Building a Higher Order of Security Intelligence 2: Cybercrime Trends

Francis deSouza enumerates here the new trends affecting the entire cyber threat landscape, including multi-flank attacks, “bulletproof” hosting providers, etc.

So, what are the new trends we’re seeing across those stages?

Multi-Flank Attacks

Well, in the last year we’ve seen a growth in the number of campaigns that use what we call multi-flank attacks. What that is – is that the attacking group will run multiple attacks against an organization with the intent of confusing or distracting the security teams from the real purpose of that attack.

In one campaign we saw recently that attackers were running against a set of European regional banks, what the attackers did was they’d run a denial-of-service attack against the bank at around 5 o’clock on a Friday, and while the security teams in that bank were focused on dealing with the bandwidth starvation, the compute starvation that was happening and trying to keep their online site alive, the attackers then had a spear phishing led attack that got them into the enterprise, and they were really focused on stealing account information, credit card information, and debit card information.

Outcomes of the multi-flank attack

So we’re seeing the growth in the number of these multi-flank attacks. What the attackers in that case did then was they created fake ATM cards, and then they went to an outsourced provider of money mules: individuals that took those ATM cards and went to ATMs around the world and drained bank accounts.

Those money mules weren’t working for the attacking group; they were part of an outsourced team. They, in fact, had no idea about the end-to-end operation. And in this case the attackers specified that they wanted money mules with lower than average IQ with the idea that not only would they not know about the rest of the attack, but the attackers wanted to make sure they were stacking the odds and they wouldn’t figure out the rest of the attack.

Evolving Cybercrime Ecosystem

Now, this is part of a bigger trend that we’re seeing. We’re seeing the evolution of a pretty robust ecosystem to provide the services associated with the various stages of an attack. It is now possible, for example, to contract out the development of sophisticated cyber weapons to developers in Europe, and it’s also possible to hire unskilled money mules to launder money and carry it through international airports.

Next, we’re seeing a big trend around the rising sophistication of the backend infrastructures that run these environments. In fact, it’s an interesting question, right? How do you run a large data center that gives you the compute power, the storage power and the bandwidth to run these large-scale operations when you have a lot of the law enforcement agencies of the world chasing you: the FBI, Interpol?

And what we’re seeing, in fact, to address that need is the growth of “bulletproof” hosting operations. What’s a bulletproof hosting operation? Well, it’s a sophisticated backend infrastructure, can be housed across multiple countries, and the countries are chosen such that they have a softer regulatory and enforcement environment. And then the operators will layer in many layers of obfuscation, such that it’s hard for the enterprise that’s targeted, or for law enforcement, to actually figure out who and where the attack is coming from.

Now, we’ve seen a lot of growth in the number of these “bulletproof” hosting providers over the last year, and in fact the growth has been so dramatic that it’s caused the offering to become commoditized, and actually caused a drop in the prices associated with this capability.

Forums offering 'bulletproof' hosting service

Typically, these vendors will price their offering by bandwidth and by the level of commonality, basically, of the content of the operation that you’re trying to run.

If you look here, for example (see right-hand image), you’ll see a forum posting, where they’re actually offering a bulletproof operation for anything you want except child pornography, and the pricing is $85 a month. So you can see how prices have dramatically dropped around this capability, because we’ve seen demand grow so much.

Malware Targeting Non-Traditional Systems

Another big trend that we’re tracking is the growth of malware that targets non-traditional environments, so, not PCs. You hear a lot of talk about mobile malware and certainly that’s a big trend we’ve been watching over the last year. But we’re also seeing a trend around malware that targets water utilities, power plants, lots of systems that are non-traditional systems.

It’s clear that this Internet of things has bad things in it too, and it’s attracting the activities of criminals and hacktivists. And we were reading over the last year that a leading electric car company, for example, did its first over-the-air software update. Now, that’s mostly a good thing, but it also means that we need to be more thoughtful going forward.

Rising Warfare Powers

A few dozen countries used to be capable of running cyber warfare operations

Another big trend we’re seeing is what we’re calling sort of the rising powers. Now, even as late as two years ago, there was a very strong correlation between a country’s ability to conduct kinetic warfare – so, bombs and planes – and their ability to conduct cyber warfare. The reality was – it was really the top two dozen countries that were capable of running a cyber warfare operation.

Now, that’s changed dramatically over the last two years. Most countries now have a cyber command, and in fact, with the emergence of contractors that are capable of producing cyber weapons, or, in a lot of cases, repurposing existing cyber weapons, most countries also now have access to very sophisticated cyber weapons.

In fact, it’s interesting that a small country today can disrupt the operation of a country that is 1000 times bigger than it in GDP over cyber warfare in the way that they, frankly, could never over kinetic warfare.

Not only are we seeing more countries enter the threat landscape, but we’re seeing organized criminals act in a more sophisticated way. A lot of their operations are becoming military grade because they have the resources, and now they have access to the same set of weapons.

And as the number of actors in the landscape increases, the motivations and the targets have become more diversified. What was a preparation for war, or, in some cases, an act of war, now can also be an act of espionage, an attempt to move currencies, or rig markets.

Read previous: Symantec’s Francis deSouza on Building a Higher Order of Security Intelligence

Read next: Building a Higher Order of Security Intelligence 3: The Role of Situational Awareness
