Ethical hacker and security researcher Nicholas Percoco of Trustwave keynotes at RSA Conference 2013, addressing the nuances of present-day cybercrime.
Nicholas Percoco: Thank you very much! Good afternoon! We’ll be spending the next 30 minutes or so talking about the lifecycle of cybercrime.

We live in a world which has over 7 billion people. Now, if you put on the hat of a financially motivated cybercriminal and look at this population, not everybody here has information that you’d want to steal. When narrowed on that scope just a little bit, you’d run into about a billion people. These people have bank accounts, they have credit cards, they have social media accounts, they have data they store in databases online – and these are people that you may want to go after if you are a financially motivated cybercriminal trying to make money, trying to make a living. Unfortunately for the criminals, if you have to go one by one and pick off each of those individuals, it takes a long period of time. Some criminals go about doing that, but some of the large criminal gangs that are going after information – they don’t go about it that way. They instead turn and target businesses, or organizations that store, process, transmit, maintain databases that contain that information; and there’re about 25 million of those businesses in the world.
Another way to look at these businesses: for every one business that has databases, that has information, that has data that criminals may want to go after, there’re about 40 people that contribute to adding and putting that information into those databases. And if you think about how criminals look at this situation and how they feel about going to market, running their businesses and trying to infiltrate and exfiltrate data out of organizations, there’re different ways to look at this. But I’m going to actually show you, I’m going to tell you a story about how I felt when I was about 9 years old. I’m going to draw some comparisons here.

When I was 9 years old I went on a fishing trip, went off into the middle of the Gulf of Mexico, had my father and my grandfather by my side, and we were going for a Saturday fishing trip. And so, when we were going out in the boat, the boat’s going across the water, and it was explained to me that we’re going to go fishing today. But you may not catch any fish. Being 9 years old, I thought this was really confusing: we’re going fishing, I have a fishing pole, we have bait – why might I not catch any fish? My father’s telling me this… But what was explained to me by my grandfather is that when you go fishing, sometimes you don’t catch anything.
So the boat stopped, they dropped anchor, and they told us we could start fishing. I’m putting a piece of squid on the hook and dropping it into the water – and within a minute I caught a fish. I looked at my father and my grandfather, saying: “Well, what’s going on? You just told me I wasn’t going to catch any fish today, and I just caught one!” And then my grandfather put bait on his hook, dropped it into the water, and within a couple of minutes he caught a fish. I was like: “Wow, this is great!”

And then we were glancing around the boat, and there were other people on the ship reeling in fish, left and right. And at the end of that day of fishing, we caught about 70 fish between the three of us. So this was sort of a really strange situation for me: I was being prepped, basically, to fail here, and we end up catching 70 fish!
And so, if you are a cybercriminal, a financially motivated cybercriminal, and you are looking to target victim organizations, they are not hard to find. These victim organizations are not, you know, scattered out through the sea; you don’t have to really try to find them – they are everywhere, and we know this.

We performed 450 cybercrime investigations, forensic investigations last year for businesses all over the world. And these businesses were not just in the United States; they weren’t just located in the UK or Australia. They were all over the planet, and they had many things in common. One thing they had in common, or a portion of them, is that many of them lived below what Wendy Nather of the 451 Group had coined the “security poverty line”.
These are organizations that have very few security controls in place, or, really, an inability to defend against various attacks. Now, many of these organizations often don’t know when they’ve actually been breached. We know from our studies last year and from our investigations that the average time for an organization to actually identify a breach and start stopping the problem is about 210 days. And then even beyond that, there are some organizations, the ones that are doing a good job – it takes them about 10 days. For about 5% it takes about 10 days to identify a breach.
But in the worst case scenarios, we saw about 20% of organizations took greater than 2 years to identify when they’ve been infiltrated. And actually a small percentage of that took 3 years. So, when we get a call we go into an environment and we start looking around to identify where this data breach is happening, we’re seeing evidence that starts 3 years ago; and these organizations did not know that this activity was going on, and the criminals know that, the attackers know that.

We often hear about – actually in the last couple of weeks – we’ve heard a lot about China, we’ve heard a lot about the APT, about how they’re infiltrating various organizations in the United States and maybe other places on the planet. But the mere fact for the organizations that the financially motivated criminals are targeting, and the organizations that have massive amounts of data that criminal organizations are making money from – the vast majority of those victims need not worry about China, they need not worry about the APT. And in fact, many of those organizations are not in the Fortune 100, most of those organizations are not government-related ones, and so we know by correlation of indicators of compromise, the malware that we looked at, the source IP addresses and the other information that we were able to gather throughout our investigations, that many of those attackers come from places all over the world. And in fact, as you see the maps up here, these are the top 9 locations that we identified in our studies (see image above).
So, now when we look at the types of methods of attacks that attackers are using, the criminals are using, we hear a lot about zero-days. And in fact, when I was walking around the show floor over the last couple of days, I’ve heard a lot of live demonstrations coming out of very loud speakers as you walk around that talked about zero-days and zero-day attacks. Just like everybody else, I’ll admit those are extremely dangerous. The fact that security researchers can go and find zero-days and turn around, sell them to a vulnerability broker, who will then in turn sell them to a government or a corporation or a criminal group – that’s extremely dangerous.

What we thought was pretty interesting is that when we looked at the investigations that we performed last year, not a single one used a zero-day in order to get into an environment. Why? Well, the criminals don’t have to burn zero-days in order to get into the vast majority of the businesses in the world. They use the types of attacks that you’re seeing here (see right-hand image): remote access – they literally just log in to the environment via the remote access mechanisms that the organizations have for their own employees. SQL injection – that’s been on the OWASP Top 10 for years, that’s still a problem for e-commerce and web applications. And then the third one there, legitimate account access – that’s exactly what it sounds like. The criminals didn’t use any tools, any special techniques; they literally just logged in to the organizations. And then the fourth one, we have web-based attacks – those are client-side attacks that we’ve been seeing on the rise, using vulnerabilities in things like Java, browser vulnerabilities, or even Flash vulnerabilities.