Analysis: Mark Hughes, Security CEO at BT, and David Ferbrache, Technical Director at KPMG, on the new criminal entrepreneur.
Recently I wrote about ‘Hackers Incorporated: The enterprise which is your new competitor in business’, with HPE Chief Cyber & Security Strategist Tim Grieveson detailing how hackers are forming criminal organisations which mimic legitimate businesses with HR, R&D, Sales & Marketing and Operations.
Today, that message was reiterated by Mark Hughes, Security CEO at BT, and David Ferbrache, former Head of Cyber and Space for the Ministry of Defence and now Technical Director at KPMG.
At the assembled roundtable to discuss findings from the joint ‘Taking the Offensive – Working Together to Disrupt Digital Crime’ report, the key message was clear – ruthless criminal entrepreneurs, driven by a vast criminal dark market, are creating a constantly evolving threat to businesses. This constantly evolving market and constantly changing attack methods require a change in thinking from legitimate businesses. The figures from the joint research support such a call for a change in thinking.
97% of respondents had experienced a cyber attack, with half of them reporting an increase in the last two years. Despite this, just 22% said they were fully prepared to combat security breaches perpetrated by organised crime.
BT and KPMG called for the rethink to go beyond simply defending systems, and to focus instead on managing risk and being prepared for, and able to recover from, attacks. Both Hughes and Ferbrache called for organisations to rethink the digital security threat, with a key point being to think like an attacker. But in order to think like a criminal you must first understand the criminal and the world in which he or she operates.
Trying to define the criminality facing legitimate businesses today, Ferbrache said:
"I have a problem with the word hacker. Not so much the word itself, sometimes not even the people, but actually what it carries with it as a mental model. A lot of the people that we are up against are not casual hackers, some of them are, but for the bulk of the firms I deal with they’re not. We are up against quite sophisticated, organised criminality. Well-structured, real businesses, very efficient and very effective."
Ferbrache went on to highlight how organised crime had discovered the cloud, moved away from old techniques such as botnets and had created a veritable ransomware explosion in the market. This all goes against the traditional opportunistic stereotype of a hacker, giving way to the threat we face today – that of a financially savvy, sophisticated enterprise.
Not only has sophisticated criminality changed the threat facing businesses today, but it has also given rise to three distinct tiers of the cyber underworld, as defined by their targets. At the top level, there are the high-end targeted assaults on financial systems – such as the one on the Bangladesh central bank. The second tier sees more regular attacks on businesses and high net worth individuals, while the third tier targets us all. Commoditised attacks against everyone see campaigns targeting hundreds of millions of victims who could lose anything from $100 to $10,000. Just like any business, in each of these tiers, criminals map the risks against the payout – it’s all about return on investment.
But what of the criminals operating in this cyber underworld? Hughes and Ferbrache were keen to reiterate that these criminals are best likened to a ruthlessly efficient entrepreneur or CEO, trading in the rapidly evolving dark market. So how is the criminal CEO running their business, and who do they employ?
Ferbrache said: "Think of it as a federated business model. So will you find a kingpin at the heart of it? Well, yes you absolutely will because they are the ones with the ideas in terms of the exploitation routes, what they are going to target and how they are going to monetise."
Under this kingpin, Ferbrache said, there will be numerous groups of people with specific jobs. There will be people developing vulnerabilities and exploits to order, while others will be providing attack capabilities such as DDoS by the hour. Others in the criminal enterprise will sort out the money mules and how to cash out or launder the money, while others in the organisation will be tasked with recruiting, setting up and running the call centres.
"The model you are getting is a phenomenally federated structure," Ferbrache said.
"The way you have to look at these organised crime groups is that most of them are running a portfolio of operations – it’s a little bit like the old days in the mafia. You are running a whole series of operations – doing drugs potentially, you would certainly engage in fake pharmaceuticals, you would probably be running gaming sites, you might even be running your own bitcoin exchange. Oh, and still stealing and monetising information – the whole thing becomes a big organised crime cartel.
"There is not one single group, it’s a federated model. Think black market, think very efficient economy and think transnational."
For Hughes, hackers have upped their game and created these sophisticated ecosystems because "people are aware of the threat. Organisations have been doing a lot to protect themselves, so these organisations therefore have to morph and change the way in which they go about doing things."
But businesses have to fight back, adapt and evolve like the criminals, with Hughes calling for businesses to interrupt and disrupt the business model of the cyber criminal enterprise.
"With cyber-crime continuing to escalate, a new approach to digital risk is needed – and that means putting yourself in the shoes of attackers. Businesses need to not only defend against cyber attacks, but also disrupt the criminal organisations that launch those attacks," Hughes said.
One method of disruption, as detailed in the KPMG-BT joint report, is for businesses to gain the upper hand over criminals by participating in the ‘ransomware arms race.’ Using the Locky ransomware as an example, hackers and security professionals were engaged in a tug-of-war, with the polymorphic design of Locky foiling anti-virus tools. An effort to reverse-engineer the malware stopped it for a short time, but Locky was then adjusted to beat these measures.
This is just one way in which the cyber crime business model can be disrupted, but for Ferbrache, ultimately businesses need to "look at the model of how organised crime groups make money and think about how you make it more difficult for them, raise the costs of them doing business and make them look elsewhere and sometimes even put them out of business. That’s a different mindset."
While organisations need to accept, as Hughes put it, "that there is no absolute protection", there do need to be plans and exercises in place for when breaches happen. Anticipate the more sophisticated attacks and create a closer working relationship between security and fraud control teams to block attack patterns and detect cyber fraud. Businesses also need to identify where the value sits in their organisation: what needs to be protected? What would a criminal target? What is the most likely attack scenario? Play it out, plan and prepare.
In a similar way in which a business would measure a competitor in the market, businesses need to understand the threat they are facing. Ruthless criminal gangs, operating without the burden of regulation and ethics, are looking for the best return on investment. The question is, can you think like the bad guy and put them out of business?