Trustwave’s Nicholas Percoco is now shifting the focus of his keynote over to phases of the cybercrime process targeting organizations for data breaches.
There are some of the other examples here that we’ll talk about, but really what I want to do is talk closely about the process. Now, these are businesses. These criminal groups run businesses, and the criminal gangs and the attackers are not just a small band of people that are sitting together in a warehouse or a basement someplace. And in fact, there are correlations of all the various investigations; we actually tie the investigations back to 6 different cyber gangs. These 6 different cyber gangs run their operations just like a legitimate business; they follow legitimate processes and have very robust procedures in order to infiltrate their victims, extract the data that they need, and then make money from doing so.So, the first step in this process starts with greed, starts with money. Many of the members of these criminal gangs have advanced degrees; they have computer science degrees, computer engineering degrees, but they live in countries where the economy is horrible, where they’re not able to get jobs in the field that they actually have their degrees in. So they go and they join various organizations so that they can actually make money, so that they can buy cars, they can buy clothes, they can buy fancy homes. And they’re drawn to these organizations because that’s the only way they can make a good living. The next phase is victim identification. We talked about how the criminals can go out and find various victims very easily; there’s basically a sea of opportunity for them, there’s no shortage of victims. They literally can identify victims and put them in their target list every single day, and for the rest of their lives they would never run out of victims in order to fuel their businesses. So, once they identify a victim and they find a victim that they want to compromise, they basically go and infiltrate them. And they use different mechanisms in order to infiltrate, the methods of attacks that we’ve talked about. They’re not burning zero-days in order to get into these organizations. They’re basically infiltrating them via low-hanging fruit type means, and once they get access, they’re diving deeper. We used to see about 5 or 6 years ago that organizations would get infiltrated and the attackers would find a database, or find a flat file, they would grab it, and they would leave, they’d never come back again. But today we see a great deal of persistency: once the attackers get into your environment, they want to propagate to other areas of the organization, they want to find various data sources, they want to latch on to those data sources and be there for a very long period of time, because the more data they can harvest out of your organization the more money they’ll make. You become, basically, a natural resource to them. Once they’re inside the environment and they’ve propagated, now they’re going to start aggregating data. We often see the criminals being very bold. As you can see in these icons here, they’re gathering data from various systems in your environment, but they’re not leaving your environment with it, at least at first. They’re extremely bold: they compromise the server, your data center or workstation someplace, and that will be the aggregation point, that will be the place where they take all the data, they dump all the data there and actually keep it there until they’re ready to exfiltrate it. We actually had a case in the last 18 months or so where an organization was infiltrated and the data was being stored on the server, it was accumulating very rapidly, and the system was running out of disk space. Well, bells and whistles went off and the IT folks came by, checked up the system and deemed that it was running low on disk space, so they added a new hard drive to the system. And that process happened 2 or 3 times until someone actually realized: there’s something going on here, and they asked for some assistance. But once they actually aggregate that data, now they’re exfiltrating it. And they’re not just sending it off in the clear at random points in time, they’re basically using advanced techniques to encrypt that data just like all of us encrypt our customer data; they encrypt it so that when they send it out to systems that they may not have really good hold on – maybe it’s another system they compromised – so it won’t be intercepted. They are very keen on protecting their loot. When they gather that information they want to protect that information as much as they can so that they can make as much money as they can when they go to sell it. Now, the next piece: when you want to sell it you have to find buyers. You may think it must be hard; if you have a whole pile of confidential data about individuals, or bank account information, it might be a little bit hard to find people who are willing to buy, people you can trust. Well, in these criminal groups they have web forums they all participate in. Inside these web forums there aren’t just 50 members, there’s thousands of members, sometimes there’s up to 10 thousand members, people there that are able to buy and sell stolen data and entrust the relationships in order to do so. Once they have identified those buyers, they want to liquidate as quickly as possible, because as long as that data sits in possession, the value then decreases. And so they want to liquidate it, collect the cash and start over again. When they’ve made their money, and that may be millions of dollars off of these attacks, they’re not going off and buying an island someplace, because this is their livelihood, this is their business, this is what they do every single day. So they’re going off and recycling it. They’re using the tools and techniques that they learned to re-implement those against new victims.