topic Re: How do we combat this, if the illicit bad community are making more money than legal companies? in Industry News

How do we combat this, if the illicit bad community are making more money than legal companies?

Caute_cautim — Mon, 23 Apr 2018 20:28:40 GMT

According to a new report coming out of the RSA Conference 2018:

https://www.darkreading.com/vulnerabilities---threats/cybercrime-economy-generates-$15-trillion-a-year/d/d-id/1331613?elq_mid=84437&elq_cid=23392365&_mc=NL_DR_EDT_DR_daily_20180423&cid=NL_DR_EDT_DR_daily_20180423&elqTrackId=5bbb195f772d4e2487fa4dc6d732582d&elq=23ba019a8acc4ba089ba1b3206ae0005&elqaid=84437&elqat=1&elqCampaignId=30497

"The $1.5 trillion that cybercriminals generate each year includes $860 billion in illicit online markets, $500B in theft of trade secrets and intellectual property, $160B in data trading, $1.6B in crimeware-as-a-service, and $1B in ransomware. Evidence indicates cybercrime often generates more revenue than legitimate companies: large multi-national operations can earn more than $1B; smaller ones typically make between $30k-$50K."

How do we combat this?

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

ekloh — Mon, 23 Apr 2018 20:51:37 GMT

I will suggest the best way to combat this is begging with education the potential victims. I believe if proper awareness/education is given it will reduce the amount of attacks thus reducing the revenue generate through these illicit acts.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Shannon — Tue, 24 Apr 2018 07:01:01 GMT

Although awareness is a primary & critical factor, it can't make a difference on its own. Let's look at a potential scenario for this...

Scenario: A company 'XYZ' has developed an extremely potent psychedelic drug and strives to make money out of it. It can't market this legitimately --- at least not immediately --- so a great way to do it is through social media. (Nothing complicated here, just create fake personal profiles, befriend users & lure them into trying it.) Assuming the drug is addictive, in no time there'll be a whole lot of customers & much profit for the company. Even if any action is taken and the site compelled to disable accounts / stop activity, it won't help if all this happens after the damage is done & illegitimate profits are made.

For a qualitative risk analysis, we can look at this as: -

Risk: People getting addicted to a psychedelic drug --- negatively impacting both them & their economy.
Threat: Marketing of the drug.
Threat Agent: Posts / blogs / promotions on social media sites.

Putting it all into a risk matrix yields the following: -

Risk Probability: Almost certain
Risk Impact: Catastrophic
Risk Level: Extreme

To address the risk, any of following approaches may be used: -

Risk Acceptance: This requires no effort --- but a lot of hope. Just ignore the threat, and assume that people won't be impacted.
Risk Avoidance: This would require stopping the use of social media, so it isn't likely to be effected.
Risk Transfer: This would only be feasible if insurance policies cover drug abuse --- which I'll assume isn't the case.
Risk Mitigation: This requires taking measures to reduce the risk. It would seem like the best thing to do.

To mitigate this risk, 2 of the main options are: -

Awareness: Communicate the risk to potential victims and regulatory authorities via proper means --- taking into cosiderarion the target audience, environment, and other factors. (Receptiveness will play a major role here.)
Regulation: Ensure strong enforcement of regulations --- holding social media sites liable for securing user data as well as controlling the posting of material by users, based on content.

Neither of these would work well by itself --- effective risk mitigation would depend on them being combined,

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

CISOScott — Tue, 24 Apr 2018 14:07:19 GMT

What usually happens is that government gets involved and tries to regulate it and make new laws (see GDPR, FISMA, etc.). Or companies get smarter about trying to protect it.

