With cybercrime expected to reach costs nearing $2 trillion by 2019, firms are urgently seeking ways to better defend their networks from the harmful impacts of embarrassing leaks and disruptive extortion. The Cipher Brief spoke with Justin Harvey, the Managing Director and Global Lead at Accenture Security's Incident Response Practice, about the most worrying trends emerging in cybercrime today, what factors are driving them, and what can be done to mitigate their harmful effects.
The Cipher Brief: What are some of the more worrying trends in regards to cybercrime over the last few years?
Justin Harvey: Number one would be the proliferation of ransomware. Ransomware exists because of a few factors, the first of which is malware as a service. It’s very easy for attackers or a criminal enterprise to go and basically farm out infiltration—the initial foothold on their victims. Attackers would then just have to write the ransomware, which for many is fairly easy to code.
The second factor would be anonymous ways to communicate with victims, such as the onion router, known as the Tor browser, which gives access to the darknet, an encrypted space unavailable through typical Internet search engines. Previously, attackers always had to fear a paper or digital trail of evidence pointing back to them. Now, they can operate with impunity within the darknet.
The third factor would be the proliferation of crypto-currencies like bitcoin. Currently, criminals target their victims, communicate with them anonymously, and can be paid anonymously. That’s pretty much the perfect ecosystem for digital crime.
Sometimes a ransomware attack is targeted—rather than indiscriminate—where someone tailors ransomware to get into a specific organization, and upon entry, it spreads laterally across the network. This can facilitate extortion, where someone takes the same steps that they would to steal your data, but at the very end, they instead encrypt the data in place using commonly available tools. They then communicate with their victim via anonymous communications, such as Tor, and get paid via anonymous avenues like bitcoin.
The second trend that's really worrying is the increasing number of embarrassing leaks. We've seen the Panama Papers and the DNC leaks in 2016. In previous years, we've seen the Sony emails and Ashley Madison. This is just the tip of the iceberg. What if we see the entire salary history for an organization? That can wreak havoc on a company if someone simply takes all of the salaries and posts them on Pastebin. It would be pandemonium. Everyone would be looking at the people next to them: "Oh, they get paid more than me. Why is that?" It could also be grounds for lawsuits based upon equal pay for equal work.
So, those are the types of leaks and embarrassing attacks that we’re going to see. And, when leaks happen, don’t ever expect that they “chose” not to grab everything. Typically, nation states or criminals grab everything then triage what to release.
TCB: How can people improve their security and resilience, or maybe even preempt these attacks?
JH: The standard answer is "keep back-ups." Yes, keeping back-ups is good hygiene, but for a large organization, it's also about employing strategies toward detection, understanding that prevention is not the only answer. How can we accelerate finding the bad guys or detecting the malicious software or ransomware faster than it can cause damage? One example is a flight recorder, which is a piece of software that sits on every endpoint device and records everything that goes on within that device. This makes it possible to detect anomalous behavior. For instance, you can create a folder, called a "canary folder," so that if any program touches a file in there, or removes it, that could be ransomware, since no user should really be in that directory. That could then send an alert to the security operations center.
It's an absolute imperative that companies don't just go out and buy security software and devices that prevent attacks, but also realize that they need to get faster at detecting and remediating breaches.
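The canary-folder idea described in the answer above, as an added example that is not part of the interview and not Accenture's or any vendor's code: a small Python tripwire that seeds a decoy directory with files no legitimate user should open, records a SHA-256 baseline, and reports any modification, deletion or newly created file (an encrypted copy or a dropped ransom note) as an alert that a SOC pipeline could forward. The decoy file names, contents and the `simulate_ransomware` routine are constructed for the demonstration.

```python
"""Canary-folder ransomware tripwire (constructed example, standard library only)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy files. Names are chosen to sort early so a mass-encryptor walking the
# directory alphabetically hits them before real data. Contents are fake.
CANARY_FILES = {
    "!!_accounts_2016.xlsx": b"constructed decoy spreadsheet content\n",
    "00_passwords.txt": b"constructed decoy text, not real credentials\n",
    "_payroll_backup.docx": b"constructed decoy document content\n",
}


def seed_canary(canary_dir: Path) -> None:
    """Create the canary directory and populate it with the decoy files."""
    canary_dir.mkdir(parents=True, exist_ok=True)
    for name, body in CANARY_FILES.items():
        (canary_dir / name).write_bytes(body)


def snapshot(canary_dir: Path) -> dict:
    """Return {relative path: sha256 hex} for every file under the canary dir."""
    state = {}
    for root, _dirs, files in os.walk(canary_dir):
        for fname in files:
            p = Path(root) / fname
            state[str(p.relative_to(canary_dir))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def check_canary(canary_dir: Path, baseline: dict) -> list:
    """Compare the current state with the baseline; return sorted (event, path) alerts.

    Any alert at all is suspicious: nothing legitimate should write here, so the
    detection does not need to distinguish ransomware from other tampering.
    """
    current = snapshot(canary_dir)
    alerts = []
    for rel, digest in baseline.items():
        if rel not in current:
            alerts.append(("deleted", rel))
        elif current[rel] != digest:
            alerts.append(("modified", rel))
    for rel in current:
        if rel not in baseline:
            alerts.append(("created", rel))
    return sorted(alerts)


def simulate_ransomware(canary_dir: Path) -> None:
    """Constructed stand-in for an encryptor: overwrite one decoy in place,
    rename another to a .locked copy, and drop a ransom note."""
    victim = canary_dir / "!!_accounts_2016.xlsx"
    victim.write_bytes(bytes(b ^ 0x5A for b in victim.read_bytes()))  # "encrypt" in place
    (canary_dir / "00_passwords.txt").rename(canary_dir / "00_passwords.txt.locked")
    (canary_dir / "README_DECRYPT.txt").write_bytes(b"constructed ransom note\n")


def demo() -> dict:
    """Seed a canary in a temp dir, confirm it is quiet, then run the simulation."""
    canary_dir = Path(tempfile.mkdtemp(prefix="canary_")) / "Finance_Archive"
    seed_canary(canary_dir)
    baseline = snapshot(canary_dir)
    quiet = check_canary(canary_dir, baseline)      # expected: no alerts
    simulate_ransomware(canary_dir)
    tripped = check_canary(canary_dir, baseline)    # expected: four alerts
    return {"clean": quiet, "after": tripped}


if __name__ == "__main__":
    for event, path in demo()["after"]:
        print(f"ALERT canary {event}: {path}")  # in production, send to the SOC
```

Two practical points: this polls with a hash comparison, which is simple to reason about but means detection latency equals the polling interval; an endpoint agent would subscribe to file-system events (inotify, FSEvents, ETW) instead so the first write trips the alarm. And the canary directory must be excluded from backup agents, search indexers and antivirus scans, otherwise those legitimate readers become false positives (the example only alerts on writes, renames and deletes, which keeps read-only scanners quiet).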
TCB: What industries would you say are facing the greatest threat from ransomware?
JH: The industries that face the greatest threat from ransomware are the organizations with the most to lose, such as organizations that provide critical infrastructure, where a loss of life could result from the inability to restore services. The normal cast of characters is dams, water treatment plants, sewage disposal, power distribution, air traffic control, hospitals, military, and law enforcement.
Cyber criminals are devious. They pick a target that needs to get back online as fast as possible, so it will probably pay a ransom to get its data back. On top of all that, criminals don't ask for relatively large sums of money, more like $19,000, for example, and they just go from hospital to hospital extorting money for data. It adds up at the end of the day, but that's not to say that there aren't attacks demanding large amounts. Yes, that happens, but criminals are trying to find the sweet spot or red line. If they stay under that red line, they can continue on to other victims without consequences.