What CIOs can learn from cybercrime syndicates

According to Hackmageddon research into the motivations behind cyberattacks during April 2018, some 80.8 per cent were driven by cybercrime. The increasing organisation and sophistication of the criminal fraternity presents an opportunity for the forward-thinking chief information officer (CIO) to understand who and what they are up against.

By translating the psychology, motivations and modus operandi of these threat actors into insightful and informed decisions, the CIO can be better prepared to mitigate cyber-risks within the organisation.

Not all cybercrimes are committed by gangs

Not all cybercrime gangs are actually gangs, though; some are individual criminals with state connections, such as Alexey Belan. This Russian hacker, thought to have been protected by two Federal Security Service agents, made it onto the FBI's most wanted list after a series of attacks on the likes of Yahoo! and Evernote.

Belan compromised more than one billion accounts using a terrifyingly simple method: he searched on Google and LinkedIn to identify servers to compromise. “He accessed corporate wikis that revealed administrative workflows and virtual private network details,” says Rafael Amado, strategy and research analyst at Digital Shadows.

The Russian found he could bypass multifactor authentication measures because cookies in staging environments were often reused in production environments. Belan also collected email addresses and passwords at every compromise, which were used to target further victims.

“Using this information, the CIO learns to segregate internet-exposed servers such as those hosting third-party WordPress sites,” says Mr Rafael. He advises against leaving sensitive material in company wikis that anyone can access, and against reusing cryptographic keys and credentials across production and staging environments.
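The staging-to-production cookie problem described above comes down to two mistakes: the same signing key is used in both environments, and the cookie carries nothing that says which environment issued it. The following is an added illustration, not code from the article or from any of the organisations it quotes. It uses HMAC-signed session cookies with constructed, hypothetical per-environment keys (`SEPARATE_KEYS` and the deliberately misconfigured `SHARED_KEYS`), and shows that a cookie minted in staging is rejected by production when keys are separate, and is still rejected when an environment claim is checked even if the keys were wrongly shared.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical keys. Correct practice: each environment has its own
# independently generated secret that is never copied to the other.
SEPARATE_KEYS = {
    "staging": b"staging-only-secret-000000000000000000000000",
    "production": b"production-only-secret-11111111111111111111",
}
# The misconfiguration the article describes: one secret shared everywhere.
SHARED_KEYS = {
    "staging": b"one-secret-for-all-environments-2222222222",
    "production": b"one-secret-for-all-environments-2222222222",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, env: str, keys: dict, now: int = None, ttl: int = 3600) -> str:
    """Mint a session cookie signed with the issuing environment's key.

    The payload records the issuing environment ("env") so that a verifier can
    refuse cookies that were minted somewhere else, independently of the key.
    """
    now = int(time.time()) if now is None else now
    payload = {"sub": user, "env": env, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(keys[env], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_cookie(cookie: str, env: str, keys: dict, now: int = None, require_env: bool = True):
    """Return the payload if the cookie is valid for `env`, otherwise None.

    require_env=False reproduces the weak verifier that only checks the
    signature; with shared keys that is exactly how a staging cookie is
    accepted by production.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        expected = hmac.new(keys[env], body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if require_env and payload.get("env") != env:
        return None
    return payload


def cross_environment_check(now: int = 1_000_000) -> dict:
    """Summarise how a staging-issued cookie fares against production in each setup."""
    staging_shared = issue_cookie("alice", "staging", SHARED_KEYS, now)
    staging_separate = issue_cookie("alice", "staging", SEPARATE_KEYS, now)
    return {
        # weak: shared key, signature-only check -> accepted (the reported bypass)
        "shared_key_no_env_check": verify_cookie(staging_shared, "production", SHARED_KEYS, now, require_env=False) is not None,
        # shared key but environment claim enforced -> rejected
        "shared_key_env_check": verify_cookie(staging_shared, "production", SHARED_KEYS, now) is not None,
        # separate keys -> signature does not even verify
        "separate_keys": verify_cookie(staging_separate, "production", SEPARATE_KEYS, now) is not None,
    }


if __name__ == "__main__":
    for setup, accepted in cross_environment_check().items():
        print(f"{setup}: staging cookie accepted by production = {accepted}")
```

The two controls are independent: separate keys stop the signature from verifying at all, and the environment claim is a second check that holds even if a key is ever copied by mistake. Both should be in place.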

CIOs should focus on security fundamentals

However, there’s no doubt, according to Marina Kidron, group leader of the Skybox Research Lab, that “cybercrime has increasingly shifted from lone-wolf attackers to organised syndicates that are a mix of mafia and modern business”.

Syndicates such as the Lazarus group have been responsible for many high-profile cyberattacks, including the theft of $81 million (£60 million) from the Central Bank of Bangladesh in 2016. Lazarus members took their time to open bank accounts for transfers, find an insider to assist with network access and stealthily deploy keyloggers to obtain account credentials.

“It’s important to remember that advanced persistent threat actors such as Lazarus often take advantage of missing security fundamentals,” says Jonathan Cran, head of research at Kenna Security. “CIOs can use the information on tactics, techniques and procedures to focus on fundamentals like prioritising specific updates and patches, training employees to identify phishing tactics and properly configuring network security devices.”

Training employees is something Michael Levin knows a lot about. He spent 30 years in law enforcement as chief of the US Secret Service Electronic Crimes Task Force in Washington and then deputy director of the National Cybersecurity Division of the Department of Homeland Security. Now he educates others in how to stay secure in his role as chief executive of the Center for Information Security Awareness. “I use the analogy of the car break-in,” he says, “with the bad guys looking for the unlocked cars.”

Smart and sophisticated threat actors also check for the easiest way into a network, such as out-of-the-box default server passwords and simple phishing attacks. The CIO must address this and ensure the team is on board, or it’s game over. “Every employee has the responsibility to focus on security as part of their everyday duties,” Mr Levin insists, adding that this “needs to be baked into how the CIO thinks and how he conveys job responsibilities”.

Cybercrime is all about the money

Baked into the corporatised cybercrime organisation’s mindset is a single acronym: RoI, or return on investment. It’s all about the money, which is why buying previously stolen credentials and ready-made exploit packs on the dark web is central to such operations.

“The motivations and psychology of most cybercriminals are uncomplicated,” says James Plouffe, lead solutions architect at MobileIron. “Cybercrime is how they make a living.” And he should know in his role as technical consultant on the cybercrime-focussed TV show Mr. Robot. He worked with the show’s producers to depict the information security and hacking world by drawing inspiration from real-life cyberattacks.

Take the recently dismantled organisation known as InFraud, which ran a dark-web forum connecting reliable sellers of payment-card and other valuable stolen data with interested buyers. It is estimated that InFraud, as facilitator of this trade, caused some £397 million in losses to businesses and individuals. “CIOs can learn from InFraud in a number of ways,” says Mr Plouffe. “It is essential to know where data is stored, how it is accessed and how it might be exposed.”

The Dark Overlord cybercrime gang likewise buys most of its application and remote-access credentials on dark-web marketplaces. These are then used to gain remote access and move laterally across the network, often successfully, because many organisations lack the ability to identify such compromised accounts.

“CIOs need to ensure that businesses can detect unusual use of valid credentials,” says Stephen Moore, chief security strategist at Exabeam. This is where threat intelligence-sharing resources, such as AlienVault’s Open Threat Exchange and IBM’s X-Force Exchange, come into play.
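Detecting “unusual use of valid credentials”, as the two paragraphs above put it, means comparing each successful login against what is normal for that account rather than looking for failed logins alone. The following is an added example and is not code from the article, Exabeam or any other vendor named here. It assumes a constructed authentication log format (`timestamp user=... src=... result=...`), uses constructed log lines, and flags three patterns a purchased credential tends to produce: a success from a source subnet the account has never used, a success outside the account’s usual hours, and one account authenticating from several subnets within an hour, the footprint of lateral movement with a single credential. The baseline period, the /24 grouping and the `spread_threshold` are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format and sample lines; not from any real system.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

BASELINE_LOG = """\
2018-04-02T08:55:10Z user=alice src=10.0.1.5 result=success
2018-04-03T09:02:44Z user=alice src=10.0.1.6 result=success
2018-04-04T08:47:19Z user=alice src=10.0.1.5 result=success
2018-04-02T10:12:01Z user=bob src=10.0.2.4 result=success
2018-04-03T10:30:27Z user=bob src=10.0.2.4 result=success
2018-04-04T11:05:53Z user=bob src=10.0.2.9 result=success
"""

NEW_LOG = """\
2018-04-09T09:30:00Z user=alice src=10.0.1.7 result=success
2018-04-10T02:15:33Z user=alice src=203.0.113.9 result=success
2018-04-10T02:16:02Z user=alice src=203.0.113.9 result=failure
2018-04-10T10:40:00Z user=bob src=10.0.2.4 result=success
2018-04-10T10:52:10Z user=bob src=10.0.3.8 result=success
2018-04-10T11:03:45Z user=bob src=10.0.4.2 result=success
2018-04-10T11:15:21Z user=bob src=10.0.5.1 result=success
2018-04-10T23:58:09Z user=svc_backup src=10.0.9.9 result=success
"""


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def subnet(ip: str) -> str:
    """Group IPv4 sources by /24 so a DHCP-assigned host does not look 'new'."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events: list) -> dict:
    """Per account: the subnets and hours of day seen during the baseline period."""
    baseline = defaultdict(lambda: {"subnets": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        baseline[e["user"]]["subnets"].add(subnet(e["src"]))
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def detect(baseline: dict, events: list, spread_threshold: int = 3) -> list:
    """Flag successful logins that deviate from the account's baseline."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, subnet)] of recent successes
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "success":
            continue  # a valid credential succeeds; failures are a different signal
        user, sn = e["user"], subnet(e["src"])

        def alert(reason):
            alerts.append({"user": user, "reason": reason, "src": e["src"], "ts": e["ts"].isoformat()})

        profile = baseline.get(user)
        if profile is None:
            alert("no baseline for account")
        else:
            if sn not in profile["subnets"]:
                alert("new source subnet")
            if e["ts"].hour not in profile["hours"]:
                alert("outside usual hours")

        # Lateral-movement shape: one account, many subnets, short window.
        window = {s for t, s in recent[user] if (e["ts"] - t).total_seconds() <= 3600}
        window.add(sn)
        recent[user].append((e["ts"], sn))
        if len(window) >= spread_threshold:
            alert("many subnets in short window")
    return alerts


def run_demo() -> list:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts']} {a['user']:<12} {a['src']:<14} {a['reason']}")
```

Run as-is, it reports alice’s out-of-hours login from an unfamiliar network, bob’s single account touching four subnets in under forty minutes, and a service account with no baseline at all, while alice’s ordinary morning login passes. In practice the baseline is built from weeks of data and enriched with the threat-intelligence feeds the article mentions, so that a source already reported as malicious raises the severity of a “new source subnet” alert.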

“Organisations on the right side of the law should try to emulate these collaborative models,” says Daniel Solis, chief executive at targeted threat intelligence specialists Blueliv. “We can better mitigate cyber-risk by exchanging intelligence and techniques between vendors, computer emergency response teams and private enterprises.”