Cyber criminals are always likely to be better resourced than law enforcement. Now, national and regional police forces in Europe are switching tactics to even the odds.
Under-resourced law enforcement needs a smarter approach as cyber crime becomes increasingly prevalent and sophisticated, backed by the money and expertise of organised crime groups set up and run as well-resourced and efficient professional business organisations.
Cyber crime operations typically have teams dedicated to looking at open source intelligence, targets’ physical environments, weaknesses in supply chains, and potential collaborators inside target organisations to enable sophisticated, blended attacks that involve a combination of actions against a range of vulnerabilities, making them difficult to detect and defend against.
In the second quarter of 2016, cyber crime attacks continued to grow across all segments, up 50% compared with the same period, according to the latest cyber crime report by security firm ThreatMetrix.
But fewer attacks are cyber equivalents of ram raider smash-and-grab type burglaries; instead they involve extensive and careful reconnaissance of the target organisations and data, according to Charlie McMurdie, senior cyber crime adviser at PwC and former head of the UK police central e-crime unit.
Fighting fire with fire
Like cyber criminals, law enforcement is turning its attention to new and emerging technologies, working with technology companies to ensure new products and services are secure by design.
They are also following the money in an attempt to shut down cyber criminal finances, depriving them of the buying power to develop ever more stealthy and resilient malware.
“Right now, crypto-currencies like bitcoin are a big area of focus for European law enforcement working groups as part of a general focus on new and emerging technology,” says McMurdie.
Not only are cyber criminals using bitcoin to conduct financial transactions outside the regulated financial world, but they are also attacking exchanges, with the August 2016 theft at Hong Kong-based exchange Bitfinex believed to have netted around $66m (£51m) worth of bitcoins.
“The working group is just kicking off to look at what standards and mitigations should be in place around bitcoin and other digital currencies, at how they are being used, how law enforcement could disrupt that and what opportunities there are for monitoring and seizure,” says McMurdie.
Laws need updating
One of the challenges with digital currencies is that until recently in some countries they were not covered by legislation on the proceeds of crime, while in other countries they are still not recognised as the equivalent of cash or something that can be seized. In these countries, the law needs updating.
Historically, disrupting criminal financial infrastructure has been a separate activity by a dedicated team, says McMurdie.
“The UK and several European countries have tended to have a cyber team and an economic team, but increasingly they are working together to use technology to follow the money to prevent financial gain, which is an effective way of disrupting cyber criminal operations,” she says.
Bitcoin is playing a key role in ransomware attacks, where malware is used to encrypt critical data and demand payment in return for decryption keys.
Ransomware has grown in popularity in 2016 and has become the most profitable malware type in history, with losses to US companies in the first quarter alone believed to have been around $200m (£150m), according to the FBI. Meanwhile, in Europe, ransomware is a top threat for EU law enforcement, with almost two-thirds of EU member states conducting investigations into this form of malware attack.
Turning the tide
Cyber criminals operating ransomware operations typically require ransoms to be paid in bitcoin because it has historically been difficult to track.
However, the tide is turning, according to Troels Oerting, group chief security and information security officer at Barclays and former head of Europol’s European Cybercrime Centre (EC3).
Although the banking industry has not been hit by ransomware as much as small-to-medium sized enterprises in less regulated industries where cyber defences are typically weaker, Barclays is using bitcoin tracing software developed by a company that took part in the bank’s accelerator programme for fintech startups in partnership with incubator firm Techstars.
“Thanks to the software developed by the Chainalysis startup, we can now trace where bitcoin transactions end up, so there is hope, because bitcoin transactions are not as much of a black hole for law enforcement as they used to be,” he says.
Chainalysis provides anti-money laundering systems for financial institutions that provide banking services to the blockchain industry as well as blockchain research tools for government agencies.
“We have customers among all the major US law enforcement agencies, we are partners with Europol, and for Barclays we enable them to analyse companies in the blockchain and bitcoin space they onboard as well as provide procedures for continued monitoring of their relationship,” says Michael Gronager, CEO and co-founder of Chainalysis.
Advanced malware tools
The rise of ransomware does not, however, mean that cyber criminals have abandoned other forms of malware. Oerting says he is concerned by the trend in the past 12 to 18 months of cyber criminals making “very aggressive” use of more advanced malware tools like Carbanak, previously associated with a single gang targeting financial institutions but now used widely.
Associated with this trend, he says, cyber criminals are looking at target organisations more broadly. In banking, for example, attackers are looking at ATMs, bank-to-bank operations, Swift financial messaging services, payment platforms and bank transfers.
