Last year, the then City of London Police Commissioner, Adrian Leppard, explained to SC Magazine that the force had adopted a new approach to cyber-fraud, with an emphasis on disrupting criminal activity as soon as it was identified rather than on lengthy monitoring or infiltration to catch the perpetrators.
A research report from KPMG and BT, Taking the Offensive: Working Together to Disrupt Digital Crime, calls on businesses to adopt a similarly aggressive approach. The emphasis needs to switch from defending (which is still necessary) to taking an offensive approach that disrupts cyber-criminals' activities and minimises their ability to monetise and cash out on their crimes.
At a press briefing, David Ferbrache, technical director of KPMG's cyber security practice, told delegates: “Cyber-crime needs a different approach. How do you take the fight to the criminals? It needs a shift in mentality of thinking, and ends with a different approach to practical steps.”
BT's global network traffic was canvassed, revealing an astonishing rise in digital crime, and 97 percent of the respondents surveyed had experienced a digital attack. Yet, as Mark Hughes, president of BT Security, BT Global Services, noted, only 22 percent believed they were fully prepared for what is happening. Some 71 percent believed they had appropriate procedures and tooling, but only 30 percent understood what the tools were doing and how they should be used, with Hughes emphasising that practical steps could have a dramatic effect on outcomes. He commented, “It's not just a threat but the reality of what's happening.”
Ferbrache noted that criminality is the main threat and should be seen as such: criminals should be treated as ruthless opponents, unconstrained by law, regulation or morality, and willing to blackmail or bribe staff. He repeated that the fight should be taken to the attackers, working in partnership with others, developing agility and defining the role of the CISO to make it fit for purpose.
The mental model of the lone hacker also needs to change. “We're up against sophisticated organised criminality that's well resourced and efficient,” said Ferbrache. He noted how attack patterns have changed: for example, botnets were once used to give DDoS attacks capacity, but now organised crime has discovered the cloud. While ransomware has exploded, the individual cash-outs are low, but they scale. Elsewhere, criminals are moving up the pyramid, with CEO fraud more common and criminals spending more time on targeting, using social media to cultivate targets over time. Organised crime was also getting more financially savvy: whereas previously they were technically good but two-factor authentication had been a challenge, they now understood better where the value lay and how to access it, and focused their resources accordingly.
Attackers were described as coming in three tiers, with very organised and well orchestrated groups at the top, e.g. the Bangladesh SWIFT attackers. Tier two is those targeting CEOs and high net worth individuals with whaling attacks; then come commoditised high-volume attacks such as ransomware, often with complex support, effectively a help desk to help you pay and decrypt your files. Ferbrache observed, “You need to look at them as you would a competitor – how would you take them on? How would a competitor view your value? Understand the risk to your business, the financial impact. It's not a tech issue, it's exposure as a business risk.”
The police Fraud Team approach was put forward as an example of how to fight this opponent, but it requires organising ourselves better. While the financial services and intelligence sectors are well developed, others are less so, and yet others have no protection, with a lack of detection and little understanding of the modus operandi of potential attackers. And given that breaches will happen, organisations should get the tools and procedures in place to respond, outthink the criminals when the attack happens and interrupt their business model.
The scale of defence also needs to match that of the attackers, who are increasing their R&D spend, while 60 percent of decision makers at defending organisations report that their organisation's cyber-security is currently financed by the central IT budget, and half of those think it should come from a separate security budget.
Finally, the advice was to look at how the landscape is changing and what works. The takedown of GameOver Zeus, for instance, imposed a cost on the organised crime groups behind it. Look at how they make money and raise the cost of doing business to make them look elsewhere. Stop commoditised attacks. Don't just look at your key assets, but consider how they will be exploited. Take a holistic approach and link the fraud, the theft and how the stolen credentials will be used and monetised, and block their accounts. This could also include monitoring the infrastructure of criminals, their emails and their exfiltration routes. Both government and law enforcement could go further.
To achieve this a different relationship is needed between business, law enforcement and government, helping business disrupt patterns of attack, stop the monetising and cashing out. Protection, detection and response should be carried out in partnership between government and industry. Attacks spotted at an early stage should be disrupted quickly. This also needs cooperation between banks, telecoms and retailers, since the banks understand payment, telcos understand the communications, and retailers understand the end usage, and those with the different parts of the picture need to collaborate and take a more fraud-centric and self-interested approach.
Consequently, Hughes says, “Businesses ... should certainly work closer with law enforcement as well as partners in the cyber security marketplace.” He noted that criminals are quick to exploit vulnerabilities, so the partnerships need to be created in a way that allows rapid response, with good scenario planning and the whole chain operating quickly, despite the fact that this would likely be complicated and need trust to be built between competitors. Surprisingly, given that government has sought to encourage such an approach, Hughes reported that half of respondents said one of the main things hampering their ability to respond is regulation. “Regulation potentially creates blocks to agile response – and more regulation could be counter-productive to tackling what's out there, [hindering] ...ability to work together. The need is to pragmatically respond to what's happening,” says Hughes.
Also, 45 percent of respondents said they lacked the right skills to do this, not just technical skills but the ability to understand the problems and how the data was monetised, while 38 percent had inflexible processes and 46 percent blamed legacy IT.
Hughes added that mitigating factors could include cyber-insurance, which would put a value on the cost of attacks.
The oft-heard complaint that some technically oriented CISOs don't engage with the business function was raised once again, and even the term cyber-security was viewed as getting in the way of simply balancing the risks and opportunities of digital. Digital was seen as creating opportunities by 92 percent of respondents, but it always carries a cyber-risk, which needs to be evaluated early on, and there needs to be a risk strategy covering fraud and business scenarios. Effectively the call was for a chief digital risk officer (CDRO), and although 26 percent of respondents had already appointed a CDRO, the title was seen as less important than agreement that the emphasis needs to be on response and recovery: what the consequences of a breach might be, and how to respond and retain customer confidence. It was seen as a different style of role, demanding flexibility and agility, and an emphasis on protection, detection and recovery, plus partnerships, with the recognition that the opponent is organised crime.