By Alan Zeichick
Tech Editor, NetEvents
We are very fortunate, in many countries, to have law enforcement agencies that focus, as part of their mission, on dealing with hacking either as crimes to be prosecuted or as intelligence operations to be managed. We have law enforcement agencies and experts who are, themselves, CISOs, Chief Information Security Officers. We have people out there who spend their time educating, and teaching businesses how to be safe on social media, perhaps, or what to do when a breach happens, and when to call the specialized cops to come and help.
Let’s talk about the hackers, not through the eyes of industry, and not through the eyes of diplomats, but through the eyes of current and former U.S. law enforcement experts, whose job it is to run these people down and throw them in jail.
The Federal Bureau of Investigation
MK Palmore, an Information Security Risk Management Executive with the FBI’s Cyber Branch in San Francisco, runs the cyber-security teams assigned to the San Francisco division of the FBI. “My teams here in San Francisco typically play some part in the investigations, where our role is to identify, define attribution, and get those folks into the U.S. Justice system.”
Palmore noted that the “FBI is 35,000-plus personnel, U.S.-based, and part of the Federal law enforcement community. There are 56 different field offices throughout the United States of America, but we also have an international presence in more than 62 cities throughout the world. A large majority of those cities contain personnel that are assigned there specifically for responsibilities in the cyber-security realm, and oftentimes are there to establish relationships with our counterparts in those countries, but also to establish relationships with some of the international companies, and folks that are raising their profile as it relates to international cyber-security issues.”
The U.S. Secret Service
It’s not really a secret: In 1865, the Secret Service was created by Congress primarily to suppress counterfeit currency. “Counterfeit currency represented greater than 50% of all the currency in the United States at that time, and that was why the Agency was created,” explained Dr. Ronald Layton, Deputy Assistant Director, U.S. Secret Service.
“The Secret Service has gone from suppressing counterfeit currency, or economic, or what we used to refer to as paper crimes, to plastic, meaning credit cards. So, we’ve had a progression, from paper, to plastic, to digital crimes, which is where we are today,” he continued.
Protecting Data, Personal and Business
“I found a giant hole in the way that private sector businesses are handling their security,” said Michael Levin. “They forgot one very important thing. They forgot to train their people what to do. I work with organizations to try to educate people — we’re not doing a very good job of protecting ourselves.”
A leading expert in cyber-security, Levin is Former Deputy Director, U.S. Department of Homeland Security’s National Cyber-Security Division. He retired from the government a few years ago, and is now CEO & Founder of the Center for Information Security Awareness.
“When I retired from the government, I discovered something,” he continued. “We’re not protecting our own personal data – so, everybody has a role to play in protecting their personal data, and their family’s data. We’re not protecting our business data. Then, we’re not protecting our country’s data, and there’s nation states, and organized crime groups, and activists, that are coming after us on a daily basis.”
The Modern Hacker: Who They Are, What They Want
There are essentially four groups of cyber-threat actors that we need to be concerned with, explained the FBI’s Palmore. “I break them down as financially-motivated criminal intrusion threat actors, nation states, hacktivists, and then those security incidents caused by what we call the insider threat. The most prevalent of the four groups, and the most impactful, typically, are those motivated by financial concerns.”
Why? “We’re talking about a global landscape, and the barrier to entry for most financially-motivated cyber-threat actors is extremely low,” Palmore continued. “In terms of looking at who these folks are, and in terms of who’s on the other end of the keyboard, we’re typically talking about mostly male threat actors, sometimes between the ages of, say, 14 and 32 years old. We’ve seen them as young as 14.”
Criminals? Nation states? Hacktivists? Insiders? While that matters to law enforcement, it shouldn’t matter to individuals and enterprises, said CIFSA’s Levin. “For most people, they don’t care if it’s a nation state. They just want to stop the bleeding. They don’t care if it’s a hacktivist, they just want to get their site back up. They don’t care who it is. They just start trying to fix the problem, because it means their business is being attacked, or they’re having some sort of a failure, or they’re losing data. They’re worried about it. So, from a private sector company’s business, they may not care.”
Levin pointed out that, “Law enforcement cares, because they want to try to catch the bad guy. But for the private sector, the goal is to harden the target. Many of these attacks are, you know, no different from a car break-in. A guy breaking into cars is going to try the handle first before he breaks the window, and that’s what we see with a lot of these hackers. Doesn’t matter if they’re nation states, it doesn’t matter if they’re script kiddies. It doesn’t matter to what level of the sophistication. They’re going to look for the open doors first.”
The Secret Service cares almost exclusively about folks trying to steal money. “Several decades ago, there was a famous United States bank robber named Willie Sutton,” said Layton. “Willie Sutton was asked, why do you rob banks? ‘Because that’s where the money is.’ Those are the people that we deal with.”
Layton explained that the Secret Service has about a 25-year history of electronic crimes; the first electronic crimes taskforce was established in New York City 25 years ago. “What has changed in the last five or 10 years? The groups worked in isolation. What’s different? It’s one thing: They all know each other. They all are collaborative. They all use Russian as a communications modality to talk to one another in an encrypted fashion. That’s what’s different, and that represents a challenge for all of us.”
Priority #1: Training
If you lock your car doors, a criminal might break into someone’s vehicle instead of yours. How can individuals and businesses do a better job locking their doors? It’s human factors, said Levin. “Well, if we look at the Equifax hack, which is so relevant in the news right now, it was a simple error that was made by not providing the right general basic security practices on a server. This was a problem 20 years ago, and it’s still a problem today.”
