
MARK JOHNSON

Cybercrime: Threats and Solutions


Contents
Executive summary ............................................................................................................VII
About the author................................................................................................................XI
Part One: The cyber threat landscape in 2013
Chapter 1: Cyber criminals: Profiles, motives, and techniques ........................................... 3
An interview with (ISC)2 .......................................................................................................... 3
The Blackhole exploit kit ........................................................................................................ 6
Other exploit kits and CaaS attack tools ................................................................................. 9
Increasingly varied threats...................................................................................................... 9
A Cyber Pearl Harbor .......................................................................................................... 10
From one-to-one towards many-to-many .......................................................................... 11
The cybercrime perfect storm scenario ................................................................................ 13
Threat actors: the cast of cybercrime characters ................................................................... 14
Conclusion ......................................................................................................................... 17
Chapter 2: Why cyber attacks occur ................................................................................. 19
Strategy versus operations ................................................................................................... 19
Horizontal versus vertical sectors .......................................................................................... 20
Access versus exploit ........................................................................................................... 21
Why are organisations vulnerable? ....................................................................................... 23
Awareness need not have a technical focus .......................................................................... 24
Cyber challenges facing the world in 2013 ........................................................................... 25
Conclusion ......................................................................................................................... 35
Chapter 3: The impact and cost of cybercrime .................................................................. 37
Financial ............................................................................................................................ 38
Brand, reputation, and customer confidence ......................................................................... 39
Fake online profiles ............................................................................................................. 40
Personal and social effects ................................................................................................... 41
Tracking and privacy ........................................................................................................... 41
A risk-based approach to planning ....................................................................................... 43
Conclusion ......................................................................................................................... 43
Part Two: Cyber attack techniques
Chapter 4: From an army of one to the botnet ................................................................. 47
The typical stages of a cyber attack ...................................................................................... 47
Attack objectives ................................................................................................................. 48
Common tools and techniques ............................................................................................ 48
Organised crime ................................................................................................................. 50
A growing threat ................................................................................................................. 53
Chapter 5: E-crime .......................................................................................................... 55
Social engineering .............................................................................................................. 56
Phishing ............................................................................................................................. 56
Pharming ........................................................................................................................... 57
Data theft ........................................................................................................................... 57
Online fraud ...................................................................................................................... 58
Conclusion ......................................................................................................................... 58
Chapter 6: Employees and risk ......................................................................................... 59
Hostile online investigations and social media ....................................................................... 59
Unauthorised Cloud deployments......................................................................................... 60
USB sticks and other media ................................................................................................. 60
Conclusion ......................................................................................................................... 62
Part Three: The road ahead
Chapter 7: Governance .................................................................................................... 65
The evolution of cyber security and the regulatory framework ................................................. 65
Winning the argument ......................................................................................................... 68
Governance, risk, and compliance ....................................................................................... 68
Auditing vs penetration testing ............................................................................................. 69
A high level governance action plan for cyber security ........................................................... 71
Chapter 8: Assessing risks ................................................................................................ 73
Information technology and data asset inventories ................................................................. 73
Threat assessments.............................................................................................................. 76
Vulnerability assessments ..................................................................................................... 78
ICT risk registers ................................................................................................................. 79
Risk velocity ........................................................................................................................ 80
Risk tolerance and the goldilocks zone ............................................................................... 80
Cyber crisis response ........................................................................................................... 80
Conclusion ......................................................................................................................... 84
Chapter 9: Devising or updating controls ......................................................................... 85
Data classification and segmentation .................................................................................... 86
Encryption .......................................................................................................................... 87
Authentication .................................................................................................................... 89
Network flooding attacks ..................................................................................................... 90
Anti-malware solutions ........................................................................................................ 90
Mobile device security ......................................................................................................... 91
Cloud security .................................................................................................................... 92
Mobile payments security ..................................................................................................... 95
Machine-to-machine auditing .............................................................................................. 97
Citizen developers ............................................................................................................... 98
ISO 27001 compliance....................................................................................................... 99
Conclusion ......................................................................................................................... 99
Executive summary
IN MARCH 2013 cyber criminals launched
an attack on a little-known non-profit
organisation called Spamhaus, which
contributes to the fight against internet
spam. The attack was then extended to
include a service provider and the
organisation's network provider.
The attack, described as the largest of its
type ever seen, caused serious operational
problems at the London Internet Exchange
and affected quality of services across
several parts of western Europe. Some
informed commentators suggested that
it highlighted important vulnerabilities in
internet infrastructure.
Cybercrime, in its various guises, costs
the global economy untold sums of money
and much social and personal harm. In
February 2011 the UK Cabinet Office
sponsored a report by Detica, titled The
Cost of Cybercrime, [1] that put the financial
cost to the UK economy at £27 billion per
annum, even without factoring in issues
such as child exploitation. Although widely
challenged by many experts, the Cabinet
Office figure is useful for the insight it
provides into the seriousness with which the
UK Government views the problem.
