Asia faces one of the severest security situations in the world, with spreading cyber crimes posing an unprecedented challenge for policing, Interpol said. Cyber crime operations typically have teams dedicated to looking at open source intelligence, targets’ physical environments, weaknesses in supply chains, and potential collaborators inside target organisations to enable sophisticated, blended attacks that involve a combination of actions against a range of vulnerabilities, making them difficult to detect and defend against.
In the second quarter of 2016, cyber crime attacks continued to grow across all segments, up 50% compared with the same period, according to the latest cyber crime report by security firm ThreatMetrix. But fewer attacks are cyber equivalents of ram raider smash-and-grab type burglaries; instead they involve extensive and careful reconnaissance of the target organisations and data, according to Charlie McMurdie, senior cyber crime adviser at PwC and former head of the UK police central e-crime unit.
Like cyber criminals, law enforcement in many countries is turning its attention to new and emerging technologies, working with technology companies to ensure new products and services are secure by design. Law enforcers are also following the money in an attempt to shut down cyber criminal finances, depriving them of the buying power to develop ever more stealthy and resilient malware.
“Right now, crypto-currencies like bitcoin are a big area of focus for European law enforcement working groups as part of a general focus on new and emerging technology,” says McMurdie. Not only are cyber criminals using bitcoin to conduct financial transactions outside the regulated financial world, but they are also attacking exchanges, with the August 2016 theft at Hong Kong-based exchange Bitfinex believed to have netted around $66m (£51m) worth of bitcoins. “The working group is just kicking off to look at what standards and mitigations should be in place around bitcoin and other digital currencies, at how they are being used, how law enforcement could disrupt that and what opportunities there are for monitoring and seizure,” says McMurdie.
One of the challenges with digital currencies is that until recently in some countries they were not covered by legislation on the proceeds of crime, while in other countries they are still not recognized as the equivalent of cash or something that can be seized. In these countries, the law needs updating. Historically, disrupting criminal financial infrastructure has been a separate activity by a dedicated team, says McMurdie. “The UK and several European countries have tended to have a cyber team and an economic team, but increasingly they are working together to use technology to follow the money to prevent financial gain, which is an effective way of disrupting cyber criminal operations,” she says.
Bitcoin is playing a key role in ransomware attacks, where malware is used to encrypt critical data and demand payment in return for decryption keys. Ransomware has grown in popularity in 2016 and has become the most profitable malware type in history, with losses to US companies in the first quarter alone believed to have been around $200m (£150m), according to the FBI. Meanwhile, in Europe, ransomware is a top threat for EU law enforcement, with almost two-thirds of EU member states conducting investigations into this form of malware attack.
Spinning the wave
Cyber criminals running ransomware operations typically require ransoms to be paid in bitcoin because it has historically been difficult to track. However, the tide is turning, according to Troels Oerting, group chief security and information security officer at Barclays and former head of Europol’s European Cybercrime Centre (EC3). Although the banking industry has not been hit by ransomware as much as small-to-medium sized enterprises in less regulated industries where cyber defences are typically weaker, Barclays is using bitcoin tracing software developed by a company that took part in the bank’s accelerator programme for fintech startups in partnership with incubator firm Techstars.
“Thanks to the software developed by the Chainalysis startup, we can now trace where bitcoin transactions end up, so there is hope, because bitcoin transactions are not as much of a black hole for law enforcement as they used to be,” he says. Chainalysis provides anti-money laundering systems for financial institutions that provide banking services to the blockchain industry as well as blockchain research tools for government agencies.
“We have customers among all the major US law enforcement agencies, we are partners with Europol, and for Barclays we enable them to analyze companies in the blockchain and bitcoin space they onboard as well as provide procedures for continued monitoring of their relationship,” says Michael Gronager, CEO and co-founder of Chainalysis.
The rise of ransomware does not, however, mean that cyber criminals have abandoned other forms of malware. Oerting says he is concerned by the trend in the past 12 to 18 months of cyber criminals making “very aggressive” use of more advanced malware tools like Carbanak, previously associated with a single gang targeting financial institutions but now used widely. Associated with this trend, he says, cyber criminals are looking at target organisations more broadly. In banking, for example, attackers are looking at ATMs, bank-to-bank operations, Swift financial messaging services, payment platforms and bank transfers. “There have even been cases where attackers have installed video and sound recording devices to monitor those people who have privileged access to banking systems, rather than targeting everybody in a bank,” says Oerting. He adds: “Malware is becoming much more sophisticated, and even includes the ability to detect surveillance cameras inside the banks.”
This is just a hint, he says, of the convergence between physical and cyber crime, where criminals are using all means at their disposal to get sensitive information. This means defenders in organisations and law enforcement need a more comprehensive view, says Oerting, and should not treat cyber crime and cyber security as separate from all other crime or security. “Security strategies need to consider the fact that criminals will use insiders, either wittingly or unwittingly, and gain physical access to systems either directly or indirectly through USB sticks that people pick up and plug in without thinking,” he says. For this reason, he says, it is important for organisations to ensure they have all the necessary control systems in place, including user behaviour analysis systems and protection for internal infrastructure such as surveillance cameras, and cameras built into TVs and laptops.
