Cybercrime in the UK is a booming business, with more and more individuals turning to the dark web to exploit lucrative, illegal activities. According to the latest stats from the Office for National Statistics, nearly two million cybercrime incidents were recorded in the UK in the year ending September 2016, with this number only expected to go up year-on-year.
As with any crime, the focus is on authorities and businesses to detect, trace, monitor and apprehend the crook. However, the cyber criminal is a new type of lawless individual who requires a whole new set of rules.
Those who may know me are aware that I am a huge fan of procedural crime dramas – having watched so many that I now consider myself a fully-qualified FBI profiler. As all profilers know, you must understand the criminal before you can catch the criminal. As such, I sat down with Gunter Ollmann, CSO at Vectra Networks, to understand how to catch a cyber criminal and fight cybercrime.
EB: What percentage of cybercrimes are detected?
GO: The percentage of electronic crimes detected is highly variable. Depending upon the nature of the crime and its severity, detection may be high or low. The first point to note with cyber crime is that you must have the tools to detect the crime in the first place. Many classes of threat require specialised detection systems. Without the apparatus to detect, the probability of the crime going undetected is 100 per cent.
For example, an organisation that doesn’t monitor its network traffic for SQL data and hasn’t enabled auditing on its database servers will have no detection capability to discover who has accessed its customers’ personal information and what was stolen. The problem is exacerbated in residential networks – where there is typically no detection technology deployed – and all crimes go undetected until the consequences of the loss are stumbled upon, e.g. a bank statement through the mail shows fund transfers.
EB: Is there such a thing as a perfect cybercrime?
GO: The perfect cybercrime would require the physical destruction of all evidence of the electronic crime – assuming the expectation is that the attacker was never identifiable. If the “perfect crime” was defined as successfully acquiring the stolen funds in a way that the victim cannot recover them, but being OK with eventually being discovered, then that is substantially easier.
Many software engineers and security personnel working in large financial and insurance institutes know their company’s internal audit practices and know how they could extract billions of dollars in short order, and how to transfer that money to international holding accounts within the windows of time in which their company is vulnerable between audit processes. That money will eventually be discovered as lost by the organisation. Ensuring that the money is unrecoverable by the victim entails rapid laundering through multiple international accounts and transference into physical assets such as bearer bonds, artwork, etc.
EB: How is it possible to trace cyber criminals?
GO: Digital crime always leaves a trail; however, a skilled adversary can often alter and delete that trail with ease. But, when they do, they leave alternative evidence of their cover-up. There is a growing industry focused on threat actor attribution – where characteristics of the attack (e.g. tools, location, pace, destination and infection vector) can help provide an electronic identity of the attacker or hacking group.
This level of attribution allows organisations to attribute attacks to a group. It is much harder to label individual human beings as members of the attack group. Attribution to an individual usually requires substantial social engineering and human intelligence processing to close the noose.
EB: How can you track tools like VPNs and Tor networks?
GO: There are multiple vectors for compromising the anonymising and cryptographic security of Virtual Private Networks (VPNs) and Tor networks. The most common method is subversion of the criminal’s computer at the host level – before items are encrypted and sent over the wire. This is predominantly done via malware or other lawful intercept agents and backdoors.
If it is not possible to subvert the host, for VPN tunnel infiltration law enforcement (or an attacker) can seek to subvert the Domain Name System (DNS) and certificate authorities and man-in-the-middle the VPN connection – and ensure that no alerts are displayed to the target (because of the DNS and CERT modifications). Such activity requires a fair amount of coordination, but is easy enough for government agencies. For Tor networks, one vehicle for law enforcement is to have visibility of the network traffic of the target, which will be encrypted and unreadable, and to also be monitoring a high percentage of the Tor exit nodes – and to correlate the traffic requests with the traffic exiting the Tor node.
EB: What are the most common threats you are seeing?
GO: Ransomware continues to be a global scourge. Having observed the internal traffic of hundreds of corporate networks, we see ransomware being the most common malware family – some of which get dozens of new infections every day. It’s the attack vector of choice for bad actors as it provides the fastest way for an attacker to monetise an attack through bitcoin.
Attacks will grow more intelligent by targeting high-value digital assets, including surveillance cameras, phone systems, security systems and other business Internet of Things (IoT) devices. In 2017, new forms of ransomware will become the biggest headache for security response teams and the business driver of growth in cybercriminal income as it automatically and rapidly extorts money from enterprises.
EB: Who are the experts who help the authorities catch the cyber criminals?
GO: Many cyber security vendors maintain threat research teams that constantly review and assess the intelligence sources they uniquely have access to. For example, we have the Vectra Threat Labs research team, who take unexplained phenomena seen in customer networks and dig deeper to find the underlying reasons for the observed behaviour. When possible, these research teams try to engage with law enforcement and share their attribution data. There are restrictions on source confidentiality but generally, for the most vile crimes (e.g. child pornography distribution), it is easy to get consent from customers to share that data anonymously.
There are other experts who dedicate their personal time and resources to working with law enforcement on crime attribution and provide expert testimony when asked. This community of experts is relatively small but very good at what it does and generally looks for new ways to help law enforcement. Some of the best work in attribution comes from experts who manage multiple underground personas and socially engineer suspects into providing evidence of their crimes – due to boasting and attempts to monetise their stolen cyber gains.
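The point Ollmann makes early in the interview, that without database auditing there is no way to learn who accessed customers’ personal information or how much was taken, is worth seeing in concrete form. The following is an added illustration, not code from the interview, from Vectra Networks or from any product the interview mentions. It assumes a generic, line-oriented database audit log whose format (timestamp, user, client host, rows returned, statement) and whose table names (customers, customer_addresses) are constructed for the example; a real audit log would need its own parser, but the two questions it answers (who touched the PII tables, and who pulled an unusual volume from them in a short window) are the ones auditing exists to answer.

```python
"""Toy detection pass over database audit-log lines (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records. The format is an assumption made for this
# example, loosely modelled on a generic SQL audit log; it is not a real product's format.
SAMPLE_AUDIT_LOG = """\
2016-09-01T09:02:11Z user=app_svc host=10.0.5.20 rows=1 stmt=SELECT name,email FROM customers WHERE id=4411
2016-09-01T09:02:12Z user=app_svc host=10.0.5.20 rows=1 stmt=SELECT name,email FROM customers WHERE id=4412
2016-09-01T23:41:05Z user=report_ro host=10.0.9.77 rows=250000 stmt=SELECT name,email,card_last4 FROM customers
2016-09-01T23:41:09Z user=report_ro host=10.0.9.77 rows=120000 stmt=SELECT * FROM customer_addresses
2016-09-02T08:15:30Z user=dba_alice host=10.0.1.5 rows=0 stmt=UPDATE customers SET email='x@example.org' WHERE id=7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.+)$"
)
# Tables that hold personal data; constructed names for the example.
PII_TABLES = {"customers", "customer_addresses"}
# Crude extraction of table names following FROM/JOIN/UPDATE/INTO (enough for this log).
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_audit_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    rec["tables"] = {t.lower() for t in TABLE_RE.findall(rec["stmt"])}
    return rec


def accesses_to(log_text, table):
    """Answer 'who touched this table?': (timestamp, user, host, rows) per statement referencing it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and table.lower() in rec["tables"]:
            hits.append((rec["ts"], rec["user"], rec["host"], rec["rows"]))
    return hits


def find_bulk_pii_reads(log_text, row_threshold=10000, window=timedelta(minutes=10)):
    """Flag (user, host) pairs whose SELECTs against PII tables return at least
    row_threshold rows within any sliding window of the given length.
    Returns one alert per actor carrying the peak windowed row count."""
    recs = [r for r in (parse_audit_line(l) for l in log_text.splitlines()) if r]
    by_actor = defaultdict(list)
    for r in recs:
        if r["stmt"].lstrip().upper().startswith("SELECT") and r["tables"] & PII_TABLES:
            by_actor[(r["user"], r["host"])].append(r)

    alerts = []
    for (user, host), reads in by_actor.items():
        reads.sort(key=lambda r: r["ts"])
        start, total, peak = 0, 0, None
        for r in reads:
            total += r["rows"]
            # Slide the window forward so that it never spans more than `window`.
            while r["ts"] - reads[start]["ts"] > window:
                total -= reads[start]["rows"]
                start += 1
            if total >= row_threshold and (peak is None or total > peak["rows"]):
                peak = {"user": user, "host": host, "rows": total,
                        "first": reads[start]["ts"], "last": r["ts"]}
        if peak:
            alerts.append(peak)
    return alerts


if __name__ == "__main__":
    for ts, user, host, rows in accesses_to(SAMPLE_AUDIT_LOG, "customers"):
        print(f"{ts.isoformat()} {user}@{host} rows={rows}")
    for a in find_bulk_pii_reads(SAMPLE_AUDIT_LOG):
        print(f"ALERT bulk PII read: {a['user']}@{a['host']} rows={a['rows']} "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
```

On the constructed log the per-row application reads stay under the threshold, the late-night reporting account that pulls 370,000 rows from two PII tables within four seconds is flagged, and the DBA’s UPDATE is listed as an access to the customers table without raising a bulk-read alert. The threshold and window are the tunable parts; in practice they are set from a baseline of normal per-account read volumes rather than the fixed values used here.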