A more refined assessment was
produced by a mixed group of experts
in 2012. [2] This broke the costs down into
three separate categories: the direct cost
of cybercrime; the social and other indirect
costs; and finally, the cost of cyber security
defences or responses to cybercrime. The
authors found that the direct losses resulting
from cybercrime and, significantly, criminal
gains from cybercrime, are far outweighed
by the other costs. One important conclusion
emerging was that expenditures on technical
defences greatly exceed recorded losses.
In late 2012 the respected European
Network and Information Security Agency
(ENISA) issued its own updated assessment
of the threat landscape. [3] In this report,
ENISA stated that of 16 top cyber threats
monitored by the Agency, 11 are increasing,
four are stable, and only one is decreasing.
Cybercrime, the assessment confirmed, is on
the rise.
It is difficult to assess the full implications
of these observations. Are the defences
working well and reducing the amounts lost?
Or are organisations over-reacting to hype
by throwing money at the problem? What
role does awareness play in either the level
of exposure to risk or in the decisions being
made about the acquisition of solutions?
A widespread lack of awareness is a major
obstacle to progress; it increases operational
risks, skews decision making, and allows
hype to dictate the direction of travel.
This report arrives at some very important
conclusions about the nature of the threat
and the requirements on organisations
in terms of a response. These can be
summarised as:
- An army of one has the power to cripple key systems and infrastructure: The proliferation of easy-to-use attack tools means that the asymmetric nature of the cyber menace is more pronounced than ever before;
- Raising awareness amongst non-technical users and leaders should be job one: Users and their leaders are sometimes unaware of the perils and, without better user awareness, attackers will always have a hefty set of loopholes to exploit;
- It is not all about China: Doubts are starting to emerge in some quarters about the veracity of reports blaming China for the preponderance of reported cyber-attacks and intrusions;
- Dependency is the biggest area of vulnerability: Because business, governments, and citizens have such a great dependency on cyber and communications technologies, and because those technologies have converged on the internet, they now represent a single point of failure for the globalised system of trade and finance;
- Forget hacking; poor user habits, purpose-made exploit kits and Cloud risks are far more substantial threats to our cyber security: Anonymity online, the ease with which social engineering attacks can be executed, and the virtualisation of key data and systems in the Cloud all mean that traditional hacking attacks on corporate servers are likely to become less frequent and significant than attacks on virtualised platforms, as well as on employees operating in the social spaces;
- Governance of information is the top priority for boards: In the information age, data assumes primacy as a business asset. Accordingly, those responsible for the well-being, compliance, and security of the business are now recognising that information security is a top priority; and
- Network providers must take responsibility for network security: Recent attacks have demonstrated that once malicious data have arrived at the targeted server it may be too late to block the attack; the network's capacity to function has already been affected. Therefore it is the network provider itself that must detect and block potential attacks.
The previously mentioned lack of
awareness surrounding cyber security
may seem surprising given the plethora
of cybercrime and security reports available
from solutions vendors and government
agencies alike. However, very few of
the reports published are intended for
non-technical audiences and, in the main,
reports on cybercrime assume a certain
level of knowledge on the part of the
reader. Perhaps as a consequence, they
provide little in the way of explanations of
basic cyber security principles or simple
depictions of attack techniques.
There is increasing concern that
the cyber message is not getting across
to those who really need to hear it: to
the decision makers and senior executives
in non-technical fields who are unlikely
to take the time necessary to understand
the issues presented, or to appreciate the
impact these threats may have on their
operations, revenues, and reputations.
At the end of the day, cyber security and
IT professionals are to the enterprise as
mechanics are to motor vehicles. They
understand and can often mend problems,
but what they cannot do is to ensure
that everyone else drives carefully and
responsibly. This report is produced with
the non-technical reader in mind and is
aimed at decision makers and mid-level
managers from all organisations.
References
1. See: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60942/THE-COST-OF-CYBER-CRIME-SUMMARY-FINAL.pdf
2. Anderson, R. et al., Measuring the Cost of Cybercrime, 2012. See: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
3. ENISA Threat Landscape: Responding to the Evolving Threat Environment, 2012. See: www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport
About the author
MARK JOHNSON is a prominent writer, speaker, and thinker on current and emerging high
technology risks and the author of two books on the subject. Immensely proud of his complete lack
of technical education, Mark specialises in painstakingly deciphering the computer talk emanating
from conventional subject matter experts and formulating common-sense explanations, conclusions,
and recommendations for the layperson.
Mark is chairman of The Risk Management Group (TRMG) which provides consultancy and
training in several areas of high technology risk. Areas covered include cybercrime and security,
mobile payments risk and fraud, and cyber crisis response, as well as telecoms revenue assurance.
TRMG is also very active on the conference circuit and it supplies a number of free educational
resources on various aspects of risk via its website at www.trmg.biz. With its long list of blue chip
references, TRMG was recently selected by the Association of Chief Police Officers (ACPO) Data
Communications Group (DCG) Futures Group to prepare illustrated guidance for the UK Police
on emerging mobile payments technology risks and investigations.
Chapter 1: Cyber criminals: Profiles, motives, and techniques
AWARENESS AND concern about cyber
security are both growing and so is the
range of issues that security professionals
and data custodians share. This is evidenced
by the findings of (ISC)
2
in its 2013 Global
Information Security Workforce Study
which surveyed over 12,000 respondents
from large corporate and public sector
organisations.
