From the investigation of the U.S. presidential election to the ransomware attack of the National Health Services in the U.K., cybercrime is front page news. Cybercrime can come in several forms executed by a host of actors, hacktivists to nation-state. Cyber threats are now global affecting all industries. International cybercrime has victims worldwide, there is not a physical or virtual border that it will not cross. It is a global crisis.
The Lizard Squad, Anonymous, Electronic Tribulation Army, LulzSec and Morpho. This isn’t a list of popular MixCloud DJs. Nor is it a group of colorful Marvel superheroes. Rather, it’s a small selection of notorious hacker groups. These decentralized groups coordinate their efforts online through various channels. They do not have one website to sign up on to become a member. You do not need to submit a resume and anyone can participate. For this reason, global dispersed hacking groups present a challenge to authorities and continue to be a moving target.
The uncontrolled membership can cause disharmony in messaging and the selection of who or what to attack. However, the small ripples of discord within their ranks have not stopped the success of many of their attacks. In recent years, they’ve leveraged distributed denial of service attacks on Microsoft Xbox, Sony PlayStation, Sony Pictures, Apple, Facebook, Twitter and Amazon. And now Petya and WannaCry ransomware are making headlines with their creators are yet to be identified.
Combating a Distributed Network of Actors
These threat actors use a multi-vector approach to execute their attacks, raising the odds for success. Traditional perimeter security does not cover all areas of vulnerabilities, especially when protecting against the sophisticated hacking groups. While an organization is experiencing a distributed denial of service (DDoS) attack on the network perimeter, an attack on their applications could be in progress on their web browser, leading to ultimately identifying a vulnerability, thus executing a successful attack. In several cases, until the data has left the building, the attack does not get identified. If this breach is a result of an international hacking group or person, there is no process for prosecution across borders. If the cybercriminal is traced back to allies of the United States a coordinated effort between the countries’ law enforcement can lead to prosecution. However, the success of prosecuting these international cybercrime cases are not the norm.
Fighting Back at International Cybercrime
Since 2001, the United Nations (UN) has been researching cybercrime and its effects. In 2013, the UN Office on Drugs and Crime (UNODC) began delivering technical assistance to law enforcement authorities, prosecutors, and the judiciary, in three regions of the world, in Eastern Africa, South-East Asia, and Central America. As of 2017, the UNODC considers cybercrime as an “Emerging Crime”. While the UNODC is helpful with investigations, it leaves open the advisement for consequences for cyber threat actors and nation states.
Recently in the U.S., there was a proposal to amend the Computer Fraud and Abuse Act with the Active Cyber Defense Certainty Act (ACDC). The bill would specifically allow victims of a “persistent unauthorized intrusion” to access of an attacker’s computer “to gather information to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s network.”
We had the privilege of interviewing a cybersecurity hero – the person who recently stopped the spread of the WannaCry malware – MalwareTech. Fresh from the heat of battle he provided us insight on his views on cybercrime.
Imperva: What are your views on the proposed US Active Cyber Defense Certainty Act (ACDC) otherwise known as “Hack Back”?
MT: I don’t agree with it for a lot of reasons:
– It makes it harder to prosecute real criminals as you first should prove they were the first to attack and [were] not retaliating against a prior attack.
– The kind of people who will be hacking back if it’s legalized are unlikely to be the people who should be (because those who should already are). The people in favour [of hacking back] are pentesters looking to make more money being contracted to hack back, but the people who have all the relevant information to do so are those working in threat intelligence, not pentesting.
– To avoid accidentally damaging non-attacker controlled infrastructure, you would have to first have a good understanding of their TTPs and which infrastructure belongs to them. Quite often attackers use compromised servers or Windows boxes as proxies to run attacks through and someone not familiar with the actors could attempt to compromise these, resulting in unintentional damage. Think about how DoublePulsar (Exploit used in WannaCry) crashes Windows XP boxes, now imagine someone runs a metasploit module to exploit some compromised Windows boxes which they think are attacker owned…they’re going to crash all the XP ones, leading to data loss.
Imperva: Now, when a cyberattack occurs, if the person executing the attack resides and conducts the attack outside of the country they are attacking there is very little that can be done to bring criminal charges. Do you think there should be a global agreement put in place for the prosecution of cyber criminals across boarders? If so would this require a separate arm of the UN to investigate/charge the individual or group? What are your thoughts on if this would work or not?
MT: Something like this would be great, but it’s never going to happen for the same reason that a lot of these countries don’t have extradition treaties.
Imperva: If a global agreement was in place for the prosecution of cyber criminals across borders — how do you believe this would impact the attack environment? Increase/Decrease?
MT: It would decrease due to eastern European cybercriminals being less untouchable, but I don’t think any of the countries who would need to join the agreement ever would.
What You Can Do
As we continue to read about emerging cyberattacks across the globe, organizations will continually need to assess their security posture. Until an agreement of global action is in place, you’ll need to strengthen your offensive security. Checking all the boxes for an audit will not save you from a cyberattack.
Here are some suggestions on procedures you can implement to protect your network:
- Preform red team simulations to expose vulnerabilities.
- Create a playbook based on scenarios that have occurred to competitors in the industry along with other attack ideas. This includes not only your security software and hardware security testing but the people in your organization.
- Test everything from simulating phishing attacks to vulnerabilities in physical security. Yes, I said physical. If I can get in your building and find a cubicle or conference room with network information, as a hacker I have the advantage compromise your perimeter.
- Include scenarios with cross departmental war rooms. For example, your war room should have not only IT and security members, but also a marketing representative with a plan to communicate across all internal and external outlets.
These are only a few suggestions on how to build an offensive posture for your security plan. The primary goal is to write your playbook and get your organization practicing offensive security. Mastering offensive security will make your organization stronger against cybercrime.
By understanding your role in the threat landscape you can protect your IP, systems, and reputation from falling victim to an attack. The ability to mitigate risk in an environment is key since there is minimal to no retribution against adversaries, especially international actors.