In an alternate universe some people may go to those companies to gain experience and then when the salaries become commensurate with the experience required to combat it, they will switch sides and go to protect the companies they once hacked.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

CISOScott — Tue, 24 Apr 2018 14:14:15 GMT

As a security community we can combat this by increasing our skills and outreach opportunities. We can look for budding cyber talent and nurture and mentor them into the nextgen cyber warriors. In previous civilizations the older generations made sure to pass on their knowledge to the younger generations, however we seem to be losing that ability. I keep preaching to my daughters that the world they live in is so amazing. They have more power in the palm of their hands than I did at their age. When I was young you had to go to where the information was at, i.e. a library, a school, a mentor/sensei, etc. Now the power of the Internet brings it to the palm of your hands, although that can be modified/restricted/controlled by the powers that be (Google, etc). Still the amount of information out there is amazing and they need to take advantage of it before it gets controlled and restricted by censorship.

It is amazing that the book "1984" by George Orwell seems to be coming true....

So we combat this by looking to train up the next generation of cyber warriors.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

mgoblue93 — Tue, 24 Apr 2018 14:23:35 GMT

More keyboard and less whiteboard.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

canLG0501 — Wed, 25 Apr 2018 00:44:43 GMT

First, we need to work toward introducing ways to effectively democratize threat intelligence data and share more. Instead you see more hiding of threat data to avoid litigation, competitive advantage, and reputation damage. Second, fostering even more security education is key. The best explanation that I have heard thus far is presented in a TED TALK from Caleb Barlow. See link below. Just my thoughts.

https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

mgoblue93 — Thu, 26 Apr 2018 16:15:39 GMT

> effectively democratize threat intelligence data and share more.

Just curious...

What specifically does this mean... meaning examples of what "democratization" would do?

I hear this over and over again at conferences too but it's always a problem statement rarely a solution statement.

There's a lot of sources of threat data/intelligence out there which is publicly available, no?

Gov't

====

CVEs

CWEs

US-CERT/NCCIC

NIST

DISA

Commercial

=========

Symantec

Verisign

Cisco

FireEye

Others

=====

exploit-db

Hak5

Rapid7

...and literally hundreds of blogs and twitter feeds on the topic. I'm sure the forum could go on about sources other folks here use.

What's missing?

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

vt100 — Fri, 27 Apr 2018 15:51:57 GMT

Leaked 0 day NSA exploits that were used in multiple waves of the ransomware were missing.

Exploits should be treated on par with biological or chemical weapons. Stockpiling them without disclosure to security community should be outlawed internationally.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Baechle — Mon, 30 Apr 2018 15:43:04 GMT

(@Caute_cautim) John,

The first thing that I would like to do is deconstruct the statistics that Ms. Sheridan used in her article so that we can understand what the problem actually is.

Ms. Sheridan compares the value of the entire universe of cybercrime to individual businesses. I would venture to say this borders on the Logical Reasoning error known as, “Lying with Statistics.” If you want to look at scale, compare the entire universe of online criminal business to the entire universe of legitimate business; or compare large criminal enterprises to large legitimate businesses, and small criminal enterprises to small legitimate businesses.

The second thing that I would like to recommend is that instead of concentrating on all the failures, let’s balance the successes, and ensure that we’re not shouldering too much of the burden. The best analogy that I have is the responsible use and maintenance of an automobile.

We expect, first of all that if we drive to a bad neighborhood get out with the engine running and the keys in the car that your house will probably be cleaned out and your car lit on fire under the freeway by the time you hitchhike or Lift/Uber your way back home. You can tell people to act responsibly with their computers, but you will always have the equivalent to the person that gets carjacked, mugged, and burglarized after getting lightly rear ended in the middle of the night on a street with no lights in the inner city. The analogy to this is the "Your Computer is Infected" pop up with the number to a barely-English speaking operator that offers to remotely fix your system while browsing a dubious web site.

We also expect the licensed operator of heavy machinery to be familiar with it enough to recognize safety concerns such as odd noises and smells, and to stop driving it and get the car looked at. We expect basic maintenance tasks like changing the oil and windshield wipers, inspecting and changing the tires and brakes, and updating the operating system and antimalware definition files to be performed. How often do you think mechanics see cars come in where the brakes are completely worn away, or a multi-thousand dollar engine rebuild problem could have been prevented a couple of months earlier by replacing a $25 sensor when the Engine Light came on?