1
When asked to score their
top cyber threat concerns, the survey group
provided the responses shown in Figure 1.
The responses reveal that the focus of
today's senior security professionals needs
to be very broad, covering a range of
challenges from poor employee awareness
to advanced attacks by state-grade hackers.
As the internet and its service offering
continue to evolve, it can only be expected
that these challenges will become ever
more complex.
Figure 1: "Top" and "High" concerns from the (ISC)2 2013 Global Information Security Workforce Study, scoring perceived
information security risks by percentage of respondents
Application vulnerabilities: 69
Malware: 67
Mobile devices: 66
Internal employees: 56
Hackers: 56
Cloud-based services: 49
Cyber Terrorism: 44
Contractors: 43
Hacktivists: 43
Trusted third parties: 39
Organised crime: 36
State sponsored acts: 36
An interview with (ISC)2
The author interviewed John Colley,
managing director of (ISC)2, about his
firm's findings.
Author: How do you see the cyber
security landscape in general in 2013?
Colley: The security community has become very skilled at securing the network and the ISO
(Open Systems Interconnection) stack that connects the underlying network layer to the topmost
applications layer. Most vulnerabilities are now at the application level, in other words at the
top of the stack, or out of the stack completely at the end-user level, and this is where we see
the most action today.
Author: Application vulnerabilities scored even higher than malware during your survey. How do
you account for this?
Colley: Many of the vulnerabilities we face today have actually been known for a very long
time, but security is not always considered all the way through the application or software
development lifecycle and so the lessons learned in the past are not factored into the new
designs. In many businesses, information security has only recently become involved in the
sign-off for new applications and software. This means that risk increases because security is less
pro-active than it should be.
Author: What makes mobile device and employee risks so significant?
Colley: New technology comes along all the time, but security sometimes functions reactively,
rather than being proactively engaged. It was rather obvious when mobile phones started to
become really popular that most people would ultimately prefer to use their own phone for
everything, due to the need to make personal as well as business calls. In other cases it's about
using the device of choice, the one with the best feature set. With the arrival of smart phones
and the addition of business applications the pressure just increased, but neither security nor
the wider business picked up on this early enough. Another pressure point is the fact that
early adopters are likely to be senior executives and they will push through their requirements
regardless of policy and so we find ourselves in a situation where BYOD (Bring Your Own
Device) is a problem rather than an opportunity.
In some cases, the response has been to adopt thin client technologies where most data
does not reside on the device but on a backend platform. However, not all organisations
have adopted this approach. Whatever solutions are implemented, organisations need to be
responsive to user needs and preferences, carefully balancing risk, security, user satisfaction
and efficiency.
Author: State sponsored attacks get all the press coverage these days, as well as the
political attention, but this risk actually scores lowest in the survey. How do you view that
apparent contradiction?
Colley: It's important to note that the survey was conducted before many of the most recent
high profile attacks took place and so attitudes might have shifted somewhat since then.
However, state sponsored attacks do tend to be very targeted and are usually intended to gain a
commercial competitive advantage in a relatively narrow set of sectors and industries. So, these
attacks may not be a major problem for most organisations, only for a minority, depending of
course on where they operate.
Cybercrime: Threats and Solutions
5
Author: One apparently important risk that my research has uncovered, but which is not listed
in the (ISC)2 top twelve risks, is dependency on network connectivity as a key vulnerability. In light
of the recent abortive so-called "Fibre Security" attack reported from Egypt, do you see internet
dependency as a risk that will receive more attention in the future?
Colley: In the past most large organisations had private networks which they either owned or
rented. While this protected them in one sense, it also made many of them incredibly dependent
on a single network that didn't always have massive redundancy. The internet, on the other
hand, is incredibly resilient, although there are indeed pinch points, but given a failure at any
one node the likelihood is always that service will continue to be delivered. While one can never
say never, I regard the risk of a wholesale internet failure as vanishingly small.
Author: How much of an effect have the App model and the activities of the citizen developer
had on risk and security?
Colley: While end users hobbyists are one form of citizen developer, many organisations also
have non-IT department people developing and supporting solutions. Sometimes this is informal
and on other occasions these shadow IT developers have been brought in from the outside
by departments that are frustrated with the official IT approach. This can exacerbate risk as
businesses become dependent on applications that are poorly supported and documented. Very
often, the external consultant leaves and it is at this stage that the official IT function is asked to
step in and support an application the existence of which is news to them. All manner of risks
arise from this kind of scenario.
Author: Unauthorised Cloud usage (and the provisioning of Cloud services without IT approval)
is thought to be a widespread practice. Does this chime with your experience?
Colley: There are in fact many examples where business critical functions have been developed
on Cloud without the normal IT process and quality controls being applied. Again, this
contributes to risk and the problem is unlikely to go away.
Author: How important is user awareness and how can organisations improve and
deepen it?
Colley: User awareness is absolutely essential to any organisation. This is not just about telling
people what to do, but rather about educating them regarding the actual risks and problems
faced in order to allow them to take an informed approach to risk.
