cybercrime: radically rethinking the global threat

CYBERCRIME: RADICALLY RETHINKING THE GLOBAL THREAT NTT INNOVATION INSTITUTE, INC.


Post on 14-Apr-2017


Page 1: Cybercrime:  Radically Rethinking the Global Threat

1 NTTI3.COM


Cybercrime is nothing new. What is different now is the intimacy of those attacks. It is no longer only about some big name company looking foolish. Cybercrime now touches the lives of everyone in society. The enormous profit to criminals and the risk to individuals bring the scope of the evolution of cybercrime directly into every house and home – every day, everywhere.

In the 1970s and 1980s, there were stories of individual bank teller embezzlements, ‘phone phreaks’ manipulating computerized systems in search of free long distance service, and college students breaking into Department of Defense communications systems. In the late 1990s and early 2000s, several computer viruses drew attention to expanding threats and resulted in the birth of a whole new industry of anti-virus software. And in the year 2000, there was the first documented denial-of-service (DoS) attack traced back to a 15-year-old Canadian who called himself ‘mafiaboy,’ causing more than a billion dollars in damage against a number of prominent e-commerce sites.

All of this pales in size, sophistication, reach, and intent to the organized and highly sophisticated global cybercrime we have seen steadily growing over the past 15 years.

WHO NEEDS TO CARE ABOUT CYBERCRIME?

• Senior Executives – looking to protect their company against the rising risk of cybercrime, the impact to shareholders, and company assets and partners.

• The Three Percent of Internet Users – who don’t think they or their organization will be targeted.

• Strategic Business Thinkers – who need to realign their organizations due to the pervasive nature of cybercrime.

• Organizational Resource Planners – who manage the proactive, reactive and ongoing defenses against cybercrime.

• The 100% of Technology Users – who are intentionally targeted.

Today, cybercriminals and ‘black hat’ attackers look less like yesterday’s nerdy hackers hunched over computers in basements while harboring a vendetta against “the system.” Now they act more like Mafioso versions of sophisticated Silicon Valley startups. The digital criminal element has worked harder, become more innovative, and successfully broadened their toolset in order to compete with, and outstrip, the efforts of the established enterprise security industry. They are more sophisticated and agile than the companies they attack. They are masters at taking full advantage of the cloud, crowdsourcing, open exchange of data, and technologies often untethered to any particular infrastructure.

The result of this? Hundreds of billions in losses each year. This unsettling state of affairs has created a binary world with really only two kinds of companies: those that have been hacked and admit it, and those that have been hacked and don’t admit it or don’t know it yet. Worse yet, for the vast majority of individuals, very few of us have been untouched whether we know it or not.

In order to compete with the scale and agility of modern cybercriminals, forward-thinking enterprises and security leaders must begin to relate to them as some of the most powerful and innovative digital competitors that they will ever face. Security needs to be reframed in a larger strategic context as a value-creating investment rather than a value-protecting investment.

With the move to digital ‘everything,’ cybercrime is a bigger risk now than ever before due to the sheer number of connected people and devices. The analog world is shrinking rapidly, being replaced by an always-on, always-connected digital one. It’s only going to get worse if we don’t pay attention now and rethink security strategies and technologies.

ESCALATING COST OF CYBERCRIME

• 2014: $575B

• 2013: $400B

• 2012: $274B

• 2011: $114B

1

Rich Boyer Dr. Kenji Takahashi

TABLE OF CONTENTS

CHAPTER 1 Evolution and Drivers of Cybercrime

• What is Cybercrime?

• Economic, Cultural and Social Drivers

• Technology Drivers

• Cybercrime Toolset

CHAPTER 2 The Changing Landscape of Enterprise Security

• Lateral Attacks

• The Perimeter Is the User

• The New IT Challenges of Agile Cybercrime

CHAPTER 3 The Need to Evolve Enterprise Security in the 21st Century

CHAPTER 4 New Security Approaches and Solutions

• Threat Intelligence

• Security as a Service

• Communities of Sharing

CHAPTER 5 Questions for the Near Future of Security

APPENDIX

• About NTT Innovation Institute Inc.

• About the Authors

• Resources and Citations

CHAPTER 1

Evolution and Drivers of Cybercrime

WHAT IS CYBERCRIME?

While cybercrime may be simply defined as “unlawful acts wherein the computer is either a tool or target or both” – the way in which it manifests today is much more complicated and expansive than this simple definition.

Cybercrime is ultimately about leveraging flaws in security coverage in order to steal, manipulate, and monetize data. The strategy of the criminal is relatively simple – pursue a course of hacking and monetizing someone’s lack of security vision or incomplete implementation in order to maximize their own revenues or capabilities. While this is the strategy, the way individual cybercriminals pursue this varies based on the focus of each organization.

Just like in the world of physical crime, some cybercriminals are opportunistically focused on simple ‘smash and grab’ opportunities. Others are selective in biding their time and maximizing their ROI by picking their targets based on success potential and long term upside. Some cybercriminals provide products and services for others to use in monetization. Other cybercriminals simply focus on opening up opportunities. In short, if it were not for the deeply illegal nature of their activities, it would be hard to distinguish their working ecosystem from those of legitimate organizations.

Ultimately, criminal enterprises look to leverage opportunity, maximize returns, hedge their risks, and work more efficiently. Hackers track weak and strong points in legitimate organizations and industries, and then strategize (just like other businesses do) using the same drivers for usability, cost reduction, geographical reach and go-to-market forces to shape their targets and approaches.

Just as broad social, cultural, economic and technology trends reshape legitimate global businesses, those same forces impact cybercrime. To get ahead of cybercrime and create intelligent and robust security capabilities for legitimate organizations, it is crucial to understand cybercrime from this point of view. Only then can digital security truly compete with this fast-paced and constantly evolving criminal industry.

“Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.”

- Kevin Mitnick, noted computer security consultant, former hacker, and one of the few individuals ever convicted of cybercrime.

ECONOMIC, CULTURAL AND SOCIAL DRIVERS

The new and powerful economic, cultural and social factors that are reshaping modern businesses are also enabling cybercrime to further pierce global borders. The result is the creation of newly empowered and agile networks of international cybercriminals.

These include:

• Digitally native hackers become mercenaries deployed against ‘good enough’ security measures in increasingly complex multi-vendor, multi-partner systems.

• Inconsistent laws across the globe make tracking and prosecuting criminals difficult and time consuming.

• The increasing value that can be extracted from the sale of raw data changes the risk-reward ratio of cybercrime.

• The ease with which malicious software can be distributed across systems and people shortens deployment time and extends the reach of cybercrime.

• The rise of the Dark Web continues to drive marketplaces for the fruits of cybercrime.

• Public sympathy for some forms of ‘hacktivism’ can blur the lines between social activism and crime.

A majority of the most powerful technology drivers of legitimate business are also fueling the relentless engine of modern cybercrime. These include: cloud services, crowdsourcing, the democratization and monetization of data, unlinking of capability and infrastructure, and the pervasiveness of mobile and wireless technologies.

“We are building our lives around our wired and wireless networks. The question is, are we ready to work together to defend them?”

- FBI

TECHNOLOGY DRIVERS

The Cloud

Cloud services are abundant and widely available. Criminals use inexpensive, reliable, and publicly accessible cloud computing and network resources. This allows fast startup, usage, and abandonment. The resources that formerly required extensive efforts to establish and maintain have been transformed. Many are now available for rent, with the cost distributed across a large set of criminal entities. Cybercrime services are now called on demand, rather than burdening a single entity with owning, maintaining, and monetizing them.

Crowdsourcing

Crowdsourcing is rapidly growing as a means of accessing talent, strategy, and information. Underground cybercrime enterprises create fast-to-market and innovative Software as a Service (SaaS) offerings, housed within seemingly legitimate corporations easily found on the Dark Web. A prime example of this is DDoS-for-hire, masquerading as a legitimate ‘network stressing’ service.

Democratization and Monetization of Data

Underground brokerages and marketplaces are extensive and provide the environment for selling stolen data. This started with high-value data goods such as credit cards, personal information, and credentials. It then moved into broader intellectual property and data secrets exchanges, and services that map professional capabilities to willing clients. The collection and dissemination of stolen data works just like any other resale business, including finding the right cost structure, customer research, sales, and marketing.

Mobile Technology and Wireless Networks

Widespread and pervasive use of these technologies enables criminals to work virtually anywhere and anytime – beyond enterprise perimeters. This is to their advantage, allowing them to attract top talent driven by results and verified reputation, not by the whims of corporate politics.

CYBERCRIME TOOLSET

The cybercriminal’s world revolves around looking across the full stack of IT infrastructure for vulnerabilities. Those vulnerabilities are then leveraged against all attack vectors that will provide access to the desired data. Even the most meandering paths are pursued. Cybercriminals are relentlessly agile and invest heavily in new technologies and techniques. Like legitimate businesses, being nimble and effective is vitally important to their survival. This has given rise to the development, availability, and commoditization of powerful cybercrime tools and infrastructure across the Dark Web.

In the world of cybercrime, results matter and are constantly on display. If you win big and win often, you get the premiums. Just like any other business, to be successful and in demand, you just need to maintain your relevance and skills.

The cybercrime toolset can be defined as a true multi-sided, distributed digital platform that includes a full range of products and services from many vendors. There are probably a greater variety of cybercrime tools and solutions available than security products and services. These include:

• Hosted malware

• Denial of Service (DoS) as a Service

• Exploit kits for sale or rent

The cybercrime toolset can deliver a ‘soup to nuts’ capability for individual hackers or vast cybercrime organizations. Any criminal can start small and then scale to meet their needs. Any combination of technology capabilities is possible through on-demand or long-term committed talent that is available via either insourcing or outsourcing.

• Malware as a service – Malware can be provided today via self-service models, and then managed, distributed and utilized to deliver specific capabilities to an attacker.

• DDoS as a service – Often masquerading as legitimate ‘network stressor’ services, they can be purchased by the minute and directed against any target in the world.

• Skill sets on demand – Individuals with specialist capabilities are able to be accessed and ‘spun-up’ on short notice. They deliver those capabilities on demand, and disappear once the task is accomplished.

• Vulnerabilities for sale – New and valuable vulnerabilities and the tools to exploit them are hunted, marketed and sold on a commodity market. Values in this market are set by the vulnerability and the effectiveness of the exploit.

• Attack vectors for sale – Complete blueprints are available documenting the precise ways that hackers have successfully infiltrated an organization. Step-by-step mechanisms, with support and success guarantees, are provided.

The community that has formed around the cybercrime toolset represents many users extending, integrating, and utilizing a growing number of specialized technologies from this vast distributed community. Looking in from the outside, their actions appear to be a coherent, customizable, global attack capability. Generalists use the tools already available and contribute their knowledge, updates in successful techniques, and modifications to tools. Specialists focus on their specific domains, reselling their tools and services to almost anyone.

Purchasable cybercrime services have lowered the barriers to entry and dramatically simplified the attacker’s job, while also serving as important sources of low-overhead, reduced-risk income. There are probably a greater variety of cybercrime tools and solutions available than security products and services. These commoditized services have allowed a newer generation of less ‘experienced’ cybercriminals to be increasingly effective. Newcomers can now leverage, rent, or reuse the capabilities and code of other specialists to launch their own attacks, rather than investing the time to build from scratch. As hackers find markets for leveraging each other’s skillsets and code, individual hackers and small collectives can flourish alongside massive criminal organizations. Organizations grow, change, and refocus as rapidly as success and common desires are aligned, and disband or morph into new capabilities as priorities change.

Unsophisticated hackers using commoditized tools are not necessarily more successful. In many cases, they simply create more noise. But this noise can be used as ongoing crowdsourced cover for many other successful attacks and reconnaissance. While it is common in the industry to dismiss much of this noise as useless data, many retrospectives reveal evidence of iterative failed attempts within this noise well before a successful security breach.

The commoditization of cybercrime skills and tools has also made it cost-effective to attack cheaper and less lucrative targets. As a result, the criminal industry is no longer exclusively focused on traditional strongholds. They are motivated to invade easier, more accessible targets such as supply chains and tangentially associated organizations. These efforts enable them to establish backchannels into better-secured targets and enterprises. Digitization has made organizations increasingly interdependent in their security risk.

“In the past, cybercrime was committed mainly by individuals or small groups. Today, we are seeing criminal organizations working with criminally minded technology professionals to commit cybercrime often to fund other illegal activities. Highly complex, these cybercriminal networks bring together individuals from across the globe in real time to commit crimes on an unprecedented scale.”

- Interpol


CHAPTER 2

The Changing Landscape of Enterprise Security and Attacks


The state of today’s enterprise environment varies wildly in terms of the effectiveness of security practices. However, there are many common truths regardless of size, regulatory requirements and effectiveness of risk management in the organization.

Security infrastructures are by nature under-resourced and are usually the last consideration in feature and functionality-driven IT environments. The resources that do exist are often under-implemented with little ongoing consideration being given to the alignment between holistic security and effective IT functionality. Many assumptions about the effectiveness of security, even for the few well-resourced organizations, are hard to validate with quality metrics. Even the most well-intentioned and well-funded efforts seem to focus more on taking current security capabilities forward, rather than discovering meaningful measures to identify threats and prevent attacks in the future.

Given this state of the security environment of most global enterprises, there are three key trends in cybercrime that demand a radical shift in perspective and strategy.

Lateral Attacks are on the Rise

Security breaches are originating in one organization, but spreading to partner networks as businesses become increasingly interconnected – often in unexpected ways.

Users are the New Perimeter of IT Security

The trend of bring-your-own-device, combined with increased telecommuting and technology use across organizations, has resulted in a dramatic increase in security vulnerabilities. This can be attributed to the behaviors of end users both inside and outside the physical walls of organizations.

Cybercrime’s Agility Presents New Challenges

The increasing speed and global resources of cybercrime innovation put pressure on security professionals to move faster, smarter and more efficiently – if they hope to keep pace and outsmart their criminal counterparts.

LATERAL ATTACKS

Most businesses have succeeded in putting the basics of ‘front door’ data security in place. This has merely driven cybercriminals to move away from direct attacks. When the ‘front door’ is successfully locked, they move on to alternate indirect or ‘lateral’ attack paths. These new paths lead into the organization through other organizations such as the business’ unsuspecting, and often less secure, partners.

Lateral attacks can occur in any industry. Any company with multiple outside partner relationships and little direct insight into their networks, infrastructure, and security measures is at risk. Businesses are often unknowingly at the mercy of the security practices of their external organizations.

Many organizations, especially those farther removed from a cybercriminal’s juicy target, have the attitude of “I don’t have anything of value”. Even when that is true (and it often is not), the value they do have is, quite simply, their relationships – especially trust relationships. In 2014, the Target breach was directly related to a heating and cooling contractor who had access to the retail chain’s infrastructure. The contractor likely had very little of cyber-value, except for that access to Target. That access made all the difference to the criminals with loss estimates ranging from $250M to more than $1B for Target.

To successfully gain entrance to a company, an attacker might spend some effort attacking their vendors, suppliers, or third-party logistics network. These are considered ‘gateway’ organizations. Once they have this foothold, they will not only directly gather what valuable information they can from the partner organization, but also manipulate the trusted connections between partners to gain access to the main target.

Consider that an organization or business is composed of not only their primary technical interconnections, but also numerous social, relationship, media, manual and logical connections. With this kind of complex system, any organization of any size will have thousands of touch points that are exploitable by cybercriminals across the side or lateral boundaries.

The Story of a Lateral Attack

Take the case of a large company that books corporate travel and provides concierge services to its business clients. In the course of its daily operations, large amounts of data are accessed from multiple service providers around the world. This could include destination information, weather forecasts, travel restrictions, and details about special events. The aggregation and presentation of this multi-source data is key to the company’s core business of value-add service offerings.

With so many data and service providers located in various locations around the globe – it is nearly impossible for the business to understand and manage the specifics of ownership and legitimacy of its partners. As a result, no set security controls are in place for integrating outside vendors’ and partners’ systems.

So what happens?

A team of hackers has the opportunity to quickly and quietly take control of a defunct partner, and redirect that partner to an illegitimate provider. It is then a simple task to reconstitute services to appear to be real and trustworthy, while redirecting the real business’ customers through intermediate rogue services. Their credit card information is copied ‘in-flight’ before completing transactions on legitimate services. All of this would be completely unknown to the travel company or its clientele.

This kind of problem can exist for significant periods of time before detection, resulting in significant financial losses and damaged trust and reputation.

Steps – Lateral Attack

1. Attacker compromises a downstream logistics company that has less security than the actual target, a manufacturer.

2. The attacker utilizes existing IT resources to find trusted relationships between the two companies.

3. The trusted relationship with the actual ‘victim’ is used to gain access into the manufacturer.

4. Data is extracted from the victim (exploiting internal IT resources is typically cheap and easy, once inside) and moved back to the logistics company.

5. The data is then extracted from the logistics company and placed into the hands of the cybercriminals.

[Figure: Lateral attack between two companies. Elements: Attacker; Company A user; Company A IT resources; Company B IT resources; CRM integration with trust relationship. Step 1: Attack. Step 2: Attack. Step 3: Lateral attack exploiting trust relationship. Step 4: Extract valuable data. Step 5: Extract data. Additional label: Using internal IT resources.]

THE PERIMETER IS THE USER

There has been a massive increase in mobile devices and a trend towards using those devices not only at work, but at home, outside the known security measures of corporate networks. More than ever before, this has set up the untrained end user as the most desired entry point into a cybercriminal’s targeted business. This person can be anyone – a trusted long-term employee or a loosely connected service provider.

The result is that today the end user and their device are the new perimeter for business security.

A company and its data are only as secure as the practices of the weakest employee. Most individuals in an organization don’t adhere to a company’s security policies as strictly as they should. This is largely a result of perceived inconvenience and the desire to get work done quickly. Unless a company has technical controls in place that force certain security measures – a basic example being automatic locking of an idle laptop and required password protection – employees will opt for the fastest and easiest route to their desired outcome.

The challenge is to protect end users against attacks no matter where they are. It is difficult enough to maintain patch levels on a single server farm, much less thousands of end-user machines. The ultimate impact is that the massive investment in onsite corporate security infrastructures is failing to protect end user systems. Consequently, they have become a critical liability as they leave the corporate security envelope and return to work with a compromised device. This device then becomes a potential gateway for attackers looking to penetrate the organization.

GLOBAL THREAT INTELLIGENCE REPORT 2015:

7 of the Top 10 Vulnerabilities are with end users

1. Outdated Java Runtime Environment

2. Oracle Java SE Critical Patch Update

3. Multiple Vulnerabilities In Java Web Start

4. Missing MS Windows Security Updates

5. Outdated Flash Player Version

6. Outdated Adobe Reader And Acrobat

7. Outdated Internet Explorer

8. Multiple Oracle Vulnerabilities

9. Outdated/Missing Patches Oracle DB

10. Outdated OpenSSH Version

While many attacks are detected and blocked on the user device by onboard security, many more get through due to the varied landscape and the constant race between the cybercriminal element and security vendors. It is typical for an organization to see a significant rise in detected compromised machines after they have been out of the enterprise security envelope. This is true when machines are taken out of the office environment for the weekend. They become targeted and compromised (without the knowledge of their users) and then are returned to the greater security detection capabilities inside the enterprise.

Detection and remediation are critical to protecting the network. It is safe to assume that the data available to the user has a high likelihood of exposure over the course of time. A percentage of compromises will not be revealed, even by internal enterprise security measures. NTT research studies¹ have shown that approximately 50% of end-user compromise attempts are detected by onboard capabilities (anti-virus and other software) and the remainder by internal IT. That scenario may take days, weeks, months or longer for the specific problem to be identified and addressed. These figures imply that detection rates show only a limited view of security problems, and the impact of undetected compromises is nearly impossible to measure.

The ultimate impact is that the massive investment in traditional onsite corporate security infrastructures is failing to protect end user systems that are often outside of the network.

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted”

- Kevin Mitnick


Employees use a variety of cloud-based applications such as Dropbox or Google Drive to not only share files with each other, but also to make them accessible from devices they may have at home. Sometimes these files have highly sensitive information. This is where a security problem can begin, without the knowledge of the employee.

If an employee uploads a document to the cloud to access from their home computer or mobile device, and then makes changes to and saves that document back to the cloud, corporate security controls are being bypassed. Whatever bots or malware may have been residing on the home computer can use those same channels to copy files and set up executables to run when they are back inside the corporate network. Even with security controls in place, those same services can facilitate the transfer of sensitive files that can end up in the hands of a hacker. When an organization has thousands of employees who unintentionally perform this type of insecure behavior on a daily basis, the business risks become substantial.

The User as the Security Perimeter

Most IT security is focused on the straight-line protection of a user accessing the Internet. When a user moves outside of the corporate security environment and is directly exposed to the Internet, it is often the user that becomes the last line of cybercrime defense. The same holds true when a compromise occurs inside an organization. It is typically an untrained user who holds security ownership, as one of very few potentially effective defenses.

[Figure: The User as the Security Perimeter. Connecting to the Internet, corporate security provides a perimeter: Proxy (prevents bad site browsing), DLP (detects data leaks), WAF (detects web attacks and blocks), IDS (detects attacks and blocks them), Firewall (blocks most unwanted traffic), Router (removes malformed traffic). Outside the corporate perimeter: no corporate security when the user takes devices outside; the user is mostly responsible for security. Compromised internal system: connecting to an inside resource, there is little or no perimeter.]

The increasing speed and global resources of cybercrime innovation puts pressure on security professionals to move faster, smarter and more efficiently if they hope to keep pace and outsmart their criminal counterparts.

In the world of legitimate enterprise business, security has been driven by waves of products and services. Each one focused on the next big thing: anti-virus, firewalls, intrusion detection, proxies, data loss, web application firewalls, and advanced persistent threats. While these technologies are designed to address what is perceived to be the latest and most critical threat, none cover more than a fraction of the true risk that comes from the massive range of available security exploits.

When new major vulnerabilities make the news, many enterprise IT managers react with changes in their organization that are driven

by fears of that new exploit or attack vector. Big events such as Heartbleed or Shellshock caused a reset in the entire security space. In these instances, companies and security vendors focused on fixing immediate security threats, rather than taking a long-term view of effective security management. Some of this is justified, as these types of vulnerabilities are serious. Yet periods of heightened security focus do not solve the underlying problem of how to own and manage the security control process in an ongoing effective way.

While parts of the criminal element may be driven by the same cycle of awareness and focus as enterprise IT managers, they have an added advantage. They are incredibly agile. They can mount their attack on a business’ vulnerability faster than most organizations can understand, acquire, implement, and operationalize the corresponding defenses. In fact, the Dark Web is filled with support structures for criminals to exchange and sell information, follow vendor advisories, and track researchers. All of this is in the service of discovering a new vulnerability to exploit before anyone can detect or patch it.

While agile attackers aim for new vulnerabilities, they also realize that it is much easier to target the massive quantity of persistent or legacy vulnerabilities existing in corporate infrastructure. What the industry sees, and attackers exploit, is that awareness cycles do not drive software patching initiatives in the long term. The 2015 NTT Global Threat Intelligence Report [2] revealed that 76% of identified vulnerabilities were more than 2 years old, and almost 9% were over 10 years old. In fact, the biggest vulnerabilities of 2014 (Heartbleed and Shellshock) have been present in software for as many as 25 years.

THE NEW IT CHALLENGES OF AGILE CYBERCRIME

In 2014, 76% of identified security vulnerabilities were more than 2 years old, and almost 9% were over 10 years old.


WATERFALL ENTERPRISE IT VS. AGILE CYBERCRIME

WHAT DRIVES CHANGE?

Waterfall enterprise IT: Change is based on supporting past big successes and building on those to create timelines and priorities set on an annual basis and typically tied to the budgeting cycle.

Agile cybercrime: Change is tied to repeatable fast failure. Success is measured in tiny increments. Many small trials occur on a rapid basis, with the assumption that most, if not all, will fail. The intention is to iterate against one or many enterprises, or resources in an enterprise, until successes happen.

HOW ARE SUCCESS AND FAILURE HANDLED AND MEASURED?

Waterfall enterprise IT: Success and failure are based on measured opportunity to improve the environment and provide new capabilities while minimizing user impact, so that buy-in can be achieved.

Agile cybercrime: Failures represent lessons that are learned quickly, with adjustments made as quickly as possible. Knowledge of success and failure is shared on an ongoing basis. When new ideas are successful, they quickly propagate and become ingrained into cybercrime’s capabilities.

HOW IS CHANGE MANAGED?

Waterfall enterprise IT: Change tends to be very measured and stepwise so as to maintain uptime, rather than failing fast and recovering quickly, as that has significant impacts on customers (end users).

Agile cybercrime: Changes are immediately put into testing in real world scenarios where the point is not to get buy-in, but rather to demonstrate forward momentum.


CHAPTER 3

The Need to Evolve Enterprise Security for 21st Century Security Risks


The challenge for today’s enterprise is in understanding that security is not the typical organization’s core business. A company can excel in their specific industry, yet have little knowledge or capability for addressing the security that it so desperately needs. The world of cybercrime is exactly the opposite. Hacking security is their core business. This makes cybercriminals the most powerful competitors that legitimate businesses face in this area.

For example, auto manufacturers do not need to provide the best tire manufacturing capabilities, HR software, or gasoline production. Rather, they acquire those from other providers. On a global scale, this is exactly what protection from cybercriminals requires organizations to do – manage complex systems with diverse components that are outside of their area of expertise, but upon which their business relies.

The Scope of the IT Security Challenge

Enterprises face complex multi-faceted security concerns due to:

1. A shortage of skilled security engineers

2. Out of date conventional security practices and technologies

3. Organizations that tap into IT resources outside their own security boundaries

4. The diversity and complexity of the modern hybrid IT environment

5. The consumption of cheap and sophisticated services outstripping the ability to create a single cohesive control model


1. A Shortage of Skilled Security Engineers

Companies are essentially up against cybercrime specialists and must invest without the benefit of receiving immediate bottom line ROI. When combined with a shortage of trained engineers, this impacts the organization’s ability to address threats. IT organizations must constantly invest, respond, and strategize or become targets. In effect, the global IT industry has failed to recognize and treat cybercrime as a digital business, resulting in an ineffective response to addressing the problem globally.

2. Out of Date Conventional Security Practices and Technologies

Conventional security frameworks were designed to fight a very different battle. Conventional security control is accomplished using the hierarchy of networks and products to create a ‘wall’ to protect endpoints and servers as well as valuable data and information. Often this structure fails to create a single control point between the organization and their cybercriminal competitor. Walls and barriers to entry are breached with each group of hackers progressing a little further into the defensive patchwork of technologies. They can then report and sell that information to the next criminal group.

Manufacturing companies are at huge risk of falling victim to cybercrime. This results largely from their lack of awareness of how incredibly vulnerable they are. In addition, they are often not financed to address that burden of security vulnerability.

Let’s take the example of a simple polymer manufacturer that has been in business for decades. Since the company uses processes that are largely standardized throughout the industry and has no substantial intellectual property to protect, it believes it has next to nothing to safeguard. The only systems with real safeguards (e.g. no Internet connections) are the physical plants themselves, and manufacturing control system vendors are now pushing to connect those plants. Consequently, the company doesn’t invest in any sort of significant security measures or controls. This can turn out to be a fatal assumption.

While a company may not think it has specific IP to protect, it may well have massive security risks as a result of the prominence of its senior executives. Cybercriminals have the ability to create havoc through false identities that enable them to use the manufacturer’s own processes to commit bank fraud. How can that happen?

A company may have well-known senior executives who speak at many industry events, appear on news programs, and are increasingly in the public eye. Hackers can create fake emails appearing to come from senior officials in the organization. They can use those email identities to authorize fraudulent money transfers, supposedly between the company and its suppliers.

The money then ends up in offshore accounts while the company’s suppliers lose millions of dollars. Did the company have nothing at risk? Yes and no. Maybe not in the traditional “you’ll steal my intellectual property” way, but that is certainly not the only secret the company needs to protect. If a supplier loses millions, who holds the responsibility and the liability?

This particular example is fictitious. Nonetheless, it is a scenario that occurs every day, and demonstrates the need for stringent security measures – even when a company thinks it has nothing to worry about. Hence, the goal of global organizations should be to consider what secrets they do have. Anything that can be kept as a secret is something the attacker is always looking to access and monetize.

The Potential for Cybercrime in Manufacturing
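The fake executive email in the scenario above leaves header-level signs that a mail gateway or finance workflow can screen for before any transfer is approved. The following is an added example, not part of the original paper; the company domain, executive names and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (hypothetical values, not from the paper).
CORPORATE_DOMAINS = {"polymerco.example"}
EXECUTIVES = {"dana reyes", "sam okafor"}  # well-known, public-facing names
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|payment|invoice|bank details|remit)\b", re.IGNORECASE
)

# Constructed sample messages: headers, blank line, body.
SAMPLES = {
    # Executive's name on a look-alike external domain, replies diverted.
    "spoofed": (
        'From: "Dana Reyes" <dana.reyes@polymerco-mail.example>\n'
        "Reply-To: accounts@fastpay.example\n"
        "Subject: Urgent wire transfer to supplier\n"
        "\n"
        "Please send the transfer today. I am on stage and cannot talk.\n"
    ),
    # Genuine internal mail about a payment: must not be flagged.
    "genuine": (
        'From: "Dana Reyes" <dana.reyes@polymerco.example>\n'
        "Subject: Invoice approval for March\n"
        "\n"
        "Approved, please pay the attached invoice.\n"
    ),
    # Forged corporate From header, but replies go somewhere else.
    "forged_from": (
        'From: "Sam Okafor" <sam.okafor@polymerco.example>\n'
        "Reply-To: sam.okafor@mail-relay.example\n"
        "Subject: Updated bank details for supplier\n"
        "\n"
        "Use the new account from now on.\n"
    ),
}


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def review_payment_email(raw_message):
    """Return the reasons a message needs out-of-band verification.

    An empty list means no identity mismatch was found. Payment wording
    alone never flags a message; it only escalates one whose sender
    identity already looks wrong.
    """
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Display name of a known executive, but the address is not ours.
    name = " ".join(display.lower().split())
    if name in EXECUTIVES and domain_of(from_addr) not in CORPORATE_DOMAINS:
        reasons.append("executive display name on external sender address")

    # 2. Replies would be routed to a different domain than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append("Reply-To domain differs from From domain")

    # 3. Escalate when the suspicious message also asks for money to move.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if reasons and PAYMENT_TERMS.search(text):
        reasons.append("message requests a payment action")
    return reasons


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", review_payment_email(raw) or "no mismatch found")
```

A non-empty result should route the request to a call-back on a known phone number rather than to automatic rejection, since the check sees only headers and wording.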


3. Organizations that tap into IT resources outside their own security boundaries

Organizations large and small have grown beyond their traditional physical boundaries, reaching out of local infrastructures and national borders to tap resources and capabilities around the world. This effectively creates stateless infrastructure that represents many vulnerable entry points that need to be continuously protected. Cybercriminals also reach across borders and into the same niches occupied by legitimate businesses. They are masters of applying resources in an ‘anything, anywhere, anytime’ model.

The rise of borderless capabilities often breaks the implementation of traditional security controls as organizations are faced with different control structures, implementations, policies, and capabilities across locations.

4. The diversity and complexity of the modern hybrid IT environment

The diversity of the modern hybrid IT environment widens the attack landscape, creating a dramatic increase in the complexity of managing security operations. This complexity requires management that is not just confined to the local infrastructure, but spans across the organization into many areas that may not be recognized as part of the traditional domain. This includes Shadow IT, third parties, partners, supply chains, and the mobile workforce.

Cybercriminals, on the other hand, are global, well-funded, skilled, and easily outnumber security staffers at most organizations. Hiring particular skill sets on the Dark Web often requires only a few minutes of effort in their hybrid world.

The Connected Car offers consumers many features and conveniences that allow for connectivity to the world at large – including telematics systems, satellite communications/navigation systems, USB ports, digital sound systems, onboard WiFi, streaming media, and more. Yet these same conveniences provide numerous points of entry to hackers, very much like a company with employees using multiple applications and devices outside the walls of corporate security.

In the Connected Car, everything is intertwined while originating from several disparate sources. Car manufacturers are ultimately responsible for all the various parts that come as standard or added features in their cars. They have no real way of ensuring that all these entry points are protected and secure, since they come from different providers and networks. This means that safeguarding communications and enacting strict security controls can be extremely difficult in a multi-vendor environment.

How do we need to rethink cybercrime and security in a world where these kinds of questions become real?

• What protections need to be in place to prevent the hijacking of a car, or even to provide a warning that there is tampering underway within a single system?

• As the environment around a car becomes more infused with sensors that supply real-time data to the vehicle, what happens if those systems are attacked?

The Potential for Compromised Security in the Connected Car


5. The consumption of cheap and sophisticated services outstrips the ability to create a single cohesive control model

Organizations are driven by the ability to put products and services in front of the customers who demand them. Enterprise IT has historically pursued this path for its internal corporate customers. However, over the past four to five years there has been a shift brought about by the increased outsourcing of many IT capabilities as speed and cost concerns have become paramount. This has resulted in many departments and individuals outside the world of IT taking responsibility and action for acquiring services for their departments’ needs – often without an educated concern for the overall security impacts on the organization.

We need to evolve enterprise security for 21st century threats and risks

Cybersecurity threats are never static. We need to leave behind the silver bullets, perimeter defenses and ‘security-last’ mentalities of the past. Even the old trust models need to be inverted. We need change in the attitudes and platforms that we use to fight this battle. Our new approaches need to be as radical and agile as the cybercriminals themselves.


CHAPTER 4

Radical New Security Approaches and Solutions

THREAT INTELLIGENCE

SECURITY AS A SERVICE

COMMUNITIES OF SHARING


It has become clear that if businesses continue to pursue the same fixed security strategies of the past, they are sure to lose to the more agile cybercriminal. It will require a radical new approach to security for businesses to have a fighting chance, much less win this battle outright. Companies must begin to share what they learn about security threats with their colleagues, other companies and customers. The bad guys already readily share, and they win as a result of that shared knowledge.

Organizations cannot continue to apply the same security patterns of the past and expect different results. Those results show consistent failure to change the trajectory of cybercrime. At best, most enterprise security measures have slowed and redirected attacks - but not stopped or significantly reduced them. A persistent attacker does not look at a new technology, service or operational change and give up. They see this as a challenge to be overcome. Once they have an opening, it is aggressively targeted until well-known mechanisms for managing the challenge are developed.

How can this kind of challenge be addressed?

It’s as if the zombies are coming and no matter how many we kill, two seem to take every fallen one’s place. It is time to do things that are radical and social in nature, and ultimately, things that are very uncomfortable to the status quo. The current path only leads to more of the same – security failure. To expect something different is foolish at best, and ultimately disastrous.

Below are three different ways we may change the trajectory of cybercrime. Each one is more radical than the last, but with the likelihood of producing a tangible result. These new approaches are: threat intelligence, security as a service, and communities of sharing.


Right now, hundreds if not thousands of organizations are rushing to put threat intelligence capabilities into the market. The premise is rather simple. The more we know about cybercriminals by gathering and correlating from a vast number of sources, the better we are equipped to stop their actions. Having knowledge about enterprise security at the threat stage is not unlike shining a light to drive away the cockroaches.

On its own, threat intelligence is neither that interesting nor valuable. The power to combat cybercrime comes from:

• The way it is integrated with other data sources

• How computation and analytics are applied

• How that intelligence is translated into action inside the enterprise

To derive value from threat intelligence, organizations must use the information to drive proactive change within their IT environment. Security decisions must be informed with verified, live, and actionable data. This data must be aligned with knowledge of what is happening in the outside world and inside the infrastructure. This is no small task. Our IT infrastructures are ill-prepared to do this. Most managers of IT are averse to turning over control and decision-making on the basis of information that is at best fragmentary, and at worst incorrect.

In the larger context – here is the task we need to do. Bite that bullet. Take that leap of faith.

We have made this kind of change many times before. The first was when we shifted our workloads away from centralized, mainframe dependent processing with massive reliability. Our organizations did not end when we moved from decentralized processing to clusters, or from virtual machines to clouds. Each of these created hurdle after hurdle for reliability, uptime and control.

THREAT INTELLIGENCE


The second change was when we put a firewall in the path of the organization. Firewalls stopped traffic, blocked applications and prevented business as usual, yet the organizations thrived. Now these are standard features for the modern business.

Threat intelligence is gaining traction as the way to instantly adapt to the attacker. It holds the radical promise to do just that. This allows organizations to engage with threat intelligence as part of the corporate decision-making processes. In the past, enterprise security has been reactive in nature. To compete with the cybercrime industry, organizations must shift to a more radical approach. The focus must be on places where change addresses threats, rather than reacting to attacks and threat intelligence. If threat intelligence can meet this aspirational goal, it can be a powerful tool against cybercrime.

Figure (diagram labels): Collect, Analyze, Deliver; Global Data Sources; Local Control; Threat Sensors; Intelligence Vendors; Managed Platform Analytics; Open Intelligence; NTT Search Engine Threat Intelligence; NTT Global IP Network Streaming Analytics; Intelligence Dashboards; Localized Threat Feeds; Global API/Local API; Caching Proxy; Device Orchestration; (RSE).

1. Threat information is collected from a wide range of threat sources including:

• Sensors that serve as targets for bad guys to attack, so that the attackers can be watched

• Multiple Intelligence Vendors of security capabilities across the industry

• Managed platform analytics and services for monitoring enterprise infrastructure from a security perspective

• Open intelligence from sources on the Internet

• Search engine intelligence

• IP network streaming analytics reflecting data on a collection of attacks, as seen in traffic numbers on core nodes of the Internet

2. The data is analyzed and additional non-security (but related) data is added. This data is examined for mistakes and duplicates. It is then correlated with other data, with human analysts identifying the individuals and groups behind the attacks.

3. The data is delivered to a customer based on the context they have specified for action. These include:

• Via API – direct interaction at the programmatic level

• Via feeds – one way threat identification and notifications

• Dashboards – user interactive dashboards

• Device orchestration – automatic application of security controls across the enterprise

PROACTIVE THREAT PROTECTION
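The collect, analyze and deliver steps above can be made concrete with a small pipeline that merges indicators from several sources, drops feed mistakes and duplicates, and only hands corroborated indicators to automatic enforcement. This is an added example, not NTT's platform or code from the paper; the source names, the sample indicators and the two-source threshold are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: (source, indicator type, raw value). IPs come from
# documentation ranges and domains use the reserved .example TLD.
RAW_REPORTS = [
    ("sensor",     "ip",     "203.0.113.45"),
    ("vendor_a",   "ip",     " 203.0.113.45 "),         # duplicate, stray spaces
    ("open_intel", "ip",     "203.0.113.450"),          # mistake: octet > 255
    ("vendor_a",   "ip",     "10.0.0.8"),               # mistake: internal address
    ("open_intel", "ip",     "198.51.100.7"),           # reported by one source only
    ("vendor_b",   "domain", "Login.Pay-Portal.EXAMPLE."),
    ("sensor",     "domain", "login.pay-portal.example"),
    ("sensor",     "domain", "login.pay-portal.example"),  # same source repeats itself
    ("vendor_b",   "domain", "not a domain"),           # mistake: free text
]

# Addresses that must never reach a blocklist: blocking them would cut off
# the organization's own internal or local traffic.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def normalize(kind, raw):
    """Canonical form of an indicator, or None if it is a feed mistake."""
    value = raw.strip().lower()
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if any(addr in net for net in NON_ROUTABLE):
            return None
        return str(addr)
    if kind == "domain":
        value = value.rstrip(".")
        labels = value.split(".")
        if len(labels) < 2 or not all(LABEL_RE.fullmatch(l) for l in labels):
            return None
        return value
    return None


def analyze(reports):
    """ANALYZE: validate, de-duplicate and correlate reports by indicator.

    Returns ({(type, value): set of sources}, number of rejected reports).
    """
    sources = defaultdict(set)
    rejected = 0
    for source, kind, raw in reports:
        value = normalize(kind, raw)
        if value is None:
            rejected += 1
            continue
        sources[(kind, value)].add(source)  # a set counts each source once
    return dict(sources), rejected


def deliver(sources, min_sources=2):
    """DELIVER: corroborated indicators go to device orchestration as a
    blocklist; single-source ones go to a dashboard watchlist for analysts."""
    blocklist, watchlist = [], []
    for (kind, value), seen_by in sorted(sources.items()):
        entry = {"type": kind, "value": value, "sources": sorted(seen_by)}
        (blocklist if len(seen_by) >= min_sources else watchlist).append(entry)
    return blocklist, watchlist


if __name__ == "__main__":
    correlated, bad = analyze(RAW_REPORTS)
    block, watch = deliver(correlated)
    print(f"rejected {bad} malformed reports")
    print("blocklist:", block)
    print("watchlist:", watch)
```

Counting distinct sources rather than raw reports matters here: the sensor reporting the same domain twice does not make that domain better corroborated.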


An even more radical concept is security as a service. In its base form, this is an extension of managed security services, which move the management of security infrastructure out of organizations that are not security experts, and into the hands of qualified third parties. The solution of managed services is that security as a service is outcome driven, rather than event or technology driven. It addresses the question:

“Do you want a vendor or do you want to define a set of results?”

Typically, internal security teams in enterprise organizations simply do not have enough capability, tools or processes to see and respond to all vulnerabilities and attacks, or to manage the issues that they face daily. The concept of security as a service is to blackbox security technologies and processes, and wrap the service as a capability. It answers the question:

“When an event happens, do you want to be informed of the event or do you want it to be automatically resolved under a specific set of agreed upon parameters?”

The issue with this approach is that an enormous amount of trust is given to the security vendor to know how to do the right thing and manage the outcome. The promise of Security as a Service (SECaaS) is that it offers enterprise software and hardware tools as an on-demand solution. They are then managed with corporate governance standards to achieve the desired outcome. SECaaS combines diverse, modular capabilities that overlap, require different skill sets, and address different parts of the security landscape. IT organizations within the enterprise control the policy they want to implement. Using agile iterative mechanisms, they can add capabilities or implement functionality on a continuous integrated basis, supported and substantiated by the platform.

The vendor takes the risk of doing the right things and providing the appropriate tools, processes, and trained personnel. This approach is in essence no different from outsourcing the brakes on a car to a brake manufacturer. It is their job to know the right thing and do it. They are the specialist, not the auto manufacturer.

SECURITY AS A SERVICE


Communities of sharing are the most radical, and likely the most effective, of the ideas suggested here. The concept is based on a very simple premise - one that is perhaps difficult to swallow. The cybercrime community succeeds because they collaborate in a way unlike any other industry in the world. Ideas, data and capabilities move rapidly and seamlessly from organization to organization, individual to individual. This is always done with cash flow, or at least a palatable return on investment (if only in credibility), attached.

Until the legitimate community can match the velocity of the cybercrime community, it will be difficult not to continually be at a severe disadvantage.

The radical ideas we need to embrace are to:

• Open up our organizations

• Expose our vulnerabilities

• Be upfront on our breaches and attacks

• Show our weaknesses to each other

We need to do this both knowing and being comfortable with the concept that information will be leaked to cybercriminals. Indeed, this is a radical theory at first glance, yet it holds logic. Give it some thought. A vulnerability only exists while it is unknown and/or unaddressed. By opening up or stretching out, we force three important social changes:

1. Accountability for our weaknesses and vulnerabilities. Once exposed, it’s all hands on deck to stop exposure.

2. Drive to change processes which are ‘too entrenched’ to address the rapid evolution of putting new solutions in place. The excuse of “You’ll break existing processes and stop the business” is no longer acceptable.

3. Move security to the forefront of corporate culture. “My disease may make someone else sick; therefore, I need to wear a surgical mask to protect society.”

COMMUNITIES OF SHARING


CHAPTER 5

Questions for the Near Future of Security


To stay competitive and prepare for the future of cybercrime innovation, security professionals and enterprise leaders need to ask themselves and their partners the following question: What’s next for strategy and architecture?

Let’s start the conversation with 3 important questions.

1. While new technological advances are introduced and legislative measures enacted, cybercriminals continue to have the upper hand. No matter how much money or resources a company throws at the problem, success continually falls on the wrong side of the law. Given this, what options do organizations really have?

In order to have any sort of profound impact on cybercrime, we need to first follow the example of regulated industries, which understand better than any other that revenue generation is a nefarious organization’s first priority. This means they’ll stop at nothing to succeed. Failure puts them out of business. Once we accept that and change our actions to halt cybercrime efforts as our first priority, we can begin to see the baseline of criminal activity decelerate. This is difficult, as it is not our core business. Yet ultimately it needs to be.

‘Good enough’ security and ‘we have nothing of value’ are the vulnerable gateways into our infrastructure.

Second, we need to change our approach from security being merely an afterthought and have it become the primary decision for new business objectives and changes. Otherwise ‘too little, too late’ will continue to be the status quo when it comes to any efforts to prevent the upward trend in cybercrime.

We need to focus significant efforts on educating individual users about the importance of consistently following standard security practices. It can no longer be acceptable to give them free rein to break protocol and opt for what’s fast and personally convenient. Only when security measures are followed by all employees, can we really start to make a significant impact in this area.


2. What steps should organizations take to protect themselves when they have little to no control over what security measures their partners and suppliers have in place, or how strongly they enforce them?

The first step is purely contractual. Any third parties and partners must understand that strict security standards are non-negotiable and that they (the company) hold their business partners to the same standards as they do their own employees.

Organizations need to clearly understand the various points of contact and information exchange between each other, and limit those points of exchange to very specific data and capabilities. These are the vulnerable points of entry for cybercriminals. Any company that makes security a top priority should have the power to review, enforce and even stop or change any security policies between themselves and other organizations. This must be true even if it means ending the business relationship until such time as measures are correctly enacted.

3. How can we convince our own companies to allocate more dollars and resources towards protecting our data from a fierce competitor – cybercriminals – when the organization doesn’t even realize how great the threat really is?

The most important thing to do is know what data, capabilities or connections are in danger of falling into the wrong hands within the organization, even if the general perception in the company is that there is nothing at risk. A calculation can then be made to estimate the cost to the company if data, capability, or connection do indeed fall into the wrong hands.

It may be necessary to work with external organizations to find the types, quantities and details of any company information that is already vulnerable, or worst case, already being sold on the “Dark Web.” It is critical to demonstrate to company officials the expense related to these efforts compared to the total cost or liability if the data is hacked and stolen for financial gain.


APPENDIX

ABOUT NTT INNOVATION INSTITUTE, INC.

ABOUT THE AUTHORS

OTHER BOOKS FROM NTT INNOVATION INSTITUTE, INC.

RESOURCES AND CITATIONS


NTT Innovation Institute, Inc. is the Silicon Valley-based, open innovation/applied research and development center of NTT Group. NTT i3 builds platforms that are transforming today’s enterprises into the digital businesses of the future. Our platforms help clients engage with customers and markets in exciting new ways by pushing the boundaries of cloud computing, information security, machine learning, and the Social Network of Things. NTT i3 builds on the vast intellectual capital base of NTT Group, which invests more than $2.2 billion a year in R&D, with an extensive network of technology partners, engineers, and scientists.

NTT i3’s Core Platforms for Agile IT

In order to build the agile and hybrid IT systems required by the emerging digital generation of insurance companies, robust and well-designed technological and strategic platforms must be put into place, often in areas outside of the traditional IT domain. Legacy systems must be modified and integrated in a way that acknowledges complex privacy, speed, and reliability needs that were inconceivable at the time of their original design. And all of these IT systems need to be integrated and orchestrated in a way that makes the management of a dynamic hybrid information environment possible.

NTT i3 offers three platforms to help IT departments tackle these challenges:

Cloud Services Orchestration Platform that allows IT departments to understand their application portfolios, migrate the most suited applications to the cloud and provide a seamless way to manage this new hybrid environment.

Global Threat Intelligence Platform that brings real-time data-driven insights into the identification and understanding of cyber-security threats and needs.

An Elastic Services Infrastructure that leverages network function virtualization (NFV) to push virtual network functions (VNF) to the edge of the enterprise’s network, bringing agility, security, and flexibility into the infrastructure.

ABOUT NTT INNOVATION INSTITUTE, INC.


About the Authors

Rich Boyer, Chief Architect, Security

At NTT Innovation Institute, Inc. Rich Boyer is the Chief Architect for Security. He has over 25 years of experience in security and network technology across a variety of global organizations. Currently Rich is designing and implementing the Global Threat Intelligence Platform (GTIP) in support of NTT’s global security strategies around threat intelligence, analytics, identity and access management and response and recovery. He is part of the analysis team for NTT’s Global Threat Intelligence Report. Before building the Global Threat Intelligence Platform, Rich held many security positions in large international enterprise organizations both as a senior executive and consultant. He has performed a wide range of security services roles including managing security strategy, security infrastructure design, operationalization of organizations, development of GRC processes and embedding security processes at the executive level. Rich has a diverse IT background outside of security including infrastructure, coding, networking, security, risk management, and systems development. Rich has a BA in Computer Science from the College of Wooster.

Dr. Kenji Takahashi, Vice President, Product Management, Security

Kenji has over 29 years of experience in Research and Development on information and communication technology for NTT Group in both the US and Japan. Currently Kenji is leading the development of Global Threat Intelligence Platform (GTIP) through open innovation with the global ecosystem consisting of clients, partners, academia and open source communities. Previously Kenji was President and CEO of NTT Multimedia Communication Laboratories, Inc. (NTT MCL) in Silicon Valley. At NTT MCL, he successfully launched and led open source, open standard-based cloud and SDN projects, which resulted in the world’s first OpenFlow based global network service offering by NTT Communications. Prior to this, Kenji led many projects at NTT R&D in Japan, including cloud computing, software engineering, digital identity management, collaboration environment, and ubiquitous computing. He is one of the pioneers of federated identity management, which provides users with secure, easy to use, and privacy-friendly experiences across organizational and geographical borders. Kenji received BS, MS, and Ph.D. in Computer Science from Tokyo Institute of Technology. He was also a visiting scientist at the College of Computing at Georgia Institute of Technology.


The following books can be found at: www.NTTI3.com/publications

Digital Business Transformation

The Social Network of Things

Agile IT: Today’s IT for Tomorrow’s Solutions

The Automotive Industry as a Digital Business

Insurance as a Digital Business

OTHER BOOKS FROM NTT INNOVATION INSTITUTE INC.


CITATIONS

1 2014 - http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf

2013 - http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf

2012 - http://us.norton.com/cybercrimereport

2011 - http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02

2 NTT Group 2014 Global Threat Intelligence Report. https://nttgroupsecurity.com/articles-content/articles/download-the-2014-report

3 NTT Group 2015 Global Threat Intelligence Report. https://nttgroupsecurity.com

Page 13 Ken Wolter / Shutterstock.com

PHOTO CREDITS