The document discusses cybercrime threats and solutions. It begins with an overview of common cybercriminal profiles, motives, and techniques such as exploit kits and distributed denial of service attacks. It then examines why cyber attacks occur and their growing impact on organizations, including financial costs, reputational damage, and privacy issues. The document outlines common attack techniques used by cybercriminals such as botnets and social engineering. It concludes by providing recommendations for governance, risk assessment, and security controls to help organizations combat cybercrime threats.
Contents

Executive summary (VII)
About the author (XI)

Part One: The cyber threat landscape in 2013

Chapter 1: Cyber criminals: Profiles, motives, and techniques (3)
  An interview with (ISC)2 (3)
  The Blackhole exploit kit (6)
  Other exploit kits and CaaS attack tools (9)
  Increasingly varied threats (9)
  A Cyber Pearl Harbor (10)
  From one-to-one towards many-to-many (11)
  The cybercrime perfect storm scenario (13)
  Threat actors: the cast of cybercrime characters (14)
  Conclusion (17)
Chapter 2: Why cyber attacks occur (19)
  Strategy versus operations (19)
  Horizontal versus vertical sectors (20)
  Access versus exploit (21)
  Why are organisations vulnerable? (23)
  Awareness need not have a technical focus (24)
  Cyber challenges facing the world in 2013 (25)
  Conclusion (35)
Chapter 3: The impact and cost of cybercrime (37)
  Financial (38)
  Brand, reputation, and customer confidence (39)
  Fake online profiles (40)
  Personal and social effects (41)
  Tracking and privacy (41)
  A risk-based approach to planning (43)
  Conclusion (43)

Part Two: Cyber attack techniques

Chapter 4: From an army of one to the botnet (47)
  The typical stages of a cyber attack (47)
  Attack objectives (48)
  Common tools and techniques (48)
  Organised crime (50)
  A growing threat (53)
Chapter 5: E-crime (55)
  Social engineering (56)
  Phishing (56)
  Pharming (57)
  Data theft (57)
  Online fraud (58)
  Conclusion (58)
Chapter 6: Employees and risk (59)
  Hostile online investigations and social media (59)
  Unauthorised Cloud deployments (60)
  USB sticks and other media (60)
  Conclusion (62)

Part Three: The road ahead

Chapter 7: Governance (65)
  The evolution of cyber security and the regulatory framework (65)
  Winning the argument (68)
  Governance, risk, and compliance (68)
  Auditing vs penetration testing (69)
  A high level governance action plan for cyber security (71)
Chapter 8: Assessing risks (73)
  Information technology and data asset inventories (73)
  Threat assessments (76)
  Vulnerability assessments (78)
  ICT risk registers (79)
  Risk velocity (80)
  Risk tolerance and the goldilocks zone (80)
  Cyber crisis response (80)
  Conclusion (84)
Chapter 9: Devising or updating controls (85)
  Data classification and segmentation (86)
  Encryption (87)
  Authentication (89)
  Network flooding attacks (90)
  Anti-malware solutions (90)
  Mobile device security (91)
  Cloud security (92)
  Mobile payments security (95)
  Machine-to-machine auditing (97)
  Citizen developers (98)
  ISO 27001 compliance (99)
  Conclusion (99)
Executive summary

IN MARCH 2013 cyber criminals launched an attack on a little known non-profit organisation called Spamhaus, which contributes to the fight against internet spam. The attack was then extended to include a service provider and the organisation's network provider. The attack, described as the largest of its type ever seen, caused serious operational problems at the London Internet Exchange and affected quality of services across several parts of western Europe. Some informed commentators suggested that it highlighted important vulnerabilities in internet infrastructure.

Cybercrime, in its various guises, costs the global economy untold sums of money and much social and personal harm. In February 2011 the UK Cabinet Office sponsored a report by Detica, titled The Cost of Cybercrime,[1] that put the financial cost to the UK economy at £27 billion per annum, even without factoring in issues such as child exploitation. Although widely challenged by many experts, the Cabinet Office figure is useful for the insight it provides into the seriousness with which the UK Government views the problem. A more refined assessment was produced by a mixed group of experts in 2012.[2] This broke the costs down into three separate categories: the direct cost of cybercrime; the social and other indirect costs; and finally, the cost of cyber security defences or responses to cybercrime. The authors found that the direct losses resulting from cybercrime and, significantly, criminal gains from cybercrime, are far outweighed by the other costs. One important conclusion emerging was that expenditures on technical defences greatly exceed recorded losses.

In late 2012 the respected European Network and Information Security Agency (ENISA) issued its own updated assessment of the threat landscape.[3] In this report, ENISA stated that of 16 top cyber threats monitored by the Agency, 11 are increasing, four are stable, and only one is decreasing.
Cybercrime, the assessment confirmed, is on the rise.

It is difficult to assess the full implications of these observations. Are the defences working well and reducing the amounts lost? Or are organisations over-reacting to hype by throwing money at the problem? What role does awareness play in either the level of exposure to risk or in the decisions being made about the acquisition of solutions? A widespread lack of awareness is a major obstacle to progress; it increases operational risks, skews decision making, and allows hype to dictate the direction of travel.

This report arrives at some very important conclusions about the nature of the threat and the requirements on organisations in terms of a response. These can be summarised as:

- An army of one has the power to cripple key systems and infrastructure: The proliferation of easy-to-use attack tools means that the asymmetric nature of the cyber menace is more pronounced than ever before;
- Raising awareness amongst non-technical users and leaders should be job one: Users and their leaders are sometimes unaware of the perils and, without better user awareness, attackers will always have a hefty set of loopholes to exploit;
- It is not all about China: Doubts are starting to emerge in some quarters about the veracity of reports blaming China for the preponderance of reported cyber-attacks and intrusions;
- Dependency is the biggest area of vulnerability: Because business, governments, and citizens have such a great dependency on cyber and communications technologies, and because those technologies have converged on the internet, they now represent a single point of failure for the globalised system of trade and finance;
- Forget hacking; poor user habits, purpose-made exploit kits and Cloud risks are far more substantial threats to our cyber security: Anonymity online, the ease with which social engineering attacks can be executed, and the virtualisation of key data and systems in the Cloud all mean that traditional hacking attacks on corporate servers are likely to become less frequent and significant than attacks on virtualised platforms, as well as on employees operating in the social spaces;
- Governance of information is the top priority for boards: In the information age, data assumes primacy as a business asset. Accordingly, those responsible for the well-being, compliance, and security of the business are now recognising that information security is a top priority; and
- Network providers must take responsibility for network security: Recent attacks have demonstrated that once malicious data have arrived at the targeted server it may be too late to block the attack, because the network's capacity to function has already been affected. Therefore it is the network provider itself that must detect and block potential attacks.

The previously mentioned lack of awareness surrounding cyber security may seem surprising given the plethora of cybercrime and security reports available from solutions vendors and government agencies alike. However, very few of the reports published are intended for non-technical audiences and, in the main, reports on cybercrime assume a certain level of knowledge on the part of the reader. Perhaps as a consequence, they provide little in the way of explanations of basic cyber security principles or simple depictions of attack techniques. There is increasing concern that the cyber message is not getting across to those who really need to hear it: to the decision makers and senior executives in non-technical fields who are unlikely to take the time necessary to understand the issues presented, or to appreciate the impact these threats may have on their operations, revenues, and reputations. At the end of the day, cyber security and IT professionals are to the enterprise as mechanics are to motor vehicles.
They understand and can often mend problems, but what they cannot do is ensure that everyone else drives carefully and responsibly. This report is produced with the non-technical reader in mind and is aimed at decision makers and mid-level managers from all organisations.

References

1. See: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60942/THE-COST-OF-CYBER-CRIME-SUMMARY-FINAL.pdf.
2. Anderson, R. et al. Measuring the Cost of Cybercrime, 2012. See: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf.
3. ENISA Threat Landscape: Responding to the Evolving Threat Environment, 2012. See: www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport.

About the author

MARK JOHNSON is a prominent writer, speaker, and thinker on current and emerging high technology risks and the author of two books on the subject. Immensely proud of his complete lack of technical education, Mark specialises in painstakingly deciphering the computer talk emanating from conventional subject matter experts and formulating common-sense explanations, conclusions, and recommendations for the layperson. Mark is chairman of The Risk Management Group (TRMG), which provides consultancy and training in several areas of high technology risk. Areas covered include cybercrime and security, mobile payments risk and fraud, and cyber crisis response, as well as telecoms revenue assurance. TRMG is also very active on the conference circuit and it supplies a number of free educational resources on various aspects of risk via its website at www.trmg.biz. With its long list of blue chip references, TRMG was recently selected by the Association of Chief Police Officers (ACPO) Data Communications Group (DCG) Futures Group to prepare illustrated guidance for the UK Police on emerging mobile payments technology risks and investigations.
Chapter 1: Cyber criminals: Profiles, motives, and techniques

AWARENESS AND concern about cyber security are both growing, and so is the range of issues that security professionals and data custodians share. This is evidenced by the findings of (ISC)2 in its 2013 Global Information Security Workforce Study, which surveyed over 12,000 respondents from large corporate and public sector organisations.[1] When asked to score their top cyber threat concerns, the survey group provided the responses shown in Figure 1. The responses reveal that the focus of today's senior security professionals needs to be very broad, covering a range of challenges from poor employee awareness to advanced attacks by state-grade hackers. As the internet and its service offering continue to evolve, it can only be expected that these challenges will become ever more complex.

Figure 1: "Top" and "High" concerns from the (ISC)2 2013 Global Information Security Workforce Study, scoring perceived information security risks by percentage:
Application vulnerabilities 69%
Malware 67%
Mobile devices 66%
Internal employees 56%
Hackers 56%
Cloud-based services 49%
Cyber terrorism 44%
Contractors 43%
Hacktivists 43%
Trusted third parties 39%
Organised crime 36%
State sponsored acts 36%

An interview with (ISC)2

The author interviewed John Colley, managing director of (ISC)2, about his firm's findings.

Author: How do you see the cyber security landscape in general in 2013?

Colley: The security community has become very skilled at securing the network and the ISO (Open Systems Interconnection) stack that connects the underlying network layer to the topmost applications layer. Most vulnerabilities are now at the application level, in other words at the top of the stack, or out of the stack completely at the end-user level, and this is where we see the most action today.
Author: Application vulnerabilities scored even higher than malware during your survey. How do you account for this?

Colley: Many of the vulnerabilities we face today have actually been known for a very long time, but security is not always considered all the way through the application or software development lifecycle and so the lessons learned in the past are not factored into the new designs. In many businesses, information security has only recently become involved in the sign-off for new applications and software. This means that risk increases because security is less pro-active than it should be.

Author: What makes mobile device and employee risks so significant?

Colley: New technology comes along all the time, but security sometimes functions reactively, rather than being proactively engaged. It was rather obvious when mobile phones started to become really popular that most people would ultimately prefer to use their own phone for everything, due to the need to make personal as well as business calls. In other cases it's about using the device of choice, the one with the best feature set. With the arrival of smart phones and the addition of business applications the pressure just increased, but neither security nor the wider business picked up on this early enough. Another pressure point is the fact that early adopters are likely to be senior executives and they will push through their requirements regardless of policy, and so we find ourselves in a situation where BYOD (Bring Your Own Device) is a problem rather than an opportunity. In some cases, the response has been to adopt thin client technologies where most data does not reside on the device but on a backend platform. However, not all organisations have adopted this approach. Whatever solutions are implemented, organisations need to be responsive to user needs and preferences, carefully balancing risk, security, user satisfaction and efficiency.
Author: State sponsored attacks get all the press coverage these days, as well as the political attention, but this risk actually scores lowest in the survey. How do you view that apparent contradiction?

Colley: It's important to note that the survey was conducted before many of the most recent high profile attacks took place and so attitudes might have shifted somewhat since then. However, state sponsored attacks do tend to be very targeted and are usually intended to gain a commercial competitive advantage in a relatively narrow set of sectors and industries. So, these attacks may not be a major problem for most organisations, only for a minority, depending of course on where they operate.

Author: One apparently important risk that my research has uncovered, but which is not listed in the (ISC)2 top twelve risks, is dependency on network connectivity as a key vulnerability. In light of the recent abortive so-called Fibre Security attack reported from Egypt, do you see internet dependency as a risk that will receive more attention in the future?

Colley: In the past most large organisations had private networks which they either owned or rented. While this protected them in one sense, it also made many of them incredibly dependent on a single network that didn't always have massive redundancy. The internet, on the other hand, is incredibly resilient, although there are indeed pinch points, but given a failure at any one node the likelihood is always that service will continue to be delivered. While one can never say never, I regard the risk of a wholesale internet failure as vanishingly small.

Author: How much of an effect have the App model and the activities of the citizen developer had on risk and security?

Colley: While end users/hobbyists are one form of citizen developer, many organisations also have non-IT department people developing and supporting solutions.
Sometimes this is informal and on other occasions these shadow IT developers have been brought in from the outside by departments that are frustrated with the official IT approach. This can exacerbate risk as businesses become dependent on applications that are poorly supported and documented. Very often, the external consultant leaves and it is at this stage that the official IT function is asked to step in and support an application the existence of which is news to them. All manner of risks arise from this kind of scenario.

Author: Unauthorised Cloud usage (and the provisioning of Cloud services without IT approval) is thought to be a widespread practice. Does this chime with your experience?

Colley: There are in fact many examples where business critical functions have been developed on Cloud without the normal IT process and quality controls being applied. Again, this contributes to risk and the problem is unlikely to go away.

Author: How important is user awareness and how can organisations improve and deepen it?

Colley: User awareness is absolutely essential to any organisation. This is not just about telling people what to do, but rather about educating them regarding the actual risks and problems faced in order to allow them to take an informed approach to risk. In fact, I believe that cultural change is even more important than conventional user awareness. For example, the safety culture in oil and gas or the customer information protection culture in financial services are really deeply ingrained in the sinews of the business; everyone understands and conforms instinctively in a way that no awareness programme can achieve. Cyber security needs to become a part of the culture of every organisation.
At the same time, however, controls must not get in the way of people doing the job or drive insecure practices such as writing long passwords down, and deeply ingrained corporate cultures are not always a good thing. Once again, it's all about achieving the right balance and having the vision and flexibility to adapt as the environment changes.

Author: In conclusion, are we keeping up with today's cyber attackers or are we falling behind?

Colley: Security is keeping up, even though the attackers are always going to be one step ahead simply because they have a vast number of options available to them. As I've said, the key is for security to be able to respond quickly and effectively. This has been a consistent pattern over the last two decades, although the pace has increased as the number of attacks increases. This, however, is somewhat offset by the increasing number of security professionals entering the profession and I am confident about our collective ability to counter the threat and protect our global economy.

The Blackhole exploit kit

In what could be construed as a demonstration of the combined effects of application vulnerabilities and malware, the two top-scoring risks in the (ISC)2 report, two Russian hackers, allegedly nicknamed HodLuM and Paunch, developed, and later started to offer online, an easy-to-use kit for launching cyber attacks. The Blackhole exploit kit became one of the most popular and effective toolsets of its kind and by 2012 internet security firm Sophos was reporting that 28 per cent of all web threats it had detected during that year were facilitated by Blackhole, as illustrated in Figure 2.[2]

Figure 2: Web attacks by type, 2011-2012. Source: Sophos Labs US
Drive-by redirect (not Blackhole) 31%
Drive-by redirect (Blackhole) 24%
Payload (not scareware) 11%
Exploit site (not Blackhole) 8%
Other 8%
Exploit site (Blackhole) 7%
Search engine optimisation 7%
Scareware 4%
The utility of these metrics

These statistics imply that:

- Drive-by attacks are currently the predominant form of web attack. (Drive-by attacks occur when a user visits a malicious webpage and is infected without taking any of the conventional actions, such as downloading a file);
- Almost half of all drive-by attacks are facilitated by the use of the Blackhole exploit kit; and
- Developing awareness of the drive-by risk and also ensuring that systems are up-to-date with the latest security patches are two key steps that organisations need to be taking now.

How the Blackhole model works

An exploit kit is a software tool used by attackers to get other software installed on a victim's PC. This other software can perform a wide range of tasks, usually malicious. So, an exploit kit such as Blackhole contains a range of different payloads and the user selects the ones desired and the intended target or type of target. Blackhole then delivers the selected payload and the payload conducts its attack on the infected device, as described below.

Exploit kits are sold online to anyone who wishes to use one. The kits normally exploit known security holes in the versions of software installed on victims' devices, for example web browsers, to deliver the malicious payload selected by the user of the exploit kit. The older the browser version, the more likely it is to contain known holes, and so updating browsers and other software regularly is a key defence against Blackhole-type attacks.

The person or persons who wrote the Blackhole code are not the person or persons who use it to attack targets. They are simply in the business of creating and selling their exploit kit as a service to other cybercriminals. Exploit kit developers deliver, package, and sell their kits in a model that is very similar to the SaaS (software as a service) model, and this is therefore often referred to as CaaS (crime as a service).
A would-be cybercriminal purchases a license to use Blackhole, or any other such exploit kit, for a period of time. The costs and licence options vary between different kits and some kits even include software updates, while others are available at a premium to include the most modern exploits that can bypass even up-to-date anti-malware applications. Blackhole and other exploit kits, therefore, represent the transfer of weapons-grade cyber technology from the hands of a few to the hands of the many via a commercial channel. They empower relatively non-technical people to perform highly technical attacks against any chosen target or against targets of opportunity and, as such, they constitute a clear danger to all aspects of online activities and services. The five stages of a Blackhole attack In simple terms, there are five main stages to a Blackhole attack: Stage 1: Initial contact with the victim; Stage 2: Drawing the victim to an exploit site; Stage 3: Investigation of the victims device and software to identify possible exploits; Stage 4: Delivery of the appropriate malware to the victims device; and Stage 5: Execution of the malware payload. This in itself can be a multi-stage process. As indicated in the list above, most exploit kit attacks start by getting a users browser Chapter 1: Cyber criminals: Profiles, motives, and techniques 8 to point at an infected exploit site where the malicious payloads will be downloaded and installed without the users knowledge or consent. Common ways of achieving this include: Compromising legitimate trusted web pages or servers and infecting them with code that re-directs visitors to the malicious exploit site. Recently, large networks of compromised web pages have started to appear, all taking visitors to the same exploit site. 
These networks of infected pages are called Malnets; and
- Sending spam or targeted messages (email, SMS, instant messaging or social media messages) to people with links to the malicious site included in the message. Normally, these links are obfuscated so that they appear to go to non-threatening sites. A message asking "Is it you in this photo?" circulated widely on Twitter and was linked to a Blackhole outbreak.

Attacks might also be conducted by hiding trojan code in file downloads, such as popular music or games. In most of these scenarios, user ignorance or deliberate breaches of security guidelines are a major contributor to the problem.

At the exploit site

Once a victim arrives at the exploit site's landing page, the Blackhole software hosted there carries out several tasks automatically, such as:

- Logging where the user was redirected from; in some cases this will lead to a payment being made to a collaborating malicious site; and
- Analysing the user's device remotely to determine its browser type and version, operating system, and other software types and versions (Adobe, Java, Flash, etc.) in order to determine which types of attack have the best chance of success, based on the known vulnerabilities in each of these software types and versions. The Android OS, for example, is the target of over 90 per cent of all malware attacks on mobile devices. [3]

Figure 3: The F-Secure figures for new mobile device threats, Q1 2013, suggest that over 90 per cent of new threats focused on the Android operating system. (Figure data: total new threat count by quarter, Q1 2012 61, Q2 2012 66, Q3 2012 74, Q4 2012 100, Q1 2013 149; Q1 2013 breakdown, Android OS 136/149 (91.3%), Symbian OS 13/149 (8.7%), BlackBerry, iOS and Windows Mobile 0/149 (0%).)

Execution of the attack

Once its analysis is complete (and this requires only a split second) Blackhole determines the best available exploits and loads up the appropriate attack tools before directing them at the unwitting visitor.
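The chain just described (a browser arriving at a landing page by redirect from an unrelated site, followed within seconds by fetches of plugin content such as Java or PDF from the same host, and then a binary) is also the sequence a defender can look for in web proxy logs. The following is an added example written for this page, not code from the report or from any vendor it mentions. It assumes a simplified, constructed log format (timestamp, client, status, URL, referer, content type), a hypothetical allowlist of known-good hosts, and a 30-second window chosen for illustration; the sample log lines are constructed.

```python
"""Flag drive-by redirect chains in web proxy logs (added defensive example).

Assumed log format, constructed for this example, one request per line:
    <ISO timestamp> <client IP> <HTTP status> <URL> <referer or -> <content-type>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Content types an exploit kit probes for after the landing page (Java, PDF and
# Flash are the examples named on the page); binaries suggest a dropped payload.
EXPLOIT_TYPES = {"application/java-archive", "application/pdf",
                 "application/x-shockwave-flash"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
KNOWN_GOOD_HOSTS = {"static.example.org"}   # hypothetical allowlist of your own CDNs
WINDOW = timedelta(seconds=30)              # follow-ups must arrive this soon after landing

# Constructed sample: two clients are redirected from different legitimate sites to
# the same landing host, and one of them also fetches a binary. A third client only
# loads a stylesheet from an allowlisted CDN and must not be flagged.
SAMPLE_LOG = """\
2013-05-14T10:00:01 10.0.0.5 200 http://news.example.org/story.html - text/html
2013-05-14T10:00:02 10.0.0.5 200 http://cdn-stat.example.net/x.php http://news.example.org/story.html text/html
2013-05-14T10:00:03 10.0.0.5 200 http://cdn-stat.example.net/a.jar http://cdn-stat.example.net/x.php application/java-archive
2013-05-14T10:00:04 10.0.0.5 200 http://cdn-stat.example.net/w.pdf http://cdn-stat.example.net/x.php application/pdf
2013-05-14T10:00:06 10.0.0.5 200 http://cdn-stat.example.net/load.exe http://cdn-stat.example.net/x.php application/octet-stream
2013-05-14T10:05:00 10.0.0.7 200 http://blog.example.com/post/1 - text/html
2013-05-14T10:05:01 10.0.0.7 200 http://cdn-stat.example.net/x.php http://blog.example.com/post/1 text/html
2013-05-14T10:05:02 10.0.0.7 200 http://cdn-stat.example.net/a.jar http://cdn-stat.example.net/x.php application/java-archive
2013-05-14T10:10:00 10.0.0.9 200 http://news.example.org/story.html - text/html
2013-05-14T10:10:01 10.0.0.9 200 http://static.example.org/site.css http://news.example.org/story.html text/css
"""


@dataclass
class Record:
    ts: datetime
    client: str
    status: int
    host: str
    referer_host: str   # "" when the request carried no Referer
    ctype: str


def parse_log(text):
    """Parse the constructed log format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer, ctype = line.split()
        records.append(Record(
            ts=datetime.fromisoformat(ts), client=client, status=int(status),
            host=urlsplit(url).hostname or "",
            referer_host=(urlsplit(referer).hostname or "") if referer != "-" else "",
            ctype=ctype))
    return records


def find_driveby_chains(records):
    """One finding per (client, landing page) that matches the drive-by chain.

    A landing page is an HTML document reached from a different, non-allowlisted
    host; the chain is confirmed when the same client then fetches exploit-prone
    content from the landing host within WINDOW. A binary raises the severity.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r.client].append(r)
    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        for i, landing in enumerate(recs):
            if not (landing.ctype == "text/html" and landing.status == 200
                    and landing.referer_host and landing.referer_host != landing.host
                    and landing.host not in KNOWN_GOOD_HOSTS):
                continue
            followups = [f for f in recs[i + 1:]
                         if f.host == landing.host and f.ts - landing.ts <= WINDOW]
            exploit_types = sorted({f.ctype for f in followups if f.ctype in EXPLOIT_TYPES})
            if not exploit_types:
                continue
            payload = any(f.ctype in PAYLOAD_TYPES for f in followups)
            findings.append({"client": client, "landing_host": landing.host,
                             "referer_host": landing.referer_host,
                             "first_seen": landing.ts.isoformat(),
                             "exploit_types": exploit_types,
                             "payload_delivered": payload,
                             "severity": "high" if payload else "medium"})
    return findings


def malnet_candidates(findings, min_referers=2):
    """Landing hosts reached from several distinct referring sites: the
    'many compromised pages, one exploit site' pattern the report calls a Malnet."""
    referers = defaultdict(set)
    for f in findings:
        referers[f["landing_host"]].add(f["referer_host"])
    return {h: sorted(r) for h, r in referers.items() if len(r) >= min_referers}


if __name__ == "__main__":
    hits = find_driveby_chains(parse_log(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print("Malnet candidates:", malnet_candidates(hits))
```

On the sample, the two redirected clients are reported (the one that also pulled a binary at high severity) and the shared landing host is listed as a Malnet candidate because it was reached from two different referring sites; the allowlisted CDN fetch is ignored. On real logs the allowlist and the content-type sets need tuning to the organisation's own traffic, and a hit is a lead for triage, not proof of infection.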
Payloads contained within these attack tools can include spyware that monitors users' actions, code that steals files or other data, worms that navigate from the infected device to other devices on the same network, and many other attack techniques. All of this is controlled by the Blackhole users, of which there can be an unlimited number, not by the actual developers of Blackhole. In fact, the developers will have no specific knowledge of how or where their toolkit is being used.

Other exploit kits and CaaS attack tools

Blackhole is by no means the only kit of its type available for download, with others including the Phoenix and ZeroAccess exploit kits, the Low Orbit Ion Cannon, and the High Orbit Ion Cannon, all part of the new range of easy-to-use attack tools built by experts for deployment by less technical followers. Each of these tools has been widely distributed, downloaded in large numbers and used.

Exploit kits such as these not only make the distribution of threats easier and more diffuse than ever before; some also represent a means for their creators to secretly take remote control of infected machines to create botnets: robot armies of malicious computers, sometimes numbering in the millions and capable of launching a variety of attacks or facilitating illicit money-making schemes.

Commenting in a 2012 report, Verisign, a vendor of security solutions and services, said: "You no longer need to be a sophisticated hacker to commit fraud on the internet. Anyone who is motivated can join in, thanks to the off-the-shelf phishing kits provided by a thriving cyber crime ecosystem. Cyber criminals are even migrating to a new business model known as malware-as-a-service (MaaS), where authors of exploit kits offer extra services to customers in addition to the exploit kit itself." [3]

Increasingly varied threats

Threats in the modern era are increasingly diverse and sometimes unforeseeable.
Consequently, much of the emphasis within organisations will now need to be directed at responding to unavoidable incidents and managing their effects, rather than at preventing or attempting to avoid them. A merging, during crises, of information or cyber security, fraud control, risk management, and disaster recovery, closely supported by the public relations, human resource management, and legal functions, is projected to be one possible outcome of these developments, implying that a complex matrix of functions, tools, and skills will need to be brought to bear on future cyber risks.

Disaster recovery planning is possibly the most urgent requirement for organisations large and small, and indeed for individuals. Off-site data backups, hot and cold equipment backups, redundancy in connectivity, alternate work sites or remote working contingency plans, manual contingency processes, and many other alternatives during a time of information and communications technology crisis cannot be devised in the saddle. It seems clear, then, that the coordination and leadership of such an interwoven set of activities during a crisis will demand the full attention of top management and that no organisation should wait until such a situation is upon them to tutor and equip their senior staff for this task. Awareness training, contingency planning, and rehearsals at the highest levels therefore represent a critical pillar in every organisation's risk strategy.

A Cyber Pearl Harbor

We live in a future torn from the pages of science fiction novels, a future foretold by the likes of Asimov, Heinlein, and Orwell. While there are no flying cars, there is an all-reaching worldwide network of connectivity and communication, a network populated by miracle workers and miscreants, a global meeting space, shopping space, and entertainment space, a cyberspace ... and a battle space.

On Tuesday 14 May 2013, Gen.
Keith Alexander, head of the U.S. National Security Agency and U.S. Cyber Command, told a cyber-security summit sponsored by the Reuters news agency that U.S. computer networks are under constant attack. The attacks take two forms, according to Alexander:

- The theft of secrets; and
- Disruption or damage to networks.

"Mark my words, it's going to get worse," Alexander said. "The disruptive and destructive attacks on our country will get worse and ... if we don't do something the theft of intellectual property will get worse."

Not only are the new threats more diverse, but they are increasing in complexity, and many are launched in a coordinated fashion by attackers numbering in the thousands. Social media, exploit kits and free online training tools are all being used to construct an advanced, diffuse attack model, sometimes with political or environmental drivers, which can target major concerns at will. Attacks on the US financial services sector in 2012 typified this new reality, leading US President Obama and other senior figures to speak publicly about a cyber security threat to the global economic system, or of a "Cyber Pearl Harbor", as Leon Panetta, then US Secretary of Defence, put it at the time of the attacks.

Figure 4: A Maturity Model summarising some of the key changes in the nature and focus of information and communications technology over four decades. (Figure content: an ICT Maturity Model with four stages, from immature to mature, dated 1980, 1990, 2000 and 2013; the ICT focus shifts from managers to workers, to consumers, to everyone; the technologies progress from mainframe, through client-server PC and web server, to PC, laptop and PDA, and on to cloud, mobile data, BYOD, the app model and cybernetics.)

From one-to-one towards many-to-many

While the old threats remain important, new cyber attack models are also evolving, and they are taking society towards a more complex mix of cyber threats.
One-to-one attacks

Most closely fitting the traditional image of the Mensa-grade, pony-tailed hacker operating from a darkened room, one-to-one attacks also encompass insider data thefts and many forms of fraud, blackmail or eCrime attack. This remains an important type of threat.

One-to-many attacks

Evolved over several decades, typical examples of the one-to-many attack model include malware or viral attacks, spread, for instance, via email. Spam and adware are also forms of one-to-many attack in which a single source spews out unwanted marketing messages to millions of recipients.

Many-to-one attacks

Typified by the Low and High Orbit Ion Cannon attack cases, as well as by the botnet scenario, many-to-one attacks involve willing accomplices or hijacked devices launching mass attacks on a single target. This is commonly designed to deny services to the users of the targeted machine.

Many-to-many attacks

A cyber security nightmare, the conceptual many-to-many attack features millions of infected devices, or willing participants, simultaneously launching many millions of attacks on millions of targets, all across the internet, thus causing congestion and cascading internet failures.

The Low Orbit Ion Cannon (LOIC) software used to launch the 2012 attacks on at least 14 major US banks was made available as a free internet download, amply supported by "how to" videos on YouTube. One of the most popular of these videos, uploaded in November 2010 and still accessible at the time of writing in mid-2013, has received over 264,000 views to date. Versions of this training tutorial are also available in other languages.

Figure 5: The scope of most cyber attacks according to US Gen. Keith Alexander. (Figure content: attacks on data in storage or during transmission between systems, and attacks on the network that allows data to be transmitted.)
The LOIC application was downloaded 34,000 times in the UK alone over a period of just three days, according to the Metropolitan Police's head of e-crime investigations. This characterises the advanced nature of the threat and an apparent eagerness on the part of many individuals to acquire these cyber-war-fighting capabilities that no major body can afford to ignore.

The impact of cyber attacks on business, government and nation states is not merely financial. Of far greater import are the effects that attacks can have on trust and consumer confidence; their impact on the brand. Whether this relates to data loss from government computers or loss of service for banking, online payments, communications, utilities or any of the myriad services exposed to such risks, the potential harm is very serious. The very interconnectedness of the modern enterprise and its dependence on shared infrastructures and resources, sometimes referred to as "entanglement" by cyber warriors, merely serves to exacerbate the risks. In a time of crisis, if network capacities are restricted, shared resources can become bottlenecks and possibly critical points of failure, while crises in one sector or location can trigger cascading crises in adjacent ones.

Table 2: How different cyber attack tools and techniques map conceptually across the four classes of attack scenario. (Table content: columns for the One-to-one, One-to-many, Many-to-one and Many-to-many scenarios; rows for the tools drive-by exploits, worms/trojans, code injection, exploit kits, botnets, Malnets, denial of service, phishing, APTs, spam and social engineering; the individual cell markings are not reproduced.)

Figure 6: Evolving cyber attack models are becoming ever more complex. (Figure content: a progression from one-to-one, through one-to-many and many-to-one, to many-to-many.)

The cybercrime perfect storm scenario

Cascading failures are not unknown in complex modern technology-based systems.
The second most widespread power blackout in history took place in the north-eastern and mid-western United States and the Canadian province of Ontario in mid-August 2003 after trees brushed power lines during a weather storm. Operators at the affected power company were unaware of the need to redistribute electricity loads due to a software bug in their management systems, and the resulting cascade of power outages left 55 million people without electricity, many for two days.

The same pattern applies to the information and communications technology mix, of which the internet is today a core part. An initial cause as seemingly low grade as the digital equivalent of a falling tree or a malicious software bug does have the capacity to cause significant effects, as highlighted by the Spamhaus incident mentioned at the start of this report and covered in more detail later. In a complex network of systems or processes, a cascade of cause and effect can ripple through the entire system in such a way that a small initial cause can have a large and widespread set of effects. In the cybercrime perfect storm scenario, such impacts could be widespread.

Organisations of all sizes must continue to secure the perimeter (diffuse as that perimeter might now be with the multitude of modern internet touch points) using the conventional mix of people, processes and technology. They also need to take a fresh look at how data is classified and segmented in the era of cloud services. Disaster recovery and business continuity require much more attention than ever before because it is increasingly clear that any or all of us can be struck by a localised cyber-crisis at some point in the short-to-medium term, while a more widespread failure is not beyond the bounds of possibility. Security in the cyber age, in other words, must embrace the inevitability of a critical failure and, while attempting to defer it, plan also for what comes after.
The democratisation of the cybercrime arena, represented by Blackhole, Phoenix and the Low Orbit Ion Cannon, has resulted in ever larger numbers of would-be attackers coming onto the scene, and this in turn has led to an increased level of risk for both corporate bodies and public sector organisations worldwide. What enterprises are witness to in the case of these toolkits is evidence of a symbiotic relationship between those with technical skills and those lacking such skills but possessing a motive to act. These are only two categories out of several that can be used to define the community of active or potential cyber attackers; the types of cyber attacker and the range of motives for their actions are many and varied. When combined, they form a matrix, and each new cybercrime case therefore has the potential to be unique. Nevertheless, it is possible to provide a broad brush description of some of the typical attacker profiles in pen portrait form.

Threat actors: the cast of cybercrime characters

The hacker

Profile: the traditional hacker is a technical expert, often renowned for their skill and generally proud of it. The hacker specialises in breaking into systems by breaching security using high-tech methodologies. They may view corporations and governments with suspicion and will often hold the opinion that software and data should be free of charge and free to access for all. Few in number, experts of this ilk keep a low profile and use pseudonyms to disguise their real identities.

Typical motives: the hacker's motives can be difficult to define with confidence, particularly as Hollywood stereotypes are as close as most people will come to meeting a genuine one.
However, those hackers who have been apprehended in the past, and who have agreed to speak about their activities, have often cited the love of a technical challenge and a dislike of the status quo as drivers for their behaviour. Kudos or reputation is sometimes cited as an additional motive.

The script kiddie

Profile: far more common than the hacker is the script kiddie. Script kiddies lack the supreme technical skills of hackers, but have sufficient skill and interest in the topic to be able to read or view text and videos on the topic of hacking and to download and execute software scripts produced by hackers for them. Script kiddies, therefore, represent a channel to market for hackers who wish to reduce their risk or increase their scope by using a multitude of less skilled hands. Many of the prominent denial of service attacks and code injection attacks witnessed over the last two or three years were almost certainly executed in large part by script kiddies.

Typical motives: because of their number, it is almost impossible to assign any particular set of motives to this group; they include single-issue extremists, bored teenagers, would-be future hackers, and those with a grudge against a particular organisation or brand.

The malware developer

Profile: the malware developer has a great deal in common with the hacker and may even be a hacker in some cases, but their focus is on building autonomous pieces of code that have the ability to disseminate themselves and infect multiple systems before executing a variety of payloads. Increasingly, malware developers are working along commercial lines and using their skills and their code to generate revenue. Malware may also be used by hackers to create entry points in target systems.

Typical motives: early malware developers were often motivated by a desire to demonstrate security vulnerabilities in software or organisations, but modern malware developers appear to be motivated primarily by profit.
The online social engineer

Profile: the online social engineer is the internet version of the conman. They specialise in understanding human behaviour and psychology and in exploiting that to persuade targets to either take or avoid specific actions, often going against their better judgement. Examples include persuading targets to disclose personal data, bank account information, trade or organisational secrets, and other confidential information or opinions, as well as data belonging to others.

Typical motives: social engineers may seek such data for any number of reasons. They might be hackers themselves, or script kiddies, malware developers, internet investigators, fraudsters or any other type of online criminal for whom the information obtained is valuable as a source of access into secure areas or as a mechanism for committing fraud.

The internet investigator

Profile: the internet investigator uses online resources to gather information on a range of targets, including individuals, businesses, and government agencies. The internet investigation skill, which is generally associated with law enforcement or private investigators, is used to equal effect by criminals, spies, and even journalists. The internet investigator will use a range of online tools, from search engines to fake social media profiles, in order to source and collate data that in times past would simply not have been accessible. Examples include data that could suggest what the strategy of a particular organisation might be, travel and personal data about senior executives, information that can be used to blackmail or harass a victim, and personal data that can be used to commit identity theft or fraud.

Typical motives: the internet investigator generally falls into one of two categories: those who are paid by a third party to gather data on their behalf, either lawfully or unlawfully, and those who gather data for personal gain.
The spammer

Profile: the spammer is engaged in a commercial activity which involves the distribution of unsolicited messages by any available electronic means in order to broadcast advertising to a large target audience. In its earliest manifestation, spam was typically delivered via email, but as the technology has evolved, the world has seen the emergence of mobile phone spam, instant message spam and, more recently, social media spam. Although organisations and service providers have done a great deal to manage the impact of spam on users and consumers, spam remains a problem as it uses up significant amounts of capacity in the communications network, and at the end of the day consumers still pay the cost of this, though they may not be aware of the fact.

Typical motives: almost without exception, spammers have a pure profit motive, although some forms of denial of service or flooding attack can have many of the characteristics of spam, the difference being that such attacks will tend to be directed at a relatively small number of targets while spam is broadcast to as many targets as possible.

The fraudster

Profile: the online fraudster comes in many forms, including the financial fraudster, the e-commerce fraudster, the payment card fraudster, the mortgage fraudster, the insurance claim fraudster, and those attempting to commit market abuse or similar crimes. Indeed, there are any number of fraudster profiles online, limited only by the range of services, payment mechanisms and business models offered.

Typical motives: the goal of the online fraudster is simply to make a financial gain or cause a financial loss through the use of deception. Their motives are generally restricted to either profit or revenge.

The spy

Profile: the online spy may be an agent of the state or in the employ of a corporation. They may also be part of a single-issue, organised crime or terrorist cell.
Whatever the nature of the organisation behind the spy, the goals and methodologies of spies are generally consistent: to gather secret data for the purpose of creating business intelligence, crime intelligence, military intelligence, or for cyber warfare planning. This data may include competitive information, customer data, pricing, intellectual property, military dispositions, information about internet infrastructure and systems, as well as state secrets. Spies use many of the techniques described above, including internet investigations, malware, hacking, social engineering, and even fraud to achieve their ends.

Typical motives: a majority of spies are salaried individuals carrying out the instructions of their employers, and in this sense their personal motives are largely irrelevant. A minority of spies, for example those engaged in terrorism or in supporting single-issue extremists, may have ideological motives for their actions.

The cyber terrorist

Profile: a terrorist is someone who uses violence, or the threat of violence, normally against innocent civilians, in order to influence the state to take an action or to desist from specified actions. In cyber security terms, the cyber terrorist is someone who uses cyber technology to facilitate or execute such attacks. [4] This might involve the collection of information or the social engineering of key personnel in order that an attack may proceed, or the use of internet communications in an unauthorised fashion (for example, by using fake profiles) in order to organise or coordinate the attack. Another equally important scenario involves the takeover of key systems such as air traffic control, power or water via the internet in order to do physical harm. Terrorism may also include mere threats to cause harm based on some demonstration of capabilities.
Recently, activists or terrorists were caught attempting to sever critical undersea communications cables near Alexandria in Egypt. Dubbed "Fibre Terrorists" by some media wags, both their intent and the risk these threat actors highlighted are very serious. The internet is heavily dependent on such cabling, and any organised cutting of cables, for example as a military act during wartime, at relatively few key points around the planet would have the effect of turning the internet off.

Typical motives: although the phrase is loosely used, the terrorist normally has a political motivation and has concluded that violence is the best option for delivering change. Some terrorists are merely anarchists whose real purpose is simply to attack any and all authority, and others are motivated by religion.

The naive employee

Profile: it may surprise the reader to learn that the naive employee is often the biggest threat to any organisation. Many cyber attacks depend on employees being lax in their adherence to security protocols, giving up information to social engineers, or posting confidential data online. A lack of employee awareness, or a failure to adhere to guidelines, can constitute the largest risk for a firm or government department.

Typical motives: while a small number of employees will always be susceptible to being subverted by offers of financial reward, in most cases the ploys used are more likely to depend on promises of romance, a better job, or simple trickery.

Conclusion

What these simplified pen portraits tell us is that human nature, as is always the case, throws up a complex and differentiated mix of players, personalities, motives and behaviours in the cybercrime space.
No less complex is the potentially bewildering list of tools and techniques available to these individuals, and the combination of widely differing motivations, geographic dispersion, a multicultural or even a globalised dimension to the story, and a rich array of low-cost, high-tech weaponry means that organisations are finding it increasingly difficult to predict how, when and why attacks might occur, as Table 3 illustrates. In the next chapter, the report looks at the question of why attacks occur and considers some of the variables that influence their nature and scope.

Table 3: Examples of the relationships between cyber threat tools and techniques and cyber threat actors. (Table content: columns for the threat actors hackers, script kiddies, malware developers, social engineers, investigators, spammers, fraudsters, spies and extremists; rows for the tools drive-by exploits, worms/trojans, code injection, exploit kits, botnets, Malnets, denial of service, phishing, APTs, spam and social engineering; the individual cell markings are not reproduced.)

References

1. Suby, M., (ISC)2 Global Information Security Workforce Study, (ISC)2, 2013.
2. Wang, R., Malware B-Z: Inside the Threat from Blackhole to ZeroAccess, Sophos, 2013.
3. Mobile Threat Report, January-March 2013, F-Secure, 2013.
4. Verisign iDefense 2012 Cyber Threats and Trends, VeriSign, 2012.