me this is the essence of the modern security proposition - prepared and trained for the incident to ensure the minimisation of business harm and interruption.
Then the next event to occur post-incident is resolution of the security posture. Let's assume the forensics has been completed, the vulnerability identified and the security remediated.
The next step in the chain of events, in my humble opinion, is Reputation Restoration - something that rarely gets spoken of in the security conversation. If we are to provide a comprehensive, proactive, intelligence-led security proposition, I feel we would be remiss in our responsibility if we did not consider how we can assist our clients to restore their reputation to where it was prior to the event occurring. Just as the vehicle comes back from the panel shop in pristine condition ready for the next journey, our client's reputation needs that care and attention.
So now we have the planting of the criminal seed, the genesis of the threat landscape through the creation of attack tools designed by our adversaries on the Dark Web, and we have the consequence remediation at the end of the journey through the restoration of our client's reputation. To me this represents "The Lifecycle of Cybercrime".
By understanding our enemy, by migrating to a proactive intelligence-led security operation that is prepared for incident response and has clear strategies to restore reputation, we can embark upon a holistic security strategy that focuses on business outcomes; risk management; and people.
In my mind this strategy is underpinned by three (3) distinct pillars that demand equal investment and attention: Intelligence; Security; and Culture.
These thoughts and posturing are mine alone, and I know there are always individual particulars and nuances that may challenge some of this premise, but I also believe this provides the foundation upon which we should go forward in a holistic, proactive, intelligence-driven manner to produce improved business outcomes with reduced risk.
Brian Hay