“And the barriers to entry are continually getting lower,” says Oerting, as more advanced groups either develop tools for less advanced cyber criminals or simply sell their services to anyone willing to pay. In addition, he says, cyber criminals are highly responsive and adaptive. “Where we get good at dealing with banking Trojans, the criminals simply switch to more sophisticated tactics in Europe, while continuing to deploy older Trojans in other parts of the world where cyber defences are weaker, such as Asia, Africa and South America,” he says.
For this reason, Oerting believes the future of security will have to be much more intelligence-led, with defenders attempting to track criminals, anticipate where they are moving to and where attacks will come from. “A much more inclusive collaboration between financial institutions is needed now to share information to adopt a more unified response to cyber criminal organisations that look at financial institutions as a single market rather than individual institutions,” he says.
Another key cyber crime challenge is the proliferation of technologically based goods and services that provide an increasing number of opportunities for cyber criminals. “There is a working group looking at what law enforcement could be doing to reduce the vulnerabilities in emerging technology being exploited by criminals,” says McMurdie. “This is a big issue for law enforcement because there is no governance, standards or best practice regarding the cyber safety of these goods and services,” she says.
A top concern is that new technology-based products and services are typically rushed to market, with the focus mainly on function and little consideration of eliminating security vulnerabilities. “Producers are rarely addressing the cyber crime opportunities of things such as 3D printers, toys, games, drones, robots or any other internet-connected gadgets making up the fast-growing internet of things (IoT). Most developers are tasked with delivering functionality; that is what they are focused on. Security is still an afterthought, even in big projects that are part of things like initiatives to enable smart cities,” says McMurdie. Criminals will always look for the line of least resistance, says McMurdie, which is increasingly likely to be a device plugged into a network somewhere in the supply chain of the target organization.
For this reason, law enforcement in Europe and elsewhere is focusing on engaging with the people who are commissioning and designing new devices and plugging them into networks without thinking about the opportunities being created for cyber crime. “Law enforcement is looking at what is coming on the market and how it can engage in the build stage to address the vulnerabilities so they can be designed out before they reach consumers and become an exploit,” says McMurdie. “While some of these vulnerabilities are being reported by the media and some research groups, many others are not, and these are the ones that criminals are most likely to exploit,” she says.
At present there is no legislation requiring security testing, checking and validation of technology-based products and services before they are allowed to go to market. “We will probably have to shift towards some kind of legislation requiring security testing for tech kit, and moves in that direction have been mooted,” says McMurdie.
Adding to the cyber crime opportunities of new technology, everybody is switching to mobile, with 40% of online transactions originating from mobile devices, according to the ThreatMetrix cyber crime report. Mobile banking is more popular than ever, the report says, with logins to online banking via mobile apps almost double those from desktop computers, a 500% growth in mobile transactions for financial institutions compared with the same quarter last year, and a 25% increase in mobile-only users for financial institutions compared with the previous quarter.
Device and identity spoofing are the most prevalent mobile attack vectors, the ThreatMetrix report said, as fraudsters attempt to dupe businesses into believing their transaction comes from a trusted device or user. With law enforcement resources limited across Europe, organisations have to prioritise whatever is causing the most harm. But, as a result, much of this is reactive, with law enforcers waiting to see a spate of particular attacks before taking action. “They are trying to be more proactive, but there are thousands of bits of kit on the market that have vulnerabilities that cyber criminals will try to exploit. Law enforcement does not have the resources to engage with all of those different producers, so instead they are focusing on key engagements aimed at driving a security culture,” says McMurdie. This is a goal shared by PwC, she says. “When PwC is called out by organisations looking at expanding their market or changing their infrastructure, technology or governance, the PwC focus is not just on delivering on a requirement to do something such as automate a key process, but also on embedding appropriate cyber security measures.”
Safety by plan
A report on the cyber security vulnerabilities in the vehicle manufacturing industry, published in August 2016, focuses on this concept of security by design, which law enforcement sees as key to reducing the opportunities for cyber criminals. Corey Thuen, senior security consultant at IOActive and author of the report, said researchers had uncovered several “hair-on-fire” vulnerabilities that could easily be exploited at any moment. Manufacturers need to wake up to the risks they face in the connected world and realise that most cyber security vulnerabilities cannot be solved simply by using bolt-on systems, but only by relying on sound engineering, software development practices and cyber security best practices. “The most effective cyber security work occurs during the planning, design and early implementation phases of the products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” said Thuen. Failing to address security at the early development stages could be very costly in the long run, he said, leading to loss of consumer confidence or even product recalls, which some vehicle manufacturers would find difficult to recover from.