In conclusion, I would like to claim that the problem isn’t as bad as the article makes it seem. In my opinion, instead of shouldering a failure to protect people through “IT” means, we should be educating users on the responsibility they are undertaking by purchasing and using this equipment using analogy and language they can understand. Finally, we have to accept that even though there are resources available, some people are going to ignore the “check engine light” and "drive" into a bad digital neighborhood with their computers… at least it makes for good “You Tube” videos and shock-news articles. So, we should be planning on identifying, isolating, mitigating, and recovering from these scenarios rather than reacting to them by surprise every time.

Sincerely,

Eric B.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Baechle — Mon, 30 Apr 2018 15:59:11 GMT

(@vt100) Vladimir,

I respectfully disagree!

There was a time in recent history that certain types computer network “packets” were actually listed as munitions under United States laws (the International Traffic in Arms Regulations or ITAR). Other than the hilarity of the guy that tattooed the code for RSA on himself (https://www.wired.com/1996/04/strong-arm/) leading to this concept being declared Unconstitutional, this creates all kinds of legal problems.

For example, when you use TOR or another anonymizer and your traffic flows through another country. In this context literally and legally (by definition, not legally as in authorization) fired a weapon through that country’s critical infrastructure. Think about the political, military, and legal issues that brings up.

Sincerely,

Eric B.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

vt100 — Mon, 30 Apr 2018 16:39:54 GMT

@Baechle Sorry, there is no way in this forum to see the replies in the context of the previous posts, which makes it difficult to determine what post you are disagreeing with. If it is the one where I compare exploits to the chemical and biological weapons, then the parallel you are drawing with certain crypto tech being listed as "munition" is, in my opinion, not apt. Nor is the use of anonymizers.

Yes, use of anonymizers may violate some country laws and, tangentially used for other illicit activities, but it is not destructive in nature.

Stockpiled and undisclosed 0 day exploits, on the other hand, outside of the generally accepted grace periods given by finders to the vendors, have no other use but as a weapon.

Weather someone extorts money from you by holding a gun to your head or encrypting data necessary to provide life-saving treatment, the outcome of not complying with with perpetrator's demands may well be the same. Similarly, if it is used to cripple vital infrastructure services (as was the case in Saudi Arabia, Ukraine and Atlanta).

The added scare factor is that every time those tools are used, the opposing side is automatically getting their hands on it. It may take some time to reverse engineer, modify the payload and repurpose, but so long as the original is kept secret, the blowback may be worth than the original intended use case.

Given the numbers of people affected by this, how could we not treat these threats as WMDs?

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Baechle — Mon, 30 Apr 2018 17:06:50 GMT

(@vt100) Vladimir,

I apologize. I did set my reading settings to be “Thread based” so I can see the replies in the context of the message it replies to. I’ll try to use quotes more judiciously. You are correct, I’m replying to your suggestion to place exploits on a munitions list.

Stockpiled and undisclosed 0 day exploits, on the other hand, outside of the generally accepted grace periods given by finders to the vendors, have no other use but as a weapon.

Weather someone extorts money from you by holding a gun to your head or encrypting data necessary to provide life-saving treatment, the outcome of not complying with with perpetrator's demands may well be the same. Similarly, if it is used to cripple vital infrastructure services (as was the case in Saudi Arabia, Ukraine and Atlanta).

The added scare factor is that every time those tools are used, the opposing side is automatically getting their hands on it. It may take some time to reverse engineer, modify the payload and repurpose, but so long as the original is kept secret, the blowback may be worth than the original intended use case.

Given the numbers of people affected by this, how could we not treat these threats as WMDs?