In fact, I believe that cultural change is even more important than conventional user
awareness. For example, the safety culture in oil and gas or the customer information protection
culture in financial services are really deeply ingrained in the sinews of the business; everyone
understands and conforms instinctively in a way that no awareness programme can achieve.
Cyber security needs to become a part of the culture of every organisation.
At the same time, however, controls must not get in the way of people doing the job or
driving insecure practices such as writing long passwords down, and deeply ingrained corporate
cultures are not always a good thing. Once again, it's all about achieving the right balance and
having the vision and flexibility to adapt as the environment changes.
Author: In conclusion, are we keeping up with today's cyber attackers or are we falling behind?
Colley: Security is keeping up, even though the attackers are always going to be one step
ahead simply because they have a vast number of options available to them. As I've said, the
key is for security to be able to respond quickly and effectively. This has been a consistent pattern
over the last two decades, although the pace has increased as the number of attacks increases.
This, however, is somewhat offset by the increasing number of security professionals entering the
profession and I am confident about our collective ability to counter the threat and protect our
global economy.
The Blackhole exploit kit
In what could be construed as a demonstration of the combined effects of application
vulnerabilities and malware, the two top-scoring risks in the (ISC)2 report, two Russian hackers,
allegedly nicknamed HodLuM and Paunch, developed, and later started to offer online, an
easy-to-use kit for launching cyber attacks. The Blackhole exploit kit became one of the most
popular and effective toolsets of its kind and by 2012 internet security firm Sophos was reporting
that 28 per cent of all web threats it had detected during that year were facilitated by Blackhole,
as illustrated in Figure 2. [2]
Figure 2: Web attacks by type, 2011-2012. Source: Sophos Labs US
Drive-by redirect (not Blackhole): 31%
Drive-by redirect (Blackhole): 24%
Payload (not scareware): 11%
Exploit site (not Blackhole): 8%
Other: 8%
Exploit site (Blackhole): 7%
Search engine optimisation: 7%
Scareware: 4%
The utility of these metrics
These statistics imply that:
- Drive-by attacks are currently the predominant form of web attack. (Drive-by attacks occur when a user visits a malicious webpage and is infected without taking any of the conventional actions, such as downloading a file);
- Almost half of all drive-by attacks are facilitated by the use of the Blackhole exploit kit; and
- Developing awareness of the drive-by risk and also ensuring that systems are up-to-date with the latest security patches are two key steps that organisations need to be taking now.
How the Blackhole model works
An exploit kit is a software tool used by
attackers to get other software installed on a
victim's PC. This other software can perform
a wide range of tasks, usually malicious.
So, an exploit kit such as Blackhole contains
a range of different payloads and the user
selects the ones desired and the intended
target or type of target. Blackhole then
delivers the selected payload and the
payload conducts its attack on the infected
device, as described below.
Exploit kits are sold online to anyone
who wishes to use one. The kits normally
exploit known security holes in the versions
of software installed on victims' devices,
for example web browsers, to deliver the
malicious payload selected by the user
of the exploit kit. The older the browser
version, the more likely it is to contain
known holes and so updating browsers and
other software regularly is a key defence
against Blackhole-type attacks.
The person or persons who wrote the
Blackhole code are not the person or persons
who use it to attack targets. They are simply
in the business of creating and selling their
exploit kit as a service to other cybercriminals.
Exploit kit developers deliver, package, and
sell their kits in a model that is very similar
to the SaaS (software as a service) model,
and this is therefore often referred to as
CaaS (crime as a service). A would-be
cybercriminal purchases a license to use
Blackhole, or any other such exploit kit, for a
period of time. The costs and licence options
vary between different kits and some kits
even include software updates, while others
are available at a premium to include the
most modern exploits that can bypass even
up-to-date anti-malware applications.
Blackhole and other exploit kits,
therefore, represent the transfer of
weapons-grade cyber technology from the
hands of a few to the hands of the many
via a commercial channel. They empower
relatively non-technical people to perform
highly technical attacks against any chosen
target or against targets of opportunity and,
as such, they constitute a clear danger to all
aspects of online activities and services.
The five stages of a Blackhole attack
In simple terms, there are five main stages to a Blackhole attack:
- Stage 1: Initial contact with the victim;
- Stage 2: Drawing the victim to an exploit site;
- Stage 3: Investigation of the victim's device and software to identify possible exploits;
- Stage 4: Delivery of the appropriate malware to the victim's device; and
- Stage 5: Execution of the malware payload. This in itself can be a multi-stage process.
As indicated in the list above, most exploit kit attacks start by getting a user's browser to point
at an infected exploit site where the malicious payloads will be downloaded and installed without
the user's knowledge or consent. Common ways of achieving this include:
- Compromising legitimate trusted web pages or servers and infecting them with code that re-directs visitors to the malicious exploit site. Recently, large networks of compromised web pages have started to appear, all taking visitors to the same exploit site. These networks of infected pages are called Malnets; and
- Sending Spam or targeted messages (email, SMS, instant messaging or social media messages) to people with links to the malicious site included in the message. Normally, these links are obfuscated so that they appear to go to non-threatening sites. A message asking "Is it you in this photo?" circulated widely on Twitter and was linked to a Blackhole outbreak.
