As more and more business is conducted online and cybercriminals zero in on a very lucrative market, both the public and private sectors face increasing cybersecurity risks. The Cipher Brief sat down with Scott Keoseyan, the leader for Deloitte’s Cyber Threat Analysis and Research Teams, and Keith Brogan, a Senior Manager at Deloitte Cyber Risk Services, to discuss the motives driving cyber attackers and what is being done to combat cybercrime.
The Cipher Brief: How would you assess or characterize the threat of cybercriminals, at present, to industry or enterprise?
Scott Keoseyan: Financially driven. From an enterprise perspective, if you’re in business, you’re in business for a reason, which is usually centered around profit of some kind. That means you usually have something other people don’t have, whether that’s intellectual property, products, or services, as you move those things from what I call traditional brick-and-mortar. For the last 20 years we’ve been shifting from brick-and-mortar to cyber, bringing things online. But we’ve kept the same sense about business risk to a certain degree, as we did back in the days of brick-and-mortar.
We’ve never gone through addressing what the new risk is associated with bringing things online—what your new risk exposures are. How we’re doing business differently actually changes not the outcomes but the way that we’re doing business, which incurs more risk. Because of that, you end up in a place where your exposures don’t necessarily translate to the old way of thinking, where I can keep all my money in my drawer, I can lock it up at night, and I can be safe about it. Now all my money and all the things that make my business unique and valuable become exposed in ways I’ve never thought of before.
That makes an enterprise a potentially target-rich environment for somebody who wants to take those things and turn them into money for themselves, steal them. Instead of kicking down the front door and taking all of the cash out of the drawer, or kicking down the front door and stealing all the TVs off the shelf, now we’re talking about things like taking the design for those TVs. The things that make them unique are things that I can turn around and sell to other companies and monetize in various ways.
TCB: You said that it’s financially motivated and you seem to touch very heavily on theft of intellectual property or trade secrets. Has that been the case consistently, is that a recent shift? How has the focus on cybercriminal activity been changing over time, and how do you anticipate it will change moving forward?
Keoseyan: I’d say that that’s probably been a focus for a while, probably since the late 2000s. Whether it’s a nation-state, or it’s somebody stealing intellectual property, like digitally trademarked things, music, movies or other things like that, in an effort to monetize through piracy. I think that trend continues. As long as there’s money to be made, criminals continue to do that. What changes is as the technologies change or the ways that we deliver things change, new criminals come along that are more savvy, and they’re able to figure out new ways to gain access to those things. It’s to a certain degree an arms race. And I think that continues over the long haul.
Keith Brogan: To a certain extent, right now, what we’re seeing is the technology required to actually exploit those things that the threat actors are after has become more accessible. Traditionally, back in the early 2000s, we really looked at what I would almost call “run-of-the-mill cybercriminals,” people who were more organized. Now, to a certain extent, we see a lot more, kind of petty theft, because the technology is more accessible.
TCB: You mentioned seeing a lot more “petty theft”—are there any other significant trends that are emerging from more people being able to enter into this market, let’s call it?
Brogan: The one trend that’s not necessarily driven directly by people entering the market, but I think what we have seen is—rewind to the early 2000s, or even kind of the late 2000s, you saw a lot of purpose-built technology for a cybercriminal to go exploit something and get access to a piece of intellectual property. Now, one of the trends that we are most definitely seeing is technology for hire to a certain extent. There are now criminals who are building packages that are for sale that lower that barrier to entry.
Keoseyan: I don’t have to have the coding skills or necessarily a deep understanding of the technology in order to be able to commit a crime. I don’t have to know how to make the gun, I just have to know how to fire it.
TCB: With that in mind, how does this kind of cybercrime-as-a-service, malware-as-a-service, whatever you want to call it—the service providers, how does their existence and their ability to spread this over a much larger area affect the threat landscape for businesses—is it a matter of intensity, or does it open up new things that they have to contend with? And how can they better defend themselves against this apparently increasing number of cybercriminals?
Keoseyan: The first part to that I’d say, it impacts enterprises from the standpoint of, because it’s not one person doing this whole entire enterprise themselves, when you’re investigating that crime, and you’re pulling the information together to be able to prosecute that perpetrator, that’s all fine and dandy, but you pull that guy off the market. Because of his specialization, you maybe got one part of that crime. You only saw that one piece of it. And maybe at the end of the day he doesn’t actually understand where he got all the pieces from. In other words, when I say where from, meaning he obviously went out and bought and contracted and paid for these different pieces, whether it was a botnet infrastructure, whether it was a way to distribute malware or information by whereas malware was hosted, maybe it was a rented exploit kit, maybe he bought a ransomware kit to be able to deliver, maybe he bought access to a payment gateway or even a tumbler service to clean his money. You take that one guy off the market, all those other parts of that enterprise that provided those services are still intact and that person doesn’t have really good information on where he actually got any of that stuff from. He knows handles in a forum and he knows ICQ numbers and a few other things that maybe are breadcrumbs to someone who is really smart, that can go off and try to hunt those guys down too. But from an enterprise perspective, yeah, I want to go tackle that guy because he’s hurting me, he’s targeting my customers right now. You get rid of him, it doesn’t really solve the problem anymore. Back in the old days, you caught a bank robber, and the bank robberies in that area stopped. That’s not the case anymore necessarily.
