
Perimeter

6/26/2019
02:00 PM
Jack Danahy
Commentary

Breaking the Endless Cycle of 'Perfect' Cybercrimes

A two-step strategy for creating an attack environment that is more complex, less profitable, and more likely to expose the attacker.

Regardless of their methods, hackers are constantly attempting to improve upon what is essentially a perfect crime — a crime that is simple to execute, is performed with near total anonymity, and, most of all, pays off. These have been the hallmarks of successful crimes and criminals for generations, and it's no surprise that the newest generation of criminals would embrace them as well.

That last component of the perfect crime formula, monetization, has always been the driver, because, after all, crime is almost always about the money. Whether threats take the form of malware, a social attack, or a hack, financial gain serves as the motivation for seven of 10 incidents, according to Verizon's "2019 Data Breach Investigations Report." The motivation is clearly working: the Identity Theft Resource Center reported a doubling of the number of records exposed from just under 200 million in 2017 to more than 446 million in 2018. That kind of growth qualifies as a crimewave in any category.

The perfect crime formula has been a consistent predictor of change in the threat space, as attackers apply bottom-line business thinking to their strategies: once profits start declining and/or attacks begin to fail, cybercriminals evolve their campaigns. As an example, when e-commerce took hold in the 1990s, criminals found ways to steal credit cards and go on shopping sprees. But when card verification codes were introduced to complicate this strategy and reduce the value of stolen cards, ransomware emerged as the go-to option for hackers. The complexity of the crime had gone up, so a new, easier attack was needed, and commoditized ransomware fit the need.

Ransomware was a new threat, compromising organizations of all sizes, but with such obvious and catastrophic effects that public notification became common. Ransomware-as-a-service providers arose, attack tools were shared and customized, and widespread attacks became commonplace. When organizations realized the danger, they invested to improve their capacity to recover. As a result, they became less likely to pay the ransom. This reduced the profitability of the crime, and so a newer, more persistent but less obvious attack was needed.

What followed was unauthorized cryptomining (or cryptojacking), which grew 19-fold from March to December 2018 according to Cisco. Since then, interest appears to be on the decline, as sharp decreases in cryptocurrency value have made the crime far less profitable, leading to public events like the shutdown in March of cryptocurrency miner provider Coinhive.

What's next? Criminals will inevitably come up with something else, and there are several candidates already in play: credential and IP thefts, a resurgence in phishing attacks, and business email compromises, in which cybercriminals impersonate C-suite executives and arrange for fraudulent wire transfer payments. In many of the new attacks, social engineering plays a huge role.

Breaking the Cycle
If the perfect crime formula remains the same regardless of the actual crime committed, so does the fact that hackers are exploiting persistent weaknesses and blind spots within the enterprise. If organizations moved faster to identify and respond to these exposures, they'd create an attack environment that was more complex, less profitable, and more likely to expose the attacker. Here are two classic flaws — and recommendations on fixing them.

Classic Flaw No. 1: A Susceptibility to Dwell Time
Dwell time measures the delay between when a breach begins and when it is discovered. According to the Ponemon Institute and IBM, this currently takes a mean time of 197 days. Attackers are exploiting systems and exfiltrating data for more than half of a year before they are noticed, much less contained.

The Fix: Continuous, Ubiquitous Monitoring
Obviously, preventing breaches in the first place is best, but history repeatedly teaches the punishing lesson that some attacks will get through. To detect and contain these attacks, continuous vigilance is necessary, and continuous obviously means 24/7/365. Blind spots are also prime targets, so visibility carries premium value. Ubiquitous monitoring describes the need to watch over everything. Enterprise protection is like home security in this respect: if cameras are only turned on at night, then robbers will wait until daytime to break in. If cameras can only see what's happening at our entrances, then criminals will use the back door. With round-the-clock, pervasive visibility, cybercriminals have no times or places in which to hide their crimes.

Classic Flaw No. 2: Ignoring the Unprotected End User
The end user now ranks as the "weakest security link" within a company, according to survey findings from Tech Pro Research. That's because end-user systems tend to be less well protected, and the users themselves tend to be less aware of the dangers. Security teams have traditionally applied themselves to protecting high-value assets and networks, focusing on servers, data centers, and the traditional internal network. Today's users present a much simpler attack vector because of the growth in the use of cloud technology, mobile devices, and telecommuting, as well as bring-your-own-device and bring-your-own-app programs. Through their activities, end users (whether employees, contractors, supply chain partners, etc.) increase enterprise exposure as adversaries leverage social engineering to exploit them.

The Fix: Expanding Protection to Wherever the End Users Are
To extend the home security analogy, we can't solely concentrate on our front and back doors anymore. We need to make sure end users and their systems are safe wherever they happen to be. This requires improvements in our protection of their systems, 24/7/365 monitoring and visibility of all endpoints, and even user behavior analytics to detect and block unusual or threatening activity from a potentially breached end-user account or system.

Fortunately, in the real world, few crimes are perfect. Criminals are tripped up by accomplices and random events. In the cyber world, the bad guys are having more success, given the more deterministic nature of the attack vectors and the victims. Through continuous monitoring, total visibility, and improved end user protection, we can close the gaps that adversaries are seeking to exploit, and break the endless cycle of threats to the enterprise. Protection will never be perfect, but these kinds of improvements will make cybercrime less of a perfect option for criminals.

As SVP, Security, Jack Danahy engages with customers and the industry on company product strategy. Danahy is an innovative security technology leader with proven success creating, delivering, and promoting new security technologies and practices to address critical needs.

Comments
tdsan, User Rank: Ninja
6/30/2019 | 3:46:27 PM
Root cause of the problem
I think it is much easier than that:
  • The money divide between the haves and have-nots
  • People have been killed (drone strikes and war) and the individuals who want revenge
  • Nation-states have sent viruses and teams to spy on other nation-states (i.e. Stuxnet, Nitro-Zeus, Pegasys, NSA-TAO teams, China's Red-teams, Prism, Thinthread, Trailblazer, etc.)
  • CONUS and abroad governments want to control and extend their reach

This is based on four historic things:
  • Revenge
  • Money/Greed
  • Spying/Warfare
  • Control

Once we identify the root cause of the problem (greed, money and power) and address it from a morality standpoint (stop putting emphasis on the dollar and more on human life), the hacks and security concerns will be reduced to a thing of the past. Once people begin to see life as the most important currency and start treating each other with higher levels of respect, then we will start to see the changes, but until then we will remain in a revolving cycle of turmoil.

Todd