Attacks might also be conducted by hiding
trojan code in file downloads, such as
popular music or games. In most of these
scenarios, user ignorance or deliberate
breaches of security guidelines are a major
contributor to the problem.
At the exploit site
Once a victim arrives at the exploit sites
landing page, the Blackhole software hosted
there carries out several tasks automatically,
such as:
Logging where the user was redirected
from; in some cases this will lead to a
payment being made to a collaborating
malicious site; and
Analysing the users device remotely
to determine its browser type and
versions, operating system, other
software types and versions (Adobe,
Java, Flash, etc.) in order to determine
which types of attack have the best
chance to succeed, based on the known
vulnerabilities in each of these software
types and versions. The Android OS,
for example, is the target of over
90 per cent of all malware attacks
on mobile devices.[3]

Figure 3: The F-Secure figures for new mobile device threats, Q1 2013, suggest that over 90 per cent of new threats focused on the Android operating system.
Total threat count by quarter: Q1 2012: 61; Q2 2012: 66; Q3 2012: 74; Q4 2012: 100; Q1 2013: 149.
Q1 2013 breakdown: Android OS 136/149 (91.3%); Symbian OS 13/149 (8.7%); Blackberry, iOS, Windows Mobile 0/149 (0%).

Execution of the attack
Once its analysis is complete (and this
requires only a split second) Blackhole
determines the best available exploits and
loads up the appropriate attack tools before
directing them at the unwitting visitor.
Payloads contained within these attack tools
can include spyware that monitors users
actions, code that steals files or other data,
worms that navigate from the infected device
to other devices on the same network, and
many other attack techniques.
All of this is being controlled by the
Blackhole users, of which there can be
an unlimited number, not by the actual
developers of Blackhole. In fact, the
developers will have no specific knowledge
of how or where their toolkit is being used.
Other exploit kits and CaaS attack tools
Blackhole is by no means the only kit of its
type available for download, with others
including the Phoenix and ZeroAccess
exploit kits, the Low Orbit Ion Cannon, and
the High Orbit Ion Cannon, all part of the
new range of easy-to-use attack tools built
by experts for deployment by less technical
followers. Each of these tools has been
widely distributed, downloaded in large
numbers and used. Exploit kits such as these
not only make the distribution of threats
easier and more diffuse than ever before;
some also represent a means for their
creators to secretly take remote control of
infected machines to create botnets: robot
armies of malicious computers, sometimes
numbering in the millions and capable of
launching a variety of attacks or facilitating
illicit money making schemes.
Commenting in a 2012 report, Verisign, a vendor of security solutions and services, said: "You no longer need to be a sophisticated hacker to commit fraud on the internet. Anyone who is motivated can join in, thanks to the off-the-shelf phishing kits provided by a thriving cyber crime ecosystem. Cyber criminals are even migrating to a new business model known as malware-as-a-service (MaaS), where authors of exploit kits offer extra services to customers in addition to the exploit kit itself."[3]
Increasingly varied threats
Threats in the modern era are increasingly
diverse and sometimes unforeseeable.
Consequently, much of the emphasis within
organisations will now need to be directed
at responding to unavoidable incidents
and managing their effects, rather than at
preventing or attempting to avoid them.
A merging, during crises, of information
or cyber security, fraud control, risk
management, and disaster recovery, closely
supported by the public relations, human
resource management, and legal functions,
is projected to be one possible outcome of
these developments, implying that a complex
matrix of functions, tools, and skills will need
to be brought to bear on future cyber risks.
Disaster recovery planning is
possibly the most urgent requirement for
organisations large and small, and indeed
for individuals. Off-site data backups, hot
and cold equipment backups, redundancy
in connectivity, alternate work sites or
remote working contingency plans, manual
contingency processes, and many other
alternatives during a time of information and
communications technology crisis cannot be
devised in the saddle.
It seems clear then that the coordination
and leadership of such an interwoven set
of activities during a crisis will demand
the full attention of top management and
that no organisation should wait until
such a situation is upon them to tutor
and equip their senior staff for this task.
Awareness training, contingency planning,
and rehearsals at the highest levels
therefore represent a critical pillar in every
organisations risk strategy.
A Cyber Pearl Harbor
We live in a future torn from the pages
of science fiction novels, a future foretold
by the likes of Asimov, Heinlein, and
Orwell. While there are no flying cars,
there is an all-reaching worldwide network
of connectivity and communication, a
network populated by miracle workers
and miscreants, a global meeting space,
shopping space, and entertainment space, a
cyberspace ... and a battle space.
On Tuesday 14 May 2013, Gen. Keith
Alexander, head of the U.S. National Security
Agency and U.S. Cyber Command,
told a cyber-security summit sponsored
by the Reuters news agency that U.S.
computer networks are under constant
attack. The attacks take two forms,
according to Alexander:
The theft of secrets; and
Disruption or damage to networks.
"Mark my words, it's going to get worse," Alexander said. "The disruptive and destructive attacks on our country will get worse and... if we don't do something the theft of intellectual property will get worse."