“How do we get organizations to do the right patching and the right updates, and they’re not being lazy when it comes to general security practices?” he continued. “Every citizen, every country, every organization, needs to start figuring out a way to educate the population on how to protect themselves. It’s not just technology. When we have employees who are automatically clicking on every single email they get, and clicking on every link, and opening every attachment, we can have the best technology in the world, but eventually, something’s going to get through.”
Layton agreed that more training is needed. “We pay a lot of attention to what the bad guys will use to further their own illicit gain. They’re very good at understanding human factors, and what folks will click on. We are starting to see an emerging field of people who come from the addiction community, who are starting to look at the relationships that we have with our phones and devices, as some kind of unusual behavior and attachment that mimics certain kinds of addictions.”
“What ends up happening is, you are clicking on everything. That’s why the technique of spearphishing is, in fact, so popular, and so efficacious, because you’re curious. You want to see what is, in fact, behind that next click,” Layton explained. “Of course, when you look at the analysis, and the pathology, of how malware gets on a system, you’re going to find that a major percentage comes from clicking on an email attachment. One of the counters to this is cyber hygiene training. If I’m a company, and I’ve got $10 to spend, 10 of those dollars are going to go to education.”
Follow the Fundamentals
Every business does the fundamentals of good cybersecurity, right? Wrong. “The information security fundamentals are not as fundamental as we think,” said Palmore.
“In the post-mortems of investigations that my teams conduct,” he continued, “we always find that there’s some gap in the coverage of the security of that particular network that boils down to a fundamental issue of security protection, and we’re talking about simply things like patch management. Audit and log management. Security and vulnerability assessments, and then adhering, or actually taking steps to correct those actions.”
These are obvious problems, Palmore explained. “Getting buy-in from leadership and management that cybersecurity is an important issue, an enterprise risk-management issue, and that you need to appoint folks, and then empower them to actually get the job done as it relates to increasing your security posture. That’s essential. But time and time again, we find that folks are not doing that.”
Palmore focused on one particular fundamental: Two-factor authentication. “Two-factor authentication is an obstacle to threat actors,” he said. “It is not insurmountable. So, if you are facing a highly, highly capable threat actor, it’s not going to stop them from accomplishing their mission, but for what I call the line cyber threat actor, two-factor authentication represents an obstacle that, to them, is a waste of their time. They will move to a target that is easier for them to breach, or find an easier way to get into an identified target.”
“Issues like that, among the topics like cyber hygiene, information security fundamentals,” Palmore sighed. “If businesses and folks would be diligent about following those fundamentals, I tell you we would be in a better position than what we find ourselves in now.”
New Methods, New Actors, for the Next Decade
While the fundamentals of good cybersecurity stay the same, the attackers and their methods can change. The Secret Service’s Layton explained that the technological sophistication and capability of the threat actors have increased. “The toolsets that you see today that are widely available would have been highly classified 20 years ago. Sophistication has gone up exponentially.”
“Look at ransomware. In 2014, ransomware was the 22nd most popular crimeware application. In 2017, it’s number five. In 2014, when we saw this, the bad guys would say, I’m going to encrypt your file unless you pay me whatever, X amount of dollars in Bitcoin, or something like that. What ended up happening is, end-users got smarter, and just said, well, I’m going to back my systems up. Now ransomware starts to concentrate on either partial or full hard-disk encryption, so backup doesn’t help as much. Sophistication by the threat actors has gone up, and the ability to more quickly adjust, on both sides, quite frankly, has gone up.”
There is also more ability to act anonymously – and thanks to Bitcoin, to extract money anonymously, explained the FBI’s Palmore. “This issue of anonymity, and the ability for threat actors, again, to go into the Dark Web and exchange exploits, exchange information, and exchange currency with one another, allows for a level of activity, frankly, that we have not seen historically.”
“Twenty years ago, when I came in the FBI, we were on the heels of finishing up the dismantlement of what we then called organized crime,” he continued. “Now, what we look at in terms of organized crime, or a criminal enterprise, is an organization with the ability of folks to connect, exchange information, make plans, conduct exploits, buy and purchase things from one another using digital currency. This completely changes the landscape, and it definitely makes it harder for us to align the dots and close the gap on investigations that we conduct.”
Encryption is going to be increasingly important for businesses in the future, said CIFSA’s Levin. “In the private sector, the concept of encryption, and being able to encrypt your customers’ data, is an important piece of the puzzle. One of the things that we see all the time is that people are sending emails in clear text with very sensitive information. People don’t understand that sending emails is like sending a postcard.”
“You would never send a credit card number in a postcard,” he joked. “But emails are exactly the same thing. They’re going through the internet through servers that are not protected, in many cases, and the average citizen doesn’t realize that. Fortunately, we are starting to see more organizations that are encrypting their email as regular practice.”
Use the Hacker’s Tools Against Them
Want to keep your corporate data private?
“As the crooks get more sophisticated, the private sector needs to get more sophisticated,” Levin concluded, “and they can use the same tools that the bad guys are using to protect their customers’ data, or their employees’ data.”
Lock your doors. Practice the fundamentals. Encrypt your data. Train your users. Sounds like a good start, according to three top experts. So, what are you waiting for?