Another day, another major breach. Just last week, I wrote that box checking was no way to protect critical assets. Now America’s largest bank, JP Morgan Chase, and at least four other American banks (not yet named) have suffered breaches. There can be little doubt that attacks of this nature on our financial infrastructure are increasing. Businesses need to start approaching security as if they are going to be breached rather than hoping they won’t.
To help you prepare, I would like to break down who is committing these crimes and how. Hopefully this understanding will help you better protect your critical assets.
Cybercrime Inc organizational structure
Cybercrime organizations are set up much the way legitimate businesses are. There are multiple departments or functional teams that perform specific tasks, staffed by individuals with specific skills. Each team may be manned by the same crew of hackers or by crews that specialize in a specific area. They are broken down like this:
In this initial stage of the crime, the recon team will scour the internet looking for IP addresses that contain indicators needed for remote access. This access is essential for the breach to take place. Indicators can include open remote access (such as RDP/Termserv, LogMeIn, VNC and pcAnywhere), protocol vulnerabilities (including FTP, SSH, SMB and SMTP), and web vulnerabilities. Once IP addresses with these vulnerabilities are identified, they are passed along to the next functional team.
With a list of vulnerable IP addresses in hand, this team carries out the breach. This can be as simple as entering a username and a weak, default or nonexistent password, or as complex as a multi-staged attack that chains together and exploits several vulnerabilities. It also includes web-based attacks such as Structured Query Language (SQL) injection or a remote or local file inclusion (RFI/LFI) vulnerability.
Once inside, this team is also responsible for identifying the systems that store, process or transmit the targeted data. The overall goal of this stage of the breach is to gain access to the target environment and its critical assets. Once they have gained access, this team tags out and passes on the IPs and credentials, or compromised web page URL, to the next team.
This team is now responsible for deploying malware into the target environments. They move back into the targeted systems and drop the malware the cybercrime organization will use for harvesting. In some cases, if the environment is handling its critical data in an insecure manner, the harvesting team can use native resources and no malware is necessary. Where malware is required, it is usually highly customized, for the sole purpose of aggregating the desired data elements. It is extremely unlikely that systems administrators or anti-virus applications will detect this custom malware.
Once the malware executes successfully, it will usually create an output file, commonly known as a “dump” file. This file is either picked up by the harvesting team or automatically exfiltrated to an external system. Some more advanced malware packages can immediately exfiltrate the data they intercept and don’t need to generate an output file. The cybercrime organization collects this stolen data into a pool that contains harvested data from other targets. This helps prevent detection and attribution when the final fraud stage is executed.
The cybercrime organization now places the stolen data for sale on the black market, often referred to as the “shadow economy.” Stolen data is a high-value commodity; sales and purchases can reach into the billions of dollars. Some security analysts estimate there are tens or even hundreds of thousands of active members who buy, sell, and trade this data on the black market every day. Financial gain is the primary driver behind these crimes; they are extraordinarily lucrative and have a very low rate of attribution or arrest.
The final stage of the crime workflow is executing the fraud. This can be payment card fraud, healthcare fraud, pirated-goods production or even blackmail. This “team” is usually non-technical; the work is increasingly being carried out by street gangs looking to expand their criminal activities beyond drugs, extortion, prostitution and fencing. Cybercrime is less dangerous and does not carry mandatory sentences the way drug-related crimes, for example, do.
In fact, there are currently 47 different breach laws in the United States alone, with no overarching federal law. None of these breach laws carries a mandatory sentence. Even when perpetrators are arrested and convicted, their sentences are considerably shorter than those for other, more “typical” crimes.
Up next: The four stages of a breach
Now that you understand some of the practical aspects and motivations behind cybercrime, you’re ready to learn about the mechanics of a breach, in my next post. If you understand that every breach must go through four phases, it can help you target your prevention activities and, failing that, catch the bad guys faster to minimize the damage they cause.