TCB: Does that mean then, instances where, say Gameover Zeus—that big botnet that got taken down and it removed a huge section of that particular type of cybercrime—are those days pretty much ending with this more sort of—
Keoseyan: What’s the attribution on that, right? That’s I think the name of an individual I think I’ve heard before—Evgeniy Bogachev—that ran Gameover Zeus. Where is he? He’s not sitting in jail today. What else is he doing today? What else does he have his fingers in? You think just because he lost his botnet that he decided, he took my ball away so I’m going home? No, he’s off doing other things. He’s continuing. So, targeting—that’s another big challenge. I’m going to go target this botnet, I’m going to go target this thing, but that thing—Gameover Zeus—is a variant of Zeus. How many new Zeus things did we see this year already? It continues.
TCB: It seems that whenever there’s a very large hack or something it usually calls for government to do something. Within this cybercriminal space, what is the role of government in supporting the ability of businesses and I guess to an extent cybersecurity firms to combat the cybercriminal threat? What is their role, if at all, and what should the government be doing to better help people to counteract this?
Keoseyan: Their role is obviously protecting victims. But if there is no victim, there is no crime. The crime almost has to be committed. Is it reactionary? Can their role be preventative? I don’t know. Now suddenly you’re crossing into a really gray area.
Brogan: The other thing that I would add on to that is more education and awareness, quite honestly. I don’t think that today we tell a broad message in a consistent way. And I think that would be one really easy way to help part of the population. Does it get to the point where we’re preventative? No, maybe not. But it makes an awful lot of informed people who can use information to make decisions. I think those are two good ways.
TCB: How do each of you feel about this moving forward? Looking at the threat space, the patterns and trends that you’ve seen in regards to cybercriminal activity—how do you think things are going, going to get better, going to get worse, going to stay the same—how do you see things progressing moving forward?
Keoseyan: I think I mentioned it earlier, it’s almost an arms race to a certain degree. I had somebody mention to me recently that maybe one of the reasons ransomware has exploded so much is because maybe some of the other avenues of cybercrime, especially in the United States around credit card fraud for example—maybe some of those doors have been closed with the adoption of BMB. That, coupled with the low barrier of entry associated with ransomware—being able to buy kits, and buy access to the infrastructure to run it and so on and so forth. I want to go make some quick dirty cash, and it’s harder to do it this way now, so I’m going to go do it that way instead. Maybe that’s the shift. But does it actually shrink the threat? No, it’s just a changing threat.
I think the threats sort of remain or in some cases grow and in other cases shrink, but the overall landscape, like you mentioned, is probably—I don’t know, outlook equals bad maybe? Or it’s continuing to rain? I think that’s why you go downstairs into that vendor area and you see so many new companies every year and so many big companies continuing to grow in this space, because it’s not shrinking.
Brogan: I got into this game 16-17 years ago, and I thought we would have all this solved. I really thought, hey, someone’s going to come up with the magic bullet. Maybe that’s because I was young at the time or maybe that was just the outlook at the time, but the threat really changes and matures and evolves. As businesses continue to evolve and put more and more of their, call it “business process” into the cyber world and into electronic means, we’re going to continue to see the threat evolve to take advantage of that.
TCB: I got like a “red queen” type thing, if you’re familiar with that metaphor. It’s Alice in the looking glass, she has to keep running to stay where she is, a metaphor of evolutionary biology that I won’t go into right this moment, but it involves having to work really hard to stay in one spot.
Keoseyan: Yeah. And that’s probably to a certain degree what we’re doing today. Some people will say we’re staying ahead of the curve. I’d imagine if I were in enterprise I’d be asking myself, just how much money do I have to have to mitigate the risk that people are telling me I have. I think realistically that’s the question a lot of large enterprises are asking themselves. I’m going to continue to try to manage this risk to the best of my ability, but you keep telling me I need to continue to spend more and more money all the time to do the same thing. Where’s the breaking point?
TCB: Any parting thoughts?
Keoseyan: I came out of financial services, so I immediately honed in on what my definition of cybercrime was earlier. Cybercrime is interesting because people’s definitions vary, but when you add in or lump in things like hacktivism, for example, that’s when you start to get into really gray and fuzzy areas. The financial aspects of cybercrime are interesting to me because sometimes they’re a lot more clear and tangible. But certainly that’s not to say that those other avenues don’t exist.
And then you have the whole other notion of crime around cyber that isn’t directly related to cyber but maybe uses cyber as a tool, whether it’s tweeting out bomb threats or just online abuse. Is that a crime? I’ve seen stories about people being driven to suicide and other things. There’s social media. Is that a cybercrime? Some people might say yes and some people might say no, just based on the fact that computers were involved.
Scott Keoseyan is the leader for Deloitte’s Cyber Threat Analyst and Research teams, focusing on development of research and analysis methodologies and technologies in support of Deloitte’s Threat Intelligence and Analysis (TIA) subscription products.