Saturday 17 September 2016

Knowing your Enemy Part 1.



Hi and welcome to our first blog post. In this week's post we are going to take a high-level look at the current state of cybercrime and at how traditional risk management can fail and leave your company's assets exposed.

The following information (shown in italics in the original post) has been taken from a recent report posted by Tripwire, titled The State of Security. The full report can be accessed via the link at the end of this post.

Cybercrime today is the biggest threat to companies and organizations. Its unprecedented success proves that classical cyber-protection approaches fail more often than not, and that threat actors and attack initiators are frequently found within an organisation.

Do traditional penetration testing techniques and methodologies adequately cover the true risk to an organisation? It is unlikely, especially when assessments are tailored and scoped to focus on specific systems rather than on the environment as one interconnected technical ecosystem.

According to the 2013 Europol Serious and Organized Threat Assessment, the total global impact of cybercrime has jumped to $3 trillion, making it more lucrative than the global trade in marijuana, cocaine and heroin combined.

So who do we need to be worried about, both within and outside the organisations that we are paid to protect? (The following threat actor descriptions were shown in italics and have been copied from an online article; links are at the end of this post.)

The Hacktivist
The hacktivist chooses to target his enemies with data theft, reputational damage, and the defacement of websites and denial-of-service attacks. Hacktivism is a real challenge to international affairs and is a powerful instrument. The very fact that hacktivism is a form of protest makes it a double-edged knife.
Today’s hacktivists are found all over the world, supporting all sorts of causes. And even though hacktivism attacks are not directly related to money loss, there is often something bigger going on behind website defacement or denial-of-service attacks. Eventually, however, it all leads to money leakage.

This is where a typical vulnerability assessment scope would provide cover, looking for basic entry points within networks and applications that could give a hacktivist a foothold. It would usually be a web application with a vulnerability that allows website defacement; we will cover these techniques in a future blog post.

The Privileged Employee, or the Insider
The name speaks for itself. The insider, often an employee with privileged access to sensitive data, may willingly or unwillingly be part of a cybercrime operation.

The insider may compromise the company they work for on purpose through sloppiness or through external influence. Alternatively, they may have been a victim of a scam or blackmail.
This ambiguity of his nature often makes insiders the hardest to foresee and counter. In other words, cyber-defences should start with the insider.

This is where traditional black-hat style assessments, or assessments with very stringently defined scopes (CHECK ITHC), fail. Even authenticated network security assessments and web application assessments are usually too focused on specific systems and do not allow the assessment to flow through the environment in the way that a privileged insider threat actor would. We will cover how to perform a more pragmatic type of internal insider threat assessment in a future blog post.

The Money Mule
No crime can function without mules, cybercrime included. Mules are the final link of a successful cybercrime operation. They are the ones making the dirty money ready-to-use and untraceable. This is often done via internet payments, money transfers, or online auctions.

Mules are typically motivated by greed or desperation. They often work from home, random Internet cafés, or free WiFi hotspots to hide their activities. They are the ones transforming the profits of Internet-based criminal activity into untraceable cash.

Money mules are recruited across the globe and are crucial to money laundering schemes. In Asia and Australia, they are mostly overseas students, while in Europe, they are usually retirees.
Let’s take the Cerber ransomware campaign.

Cerber operators not only demanded Bitcoin payments but also ran the currency through multiple Bitcoin wallets. This is what a Bitcoin money laundering scheme looks like, a form of money laundering to ensure the safety and gain of cybercriminals.

In the case of Cerber, security researchers observed thousands of victims’ Bitcoin wallets transferred into one. From there, the money was relocated to tens of thousands of other wallets. This is called a mixing service, and it’s pretty standard for Bitcoin. This also explains why and how ransomware has become cybercriminals’ favourite tool for online extortion.

This is where an organisation really needs to adopt a threat intelligence programme for its entities. Monitoring for any potential data leak, threat actor or suspicious activity, particularly within the dark web, is a must. Intelligence is the key to protecting your assets. If your organisation has been the victim of any kind of breach or fraudulent activity, having this level of threat intelligence monitoring is essential.

Allowing a security consultancy or MSSP to proactively perform OSINT against an organisation on a regular basis is crucial, not just as part of an individual STAR or CBEST type engagement, but as an ongoing proactive programme, similar to internal protective monitoring (GPG19 etc.).

The Real-Deal Black Hat
If a hacker’s hat colour is defined by their intentions, the black hat is straightforward bad and, in most cases, straightforward professional. The black hat is the one responsible for that fake tech support call, that undecryptable ransomware and those harvested banking credentials. The black hat has dedicated all his life to cybercrime, and it’s safe to say that he knows human psychology all too well.

Beyond everything else, nowadays black hats are also businessmen who operate a business model called malware-as-a-service (MaaS), or the outsourcing of cybercrime. The worst part is that thanks to MaaS, now every wannabe is welcome to join cybercrime’s vast family.
Ransomware-as-a-service (RaaS), particularly, is the worst. Even though not everyone operating a RaaS scheme is professional enough to deliver a working and sophisticated encryption, its proliferation demonstrates the enormous income a black hat can generate. According to security firm Trustwave, a black hat could easily make $84,000 a month from an investment of $5,900 for the malware they need.

In 2014, Interpol diminished a crime ring operating the Blackshades malware. The criminals behind it were so sophisticated that they had staff and were handing out salaries! They even had a marketing director.

This is not the first case of a cybercrime gang going fully professional. A real-deal black hat would even hire IT experts for the very same reasons that legal companies do. A black hat’s supply chain also needs optimization and propagation.

OK, so this is very real, and these actors readily sell their services on the dark web, accessible via the Tor network. It is very similar to buying something from Amazon; there is no dark mystical art in obtaining these services.

So how does standard penetration testing deal with this type of threat? A professional penetration testing company should perform OSINT first, then tailor an assessment to the threats the organisation is most likely to face, using the skills of a professional, well-trained ethical hacker to replicate the typical actions of a black hat, and then provide a concise, professional report.

Does this happen as standard?  

This is a major cause for concern within the industry. In a future blog post I will share a document written by a former colleague who highlighted his concerns with the state of the industry, and how he feels organisations are being let down by seemingly reputable companies providing a very poor service and charging an absolute fortune to do so.

In my next blog posts I will focus on each of these threat actors, discuss the typical approaches companies are taking and where they fail to handle the threats, and make suggestions on how better to deal with these threats in an up-to-date, pragmatic way.

Links: