Today, a great deal of effort has been devoted to improving the security posture of large enterprises and small businesses alike, without a serious focus on raising the cost to the attackers. The recent Cyberspace Solarium Commission report focuses on this issue, promulgating new defenses against nation-state attacks against the federal government. However, there has been little to no serious treatment of this concept in the commercial realm of the cyber security problem.
Cyber criminals use the global financial infrastructure to move their assets. They live alongside legitimate businesses. As it stands, they have a negligible cost of doing business. For cybercrime to become less destructive, this cannot continue.
We believe that industry needs to focus on a collaborative and scalable approach to making attacks costly to the adversary, whether it’s from organized cybercrime groups or nation-state sanctioned groups. It’s become a very difficult problem. Success requires participation from civilian government, financial institutions, law enforcement, policy organizations and technical organizations working collaboratively with academic institutions, to develop new active defenses and strategies to have a serious impact on reversing the trends we all see.
For example, ransomware attacks haven't abated, and next-generation attacks will undoubtedly continue to grow losses at alarming rates. The “delta variant” of current ransomware attacks has become a major concern when the ransom amount demanded by the attackers compounds with threats of releasing additional information. The government and law enforcement "advice" to victims not to pay the ransom is simply not tenable for many organizations.
The historical cat-and-mouse game shows no number of new defenses will solve this problem. We need a new approach that focuses on making such attacks costly to the adversary. Imagine a new strategy where if a victim pays the ransom the adversary gets caught. Think of this notion as a modern-day version of “marked bills” used in years past by law enforcement in ransom payments to kidnappers. Our modern financial systems might realize this strategy by taking a different approach to how organizations, private and government, deal with the problem.
The time has come to attack the attacker’s bottom line by devising methods to deny the financial benefit to cyber criminals and "encouraging" them to make mistakes and possibly identify themselves. A number of approaches might contribute to this goal of changing the economics of cybercrime, and we believe ideas from experts in government, industry and academia can make this happen.
Examples which may suggest interesting avenues to pursue to put a dent in cybercrime:
- Make it more difficult to use cryptocurrencies. Until cryptocurrencies are accepted by all major retailers, crypto exchanges are necessary to convert to real currencies. The bad guys can’t buy their Mercedes Benz cars yet using cryptocurrency, although Tesla has become a reasonable alternative. Analyses of transactions converting cryptocurrencies to real concurrencies might reveal criminal financial flows, and perhaps the owners of the accounts involved with these transfers. Once the system transfers value from crypto currencies, money flows in real currencies are traceable. Now’s the time to act, while many government tax agencies are focused on taxing crypto assets with many calling for the regulation of the cryptocurrency exchanges. The current bills being debated in the US congress include provisions for crypto exchanges to report under tax law.
- Get banks to set up decoy accounts. To cover their tracks, digital criminals will often use stepping stone accounts from unsuspecting “mules.” They can identify mule accounts by seeding the criminal ecosystem with decoy accounts designed specifically to identify illicit activities, such as providing these accounts through phishing campaigns. When a phishing site has been identified, stuffing these sites with decoy information, including decoy financial account numbers, would “seed” a breadcrumb trail to follow the bad guys’ cash flow. The industry could achieve this if banks and bank regulators permitted this operational defense.
- Tighten up money transfers. Collaborative analyses among financial institutions that handle large money transfers that utilize "dormant" accounts might reveal pre-positioned accounts created to receive and disburse illegal financial gains. Money transfers now include relatively little information about the accounts involved in transfers. Numbers and identification information could easily be augmented with account properties such as the age of the accounts and their typical volume and velocity of funds transferred that banks could easily use in fraud detection logic.
There are undoubtedly numerous other possible approaches, but this would require government involvement and relaxed regulatory constraints permitting active defense against financial cybercrime. We should explore as many of these approaches as possible.
We believe in working collaboratively, involving some of the best minds in cyber security, from academia and industry, working closely with financial and banking experts, and key global government agencies. A joint focus on actively raising the costs to cybercrime would put a huge dent into the cybercrime ecosystem, making it costly for any adversary to conduct their business.
Salvatore Stolfo, founder and CTO, Allure Security