Saturday 8 October 2016

Knowing your Enemy Part 4

Hi, welcome to the next instalment of our "Knowing Your Enemy" blog series.

This week we are going to focus on two interlinked threat actors, "The Professional" and the "Money Mule": what types of vulnerabilities these actors look to exploit, and how they go about it.

Firstly, let's look at the "Professional".

The Real-Deal Black Hat

If a hacker's hat colour is defined by their intentions, the black hat is straightforwardly bad and, in most cases, straightforwardly professional. The black hat is the one responsible for that fake tech support call, that undecryptable ransomware and those harvested banking credentials. The black hat has dedicated his whole life to cybercrime, and it's safe to say that he knows human psychology all too well.

Beyond everything else, nowadays black hats are also businessmen who operate a business model called malware-as-a-service (MaaS), or the outsourcing of cybercrime. The worst part is that thanks to MaaS, now every wannabe is welcome to join cybercrime’s vast family.

Ransomware-as-a-service (RaaS), in particular, is the worst. Even though not everyone operating a RaaS scheme is professional enough to deliver working, sophisticated encryption, its proliferation demonstrates the enormous income a black hat can generate. According to security firm Trustwave, a black hat could easily make $84,000 a month from an investment of $5,900 for the malware they need.

In 2014, Interpol dismantled a crime ring operating the Blackshades malware. The criminals behind it were so sophisticated that they had staff and were paying salaries! They even had a marketing director.
This is not the first case of a cybercrime gang going fully professional. A real-deal black hat will even hire IT experts for the very same reasons that legitimate companies do: a black hat's supply chain also needs optimisation and propagation.

So, how do these guys operate, and why does traditional penetration testing or IT health check activity usually fail to highlight the threats and vulnerabilities associated with this type of actor?

Unfortunately, a lot of organisations only see security testing as a stepping stone to compliance: mandated and usually unwelcome. A request for proposal will usually contain a rigid scope of systems, with multiple levels of constraints and limitations placed on the assessment, such that performing a realistic attack simulation is not possible.

In reality, the attack vectors could surface from multiple areas, including social engineering and phishing, USB drops, physical security, and public-facing infrastructure and applications.

Therefore, allowing a security test team to perform a penetration test across a sampled subset of a limited number of systems is not going to identify the risks present.

Thoroughly testing all of these areas routinely would be extremely expensive and time consuming, and it wouldn't be feasible for an organisation to bring in a specialist third-party testing company to do this on a regular basis. Some organisations are realising this and have started to bring security testing in house, making full and thorough testing part of an internal risk management programme.

There are issues with this, though: how do you keep the internal team's skills on the cutting edge, and can you be sure you have the breadth of skills and knowledge in a static team?

STAR and red team testing gives a client a better understanding of the likely threats facing their organisation, the ones a Professional threat actor is likely to attempt to exploit.

The method incorporates a degree of threat intelligence into the assessment, with the aim of identifying the threats the organisation is likely to face and focusing the assessment on exploitation of the corresponding vulnerabilities. This can be done through any number of attack methodologies and usually involves the use of custom malware or targeted social engineering campaigns.

The Bank of England, along with CREST, has also developed the CBEST programme for the financial services industry, which is essentially a STAR assessment and provides the level of testing required to deal pragmatically with the real risks facing an organisation.

Looking for a security testing company that performs red teaming or STAR assessments is the way forward for external security testing. The traditional testing method is still important, especially for internal systems and for annual public-facing infrastructure and application assessments, in order to provide the defence-in-depth approach needed.

In order for the "Professional" to generate an income from his illicit activity, he needs to make use of our second threat actor in this series, "The Money Mule".

The Money Mule
No crime can function without mules, cybercrime included. Mules are the final link of a successful cybercrime operation. They are the ones making the dirty money ready-to-use and untraceable. This is often done via internet payments, money transfers, or online auctions.

Mules are typically motivated by greed or desperation. They often work from home, random Internet cafés, or free WiFi hotspots to hide their activities. They are the ones transforming the profits of Internet-based criminal activity into untraceable cash.

Money mules are recruited across the globe and are crucial to money laundering schemes. In Asia and Australia, they are mostly overseas students, while in Europe, they are usually retirees.
So the final stage of any successful attack, at least one driven by financial motives, is the point at which the Professional needs to access his illicit gains, and that involves money mules.

There really isn't anything that can be done about this from a security testing perspective, as it is post-compromise activity.

However, proactively monitoring for potential data leakage and evidence of compromise is a very important part of risk management.

There is a strong chance that an attack against your organisation has already succeeded in some form without being apparent to security personnel. This is where threat intelligence is again vital: evidence that any part of the organisation has been exploited may only be discovered through in-depth analysis of hacker forums or dark web resources.

Good internal protective monitoring is also extremely important in order to remain informed of any attacks that have taken place or are currently taking place.

Links
CREST

Conclusion
During this blog series, Knowing Your Enemy, we have looked at the different types of threat actors and at the role that security testing, as part of a balanced security and risk management programme, plays in protecting against compromise.

Unfortunately, as in any industry, there are good and not-so-good security testing organisations out there selling services. How is an organisation supposed to know who to turn to for effective security assurance?

Fortunately, there are companies committed to providing effective testing services by adopting the methodologies, processes and standards set by bodies such as the CESG CHECK scheme (via the Tigerscheme and CREST) and the Bank of England's CBEST scheme for the financial services industry (CREST), which have comprehensive testing standards and methodologies in place.

These companies employ consultants who are security cleared to at least SC level and have been assessed and accredited to the highest standards of security testing. They can be trusted to replicate the threat actors ethically and to provide pragmatic advice and direction on how to protect yourself against the growing threat landscape.