Cyber security continues to evolve. And while the tools and techniques used by threat actors continue to change, the most important shift has been in the nature of the bad guys. In the past, many hackers were in it for thrills and political reasons. But criminal gangs and organised crime have realised cybercrime is a relatively low risk and lucrative business. Law enforcement experts MK Palmore from the FBI, Dr Ronald Layton from the US Secret Service and Michael Levin who is formerly from the Department of Homeland Security discussed this at the recent NetEvent Media and Analyst Summit.
The three speakers all bring considerable experience, having been involved in cybercrime before it was front-page news.
The discussion, lead by analyst Alan Zeichick, started by trying to identify who today’s hackers are.
Palmore said “There’s essentially four groups of cyber-threat activists that you need to be concerned with. I break them down as financially-motivated criminal intrusion, threat actors, nation states, hacktivists, and then those security incidents caused by what we call the insider threat. The most prevalent of the four that I listed, and the most impactful, typically, are those motivated by financial concerns”.
But while attribution is important when it comes to catching threat actors, Levin says the private sector is less interested in who the hackers are.
“A different perspective. I would say, for your readers and the people that you’re working with, they don’t care if it’s a nation state. They just want to stop the bleeding. They don’t care if it’s a hacktivist, they just want to get their site back up. They don’t care who it is. They just start trying to fix the problem, because it means their business is being attacked, or they’re having some sort of a failure, or they’re losing data. They’re worried about it. So, from a private sector company’s business, they may not care”.
Layton’s background in the Secret Service gives him a different perspective. The Secret Service was formed to deal with a very specific crime back in 1865; counterfeiting. At the time, as many as half the bank notes in circulation within the US were fake. Since then, although the operational mode of criminals have changed, the Secret Service remains focussed on financial crimes.
He said “The Secret Service deals almost exclusively with the financial sector, with the banks. So, several decades ago, there was a famous United States bank robber named Willie Sutton. Willie Sutton was asked, why do you rob banks? You know what his answer was? Because that’s where the money is. So, those are the people that we deal with”.
The biggest change over recent years, said Layton, is the different groups used to work in isolation. But today they all know each other. and collaborate. Typically, the use Russian as a communications modality to talk to one another in an encrypted fashion.
With the recent Equifax hack being so prominent, it was not surprising that the three experts looked at that incident to provide some insight into the modern cyber criminal.
Levin said “Well, if we look at the Equifax hack, which is so relevant in the news right now, this is a simple error that was made by not providing the right general basic security practices on a server. We’re seeing – this was a problem 20 years ago, and it’s still a problem. So, how do we get organisations to check the box, and make sure that they’re doing the right patching, and they’re doing the right updates, and they’re not being lazy when it comes to general security practices?”.
The problem, he added, is that we equip people with great technology but don’t support them with education and tools to protect themselves sufficiently. And that needs support from management – something that is still not coming universally according to the panel of speakers.
Palmore said “I talk about commitment from management or leadership, practicing the information security fundamentals, and information sharing. One of my colleagues, who has seen my talk on a few occasions, came up to me after the discussion and said, you know, in 10 years, there’s going to be some FBI agent standing in front of a group of folks talking about commitment from management, information security fundamentals, and information sharing. At first, I thought he was taking a dig at me for having the conversation, but then I realised that this message, while simplistic, frankly is not being followed by a large portion of both consumers and business owners”.
Cybercrime, said Palmore, has given organised crime a new lease of life.
“20 years ago, when I came in the FBI, we were on the heels of finishing up the dismantlement of what we then called organised crime. Now, what we look at in terms of organised crime, or a criminal enterprise, quite frankly is a global organisation, attached, quite frankly, by the apparatus that you have sitting in front of you. I mean, the ability of folks to connect, exchange information, make plans, conduct exploits, to buy and purchase things from one another using digital currency, completely changes the landscape, and it definitely makes it harder for us to align the dots and close the gap on investigations that we conduct”.
A big part of what today’s criminals rely on is the relative anonymity and protection the internet affords. And while those tools can be used by private citizens and businesses, they can be mis-used by criminals.
Inevitably, with three law enforcement experts on the state, the discussion turned to “backdoor access” being handed to governments and law enforcement agencies – something, thus far, tech companies have fought against. Layton discussed it like this.
“If you are a business or an organisation, and you’re engaged in a comprehensive security plan, or you’re doing things like updating with two-factor authentication, and doing things like strong passwords, then you create such a high barrier for the threat actors that they simply will go to the next place that has a least resistance. So, we call it a back door, but it’s just another access to the system”.
When it comes to thwarting today’s cyber criminals, I asked each of the experts for their advice and what one thing they would recomment.
Palmore said ” In any enterprise, there has to be a commitment from the leadership of the organisation to invest in cyber-security as a portion of enterprise risk-management”.
Layton added “Most successful hacks and breaches – most of them – were because low-level controls were not in place. That’s it. Patch management. Change password 123. It’s the low-level stuff that will get you to the extent that the bad guys will say, I’m not going to go here. I’m going to go somewhere else”.
Finally, Levin said “Establish a practice in your organisation that creates a sense of community for security, and security has to be just as important as being polite to customers, and something that employees are thinking about when they turn on their computer every day. If you can create a sense of community within the organisation where security is just as important as being nice to customers, then I think you’ll see a better result”.
Anthony Caruana attended the NetEvents Media and Analyst Summit in San Jose as a guest of NetEvents.