Not only are the new threats more
diverse, but they are increasing in complexity
and many are launched in a coordinated
fashion by attackers numbering in the
thousands. Social media, exploit kits and
free online training tools are all being
used to construct an advanced, diffuse
attack model, sometimes with political or
environmental drivers, which can target
major concerns at will. Attacks on the US
financial services sector in 2012 typified this
new reality, leading US President Obama
and other senior figures to speak publicly
about a cyber security threat to the global
economic system, or of a 'Cyber Pearl Harbor', as Leon Panetta, then US Secretary of Defence, put it at the time of the attacks.

Figure 4: A Maturity Model summarising some of the key changes in the nature and focus of information and communications technology over four decades
ICT Maturity Model, stages 1 to 4 (Immature to Mature, 1980 to 2013); ICT focus shifts from Managers to Workers to Consumers to Everyone; technologies shown in order: Mainframe, Client-server, PC, Web server, PC, Laptop, PDA, Cloud, Mobile data, BYOD, App Model, Cybernetics.

From one-to-one towards many-to-many
While the old threats remain important,
new cyber attack models are also evolving
and they are taking society towards a more
complex mix of cyber threats.
One-to-one attacks
Most closely fitting the traditional image
of the Mensa-grade, pony-tailed hacker
operating from a darkened room,
one-to-one attacks also encompass
insider data thefts and many forms of
fraud, blackmail or eCrime attack. This
remains an important type of threat.
One-to-many attacks
Evolved over several decades, typical
examples of the one-to-many attack model
include Malware or viral attacks, spread, for
instance, via email. Spam and Adware are
also forms of one-to-many attack in which a
single source spews out unwanted marketing
messages to millions of recipients.
Many-to-one attacks
Typified by the Low and High Orbit Ion
Cannon attack cases, as well as by the
Botnet scenario, many-to-one attacks involve
willing accomplices or hijacked devices
launching mass attacks on a single target.
This is commonly designed to deny services
to the users of the targeted machine.
Many-to-many attacks
A cyber security nightmare, the conceptual
many-to-many attack features millions of
infected devices, or willing participants,
simultaneously launching many millions of
attacks on millions of targets, all across
the internet, thus causing congestion and
cascading internet failures.
The Low Orbit Ion Cannon (LOIC) software used to launch the 2012 attacks on at least 14 major US banks was made available as a free internet download, amply supported by 'how to' videos on YouTube. One of the most popular of these videos, uploaded in November 2010 and still accessible at the time of writing in mid-2013, has received over 264,000 views to date. Versions of this training tutorial are also available in other languages. The LOIC application was downloaded 34,000 times in the UK alone over a period of just three days, according to the Metropolitan Police's head of e-crime investigations. This characterises the advanced nature of the threat and an apparent eagerness on the part of many individuals to acquire these cyber-war-fighting capabilities that no major body can afford to ignore.

Figure 5: The scope of most cyber attacks according to US Gen. Keith Alexander (attacks on data in storage or during transmission; attacks on the network that allows data to be transmitted).

The impact of cyber attacks on business,
government and nation states is not merely
financial. Of far greater import are the
effects that attacks can have on trust and
consumer confidence; their impact on
the brand. Whether this relates to data
loss from government computers or loss
of service for banking, online payments,
communications, utilities or any of the
myriad services exposed to such risks, the
potential harm is very serious. The very
interconnectedness of the modern enterprise
and its dependence on shared infrastructures
and resources, sometimes referred to as 'entanglement' by cyber warriors, merely serves to exacerbate the risks. In a time of crisis, if network capacities are restricted, shared resources can become bottlenecks and possibly critical points of failure, while crises in one sector or location can trigger cascading crises in adjacent ones.

Table 2: How different cyber attack tools and techniques map conceptually across the four classes of attack scenario
Scenario (columns): One-to-one | One-to-many | Many-to-one | Many-to-many
Tools (rows): Drive-by exploits; Worms/trojans; Code injection; Exploit kits; Botnets; Malnets; Denial of service; Phishing; APTs; Spam; Social engineering

Figure 6: Evolving cyber attack models are becoming ever more complex (One-to-one, One-to-many, Many-to-one, Many-to-many).

The cybercrime perfect storm scenario
Cascading failures are not unknown in
complex modern technology-based systems.
The second most widespread power blackout
in history took place in the North-eastern
and Mid-western United States and the
Canadian province of Ontario in mid-August
2003 after trees brushed power lines during
a weather storm. Operators at the affected
power company were unaware of the need
to re-distribute electricity loads due to a
software bug in their management systems
and the resulting cascade of power outages
left 55 million people without electricity,
many for two days. The same pattern applies
to the information and communications
technology mix, of which the internet is today
a core part. An initial cause as seemingly
low grade as the digital equivalent of a
falling tree or a malicious software bug does
have the capacity to cause significant effects,
as highlighted by the Spamhaus incident
mentioned at the start of this report and
covered in more detail later.
In a complex network of systems or
processes, a cascade of cause and effect
can ripple through the entire system in such
a way that a small initial cause can have a
large and widespread set of effects. In the
cybercrime perfect storm scenario, such
impacts could be widespread.