I believe I understand the distinction that you are trying to make here in the word use of exploit vs a vulnerability. Specifically, you are looking to make it illegal to possess the generic definition of a (here’s my best whack at this) “payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein.” Correct?

If that law were enacted, I would be guilty simply by having a keyboard. Because I possess an “&” I therefore have the code to perform URI parameter tampering.

Do you see the problem?

Therefore we have to criminalize the act of use of an exploit rather than it's possession.. Even further, we have to restrict that criminalization to intentional use to avoid someone just being sloppy or having fat fingers when they’re typing. Or the code being illegitimate in one place, but legitimate in another.

Sincerely,

Eric B.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

vt100 — Mon, 30 Apr 2018 18:01:41 GMT

Wording of definitions is of paramount importance, as it defines grounds for legal interpretations.

I would prepend the " “payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein.” with Stockpiled and undisclosed 0 day resulting in:

"Stockpiled and undisclosed, previously unknown payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein. When the attribution of the use for the above mentioned purposes is conclusive.”

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Caute_cautim — Mon, 30 Apr 2018 19:16:23 GMT

I think the recent RSA Conference 2018, indicates the same direction - hardening and getting down to some really hard work with honesty to resolve the current situation.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Baechle — Mon, 30 Apr 2018 19:41:23 GMT

@vt100

I appreciate you trying to work through this. You should have the law named after you if you figure it out! 😄

You hit the nail on the head ... we’re not writing the law for IT pro’s… we’re writing it for lawyers.

@vt100wrote:

"Stockpiled and undisclosed, previously unknown payload consisting of instructions, signals, or program code; that takes advantage of a vulnerability in the software or hardware running on a computer or telecommunication system; that would either (1) render it inaccessible to a legitimate user; or (2) allow an unauthorized person to obtain or alter information stored therein. When the attribution of the use for the above mentioned purposes is conclusive.”

How do you define what stockpiled is? Who must it be disclosed to? Leaving the term previously unknown hanging means that if the “hacker” has it, then they obviously know about it and therefore the law is self negating.

Sincerely,

Eric B.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

vt100 — Mon, 30 Apr 2018 19:52:00 GMT

Thanks 🙂 But I am afraid that being security specialist with self-evident Russian descent is not in vogue at the moment, so the likelihood of that is slim.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Shannon — Tue, 01 May 2018 06:50:21 GMT

Perceiving a threat is one thing, but how you can act on it largely depends on what you're empowered to do.

Vladimir's question was How do we combat this, if the illicit bad community are making more money than legal companies?

Before answering that, pose the counter-question Who / what does 'we' refer to here?

Let's divide those under the scope of 'we' into two categories: Potential Victims and Potential Combatants, and then sub-divide these into Individuals, Organizations and Governments, to see just what they can do: -

Individuals: Ensure you are well aware of things, & have properly protected yourself & assets you own / are responsible for. Try to imbibe security awareness into others & promote good measures. If you detect threats, report them to your organization / government, and attempt to counter them if you're authorized to.
Organizations: Set & enforce policies to ensure your assets are properly protected, & your people kept aware & trained to respond / react to IT threats properly. Report threats and comply with regulations of the government.
Governments: Set & enforce regulations to ensure that all entities (individuals & organizations) keep themselves aware of IT threats, properly protect themselves, and report these. Respond to reports, & control threats and threat vectors as required.

(There's also a third main category: Spectators --- those smart enough not to be victimized, but not keen on combating or reporting threats, particularly if there's little support from a higher level)

For combined efforts to be effective, everyone has to play their part properly.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Shannon — Tue, 01 May 2018 07:29:26 GMT

Correction to my earlier post : John's question.

Re: How do we combat this, if the illicit bad community are making more money than legal companies?

Caute_cautim — Tue, 01 May 2018 19:42:57 GMT

Yes, the whole community needs to be involved. It also needs to be a collaboration, or team work i.e. organisations working together to combat these issues.