IP Expo Europe: They know how we operate - what cyber-crime looks like these days

In the war against cyber-crime, the security professionals are in danger of falling behind in the innovation race, James Lyne told an audience at IP Expo Europe.

James Lyne, Sophos' global head of research

Self-help advice for the cyber-criminal? James Lyne, Sophos' global head of research, talked to an eager audience on the second day of IP Expo Europe in London on the "6 habits of highly successful cyber-criminals".

In fact, there were so many people eager to hear Lyne that they filled up not one but two lecture theatres.

Lyne gave that expectant audience a lesson in weighing the gap between the assumptions of the general public and cyber-security professionals against the skill, adaptability and creativity of cyber-criminals. The former too often comes up short.

It wasn't all dour: Lyne started by acknowledging his "amazement at the sheer volume of malicious code" he saw every day, and the new developments in technology that allowed the "starving of the traditional mechanisms the cyber-criminals use to distribute malware".

As ever, though, the problem is escalation. While cyber-security has stepped up its game, so have those seeking to compromise it. And they're getting creative: they "evolve their models, not just their attacks", said Lyne.

It's now an all-but-legitimate business, said Lyne. More and more, professionals like Lyne see the spread of crime-packs: ready-to-use hacking toolkits offered for sale.

Ahead of the game as always, the bad guys have also moved to selling services: "Cyber-criminals don't want to buy software, so they've moved to a new managed service model."

That's not where they stop acting like a legitimate business either: they collect business intelligence on how effective their malware is, they offer multiple pricing models and sometimes even money-back guarantees.

Yet another insight Lyne has gleaned from his work is "they're not as bad at social engineering as you would think". As is so often the case in cyber-security, you can have the greatest protection possible, but the human will always be the weak link in a supposedly unbreakable chain. The 419 scams that still operate today might have been easier to spot and easier to dismiss, but the same principle is active here.

Hackers will now try to lull you into a false sense of familiarity. They send emails that look like they might have come from your company's HR department, alerting you to the fact that you are being 'investigated' for some workplace violation.

They send scams that look like VAT receipts and Amazon orders, even police incident notifications. It isn't too hard to imagine someone clicking on an 'urgent message' and finding themselves an unwitting victim.

But how to deal with this new, adapted, evolved form of adversary? We'll have to get around our "preconceived notions of cyber-criminals," said Lyne. Old tropes like "Java is the enemy" no longer apply. That particular vulnerability became obsolete once Java released a small update, yet many professionals still fear it. Now, "they've moved onto Adobe Flash."

"They know a surprising amount about how we operate," he reminded delegates.

It is often assumed, without evidence, that cyber-criminals' success is a result of the sheer volume of attacks they launch, the assumption being that they only need to get lucky one time in a thousand. Lyne argued that they are actually more patient and more targeted than that.

"They know we're looking for the bad stuff," he said, so they can all the more easily decoy us. This new generation of cyber-criminal behaviour is "more future looking than we would think".

Signing off, Lyne shared with the crowd a recent experiment and a word of warning. A short while ago, he bought roughly five grand's worth of Internet of Things (IoT) products: cameras, dolls that talked back to you and a whole host of other strange networked, and thus hackable, products.

He put that five grand's worth of toys in front of a room of "relatively talented penetration testers". Nothing lasted for more than twenty minutes.

So why haven't we seen more of this from malicious attackers? The real reason IoT hasn't been hacked more often is not that attackers can't, but that cyber-criminals haven't figured out a way to make it useful yet. We'll see if they do.