“There have even been cases where attackers have installed video and sound recording devices to monitor those people who have privileged access to banking systems, rather than targeting everybody in a bank,” says Oerting. “Malware is becoming much more sophisticated, and even includes the ability to detect surveillance cameras inside the banks.”
This is just a hint, he says, of the convergence between physical and cyber crime, where criminals are using all means at their disposal to get sensitive information.
This means defenders in organisations and law enforcement need a more comprehensive view, says Oerting, and should not treat cyber crime and cyber security as separate from all other crime or security.
“Security strategies need to consider the fact that criminals will use insiders, either wittingly or unwittingly, and gain physical access to systems either directly or indirectly through USB sticks that people pick up and plug in without thinking,” he says.
For this reason, he says, it is important for organisations to ensure they have all the necessary control systems in place, including user behaviour analysis systems and protection for internal infrastructure such as surveillance cameras, and cameras built into TVs and laptops.
Criminals change tack
And the barriers to entry are continually getting lower, says Oerting, as more advanced groups either develop tools for less advanced cyber criminals or simply sell their services to anyone willing to pay. In addition, he says, cyber criminals are highly responsive and adaptive.
“Where we get good at dealing with banking Trojans, the criminals simply switch to more sophisticated tactics in Europe, while continuing to deploy older Trojans in other parts of the world where cyber defences are weaker, such as Asia, Africa and South America,” he says.
For this reason, Oerting believes the future of security will have to be much more intelligence-led, with defenders attempting to track criminals, anticipate where they are moving to and where attacks will come from.
“A much more inclusive collaboration between financial institutions is needed now to share information to adopt a more unified response to cyber criminal organisations that look at financial institutions as a single market rather than individual institutions,” he says.
Another key cyber crime challenge is the proliferation of technologically based goods and services that provide an increasing number of opportunities for cyber criminals.
“There is a working group looking at what law enforcement could be doing to reduce the vulnerabilities in emerging technology being exploited by criminals,” says McMurdie. “This is a big issue for law enforcement because there is no governance, standards or best practice regarding the cyber safety of these goods and services,” she says.
A top concern is that new technology-based products and services are typically rushed to market, with the focus mainly on function and little consideration of eliminating security vulnerabilities.
“Producers are rarely addressing the cyber crime opportunities of things such as 3D printers, toys, games, drones, robots or any other internet-connected gadgets making up the fast-growing internet of things (IoT). Most developers are tasked with delivering functionality; that is what they are focused on. Security is still an afterthought, even in big projects that are part of things like initiatives to enable smart cities,” says McMurdie.
Criminals will always look for the line of least resistance, says McMurdie, which is increasingly likely to be a device plugged into a network somewhere in the supply chain of the target organisation.
For this reason, law enforcement in Europe and elsewhere is focusing on engaging with the people who are commissioning and designing new devices and plugging them into networks without thinking about the opportunities being created for cyber crime.
“Law enforcement is looking at what is coming on the market and how it can engage in the build stage to address the vulnerabilities so they can be designed out before they reach consumers and become an exploit,” says McMurdie. “While some of these vulnerabilities are being reported by the media and some research groups, many others are not, and these are the ones that criminals are most likely to exploit,” she says.
At present there is no legislation requiring security testing, checking and validation of technology-based products and services before they are allowed to go to market.
“We will probably have to shift towards some kind of legislation requiring security testing for tech kit, and moves in that direction have been mooted,” says McMurdie.
Adding to the cyber crime opportunities of new technology, everybody is switching to mobile, with 40% of online transactions originating from mobile devices, according to the ThreatMetrix cyber crime report.
Mobile banking is more popular than ever, the report says, with logins to online banking via mobile apps almost double those from desktop computers, a 500% growth in mobile transactions for financial institutions compared with the same quarter last year, and a 25% increase in mobile-only users for financial institutions compared with the previous quarter.
UK leads on shift to mobile banking
According to the ThreatMetrix data, in the second quarter of 2016, the UK saw 58% of online transactions via mobile devices, compared with Canada (54%), the US and Australia (34%), Russia (32%) and Germany (21%).
Just like everyone else, cyber criminals are switching to mobile because it is easier, says McMurdie. Mobile potentially provides an easier route into corporate networks and data through the theft of legitimate credentials, and criminals think it makes them harder to catch.
“As a result of this shift, we are also seeing a rapid growth in ransomware for mobile devices,” she says.
