The Evolution of Cybercrime
DESCRIPTION
How underground markets for stolen data and hacking tools are driving cybercrime today, and some of the possible security responses, defenses, and strategies
TRANSCRIPT
The Evolution of Cybercrime
Stephen Cobb, CISSP, Security Researcher, ESET NA
What’s on the agenda?
• Defending IT systems and the valuable data they contain requires an up-to-date understanding of the scale and nature of security threats
• For many organizations, the greatest IT security threat is cybercrime, the nature of which is evolving (read the headlines)
• We explore the evolving cybercrime threat
• Describe a layered approach to defending your systems and data
What does cybercrime have to do with cybersecurity?
• Cybercrime is one of the main threats to the confidentiality, integrity, and availability of your data and systems
• Understanding cybercrime helps fight cybercrime and improve security
4 leading sources of trouble
[Diagram: CRIMINALS, DISASTERS, EMPLOYEES and ERRORS surrounding YOUR DATA & SYSTEMS]
Question #1: Has your organization experienced an external attack on any of its IT systems in the last 12 months?
Yes No I’m not sure I don’t work for an organization
Cybercrime today
• A global industry
• A growth industry
• Increasing in size and efficiency
• Victimizing a broad swathe of society
• Your organization is a target
• Too many people still look surprised when they hear this, or see these…
Thanks to krebsonsecurity.com for screenshots
Elements of cybercrime operations
• Host an exploit kit on a server
• Put malware on a different server
• Send malicious email linked to the exploit kit
• Find holes in visiting systems
• Use holes to infect visitors with malware
• Use console on command and control box
• To steal, DDoS, spread more malware
• Use markets to sell/rent infected systems
• Use markets to sell any data you can find
• E.g. Community Health Systems 4.5m IDs
From a chart by DeepEnd Research
• Exploit Kits
• Buy or rent
• A few hundred dollars to thousands
• Add new exploits over time
• Note all of the Java exploits
Cybercrime tools are readily available
Proliferation and variety of exploit kits over time
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
A market-based industry
• Specialization
• Modularity
• Division of labor
• Standards
• Markets
Who are these people?
Different levels of participants in the underground market
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Estimate of channels and tiers used by participants
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)
Question #2: Do you think top management in your organization understands the scale and scope of cybercrime today?
Yes No Not sure I don’t work for an organization
How big is the problem?
• That is hard to say and that’s part of the problem
• Hard to solve problems you can’t even measure
• What about the government? Don’t they quantify crime?
• Yes, but…
Cybercrime statistics
• Missing or inconsistent
• Too often rely on the private sector
• E.g. the $1 trillion loss
End of the line
Lacking in consistency
• The curve is always up
• But what does cybercrime really cost?
• Gen. Alexander’s $1 trillion loss number was not from NSA or the government
• Tyler/Savage study is a more realistic number
Tyler/Savage estimate of global cost of cybercrime
• Cost of genuine cybercrime: $3.46 billion
• Cost of transitional cybercrime: $46.60 billion
• Cost of cybercriminal infrastructure: $24.84 billion
• Cost of traditional crimes going cyber: $150.20 billion
• Total = $225.10 billion
Based on 2007-2010 data, authors disinclined to aggregate
Dollar losses from computer fraud cases
IC3 report, mainly US, mainly cases referred for investigation
[Chart: IC3 dollar losses from computer fraud cases by year]
Contrast with FBI non-cyber crime stats: Fewer bank robberies, less loot
Year          2003     2004    2005    2006    2007     2008     2009    2010    2011
Incidents     7,644    7,720   6,957   7,272   6,182    6,071    6,062   5,628   5,086
Average loot  $10,086  $8,268  $9,254  $9,996  $11,787  $10,198  $7,585  $7,643  $7,539
What do defenders need to know?
• The type of cyber crime to expect
• This is one area where we do have data
• Strategy to defend against them
• A layered defense
How do bad guys come at you?
Breaches per threat action category
2014 Verizon Data Breach Investigation Report
Not all threats are equal across sectors
• Each business needs its own risk assessment
• But threats clearly vary by industry sector
• Reduce risks more effectively by focusing on the ones that impact your organization
Frequency of incident patterns by sector: Construction
Crimeware 33%, Insider misuse 13%, Theft and loss 13%, Cyber espionage 13%, Everything else 13%, POS intrusion 7%, Miscellaneous errors 7%
2014 Verizon Data Breach Investigation Report
Different threats for different sectors
2014 Verizon Data Breach Investigation Report
Incident pattern columns, left to right: POS intrusion, Web app attack, Insider misuse, Theft/loss, Misc. error, Crimeware, Card skimmer, Denial of service, Cyber espionage, Everything else (each row carries only its populated cells, so a row with fewer than ten values has blank columns)
Accommodation 75% 1% 8% 1% 1% 1% <1% 10% 4%
Administrative 8% 27% 12% 43% 1% 1% 1% 7%
Construction 7% 13% 13% 7% 33% 13% 13%
Education <1% 19% 8% 15% 20% 6% <1% 6% 2% 22%
Entertainment 7% 22% 10% 7% 12% 2% 2% 32% 5%
Finance <1% 27% 7% 3% 5% 4% 22% 26% <1% 6%
Healthcare 9% 3% 15% 46% 12% 3% <1% 2% <1% 10%
Information <1% 41% 1% 1% 1% 31% <1% 9% 1% 16%
Management 11% 6% 6% 6% 11% 44% 11% 6%
3 or 4 threats dominate each sector
2014 Verizon Data Breach Investigation Report
(same columns as above)
Manufacturing 14% 8% 4% 2% 9% 24% 30% 9%
Mining 25% 10% 5% 5% 5% 5% 40% 5%
Professional <1% 9% 6% 4% 3% 3% 37% 29% 8%
Public Sector <1% 24% 19% 34% 21% <1% <1% 2%
Real Estate 10% 37% 13% 20% 7% 3% 10%
Retail 31% 10% 4% 2% 2% 2% 6% 33% <1% 10%
Trade 6% 30% 6% 6% 9% 9% 3% 3% 27%
Transportation 15% 16% 7% 6% 15% 5% 3% 24% 8%
Utilities 38% 3% 1% 2% 31% 14% 7% 3%
LAYERED DEFENSE
1. INFORMATION SECURITY POLICY
2. AWARENESS AND TRAINING
3. BACKUPS AND CONTINUITY
4. PHYSICAL SECURITY
5. AUTHENTICATION
6. ACCESS CONTROLS
7. MONITORING
8. FIREWALLS & FILTERING
9. ENCRYPTION
10. ANTI-MALWARE
11. THREAT INTELLIGENCE
12. AUDIT AND REVIEW
13. INSURANCE
INFORMATION SECURITY POLICY
• You might not think of policy as a defensive layer, but in fact, a well-rounded information security policy is critical to a layered defense
• Embodies your commitment to security and guides implementation of all the other security layers
• Also protects you and may clinch business deals
AWARENESS AND TRAINING
• Security policies and defensive measures are useless if your employees don’t know what threats the organization needs to defend against
• Security awareness for all and security training for those who need cybersecurity skills
• Security is everyone’s responsibility
BACKUPS AND CONTINUITY
• Having all of your files backed up and a copy of that backup stored in a safe place can save the day when all other defensive layers have been penetrated by the forces of evil or even sheer bad luck
• Make sure you have a backup of your facilities as well as your data
• And a Business Continuity Plan
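A backup only saves the day if the off-site copy is complete and unaltered when you need it. The script below, added here as an illustration and not part of the webinar or of ESET's tooling, builds a manifest of SHA-256 hashes for a live directory, copies it to an "off-site" location, and then verifies the copy against the manifest so that a missing or silently changed file is reported before a restore is attempted. The directory contents and the corruption it simulates are constructed for the example.

```python
"""Backup manifest and verification: hash every file, keep the manifest
separately from the backup, and check the off-site copy against it.

Added example; not from the webinar or from ESET. The files and the
damage simulated in demo() are constructed for illustration."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Return (problem, relative path) pairs; an empty list means the copy
    matches the manifest file for file."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(backup_root, rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
        elif sha256_of(path) != digest:
            problems.append(("corrupt", rel))
    return problems


def demo():
    """Back up a constructed directory, verify it, damage it, verify again."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "docs"))
        with open(os.path.join(live, "docs", "contract.txt"), "w") as f:
            f.write("constructed sample document\n")
        with open(os.path.join(live, "ledger.csv"), "w") as f:
            f.write("date,amount\n2014-09-01,100\n")

        manifest = build_manifest(live)           # keep this with the policy, not with the backup
        offsite = os.path.join(work, "offsite")
        shutil.copytree(live, offsite)
        clean = verify_backup(manifest, offsite)  # expected: no problems

        # Simulate a lost file and a silently modified one on the off-site copy.
        os.remove(os.path.join(offsite, "docs", "contract.txt"))
        with open(os.path.join(offsite, "ledger.csv"), "a") as f:
            f.write("2014-09-02,999\n")
        damaged = verify_backup(manifest, offsite)
        return clean, damaged
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("damaged copy:", after)
```

The manifest is the piece that makes the check meaningful: store it somewhere the backup process cannot overwrite (alongside the policy documents, or signed and kept off-line), otherwise an attacker or a faulty job that damages the backup can regenerate the manifest to match. Run the verification on a schedule and after every restore test, not just when the backup is first taken.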
PHYSICAL SECURITY
• Important layer of defense, one that too many organizations overlook
• Physical security for your digital devices can be tricky if they are in semi-public places, like a store or restaurant, but not impossible
• There are ways to reduce theft and its impact, from security cables to surveillance cameras to software
AUTHENTICATION
• Everyone using your systems should be accurately identified, preferably via multiple factors, such as a password PLUS a one-time token and/or biometric
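To make the "password PLUS a one-time token" layer concrete, here is a two-factor login check in Python, added as an example and not taken from the webinar or from ESET: the server stores only a salted PBKDF2 hash of the password, and the second factor is a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) computed from a shared secret using the standard library alone. The user record, the password and the shared secret are constructed; the secret happens to be the RFC 6238 test-vector key so the codes can be checked against the published values.

```python
"""Two-factor login: salted, stretched password hash plus a TOTP code.

Added example, not from the webinar or ESET. The account, password and
shared secret below are constructed for illustration."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000):
    """Store a slow, salted hash of the password, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes, rounds: int = 200_000) -> bool:
    _, digest = hash_password(password, salt, rounds)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps to absorb clock drift."""
    counter = int(at // 30)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed server-side record for one account.
SALT, PW_HASH = hash_password("correct horse battery staple")
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret, used here as sample data
USERS = {"alice": {"salt": SALT, "hash": PW_HASH, "totp": TOTP_SECRET}}


def login(username: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass: unknown user, wrong password or wrong code all fail."""
    at = time.time() if at is None else at
    record = USERS.get(username)
    if record is None:
        return False
    password_ok = check_password(password, record["salt"], record["hash"])
    code_ok = verify_totp(record["totp"], code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    print("login:", login("alice", "correct horse battery staple", totp(TOTP_SECRET, now), now))
```

In production the shared secret is generated per user with a cryptographic random source and delivered once (typically as a QR code), the acceptance window is kept small, and a used code is remembered for the length of the window so it cannot be replayed; the password check and the code check are both run so that a failure does not reveal which factor was wrong.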
ACCESS CONTROLS
• Once granted, access to a system needs to be controlled
• All employees don’t need equal access to every piece of data
• Assign access based on job function or role
• Privileges for anyone who leaves the organization should be terminated immediately
MONITORING
• You cannot maintain the security of a system if you don’t monitor it
• Use the logs: record the actions of users, tied to the identity they authenticated with on the system
• Don’t just turn on logging, but check the logs on a regular basis or get monitoring software that will do that for you
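The Access Controls and Monitoring layers reinforce each other: access is granted by role, a leaver's roles are stripped at once, and a regular pass over the logs checks that what actually happened matches that policy. The Python below is an added example, not code from the webinar or from ESET, and the roles, accounts and audit-log lines are constructed for illustration. Its review pass flags a successful access by an account after its revocation time (the sign that offboarding and the system's access list are out of step), successful access outside business hours, and denied attempts.

```python
"""Role-based access checks, immediate revocation for leavers, and a review
pass over the audit log that reports what a person should look at.

Added example; not from the webinar or from ESET. The roles, accounts and
log lines are constructed for illustration."""
from datetime import datetime

# Assumption: permissions attach to job roles, never to individual people.
ROLE_PERMISSIONS = {
    "cashier":  {("pos", "sell")},
    "accounts": {("ledger", "read"), ("ledger", "write")},
    "admin":    {("ledger", "read"), ("pos", "configure"), ("users", "manage")},
}


class Directory:
    def __init__(self):
        self.roles = {}        # username -> set of role names
        self.terminated = {}   # username -> when access was revoked

    def add_user(self, user, *roles):
        self.roles[user] = set(roles)

    def terminate(self, user, when):
        """Leaver: strip every role at once. The record is kept rather than
        deleted so later log entries can still be attributed to the account."""
        self.terminated[user] = when
        self.roles[user] = set()

    def is_allowed(self, user, resource, action):
        if user in self.terminated or user not in self.roles:
            return False
        return any((resource, action) in ROLE_PERMISSIONS[r] for r in self.roles[user])


# Constructed audit log: timestamp, authenticated user, resource, action, outcome.
AUDIT_LOG = """\
2014-09-03T08:01:12 alice ledger read ok
2014-09-03T08:04:40 bob pos sell ok
2014-09-03T17:55:09 carol ledger write ok
2014-09-04T02:13:51 carol ledger read ok
2014-09-04T09:30:00 bob ledger read denied
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, resource, action, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "action": action, "outcome": outcome})
    return events


def review(events, directory, business_hours=(7, 19)):
    """Findings for a human reviewer:
      stale-access  - successful access by an account after its revocation time
      after-hours   - successful access outside business hours
      denied        - a refused attempt (controls working, but the volume matters)
    """
    start, end = business_hours
    findings = []
    for e in events:
        when, ok = e["ts"], e["outcome"] == "ok"
        revoked_at = directory.terminated.get(e["user"])
        if ok and revoked_at is not None and when >= revoked_at:
            findings.append(("stale-access", e["user"], when.isoformat()))
        if ok and not start <= when.hour < end:
            findings.append(("after-hours", e["user"], when.isoformat()))
        if e["outcome"] == "denied":
            findings.append(("denied", e["user"], when.isoformat()))
    return findings


def demo():
    d = Directory()
    d.add_user("alice", "accounts")
    d.add_user("bob", "cashier")
    d.add_user("carol", "accounts")
    d.terminate("carol", datetime(2014, 9, 4))   # carol left on 4 September
    return d, review(parse_log(AUDIT_LOG), d)


if __name__ == "__main__":
    _, findings = demo()
    for kind, user, when in findings:
        print(f"{kind:13} {user:6} {when}")
```

In the constructed log, carol's 02:13 read on 4 September succeeded even though her access was revoked that day, so the system she reached was not consulting the directory: exactly the gap a periodic log review is there to expose. Whatever produces the real log, the review needs the same three inputs (who authenticated, what they did, and the current access list) and should run on a schedule rather than after an incident.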
FILTERING AND FIREWALLS
• When your employees use the Internet via company computers you should be filtering
• Firewalls can implement rules to control user activity as well as block many different types of attack on your network and devices
ENCRYPTION
• Even if someone penetrates your layered defense and finds the folder containing your most valuable secrets, a good encryption program will prevent them from reading it
• Use encryption on all sensitive data, not only when it is being stored on a server, but on endpoints like laptops, and in transit, like email
ANTI-MALWARE
• Today’s anti-malware suites use a wide range of techniques to detect and block incoming code that is malicious
• Deploy across all platforms, from mail and file servers to desktops, laptops, tablets, and smartphones, plus removable media like CDs and USB flash drives
THREAT INTELLIGENCE
• Need to know who is trying to steal data from you and the latest techniques that such felons employ
• Stay current with the ever-shifting “threat landscape”
• Use intelligence reports and services (attend webinars)
• Make appropriate adjustments to security settings as threats evolve
AUDIT AND REVIEW
• Defense never rests
• Not only do you need to respond to emerging threats, you also have to periodically check your current layers of defense
• Hire a penetration tester to verify that everything is locked down tight
• Review security strategy in light of new threats and adjust accordingly
INSURANCE
• Leverage your layered defenses with a cyber insurance policy
• These are becoming more widely available and can cover a range of potential problems
• Better premiums for better security
• Check with your business insurance agent for details
Is that all? No!
• Cybercrime is not your fault
• It is committed by criminals
• Government needs to do more
• All the governments, in all the countries
• Arrests, extraditions, sentencing
• Peace and prosperity
4 dimensions of society’s response to cybercrime
[Diagram: CYBERCRIME at the center, surrounded by TECHNOLOGY, LAW, KNOWLEDGE and DIPLOMACY]
We need to improve in all areas to reduce cybercrime
[Diagram: the same four dimensions, TECHNOLOGY, LAW, KNOWLEDGE and DIPLOMACY, around CYBERCRIME]
Thank you!
• www.eset.com
• www.WeLiveSecurity.com
• @zcobb
With special thanks to all my fellow researchers at ESET who work on the cybercrime problem, including Pierre-Marc Bureau and Alexis Dorais-Joncas
USEFUL LINKS (some are PDF)
Anderson/Tyler/Savage:
• Cybercrime cost paper
• Cybercrime cost slides
• RAND report on cybercrime markets
• Verizon Data Breach Investigation Report
• Cybercrime webinar recording
• Krebs on Security