Criminal Education 2: The Cybercrime Ecosystem

In this part of the keynote, Art Gilliland analyzes why enterprises are vulnerable and how the data breach cycle typically unfolds.

We are predictable to adversaries

So let’s start by understanding a little bit more about us. Let’s discuss a little bit about how we are seen by the adversary. We are incredibly predictable to our adversary. We’ve defined our capabilities with a standard, whether it’s ISO 27001 or our PCI standards, or many of the other kinds of standards that we use. We’ve defined our capabilities along these standards, and we’re proud of it when we meet compliance.

And to be fair, we’ve done a phenomenal job as an industry of raising the low bar. These regulatory requirements, or these frameworks, have helped us raise the low bar. However, we should not be aspiring to the low bar, not when you’re competing with this type of adversary. And so we need to be thinking about that as we go through; this is something they count on. We’ve given them, through compliance, a roadmap to our defenses.

The second thing they know about us is that for us to fulfill our roadmap, for us to go along this roadmap, we must behave within budgetary cycles. And so, building our capabilities slowly towards this end goal of compliance with these regulatory requirements or industry frameworks, we follow a pattern.

We are incredibly predictable to our adversary.

They know that, they can use it, they can be very disruptive to this pattern. As they innovate, they attack us in some new way that the standard is not capable of defending against. And so we rush to fix that, leaving some of the other projects behind because we can’t get to these things that we probably are still needing to do, but we rush because they’ve got this new technology attacking us in a new way, and our budgets don’t let us do both.

Stitching technologies together

And because we’ve added all these different technologies and all these different categories, we are left to stitch those things together, partly because the technologies are different, and partly because the ways we implement those technologies are in different functional departments in our organization, whether it’s data center operations, or network operations, or others. Being able to respond quickly to see what’s going on and to remediate fast requires a much bigger audience within our organizations. And they count on that; they know it’s going to take us a long time, they know we can’t see everything. And that’s how they exploit us.

Main types of adversaries

So let’s take a look at them and what we know, and talk about them. In our industry, and definitely in the recent past, we talk a lot about the individual actors. We talk about cyber criminals, we talk about nation state attackers, we talk about the hacktivists.

And while interesting and definitely press worthy, I think it’s a bit of a red herring for us in terms of trying to figure out how we should defend ourselves. In fact, it’s the intersection of those adversary actors that is the challenge for us. This adversary that we face is actually a market. It’s a market with a distinct process, and I’ll talk about that process in a second. But that market has a distinct process around it, and that’s the process of breaching our environments and stealing our data, for the most part.

This market does what a lot of markets do, which is, it organizes the actors, it organizes the participants. And now you have nation states and hacktivists, who hate each other, working together in a marketplace to share information.

This ecosystem is incredibly efficient at creating, sharing and acting on its security intelligence.

And just like in all markets, you make more money if you specialize. If you’re excellent at one of the steps, you can differentiate in that market, and you can make more money. And so we see massive specialization around each of the stages of this process. And what is this process really good at? And this is the killer, I think, for us: this process is really good at monetizing the sharing of information. This ecosystem is incredibly efficient at creating, sharing and acting on its security intelligence. And that’s creating a huge burden for us, because they’re way faster than we are.

What should we do about that? We’ve talked a little bit about the standard that we use and the way in which we define our capabilities. But I think the way to get more clarity around that is to look more deeply at the process they use.

So what is the process that they use to define their attack? I use a very simple one; this isn’t super sophisticated or complex. It was actually created by Lockheed Martin, I believe, about 6 years ago. Maybe I’ve paraphrased it a little bit, so forgive me if there are Lockheed Martin people in the audience and it’s not exact.

Attackers tend to build profiles of the attacked

What happens in this criminal market is there are experts who understand how to build profiles, profiles of the attacked. And so I’ll give you an example of how this could work: I want to attack company X, I’m really good at building profiles, I figure out who the top executives of that organization are, I start looking at their Facebook posts, I go on to LinkedIn profiles, I create these profiles. I know who Art’s friends are, I know what kinds of things he likes to do, I can see the pictures from where he’s been, Art may even check in at restaurants when he travels around the world. I get a ton of information about Art that makes him really easy to attack, because no one else should know that data. Only people that really know me should know, so they spoof a friend, and they have that.

Purchased profile getting exploited

They put their hand upon the Internet and they say: “I’ve got the profiles of the top 50 people of X Company; who would like to buy that?” And the next person in line who’s really good at breaking in says: “I’ll buy those profiles; they’re better and it’s way less time for me just to buy them than to actually build them myself.”

And they either build their own toolkits to attack you, or they use a toolkit that they buy or rent, or they rent one of the botnets that are out there to bang away on your websites. And they break in. And then after they get enough of these locations, they may own this, and this may be why the time it takes for us to find them is 416 days. They just enter, and they sit, and then they put their hand upon the Internet and they say: “I’ve got 50 access points; who would like to buy that?”

Corporate data retrieval

And then the person who’s really good at using those access points, figuring out where your sensitive data is, being able to map your environment, figure out your configurations – they create this map, they stick their hand upon the Internet, sell it to the next person, and so forth to get your data out, which then gets monetized and feeds this entire ecosystem (see images).

Completion of the cycle

And so, that process – I’ve described it as very specialized. Are there vertically integrated bad guys? Absolutely, there are people who do all of this; nation states may do all of this. But if someone is more efficient and more effective at doing one of those stages, why wouldn’t you just buy it?