Organisations of all sizes must continue
to secure the perimeter (diffuse as that
perimeter might now be with the multitude
of modern internet touch points) using the
conventional mix of people, processes and
technology. They also need to take a
fresh look at how data is classified
and segmented in the era of Cloud
services. Disaster recovery and business
continuity require much more attention
than ever before because it is increasingly
clear that any or all of us can be struck by
a localised cyber-crisis at some point in
the short-to-medium term, while a more
widespread failure is not beyond the bounds
of possibility. Security in the cyber age, in
other words, must embrace the inevitability
of a critical failure and, while attempting to
defer it, plan also for what comes after.
The democratisation of the cybercrime
arena, represented by Blackhole, Phoenix
and the Low Orbit Ion Cannon, has resulted
in the ever larger numbers of would-be
attackers coming onto the scene and this
in turn has led to an increased level of risk
for both corporate bodies and public sector
organisations worldwide. What enterprises
are witness to in the case of these toolkits is
evidence of a symbiotic relationship between
those with technical skills, and those lacking
such skills, but possessing a motive to act.
These are only two categories out of several
that can be used to define the community
of active or potential cyber attackers and
the type of cyber attacker and the range
of motives for their actions are many and
varied. When combined, they form a matrix
and each new cybercrime case therefore has
the potential to be unique. Nevertheless,
it is possible to provide a broad brush
description of some of the typical attacker
profiles in pen portrait form.
Threat actors: The cast of cybercrime characters
The hacker
Profile: the traditional hacker is a technical
expert, often renowned for their skill and
generally proud of it. The hacker specialises
in breaking into systems by breaching
security using high-tech methodologies.
They may view corporations and
governments with suspicion and will often
hold the opinion that software and data
should be free of charge and free to access
for all. Few in number, experts of this ilk
keep a low profile and use pseudonyms to
disguise their real identities.
Typical motives: the hacker's motives
can be difficult to define with confidence,
particularly as Hollywood stereotypes are as
close as most people will come to meeting
a genuine one. However, those hackers
who have been apprehended in the past,
and who have agreed to speak about their
activities, have often included the love of
a technical challenge and a dislike of the
status quo as drivers for their behaviour.
Kudos or reputation is sometimes cited as an
additional motive.
The script kiddie
Profile: far more common than the
hacker is the script kiddie. Script kiddies
lack the supreme technical skills of hackers,
but have sufficient skill and interest in
the topic to be able to read or view text
and videos on the topic of hacking and
to download and execute software scripts
produced by hackers for them. Script kiddies,
therefore, represent a channel to market
for hackers who wish to reduce their risk or
increase their scope by using a multitude of
less skilled hands. Many of the prominent
denial of service attacks and code injection
attacks witnessed over the last two or three
years were almost certainly executed in large
part by script kiddies.
Typical motives: because of their
number, it is almost impossible to assign any
particular set of motives to this group, and
they include single issue extremists, bored
teenagers, would-be future hackers, and
those with a grudge against a particular
organisation or brand.
The malware developer
Profile: the malware developer has a great
deal in common with the hacker and may
even be a hacker in some cases, but their
focus is on building autonomous pieces of
code that have the ability to disseminate
themselves and infect multiple systems before
executing a variety of payloads. Increasingly,
malware developers are working along
commercial lines and using their skills and
their code to generate revenue. Malware
may also be used by hackers to create entry
points in target systems.
Typical motives: early malware
developers were often motivated by a desire
to demonstrate security vulnerabilities in
software or organisations, but modern
malware developers appear to be motivated
primarily by profit.
The online social engineer
Profile: the online social engineer is the
internet version of the conman. They specialise
in understanding human behaviour and
psychology and in exploiting that to persuade
targets to either take or avoid specific
actions, often going against their better
judgement. Examples include persuading
targets to disclose personal data, bank
account information, trade or organisational
secrets, and other confidential information or
opinions, as well as data belonging to others.
Typical motives: social engineers may
seek such data for any number of reasons.
They might be hackers themselves, or
script kiddies, malware developers, internet
investigators, fraudsters and any other type
of online criminal for whom the information
obtained is valuable as a source of access
into secure areas or as a mechanism for
committing fraud.
The internet investigator
Profile: the internet investigator uses
online resources to gather information on
a range of targets, including individuals,
businesses, and government agencies. The
internet investigation skill, which is generally
associated with law enforcement or private
investigators, is used to equal effect by
criminals, spies, and even journalists. The
internet investigator will use a range of
online tools from search engines to fake
social media profiles in order to source and
collate data that in times past would simply
not have been accessible. Examples include
data that could suggest what the strategy of
a particular organisation might be, travel
and personal data about senior executives,
information that can be used to blackmail or
harass a victim, and personal data that can
be used to commit identity theft or fraud.
Typical motives: the internet investigator
generally falls into one of two categories:
those who are paid by a third party to
gather data on their behalf, either lawfully
or unlawfully, and those who gather data for
personal gain.
The spammer
Profile: the spammer is engaged in a
commercial activity which involves the
distribution of unsolicited messages by
any available electronic means in order
to broadcast advertising to a large target
audience. In its earliest manifestation, spam
was typically delivered via email, but as
the technology has evolved, the world has
seen the emergence of mobile phone spam,
instant message spam and, more recently,
social media spam. Although organisations
and service providers have done a great
deal to manage the impact of spam on
users and consumers, spam remains a
problem as it uses up significant amounts
of capacity in the communications network,
and at the end of the day consumers still
pay the cost of this, though they may not be
aware of the fact.
