It’s an epic confrontation seemingly without end. On the dark side: a sophisticated global underground economy worth potentially trillions of dollars. On the other: a balkanised group of law enforcement organisations, security researchers, vendors, academics, and national governments. Already this year, we’ve seen both sides make their first moves. The only thing that’s certain is that the CISOs stuck in the middle will continue to lose sleep over mounting threats.
As we move through 2019, IT security must become more proactive and business-aligned, because however good law enforcement gets, the underground economy will continue to undermine digital growth and corporate reputations.
Striking a blow
First, the good news. Although traditionally hobbled by the cross-jurisdictional nature of cybercrime, safe havens for hackers, and anonymising tools like Tor, law enforcers have been doing a pretty good job of disrupting the bad guys. This is important not just because taking down a botnet may stop a particular attack group in its tracks and save some unwitting businesses or consumers from a major data theft, ransomware or DDoS attack. It also matters because every arrest and every infrastructure takedown sends a signal, however faint, deep underground that this cybercrime lark may not actually be worth pursuing.
So it was good to see an international law enforcement operation shut down notorious marketplace xDedic, which facilitated a trade in log-ins to compromised servers, resulting in $68 million in fraud losses. Even better is the subsequent arrest of three suspects. We should also welcome news that global police are following up on another famous takedown, DDoS-for-hire platform webstresser, by targeting users of the site. Europol claimed the UK’s National Crime Agency (NCA) is preparing action against 250 users.
The US authorities, meanwhile, have begun notifying victims of the North Korean Joanap botnet in order to disrupt it from the bottom up: its peer-to-peer design means there are no central C&C servers to seize, so the only way to dismantle it is to get the infected machines cleaned. It's another example of the determination of law enforcement to target cybercrime as far up the chain as possible.
A bit further down is a community-led effort worthy of mention. The abuse.ch URLhaus project recently reported that it managed to effect the takedown of 100,000 malicious websites in 10 months through an information-sharing programme with web hosting providers. It shows what is possible when stakeholders come together. The frustration is that these efforts are so often piecemeal.
Global risk rises
Despite these best efforts, the lack of coherent cybersecurity policy in many regions of the world and limited police resources mean there are still too many dark spaces for the hackers to hide. There’s no better illustration of the scale, reach and effectiveness of the cybercrime underground today than recent revelations that over 2.2 billion unique usernames and passwords are being shared online by hundreds of hackers.
Along with the democratisation of hacking tools and crimeware-as-a-service, breached or leaked log-in data is one of the cybercrime underground's biggest gifts to the community. It's typically the starting point for large-scale identity theft and corporate data breach attacks. Brute force and credential stuffing tools make things even easier, automating the use of these log-ins on a massive scale: a stuffing tool simply replays leaked username/password pairs against other sites, and because so many people reuse passwords, a small percentage of them will work.
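To make the defender's side of this concrete, here is an added example (my own code, not from the article or any product it mentions) of the kind of detection logic a SOC can run over web authentication logs. It assumes a simple, hypothetical log format of `timestamp source_ip username OK|FAIL`, and the log lines are constructed for the example. It separates the two automated attacks the paragraph names: credential stuffing (one source, many different accounts, mostly failures) and brute force (one source, one account, many failures), and it lists the accounts that succeeded during a stuffing run, since those are the ones that need a forced password reset.

```python
"""Spot credential stuffing and brute force in authentication logs.

Added example, not from the original article. Log format is assumed
(hypothetical): "<timestamp> <source_ip> <username> <OK|FAIL>" per line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used to classify login behaviour."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    succeeded: set = field(default_factory=set)  # usernames that logged in OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Aggregate login attempts per source IP, skipping malformed lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # never let one bad line abort the whole run
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded.add(rec["user"])
    return stats


def classify(stats, min_attempts=10, min_users=8, min_fail_ratio=0.8):
    """Map source IP -> (label, sorted list of accounts that succeeded).

    Stuffing: many distinct users from one source with a high failure rate.
    Brute force: one user from one source with a high failure rate.
    Thresholds are illustrative; tune them to your own traffic.
    """
    findings = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.fail_ratio < min_fail_ratio:
            continue
        if len(s.users) >= min_users:
            findings[ip] = ("credential_stuffing", sorted(s.succeeded))
        elif len(s.users) == 1:
            findings[ip] = ("brute_force", sorted(s.succeeded))
    return findings


# Constructed sample log (not real traffic). 203.0.113.7 replays a leaked
# list against twelve accounts and gets into "carol"; 198.51.100.5 hammers
# one account; 192.0.2.10 is a user who mistyped once.
_STUFFED = ["alice", "bob", "carol", "dave", "erin", "frank",
            "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SAMPLE_LOG = (
    [f"2019-02-01T10:00:{i:02d}Z 203.0.113.7 {u} {'OK' if u == 'carol' else 'FAIL'}"
     for i, u in enumerate(_STUFFED, start=1)]
    + [f"2019-02-01T10:01:{i:02d}Z 198.51.100.5 dave FAIL" for i in range(10)]
    + ["2019-02-01T10:02:00Z 192.0.2.10 alice FAIL",
       "2019-02-01T10:02:05Z 192.0.2.10 alice OK",
       "this line is malformed and must be skipped"]
)


def main():
    for ip, (label, compromised) in sorted(classify(aggregate(SAMPLE_LOG)).items()):
        print(f"{ip}: {label}; accounts to reset: {compromised or 'none'}")


if __name__ == "__main__":
    main()
```

The caveat a practitioner will raise straight away: real stuffing campaigns spread their attempts across thousands of proxy or botnet IPs precisely to stay under per-source thresholds like these, so this check needs to be paired with a global view (a spike in failures across many distinct accounts, regardless of source) and, above all, with MFA, which turns a "successful" stuffed password into a non-event.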
Dailymotion recently revealed its users were on the receiving end of one such attack. It will certainly not be the last in 2019. Other firms already admitting a data breach this year include aerospace giant Airbus, home improvement site Houzz, and US restaurant chain Huddle House. Magecart is also back, with researchers having discovered yet another group using the digital skimming code, this time compromising the supply chain by infecting a script served by a French ad agency, which put potentially thousands of that agency's clients at risk.
It’s not even all about data breaches. UK car repair chain Kwik-Fit suffered what appeared to be a ransomware attack recently which kept services down and customers irate for the best part of a week.
It’s no surprise that Accenture is predicting global cybercrime could cost firms $5 trillion over the next five years, or that the vast majority of World Economic Forum (WEF) experts believe data theft (82%) and operational disruption (80%) cyber-attacks will increase in 2019. The question is what can CISOs do to keep their organisation safe?
Unfortunately, there are no simple answers. Cybersecurity silver bullets simply don't exist, despite what the marketing missives of many vendors will have you believe. Instead, IT security leaders must follow best practices: auditing data flows; layering security controls across network, endpoint, server and email/web gateways; tightening access controls with MFA; rolling out comprehensive awareness-raising programmes; and much more. Increasingly they need to go further, protecting IoT endpoints and investigating AI-powered options for spotting phishing and accelerating incident response.
Most importantly, security needs to be built-in to any new project from the very start. With a more proactive, strategic approach closely aligned to the business, organisations stand the best chance of success. Effecting the cultural change necessary to get there, however, is the hard bit.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.