pixel_dreams - Fotolia
“There is not a lot organisations can do about the threat, but it is important that they make an effort to understand it,” said Mike Hulett, head of operations for the NCA’s National Cyber Crime Unit (NCCU).
“Keep yourselves up to date and aware of the potential threats to your organisations as well as about what is available to you to counter those threats,” he told Cybercon 2017 in Plymouth.
The really key part, said Hulett, is that organisations need to know what is valuable to them, but at the same time they must understand what is valuable to cyber criminals.
“These are not necessarily the same thing, and often organisations that have been breached think everything is OK if no financial credentials have been stolen,” he said.
“But they may have lost a couple of hundred thousand usernames and passwords, which is valuable data that can be married up with other data, which means the company is not out of the woods yet.”
Financial Trojans are the most prevalent, most professional, most sophisticated and most damaging threats that the NCA sees in the cases it is investigating.
“There is a huge number of variants as cyber criminals are consistently and constantly updating and changing the malware in reaction to what law enforcements and the banks do in terms of defence,” said Hulett.
DDoS continues to be a threat to business, but in the past few years it has gone from being a low-level annoyance to something far more serious, said Hulett.
“Firstly, DDoS now tends to be a ‘gateway crime’ in the sense that it is the first thing many curious teenagers will get involved in,” he said.
“For just $10 of software, teens who would not otherwise commit a crime can set up a DDoS for hire business, but typically see it as just a bit of fun, but then quickly get drawn into cyber crime.”
Read more about cyber crime
- More than half of UK organisations say they expect to be the victim of cyber crime in the next two years, suggesting it will become the UK’s largest economic crime, says a PwC report.
- The chief of the Metropolitan Police Service’s fraud squad Falcon admits the Met’s policing of online fraud and cyber crime has not been good enough in the past.
- Co-operation with business in the private sector is an increasingly important element in fighting crime, according to UK, US and EU law enforcement officers.
- Cyber criminals are always likely to be better resourced than law enforcement. Now, national and regional police forces in Europe are switching tactics to even the odds.
In recent years there has also been a huge increase in the amount of available bandwidth, and so DDoS can be much more damaging than before.
This also means DDoS attacks are much more costly to mitigate against and recover from.
“Another trend we are seeing is that DDoS is quite often a cover for something else,” said Hulett. “In blended attacks, a DDoS attack on a company gets all the network defenders going in one direction, while at the same time there is a much more serious network intrusion happening somewhere else on the network.”
Next is ransomware and other forms of extortion, which is really difficult for organisations to defend against, said Hulett. But he said this is a growing threat and organisations should ensure they follow best-practice advice on how to reduce the impact of such attacks.
In 2016, there was a huge rise in the number of data breaches and incidences of data theft, said Hulett, but at the same time people are willing to give their data away to online service providers or organisations that run loyalty programmes.
“Many people expressed opposition to the Investigatory Powers Act when it was going through parliament, and yet many of the same people subscribe to online services and are members of loyalty programmes, both of which collect a great deal of personal information,” he said.
“They know everything about you. People are willingly giving their data to these people and trusting them to keep it safe, which is not necessarily the case.”
Business email compromise
Business email compromise, also known as CEO fraud or whaling, is also rising rapidly in the UK, said Hulett.
In these attacks, the perpetrators typically hijack an email account belonging to a high-ranking executive and then use it to send an email to people in the organisation with financial authority, instructing them to transfer typically large sums of money into accounts controlled by the attackers.
“Like DDoS, we have had to change our perspective on this. We used to put this in the ‘fraud box’ as far as policing was concerned, but these attacks have become increasingly sophisticated. They have moved beyond simple phishing emails.
“Now cyber criminals are monitoring potential victims for months to work out their level of authority, when the chief of finance goes on holiday, and who does what to the social engineering email is highly customised and targeted,” said Hulett.
Thankfully, he said attacks on industrial control systems, such as those used by suppliers of critical national infrastructure, are rare – but they still happen.
The internet of things (IoT) is an emerging area of threat and risk, which Hulett said has kept his team very busy in recent months.
A likely future challenge will be to find a way to apply a security update to a device or appliance that is connected to the internet after it has been compromised.
Similarly, Hulett said the Mirai botnet and its variants are examples of how IoT device bandwidth can be hijacked to carry out crippling DDoS attacks.
“But how are you going to persuade the owners of IP cameras or other hijacked devices to do something about it when the functioning of their device is not affected and they are not the target of the DDoS attack?” he asked.
Hulett said must be an incentive for owners of IoT devices, particularly compromised devices, to keep the software up to date, and this should be something that is easy for users to do.