The Evolution of Cybercrime and What It Means for Data Security
Cybercrime is now an industry unto itself. And, just as any industry evolves, so does the cybercrime industry.
This industry is built upon enterprise data. Granted, there is a ready underworld supply chain and market for vulnerabilities, attack kits, botnets, APTs, phishing-as-a-service, ransomware-as-a-service and other evolving tools. Cybercriminals generate significant sums of money by trading up and down this supply chain. But stealing or obstructing access to enterprise data is the foundation of this value chain. If data were of no value to the cybercrime industry, none of these other elements would have value either, and the entire value chain (and industry) would collapse.
Cybercriminals will naturally gravitate toward the most efficient and risk-averse mode of operation. This fundamentally differentiates information security from any other IT problem. Information security is the only IT problem where financially motivated human actors are explicitly working to break your enterprise IT infrastructure. Their tactics will change. But what they’re after—your data—doesn’t.
In this post we discuss how the changing nature of cybercrime and app and data accessibility create risk, the essentials of application and data protection, and questions you can ask to assess how well your core data assets are protected.
A World of Increasing Opportunity – for Cybercriminals
Data is at the center of today’s digital environment. More data is in more places, available through more apps, accessed by more people, and cybercriminals have more places to sell it.
Any law enforcement professional will tell you, “theft is a crime of opportunity.” Fundamental to digital transformation is that enterprises are simply generating more data than ever before. It’s part and parcel of a knowledge-driven economy and how enterprises create and deliver value. All of this data—stored in an ever-shifting array of locations and repositories—simply presents more opportunity to the cybercrime industry.
“Apps” are fundamental to digital transformation. They—manifested as mobile apps, customer portals, websites and even as APIs—are now the de facto way enterprises interact with other businesses and consumers. In addition to driving down enterprise costs, these apps directly generate much of the data driving how enterprises create value. This exploding app universe serves as a direct gateway to enterprise data, and greatly expands the attack surface available to the cybercrime industry. More opportunity.
Many criminals don’t get caught stealing. They get caught attempting to transact upon what they stole. The combination of bitcoin and the dark web has reduced the transaction costs and hazards associated with being a cybercriminal today. There is less risk in relation to law enforcement, and less “counter-party” risk (a.k.a., one criminal ripping off another). This naturally draws in more actors, leads to increased specialization, and ultimately enhances the efficiency and effectiveness of the cybercrime industry as a whole.
Adding to enterprise exposure is the fact that more people now have legitimate access to data. So-called “knowledge workers” now number over 100 million. When bringing in a new hire, for example, most managers extend an implicit trust so that person can perform their duties, and the new hire is made privy to certain enterprise data assets. Add to that all the data security risks associated with using contractors.
Looking externally, enterprises strive to let customers easily and directly access a multitude of apps and the data available through them. This is in fact one of the ways enterprises generate the data that is so valuable. The paradox is that this turns consumers—together with all of their intrinsic security flaws (e.g., weak passwords and password reuse)—into an attack vector.
Evolution of Data Monetization
In a knowledge-driven economy, enterprises have two core assets:
- Data, which is their IP
- Apps, which are the manifestation of their business processes
Since the origin of mankind, criminals have made money in one of two ways: extortion or theft.
Cybercriminals are no different, and the cybercrime industry makes its money targeting these two enterprise assets.
Extortion takes the form of DDoS and ransomware attacks; data theft occurs through application attacks and insider threats.
Extortion attacks directly targeting data didn’t exist at scale until the relatively recent ransomware explosion, such as the attacks that hit a number of hospitals in 2016. While ransomware targeting file servers is presently the most prevalent form, expect cybercriminals to develop other extortion-type attacks on a continual basis.
DDoS (distributed denial of service) is textbook extortion targeting enterprise apps, although perpetrators are also looking at other methods. For example, hackers can now lock all of the doors at a hotel and demand a ransom to unlock them. This gives new meaning to “denial of service.”
Apps, which provide a publicly accessible gateway to data, are the most visible vector for data theft. Historically, application attacks have exploited software vulnerabilities in the application code (i.e., OWASP Top 10 attacks like SQL injection and cross-site request forgery). This still accounts for the majority of application breaches. However, cybercriminals have expanded to application/business-logic assaults (e.g., price scraping and data alteration on e-commerce sites) and credential compromise/account takeover attacks.
Direct data breaches of database repositories are ultimately an insider threat problem. In almost all cases, they involve either:
- A malicious insider who already knows where the data is, has access to it, and takes the opportunity to steal it for their own gain
- Careless or compromised users who—while not malicious—take actions that expose either themselves or the data they can access to external cybercriminals
An Asset-centric Security Posture
As mentioned earlier, Information Security is different than any other IT problem because there is a financially motivated opponent. As long as there is money to be made—whether via extortion or theft—there will be actors constantly evolving their tactics. However, what they target remains constant: data, and the apps that front it.
As businesses have become more sophisticated in their understanding of the realities of managing threats from the cybercrime industry, we’ve seen the beginning of a shift away from focusing on the “attack du jour” (aka the latest tactic) and towards an emphasis on better visibility and protection of the core assets that cybercriminals target, regardless of what tactics they may use at any given time.
The essentials of application and data protection.
Application and data protection—whether protecting against extortion or theft—ultimately comes down to these essentials.
- Protect apps wherever they are, in the cloud or on-premises.
  - App footprints will exist both in the cloud and on-premises. Application security needs to protect in both cases. Moreover, application security itself needs to be hybrid, as some protections (e.g., DDoS) are best done “in the cloud” while other protections are better suited to close proximity to the applications themselves.
- Leverage actionable threat intelligence.
  - As the cybercrime industry continually innovates and automates, expect any public application to get attacked hundreds, if not thousands, of times a day. Threat intelligence is critical to filtering, understanding and ultimately blocking application attacks. IP reputation and signatures alone are not sufficient. Bot protection/anti-automation and threat intelligence that identifies credential compromise attempts against apps are critical as well. This threat intelligence needs to be delivered in a way that enforcement points can use directly to take action in real time as they mitigate threats.
- Automate blocking with accuracy.
  - Working under the assumption that every app will be attacked hundreds (or more) times a day, simply raising an alert for later investigation won’t be effective. Too much will get through, and too many alerts will be raised for the SOC to investigate. The dirty secret in app security isn’t false negatives (not detecting an attack), but rather false positives (flagging valid traffic as an attack). Any solution must be accurate enough—minimizing both false positives and false negatives—so that the business has the confidence to actually block application traffic without fear of blocking valid requests.
- Know where your enterprise data is located, who is accessing it, and when.
  - This is an ongoing endeavor, especially in relation to both employees and contractors rotating through the enterprise. Without such monitoring, ops teams are flying blind: they don’t know what they don’t know. But monitoring simply provides a baseline. It alone isn’t sufficient due to the sheer volume of data that legitimately gets accessed.
- Frequently reassess whether data access on every level is acceptable, and flag those instances when it is not.
- Position ops teams to immediately respond to risky data access in order to contain the threats.
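The “actionable threat intelligence” and “automate blocking with accuracy” essentials, worked through as an added example (this is not code from the original post or from any product it describes). It detects credential stuffing from login-audit events and only blocks when independent behavioural signals corroborate each other, so that a reputation feed alone, or a single noisy signal, never blocks legitimate traffic. The events, the threat-intel set and the thresholds are all constructed or assumed for illustration.

```python
# Credential-stuffing detection with a confidence-gated block decision.
# Added example, not code from the original post. Events, the threat-intel
# set and the thresholds are constructed/assumed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed login-audit events: (timestamp_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    # 198.51.100.7: one failure against each of 40 accounts in 40 s, then one hit
    [(100 + i, "198.51.100.7", f"user{i:03d}", False) for i in range(40)]
    + [(141, "198.51.100.7", "user017", True)]
    # 203.0.113.5: one person mistypes her own password twice, then logs in
    + [(200, "203.0.113.5", "alice", False),
       (205, "203.0.113.5", "alice", False),
       (212, "203.0.113.5", "alice", True)]
    # 192.0.2.10: a shared office egress IP; many users, almost all successful
    + [(300 + i, "192.0.2.10", f"emp{i:02d}", True) for i in range(30)]
    + [(331, "192.0.2.10", "emp03", False),
       (332, "192.0.2.10", "emp11", False)]
)

# Hypothetical threat-intel feed: sources seen in other stuffing campaigns.
BAD_IP_REPUTATION = {"198.51.100.7"}

# Assumed thresholds; tune against real traffic before enforcing.
MIN_DISTINCT_FAILED_USERS = 10  # breadth: failures spread across many accounts
MIN_FAILURE_RATE = 0.8          # almost nothing this source tries works
MIN_ATTEMPTS_PER_SECOND = 0.5   # velocity: faster than a person types passwords


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    failed_users: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)
    first_ts: float = float("inf")
    last_ts: float = float("-inf")


def aggregate(events):
    """Roll login events up per source IP."""
    stats = defaultdict(SourceStats)
    for ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.first_ts, s.last_ts = min(s.first_ts, ts), max(s.last_ts, ts)
        (s.succeeded_users if ok else s.failed_users).add(user)
        s.failures += 0 if ok else 1
    return stats


def behavioural_signals(s):
    """Signals derived from what the source did, independent of any feed."""
    signals = []
    if len(s.failed_users) >= MIN_DISTINCT_FAILED_USERS:
        signals.append("many_distinct_failed_accounts")
    if s.failures / s.attempts >= MIN_FAILURE_RATE:
        signals.append("high_failure_rate")
    if s.attempts / max(s.last_ts - s.first_ts, 1.0) >= MIN_ATTEMPTS_PER_SECOND:
        signals.append("high_velocity")
    return signals


def decide(events, reputation=BAD_IP_REPUTATION):
    """Return {source_ip: (verdict, signals)}.
    block: two or more behavioural signals, or one plus a reputation hit.
    alert: exactly one signal of any kind; corroborate before blocking.
    allow: nothing suspicious. Reputation alone never blocks (shared/recycled IPs).
    """
    verdicts = {}
    for ip, s in aggregate(events).items():
        signals = behavioural_signals(s)
        behavioural = len(signals)
        bad_rep = ip in reputation
        if bad_rep:
            signals.append("bad_reputation")
        if behavioural >= 2 or (behavioural == 1 and bad_rep):
            verdict = "block"
        elif signals:
            verdict = "alert"
        else:
            verdict = "allow"
        verdicts[ip] = (verdict, signals)
    return verdicts


def compromised_accounts(events, reputation=BAD_IP_REPUTATION):
    """Accounts that logged in successfully from a blocked source. Blocking the
    IP does not revoke these credentials; they need a forced reset."""
    stats = aggregate(events)
    return sorted(
        user
        for ip, (verdict, _) in decide(events, reputation).items()
        if verdict == "block"
        for user in stats[ip].succeeded_users
    )


if __name__ == "__main__":
    for ip, (verdict, signals) in decide(SAMPLE_EVENTS).items():
        print(f"{ip:15} {verdict:6} {signals}")
    print("force password reset:", compromised_accounts(SAMPLE_EVENTS))
```

On the constructed data the stuffing source is blocked on three behavioural signals plus reputation, the person who mistyped her own password is allowed (her failure rate and velocity stay under threshold and she only fails against one account), and the shared office IP trips only the velocity check, so it is alerted rather than blocked. The one account that authenticated successfully from the blocked source is reported separately, because blocking the IP does nothing about the credential the attacker now holds.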
Are Your Core Data Assets Protected? 10 Questions to Ask.
The existence of the cybercrime industry is predicated upon the fact that your data has value. While cybercriminals will continually evolve their tactics, what they’re after won’t change. Here are ten questions we’ve seen organizations use to “self-assess” how well their core data assets are protected.
- Where, specifically, is private data located?
- Who is accessing data? Should they have access to the data?
- Which users have access to the data, but do not use it?
- How do they access it?
- What level of risk is acceptable?
- Who is responsible if data is lost?
- Who is responsible for monitoring that data?
- Can you determine which data has been lost in a breach?
- Are the processes for answering these questions repeatable, scalable, timely and cost-effective?
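The “know where your data is, who is accessing it, and when” and “frequently reassess access” essentials, together with the questions “who is accessing data, should they have access?” and “which users have access to the data but do not use it?”, worked through as an added example (not code from the original post). It builds a per-user baseline from a database audit history, lists grants that were never exercised (revocation candidates), and flags recent accesses that deviate from each user’s own baseline. The grants, audit entries, table names, sensitivity labels and the bulk-read factor are constructed or assumed for illustration.

```python
# Baseline-and-deviation review of database access.
# Added example, not code from the original post. Grants, audit entries
# and thresholds are constructed/assumed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: tables each principal is granted, as recorded by the access-control system.
GRANTS = {
    "alice":   {"customers", "orders"},
    "bob":     {"orders"},
    "carol":   {"customers", "orders", "payroll"},  # grants left over from an old role
    "svc_etl": {"customers", "orders", "payroll"},
}
SENSITIVE_TABLES = {"customers", "payroll"}  # where the private data lives
BULK_FACTOR = 10  # assumed: a read > 10x the user's historical max is "bulk"


def _day(n):
    return datetime(2024, 4, 1) + timedelta(days=n)


# Constructed 30-day audit history: (timestamp, user, table, rows_returned)
HISTORY = []
for _n in range(30):
    _d = _day(_n)
    HISTORY += [
        (_d.replace(hour=9),  "alice",   "customers", 200),
        (_d.replace(hour=10), "alice",   "orders",    500),
        (_d.replace(hour=10), "bob",     "orders",    300),
        (_d.replace(hour=11), "carol",   "orders",    100),
        (_d.replace(hour=2),  "svc_etl", "customers", 10_000),  # nightly batch
        (_d.replace(hour=2),  "svc_etl", "orders",    10_000),
        (_d.replace(hour=2),  "svc_etl", "payroll",   1_000),
    ]

# Constructed: one day of new activity to review against the baseline.
RECENT = [
    (datetime(2024, 5, 1, 9, 30),  "alice",   "customers", 150),
    (datetime(2024, 5, 1, 9, 31),  "alice",   "customers", 45_000),  # bulk export
    (datetime(2024, 5, 1, 10, 0),  "bob",     "orders",    250),
    (datetime(2024, 5, 1, 11, 0),  "carol",   "payroll",   2_000),   # first-ever payroll read
    (datetime(2024, 5, 1, 14, 0),  "svc_etl", "customers", 10_000),  # batch account used at 14:00
]


def build_baseline(history):
    """Per user: largest read seen per table, and the hours of day the user is active."""
    base = defaultdict(lambda: {"max_rows": {}, "hours": set()})
    for ts, user, table, rows in history:
        b = base[user]
        b["max_rows"][table] = max(b["max_rows"].get(table, 0), rows)
        b["hours"].add(ts.hour)
    return base


def unused_grants(grants, history):
    """Grants held but never exercised in the history window: candidates to revoke."""
    used = defaultdict(set)
    for _, user, table, _ in history:
        used[user].add(table)
    return sorted((u, t) for u, tables in grants.items() for t in tables - used[u])


def flag_risky_access(baseline, recent, sensitive=SENSITIVE_TABLES):
    """Recent accesses that deviate from the user's own baseline, for ops to triage."""
    findings = []
    for ts, user, table, rows in recent:
        b = baseline.get(user)
        reasons = []
        if b is None or table not in b["max_rows"]:
            reasons.append("novel_table")   # never read this table before
        elif rows > BULK_FACTOR * b["max_rows"][table]:
            reasons.append("bulk_read")     # far more rows than ever before
        if b is not None and ts.hour not in b["hours"]:
            reasons.append("off_hours")     # outside the user's usual activity window
        if reasons:
            findings.append({"ts": ts.isoformat(), "user": user, "table": table,
                             "rows": rows, "reasons": reasons,
                             "severity": "high" if table in sensitive else "medium"})
    return findings


if __name__ == "__main__":
    print("unused grants:", unused_grants(GRANTS, HISTORY))
    for f in flag_risky_access(build_baseline(HISTORY), RECENT):
        print(f)
```

On the constructed data the review surfaces carol’s two never-used grants (one of them on payroll), and three deviations on the review day: alice’s 45,000-row read of customers against a historical maximum of 200, carol’s first-ever read of payroll, and the batch service account reading customers at 14:00 when it has only ever run at 02:00. Each finding carries the table’s sensitivity, so the team can act on the high-severity items first rather than wading through the legitimate bulk of the access log.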
Organizations that can satisfactorily answer these questions are in good shape to manage the risk posed by the cybercrime industry regardless of what tactics/attacks that industry is using at any given time.