November's SC Magazine has published several key articles discussing the threat of cyberespionage. My November Cybercrime Corner blog articles look deeply into intelligence-gathering methods, known as competitive intelligence and industrial espionage and, most importantly, corporate policies which effectively and cheaply counter these persistent and advanced threats.
We're in this together: Counter intelligence
- In recent articles we've heard from several sources regarding the grave impact of cyberespionage to business.
- The same crimeware tools which are used to loot bank accounts can be repurposed daily with the goal of exfiltrating intellectual property and bypassing privacy measures set up by corporations.
- Moreover, even a competitor's loss of data can impact revenue in your business simply because of the $2M in espionage vs $60M in development value argument – their loss is shared across your market sector because an outside player can now compete without the associated startup costs.
In understanding the value of cyber threat intelligence and the value of deploying counter intelligence tactics, techniques and procedures, one must first understand that the opposing force (OPFOR) is global, organized and not afraid to go kinetic.
Criminal social networks: Connected, dangerous
As the movie quote from Heat, made famous by Al Pacino, goes:
"At the drop of a hat these guys are ready to rock and roll."
Simply put, expecting cybercriminals to stay digital and not hire out for witness tampering or other data-related disruptive events is not realistic.
Harden the target. Ensuring your staff's awareness of physical security concerns means providing adequate training for receptionists on up through executives. This training is often dual purpose and will also cover the prevention of social engineering attempts.
The resulting strong physical security layer is the most effective policy against cybercriminals with the option to go kinetic, often with just an email to an affiliate bartering service for service within the gray market. Do this right and everyone will sleep well at night if one of your cybercrime first-responder-trained IT staff ever gets called to become a witness.
Criminal social networks: Not Facebook
In the draft of Douglas Farah's working paper intended for the World Bank, a diagram of criminal social networks is drawn. This overlaps partially into the cybercrime ecosystem because many cybercrime crews are partially or fully supported by organized crime and the networks are often multigenerational.
These social networks are surprisingly fungible and durable because they offer services that are vital to any incoming regime and are usually non-ideological in their network building. Driven largely by economic imperatives, the groups have proven adept at adapting to new political realities and exploiting them.
Additionally, protection through sovereignty should be considered. The cash cow analogy for any regime is simple – if revenue attributable to cybercrime is the cash cow feeding the growth of coffee shops, restaurants, and construction, what incentivizes a regime to outlaw it?
These criminal organizations are modular and cell-oriented. Cybercrime can be seen as just one more aspect of criminal enterprise, and the technical challenges of prosecuting it are larger for law enforcement.
An entire operation is swiftly financed, supervised by a trusted member, and in the face of impending threat, it can easily be dismantled overnight – often with a bullet. The World Bank paper states:
"These networks flourish even in times of violence because they offer services that are vital to moving the commodities to market and insuring in return that the regime (or non-state actors) acquire the resources to enrich themselves and maintain their government (or non-state) hold on power in specific regions.
The networks also greatly facilitate the transnational traffic of commodities vital to the survival of the armed group, including timber, diamonds, cocaine and other products. In [one case study] these networks also facilitated the linkages necessary for transnational terrorist and criminal organizations to gain access to a commodity and move that commodity for profit..."
The internet offers larger global communication potential which means that cybercrime is quicker to start up. Cybercrime is believed to be much larger than the $300 million voluntarily reported through IC3.gov and preliminary bank reporting research indicates that when business banking is included the real amount may exceed $50 billion in annual losses for the U.S. alone.
Consider the potential influence of billions of dollars flowing into five to 10 host countries whose regimes are now fully dependent on foreign cybercrime money. One source from Russia reflected recently that physical violence was down because of the ability to simply pay off the judicial system, and attributed this to the high volume of money from cybercrime.
Examine the influence criminal enterprises may provide to governments who shelter them. Described within Douglas Farah's paper:
These networks are often made up by politically disempowered diaspora communities whose external contacts are useful to the regime.
In many ways, the control of these networks is vital to territorial control and the resultant grip on power. Criminal states often lose their grip on power when they lose control of their networks, or the networks challenge the state for power.
There is a weakness – apparently power corrupts, and absolute power corrupts absolutely. The question remains – should business help against criminal social networks? Is countering cybercrime a critical element which should be considered to be a goal of corporate business or is it merely a job for law enforcement?
Countering criminal social networks
For international business to remain competitive in the face of an organized global threat, such as cyberespionage, law enforcement must have the highest level of information provided to the right branch in a timely fashion.
Businesses and CIOs can help in one simple way: Mandating the use of ic3.gov for reporting all detected cyber threats whether monetary, denial of service, strange employee-related laptop thefts, etc. The threads knit together when the pieces are all laid out over time and this centralized reporting helps build the big picture for LEOs across multiple jurisdictions.
Fighting fire with fire: Public-private partnerships
The long-term key to the success of law enforcement and policymakers is through partnerships. The information exchange from the public-private partnerships which share cyber threat intelligence provides another method of threads knitting together.
Human nature dictates that people do not intrinsically trust one another without physical presence, therefore these partnerships must be cohesive, transparent and regional. The human nature aspect of building these relationships is, in my opinion, one reason most DHS cybersecurity workshops are free – not only to educate but also to affiliate.
Regional efforts, such as Securing Our eCity, do well to provide the hosted locations and events which allow the meeting of old friends, as former SDPD Chief Bill Maheu says in this event video:
Four action items for CIOs
- Start your public-private network and feel free to model your eCity after Securing Our eCity, winner of the DHS 2010 Cybersecurity Awareness Campaign. We'll show you how to leverage your existing relationships and build new ones anytime, anywhere and you'll gain the halo effect of community action. The halo effect should never be underestimated; in a recent Webinar (49:00 mark) I detail the halo effect ESET experienced through Securing Our eCity in 2010.
- Designate a member of your IT department to attend the free DHS workshops which train them in cyberterrorism first response, effective incident reporting, and many more. Having a solid evidence preservation routine will help you help the law enforcement efforts initiated on your behalf.
- Train your staff to the highest level possible, through on-demand training or instructor-led training. Securing Our eCity can provide you with curriculum. Don't forget social engineering/physical security training for the entire staff.
- Leverage eCrime and cybercrime affiliations, such as the FBI's Infragard program. Also examine participation in the RTTAC – Regional Terrorist Threat Assessment Centers – as a method to gain visibility within the law enforcement communities.
One high-level overview of countering the criminal social network is the disruption of operations – targeted efforts on the key members. Not unlike the counterinsurgency (COIN) doctrine that has guided military operations for the past decade, the ability to detect, identify, track, localize and neutralize key social network members is the metric by which law enforcement and national security success is measured. These metrics are often classified, and we may see only glimpses of the struggle through periodic news stories of FBI and Secret Service victories or through committee testimony on Capitol Hill.