Typical motives: almost without
exception, spammers have a pure profit
motive, although some forms of denial
of service or flooding attack can have
many of the characteristics of spam, the
difference being that such attacks will tend
to be directed at a relatively small number
of targets while spam is broadcast to as
many targets as possible.
The fraudster
Profile: the online fraudster comes in many
forms, including the financial fraudster,
the e-commerce fraudster, the payment
card fraudster, the mortgage fraudster,
the insurance claim fraudster, and those
attempting to commit market abuse or
similar crimes. Indeed, there are any number
of fraudster profiles online, limited only by
the range of services, payment mechanisms
and business models offered.
Typical motives: the goal of the online
fraudster is simply to make a financial gain
or cause a financial loss through the use
of deception. Their motives are generally
restricted to either profit or revenge.
The spy
Profile: the online spy may be an agent of
the state or in the employ of a corporation.
They may also be part of a single issue,
organised crime or terrorist cell. Whatever
the nature of the organisation behind
the spy, the goals and methodologies of
spies are generally consistent; to gather
secret data for the purpose of creating
business intelligence, crime intelligence,
military intelligence, or for cyber warfare
planning. This data may include competitive
information, customer data, pricing,
intellectual property, military dispositions,
information about internet infrastructure and
systems, as well as state secrets. Spies use
many of the techniques described above,
including internet investigations, malware,
hacking, social engineering, and even fraud
to achieve their ends.
Typical motives: a majority of spies
are salaried individuals carrying out the
instructions of their employers, and in this
sense, their personal motives are largely
irrelevant. A minority of spies, for example
those engaged in terrorism or in supporting
single issue extremists, may have ideological
motives for their actions.
The cyber terrorist
Profile: a terrorist is someone who uses
violence, or the threat of violence, normally
against innocent civilians, in order to
influence the state to take an action or
to desist from specified actions. In cyber
security terms, the cyber terrorist is someone
who uses cyber technology to facilitate or
execute such attacks.[4] This might involve
the collection of information or the social
engineering of key personnel in order that
an attack may proceed, or the use of internet
communications in an unauthorised fashion
(for example, by using fake profiles) in
order to organise or coordinate the attack.
Another equally important scenario involves
the takeover of key systems such as air traffic
control, power or water via the internet in
order to do physical harm. Terrorism may
also include mere threats to cause harm
based on some demonstration of capabilities.
Recently, activists or terrorists were
caught attempting to sever critical undersea
communications cables near Alexandria in
Egypt. Dubbed 'Fibre Terrorists' by some
media wags, both their intent and the risk
these threat actors highlighted are very
serious. The internet is heavily dependent on
such cabling and any organised cutting of
cables, for example as a military act during
wartime, at relatively few key points around
the planet would have the effect of turning
the internet off.
Typical motives: although the phrase is
loosely used, the terrorist normally has a
political motivation and has concluded that
violence is the best option for delivering
change. Some terrorists are merely
anarchists whose real purpose is simply to
attack any and all authority and others are
motivated by religion.
The naive employee
Profile: it may surprise the reader to learn
that the naive employee is often the biggest
threat to any organisation. Many cyber
attacks depend on employees being lax
in their adherence to security protocols,
giving up information to social engineers, or
posting confidential data online. A lack of
employee awareness, or a failure to adhere
to guidelines, can constitute the largest risk
for a firm or government department.
Typical motives: while a small number
of employees will always be susceptible to
being subverted by offers of financial reward,
in most cases the ploys used are more likely
to depend on promises of romance, a better
job, or simple trickery.
Conclusion
What these simplified pen portraits tell us is
that human nature, as is always the case,
throws up a complex and differentiated
mix of players, personalities, motives and
behaviours in the cybercrime space. No less
complex is the potentially bewildering list
of tools and techniques available to these
individuals and the combination of widely
differing motivations, geographic dispersion,
a multicultural or even a globalised
dimension to the story, and a rich array of
low-cost, high-tech weaponry means that
organisations are finding it increasingly
difficult to predict how, when and why
attacks might occur, as Table 3 illustrates.
In the next chapter, the report looks at the
question of why attacks occur and considers
some of the variables that influence their
nature and scope.
References
1. Suby, M., (ISC)² Global Information Security Workforce Study, (ISC)², 2013.
2. Wang, R., Malware B-Z: Inside the Threat from Blackhole to Zero Access, Sophos, 2013.
3. Mobile Threat Report, January-March 2013, F-Secure, 2013.
4. Verisign iDefense 2012 Cyber Threats and Trends, VeriSign, 2012.
Table 3: Examples of the relationships between cyber threat tools & techniques and cyber threat actors
Threat actors (columns): Hackers | Script kiddies | Malware developments | Social engineers | Investigators | Spammers | Fraudsters | Spies | Extremists
Tools (rows): Drive-by exploits; Worms/trojans; Code injection; Exploit kits; Botnets; Malnets; Denial of service; Phishing; APTs; Spam; Social engineering