FIGHTING CYBER CRIME

The Internet is the new frontier for crime, and an increasingly profitable one. Among the U.S. companies surveyed by the Ponemon Institute for its 2015 Cost of Cyber Crime study, the average annual cost of computer hacking per organization was an astonishing $15.4 million. Industry experts believe that many security incidents go unreported, so the true figure may be significantly higher. In a world where computers are used virtually everywhere and a web address is the lingua franca of global business, the mandate to protect our digital realm has never been more important.

As we think about information security within personal, organizational and national dimensions, it is important that we understand who the attackers are and how they operate so successfully in order to create solutions to counteract them.

The hacking ecosystem is breathtaking in its breadth and sophistication. It is no longer limited to rogue actors and the disaffected youth. Organized crime took notice of the opportunities in cybercrime more than 20 years ago and has built a complex, specialized economy. Some groups build the hacking tools and sell them for an exorbitant profit. Others buy the hacking tools and use them to attack organizations to steal valuable assets or blackmail the target to stop attacks and return property. Still others exist to launder stolen assets through a myriad of digital currencies. It is an economy that works very well for the bad guys.

Unfortunately, it gets worse. It isn’t just a matter of criminal organizations. Nation-states are stockpiling cyber weapons capable of disrupting power grids and banking systems, among other targets. Political activists and terrorists are also significant players in efforts to destroy their enemies through digital means.

The cybercrime economy is robust. A company recently paid $1 million for a single remotely exploitable vulnerability in the latest version of iOS. Such vulnerabilities are turned into highly advanced malware that may operate in stealth for months or even years, spreading silently, draining its host, or waiting for the right moment to launch a massive attack.

Cybercrime in the EU (share of malicious computer activity; ranks as given in the source, "based on 20 countries")

Country          Share   Malicious   Spam       Phishing     Bot    Attack
                         code rank   zombies    site hosts   rank   origin
                                     rank       rank                rank
Germany           6%        12          2           2         4       4
United Kingdom    5%         4         10           5         9       3
Spain             4%        10          8          13         3       6
Italy             3%        11          6          14         6       8
France            3%         8         14           9        10       5
Poland            3%        23          9           8         7      17

Poland's malicious code rank of 23 is reproduced as the source gives it, even though it exceeds the stated 20-country scope.

Attack origin rank, from most to least active: United Kingdom (3), Germany (4), France (5), Spain (6), Italy (8), Poland (17).

When we consider the efforts of the good guys to mitigate the risks of these advanced threats, the task is not hopeless, but it does require information security professionals to rethink their strategies completely. When new computer viruses appeared at a rate of a few per year and the value of the data at stake was relatively modest, it made sense to focus on preventative solutions.

In a world where even cars are being attacked by hackers, the sheer number of threats overwhelms that approach. The smart money is going towards making organizations more nimble and intelligent in responding to attacks. Detecting attacks more quickly, containing the extent of the damage and effecting a rapid recovery have great potential for improving our cybersecurity posture. Advanced organizations are becoming more proactive: they "hunt" for indicators of compromise or for particular exposures, and act on them before an attack has the chance to fully manifest.

There are several evolving areas of interest for information security professionals. Detecting incidents more quickly, understanding the end goals of an attack and finding creative solutions for survivability are all gaining attention. Many companies are investing in threat intelligence, which not only provides greater insight into active hacking groups but may even predict which companies they are targeting. We are also seeing increased use of Big Data to perform security analytics across virtually every computer an organization has, looking for correlated activity (for example, a suspicious download on one host followed by new files or processes on the same host) that may indicate a compromise.

One of the most promising ways to improve proactive security, and one which merits much greater use, is information sharing of security incidents.

Today, it is quite common for an organization that has been hacked to remain quiet about it unless it has a specific mandated reporting requirement. The analogy of information security teams acting as private fire departments, putting out their own fires while watching the neighbor's house burn down, is apt. Sharing incident details may not be of much use to the very first company hit by a specific piece of advanced malware. However, each successive organization that receives the incident information reaps an enormous windfall, because it can prioritize and respond to serious problems before they escalate. Those who purchase an iPhone bug for $1 million are counting on a long half-life for that vulnerability and the ability to monetize it across thousands of attacks. Incident sharing disrupts the economics of the bad guys while giving the good guys actionable intelligence to catch a hack in progress much earlier in its lifecycle.

The concept of incident sharing is powerful, but must be implemented in a structured way. Communities that share must have their participants vetted, and must have their identities protected.
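The security analytics described earlier (correlating activity across hosts) and the consumption of shared incident information come together in a simple hunt: take the indicators a partner organization has shared and look for them in your own proxy and endpoint logs, then correlate hits per host. The following Python is an added example, not code from the article; the indicator list, the log formats, the hostnames, the domain names and the file hash are all constructed for illustration and are not real indicators.

```python
import re
from collections import defaultdict

# Indicators as a sharing community might distribute them. All values
# are constructed for this example; none is a real malware indicator.
SHARED_IOCS = {
    "domain": {"invoice-update.example", "cdn-static.example"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "filename": {"_Locky_recover_instructions.txt"},
}

# Constructed log samples. Proxy lines: "<ts> <host> GET <url> <status>".
PROXY_LOG = [
    "2016-02-16T09:01:12Z ws-fin-07 GET http://invoice-update.example/87h54/sp.php 200",
    "2016-02-16T09:01:40Z ws-hr-02 GET http://intranet.corp.example/ 200",
    "2016-02-16T09:03:05Z ws-fin-11 GET http://cdn-static.example/x 200",
]
# Endpoint lines: "<ts> <host> <event> <path> [sha256=<hex>]".
ENDPOINT_LOG = [
    r"2016-02-16T09:01:15Z ws-fin-07 PROCESS_START C:\Users\a\AppData\Local\Temp\ladybi.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    r"2016-02-16T09:02:30Z ws-fin-07 FILE_CREATE C:\Users\a\Documents\_Locky_recover_instructions.txt",
    r"2016-02-16T09:03:10Z ws-hr-02 FILE_CREATE C:\Users\b\Documents\report.docx",
]

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) GET https?://(?P<domain>[^/\s:]+)")
ENDPOINT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<path>\S+)(?: sha256=(?P<sha>[0-9a-f]{64}))?$"
)


def hunt(proxy_lines=PROXY_LOG, endpoint_lines=ENDPOINT_LOG, iocs=SHARED_IOCS):
    """Return {host: {"hits": [(ts, type, value)], "types": set, "verdict": str}}.

    Hits of different indicator types on the same host are correlated:
    a single type makes a host 'suspect', two or more 'likely compromised'.
    """
    hits = defaultdict(list)
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m and m["domain"] in iocs["domain"]:
            hits[m["host"]].append((m["ts"], "domain", m["domain"]))
    for line in endpoint_lines:
        m = ENDPOINT_RE.match(line)
        if not m:
            continue
        # Normalise Windows paths so the basename check works on any platform.
        name = m["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if name in iocs["filename"]:
            hits[m["host"]].append((m["ts"], "filename", name))
        if m["sha"] and m["sha"] in iocs["sha256"]:
            hits[m["host"]].append((m["ts"], "sha256", m["sha"]))
    report = {}
    for host, found in hits.items():
        found.sort()  # chronological, since the timestamps are ISO 8601
        types = {t for _, t, _ in found}
        verdict = "likely compromised" if len(types) >= 2 else "suspect"
        report[host] = {"hits": found, "types": types, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, r in sorted(hunt().items()):
        print(f"{host}: {r['verdict']} ({', '.join(sorted(r['types']))})")
        for ts, kind, value in r["hits"]:
            print(f"    {ts} {kind}={value}")
```

On the constructed logs, ws-fin-07 contacts an indicator domain, launches a binary with a shared hash and then writes the ransom note, so it is reported as likely compromised with a timeline; ws-fin-11 only touched an indicator domain and is flagged as suspect for follow-up. The same structure scales from three lines to a full log store: the value of the shared list is that the second and later recipients can run this before the note ever appears.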

Note

File-encrypting ransomware has eclipsed botnets to become the main threat to enterprises. During the fourth quarter of 2015, 83 per cent of all data extortion attacks used crypto-ransomware. CryptoWall topped the list of 2015's most notorious ransomware families, with a 31 per cent share. According to FBI statistics released in June 2015, CryptoWall generated more than $18m for its creators in a little over a year. These revenues, traced by monitoring Bitcoin wallets and similar techniques, are evidence that a growing percentage of organisations hit by ransomware are paying up.

Effectively dealing with cyber risk means, first, understanding the different types of cyber criminals as well as their particular motives and preferred methods.

  1. Organised crime: Organised crime groups typically look for cash or information to sell and go after credit card details or personal information. They will often target and blackmail high-level executives using spear phishing techniques. They have also been known to steal company IP and sell it to competitors.
  2. State-sponsored groups: They are looking for business or security information (passwords, strategic plans, pricing, M&A activity) that might give their country an advantage. They might install software that sits in the background monitoring your activity or gathering data for months before it is detected.
  3. Hacktivists: They use computer hacking to further their aims. This group is particularly difficult to deal with as their motivations are varied. They might have a specific social, environmental or political agenda, or they may just be trying to be a nuisance. Typically their goal is to disrupt or disable your organisation's digital network.
  4. Internal: Internal threats are the most dangerous, as your own people hold the keys to the gate. And it is not just the disgruntled or dishonest who pose a threat: crime gangs often target vulnerable employees and then bribe or extort them to carry out cybercrimes from within the organisation.

The .locky ransomware is a new breed that poses an elevated risk because of its stealth, the breadth of storage it reaches (local, removable and network drives) and its sophisticated extortion mechanics.

Locky, the latest extortion scheme, shows that cybercriminals are actively pursuing new operational mechanisms. It is out of the ordinary because its distribution method differs from that of comparable families and because it reaches a wider range of victim data when an attack succeeds. The most prominent signs of infection are the .locky extension appended to encrypted files and the ransom instructions, titled _Locky_recover_instructions.txt, which are dropped into every folder whose contents the ransomware encrypted. The victim's personal files are renamed to something like 8361F0GE9589G5F7C9B07218D472R0F5.locky, where the first 16 characters are the unique victim identifier and the remaining 16 are specific to the file.

Of course, the user can no longer open any of these files, not because they were renamed but because the ransomware encrypted their contents with AES. Locky enumerates local drive volumes, external media such as USB memory sticks or an additional hard disk, and network drives, looking for files with the most common user-data extensions. It thus hits where it hurts: it encrypts personal documents while leaving alone the auxiliary files the operating system needs, so the machine stays usable enough to display the ransom demand.

When encryption finishes, the Trojan replaces the user's desktop wallpaper with an image giving step-by-step instructions for buying the data back. The same directions, repeated in the _Locky_recover_instructions.txt document, tell the victim to follow a Tor link. That link leads to the Locky Decrypter Page, where the victim can pay the ransom of 0.5 BTC (about $200 at the time) and then download the decryption software.
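The two artefacts just described, the renamed files and the ransom note, are what an incident responder looks for first when scoping an infection on a workstation or a file share. The following Python, an added example and not code from the article, walks a directory tree, recognises encrypted files by the 32-character name plus .locky extension the article describes, extracts the victim identifier from the first 16 characters, and reports which folders hold a ransom note and which hold encrypted files without one. The directory layout it builds for the demonstration is constructed; the file names are modelled on the article's example and are not real samples.

```python
import os
import re
import tempfile
from collections import Counter

# 16-character victim identifier followed by a 16-character file-specific part.
# Upper-case alphanumerics are accepted so the article's own example matches.
ENCRYPTED_RE = re.compile(r"^(?P<victim>[0-9A-Z]{16})(?P<file>[0-9A-Z]{16})\.locky$")
RANSOM_NOTE = "_Locky_recover_instructions.txt"


def classify(name):
    """'encrypted' for <32 chars>.locky, 'note' for the ransom note, else None."""
    if name == RANSOM_NOTE:
        return "note"
    if ENCRYPTED_RE.match(name):
        return "encrypted"
    return None


def triage(root):
    """Walk root and summarise Locky artefacts.

    Returns the victim IDs seen, the encrypted-file count per victim,
    directories that hold a ransom note, and directories that hold
    encrypted files but no note (worth a second look: the note was not
    written there, or has since been removed).
    """
    per_victim = Counter()
    note_dirs, enc_dirs = set(), set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind == "note":
                note_dirs.add(dirpath)
            elif kind == "encrypted":
                per_victim[ENCRYPTED_RE.match(name)["victim"]] += 1
                enc_dirs.add(dirpath)
    rel = lambda d: os.path.relpath(d, root)
    return {
        "victims": sorted(per_victim),
        "encrypted_per_victim": dict(per_victim),
        "note_dirs": sorted(rel(d) for d in note_dirs),
        "encrypted_without_note": sorted(rel(d) for d in enc_dirs - note_dirs),
    }


def build_sample_tree(root):
    """Create a constructed layout imitating a hit user profile (not real data)."""
    layout = {
        "Documents": ["8361F0GE9589G5F7C9B07218D472R0F5.locky",
                      "8361F0GE9589G5F7A1B2C3D4E5F60718.locky",
                      RANSOM_NOTE],
        "Pictures": ["8361F0GE9589G5F7000102030405F0F1.locky"],
        os.path.join("Windows", "System32"): ["kernel32.dll"],  # untouched by design
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00" * 16)


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Grouping by victim identifier matters on a shared network drive: several infected workstations write into the same share, and each identifier points back to one host that still needs to be isolated. Point `triage()` at a mounted share or a mirrored copy, never at a live infected machine that is still encrypting.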

The .locky ransomware is also non-standard in how it spreads. Rather than using exploit kits, the attackers mass-spam potential victims with bogus invoices. The attached Microsoft Word document looks innocuous, but it carries a trick: when the file is opened, its text appears garbled, and a small prompt says the problem can be fixed by enabling macros. Many users fall for this, enable macros by hand, and thereby let the embedded VBA code run on their computer, which downloads and launches the ransomware. Once that happens, the incident is extremely difficult to handle, but not impossible.
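Because the delivery relies on a macro-bearing Word attachment, the cheapest defensive check sits at the mail gateway: look inside the attachment for a VBA project instead of trusting its extension. The following Python is an added example, not code from the article. It treats an OOXML package (the zip-based .docx/.docm family) as macro-bearing when it contains a vbaProject.bin part, and flags the legacy binary OLE format (.doc) as suspect, because deciding whether an OLE file carries macros needs an OLE parser such as the real olevba tool from oletools, which this stand-alone example does not use. The sample documents are built in memory and are constructed, as is the quarantine policy.

```python
import io
import zipfile

# Magic bytes of the legacy binary Office container (.doc/.xls) and of a zip.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def inspect_attachment(data):
    """Classify an attachment by whether it can carry VBA macros.

    'macro'      - OOXML package containing a vbaProject.bin part
    'no-macro'   - OOXML package with no VBA part
    'legacy-ole' - binary .doc/.xls container; macros cannot be ruled out
                   here, so it is treated as suspect
    'other'      - not an Office document (or an unreadable zip)
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "other"  # a zip, but not an Office package
        # The extension is attacker-controlled; the part name inside is not.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        return "no-macro"
    return "other"


# Constructed gateway policy: anything that may run code is held for review.
POLICY = {"macro": "quarantine", "legacy-ole": "quarantine",
          "no-macro": "deliver", "other": "deliver"}


def gateway_decision(filename, data):
    """Return (filename, verdict, action) for one attachment."""
    verdict = inspect_attachment(data)
    return filename, verdict, POLICY[verdict]


def make_docx(with_macro):
    """Build a minimal OOXML-shaped zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice_2016.docm", make_docx(True)),
        ("invoice_2016.docx", make_docx(False)),
        ("invoice_2016.doc", OLE_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text, nothing to see"),
    ]
    for name, blob in samples:
        print(gateway_decision(name, blob))
```

Note that the same check applies to Excel and PowerPoint packages, since their VBA part is also named vbaProject.bin under xl/ or ppt/. A gateway rule like this would have stopped the Locky invoice campaign at the perimeter; disabling macros by Group Policy for users who do not need them catches what the gateway misses.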