According to a report by security firm Kaspersky Lab published in June 2016, mobile ransomware has quadrupled in the past year, and in the first quarter of the year the number of new pieces of mobile ransomware increased to 2,895, up 46% compared with the last quarter of 2015.
“When I was in law enforcement, we looked at the forensic demand, and even as far back as seven years ago the highest demand was not in relation to servers or desktop computers: a massive proportion of the demand was for mobile forensics,” says McMurdie. “And law enforcement continues to struggle to keep up-to-date with the tools and technology to address mobile forensic challenges.”
According to the ThreatMetrix report, a diverse landscape of mobile attacks gives cyber criminals the opportunity to inflict huge damage on business reputation, customer trust and long-term revenue.
To compound the risk, the report said mobile app delivery teams rarely have the full spectrum of specialised skills required to address all attack vectors and continuously monitor to identify and mitigate new and emerging threats.
Mobile apps are vulnerable, the report said, in part because they exist outside the security perimeter of the online business. They provide fraudsters with direct access to elements of the merchant’s business process, making the business vulnerable to a wide variety of attacks, from malware in the operating system of the host device to malicious or pirated third-party apps that can be used to steal sensitive personal credentials.
Device and identity spoofing are the most prevalent mobile attack vectors, the ThreatMetrix report said, as fraudsters attempt to dupe businesses into believing their transaction comes from a trusted device or user.
With law enforcement resources limited across Europe, organisations have to prioritise whatever is causing the most harm. But, as a result, much of this is reactive, with law enforcers waiting to see a spate of particular attacks before taking action.
“They are trying to be more proactive, but there are thousands of bits of kit on the market that have vulnerabilities that cyber criminals will try to exploit. Law enforcement does not have the resources to engage with all of those different producers, so instead they are focusing on key engagements aimed at driving a security culture,” says McMurdie.
This is a goal shared by PwC, she says. “When PwC is called out by organisations looking at expanding their market or changing their infrastructure, technology or governance, the PwC focus is not just on delivering on a requirement to do something such as automate a key process, but also on embedding appropriate cyber security measures.”
Security by design
A report on the cyber security vulnerabilities in the vehicle manufacturing industry, published in August 2016, focuses on this concept of security by design, which law enforcement sees as key to reducing the opportunities for cyber criminals.
Corey Thuen, senior security consultant at IOActive and author of the report, said researchers had uncovered several “hair-on-fire” vulnerabilities that could easily be exploited at any moment.
Manufacturers need to wake up to the risks they face in the connected world and realise that most cyber security vulnerabilities cannot be solved simply by using bolt-on systems, and instead require sound engineering, software development practices and cyber security best practices.
“The most effective cyber security work occurs during the planning, design and early implementation phases of the products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” said Thuen.
Failing to address security at the early development stages could be very costly in the long run, he said, leading to loss of consumer confidence or even product recalls, which some vehicle manufacturers would find difficult to recover from.
Healthcare is a target
Cyber criminals are also increasingly focusing on attacking data-rich infrastructure where they can get full-field data, says McMurdie, such as legal firms, insurance companies, universities and healthcare organisations.
In September 2015, researchers at Raytheon Websense (now Forcepoint) revealed that healthcare organisations were 340% more likely to be hit by an IT security incident than was the average across all sectors, and 200% more likely to experience data theft as cyber criminals increasingly target healthcare organisations because of the rocketing black-market value of personal medical data.
The report followed a series of data breaches at US healthcare insurance companies including Anthem, Premera Blue Cross, and Excellus BlueCross BlueShield, while in August 2016, Banner Health revealed that its systems had been compromised, exposing the personal details of patients.
But despite the challenges, McMurdie says law enforcement is far more structured than in the past and there is more collaboration at all levels.
“Regionally, you have Europol and the European Cyber Crime Centre, while in the UK, the National Crime Agency [NCA] has just reformed its tasking so that the regional organised crime units are reporting into the NCA and can be tasked by the NCA,” she says.
There are also good relationships between European law enforcement working groups and police forces, according to McMurdie, while internationally there is Interpol, which seconds people from industry to work with it and co-ordinate activities around the world.
The challenges are great, but McMurdie is optimistic about the growing collaboration and knowledge-sharing around cyber crime.
McMurdie is also positive about life after the UK vote to leave the EU. “There are strong relationships already and I think they will only improve and increase because every cyber crime you have involves infrastructure, criminals and/or victims on a national, European or international basis, and police forces have to work together,” she says.
“Those relationships will only increase despite the UK opting out of the EU because common sense dictates that we have to maintain those relationships and improve them.”