On November 25-27, the eighth edition of the global threat hunting and intelligence conference CyberCrimeCon was held online for the very first time. The conference, powered by Group-IB, a Singapore-based cybersecurity company that recently opened its European headquarters in Amsterdam, brought together more than 3,000 independent researchers and cybersecurity professionals from all around the world. The event's major theme, the fight against evolving cybercrime, now encompasses a myriad of threats such as military cyber operations by intelligence units, traditional cybercrime, ransomware, and carding. Representatives of Group-IB, INTERPOL, Europol, financial and tech companies and industrial giants got together to present the latest research findings and share threat hunting and attribution tips. This article focuses on the first day of the event and the four keynote presentations given by four speakers on November 25th.
The conference kicked off with a Manifesto by Ilya Sachkov, Group-IB’s CEO and founder. In his opening remarks, Mr. Sachkov shared his vision of the mission for cybersecurity professionals which, according to him, is the elimination of cybercrime at its core through intellectual and engineering methods. He said that cybercrime has been especially dangerous, smart, and powerful in recent years.
The numbers say it all. According to Group-IB’s Hi-Tech Crime Trends report 20/21, also presented at the event, late 2019 and all of 2020 were marked by an unprecedented surge in ransomware attacks. Over the reporting period, more than 500 successful ransomware attacks in more than 45 countries were reported, and the total financial damage from ransomware operations amounted to at least $1 billion.
If ransomware is used primarily for monetary gain, then the so-called advanced persistent threat (APT) actors are a whole different story. Military cyber operations conducted by various intelligence services are becoming increasingly common, according to Group-IB's CTO Dmitry Volkov. The company has identified a continuing trend where physical destruction of infrastructure is replacing espionage. Most state-sponsored threat actors originate from China (23 APT groups), followed by Iran (8), North Korea and Russia (4 each), India (3), and Pakistan and Gaza (2 each). South Korea, Turkey, and Vietnam are reported to have only one APT group each.
The Middle East and Africa were the scene of at least 18 campaigns conducted by pro-government attackers from Iran, Pakistan, Turkey, China, and Gaza. Europe is not a safe harbour anymore. At least 22 campaigns were recorded on the European continent, with attacks carried out by APT groups from China, Pakistan, Russia, and Iran.
COVID-19 upended the world in many different ways and has made companies accelerate their digital transformation. According to CyberCrimeCon's guest of honour Craig Jones, Director of Cybercrime at INTERPOL, the outbreak of the COVID-19 pandemic drove a rise in people going online, because many businesses had to close down and move to a virtual world, and many companies were not initially set up to do that. Mr. Jones explained that the speed and pace of this move left vulnerabilities and that the security aspect was sometimes unintentionally overlooked. He further discussed how, during the COVID-19 pandemic, critical infrastructure such as hospitals and health care institutions was suffering from ransomware attacks. INTERPOL provided these organisations with operational support and technical guidance.
What are the major weapons in the fight against modern cybercrime? Obviously, there is no magic pill, but a combination of technologies and public-private partnership can ultimately reduce the global impact of cybercrime, according to the conference speakers.
There are always real people behind every line of malicious code who exploit political discord between different nations to commit crime freely. INTERPOL, for example, has a cybercrime threat response function that works with partners to monitor and gather information on where the latest threats are coming from. In terms of INTERPOL's cybercrime operations, Mr. Jones said that they work with private entities on cyber capabilities development, providing knowledge and training. Mr. Jones referred to two successful operations, Night Fury and Falcon, supported by Group-IB's cyber investigations teams. The details about operation Falcon were first revealed during CyberCrimeCon2020. A cross-border anti-cybercrime effort targeted a business email compromise (BEC) gang from Nigeria and resulted in the arrest of three individuals in Lagos. Since at least 2017, the prolific gang had compromised at least 500,000 government and private sector companies in more than 150 countries.
It is impossible to fight the enemy without knowing them, without understanding their motives, techniques, and tactics. And that’s where threat hunting, attribution, and cyber investigation technologies come into play.
Group-IB’s CTO, Dmitry Volkov, and the company’s Head of Global Business, Nicholas Palmer, presented Threat Intelligence & Attribution – the result of Group-IB’s years-long development of proprietary high-tech products for threat hunting and intelligence. The system is designed to create and customise a cyber threat map for a specific company, correlate individual cybersecurity events in real time, and attribute attacks to a particular threat actor.
Nicholas and Dmitry talked about how cyber threat intelligence is no longer something just for large companies with mature threat intelligence teams or security operations centres, but for all organisations that want a deeper understanding of the threats and threat actors that are out there, the risks that exist, and the information that has already been compromised. They also explained that there has been a huge shift in the way people consume or search for threat intelligence: information is collected from open and semi-open sources and then integrated into different security solutions. Nicholas and Dmitry stated that this approach does not work, because it collects information that is neither trusted nor relevant to your company.
They also discussed the new approach to collecting and analysing threat intelligence, which is the way of the future. Every cyber incident is connected to a cybercriminal, and these cybercriminals have different behaviours and infrastructures that can be tracked. They stated that at Group-IB, they look at the specific threat actor and the behaviours that could turn into indicators relevant to a specific organisation. Group-IB also curates threat intelligence specific to an organisation, such as compromised credentials, domains or specific vulnerabilities, and then provides it to security teams such as red teams, digital forensics and incident response teams, and security operations centres.
Nicholas and Dmitry discussed what Group-IB's Threat Intelligence & Attribution delivers that others don't: a tailored threat landscape for every customer, advanced threat actor profiling, a unique reporting framework, and modern research and attribution tools. They explained that Group-IB collects information specifically from threat actor infrastructures and that the solution is actor-centric, tracking cybercriminals and newly created infrastructure. Group-IB also tracks information that is specifically relevant to your organisation.
What makes Group-IB's Threat Intelligence & Attribution so unique is that they collect all their own threat intelligence from many different sources: human intelligence (incident response, dark web analysis, cybercrime investigations), malware intelligence (threat and fraud hunting framework, digital risk protection, honeypot networks), data intelligence (botnet and phishing C2 servers, phishing log collection points, compromised data checkers) and open-source intelligence (vulnerabilities and exploits, social networks, Telegram, paste sites).
They also stated that at the root of every cyberattack there is always a real person, and that this person has specific patterns that leave traces on the internet. Group-IB has tracked criminal infrastructure for 17 years, watching for the operators to make a mistake, which they sometimes do. This helps to reveal the real identities of cybercriminals over time.
Another presentation was delivered by Thomas Schmitt, Global Director for Cybersecurity at Anheuser-Busch InBev. He began his keynote by explaining what a framework is. He said that it is a structure that gives body to your threat intelligence program. Threat intelligence practitioners know what their day-to-day work is and what the outcome is, but when they talk to one another, they use a "different language". This can make it difficult to share insights with the rest of the security team. Thomas Schmitt stated that a common framework allows a common language, which allows the entire security team to understand the particular problem at hand. He then briefly discussed the common phrases used in cybersecurity and said that cybercrime and cyber warfare use the same tools and tactics in a lot of ways. Both involve doing bad things to an organisation and to its information. Thomas further said that attackers have to be right only once, while defenders have to be right 100% of the time, but that a framework in place can really help map out where the attackers are right most of the time. For example, he said that if you aggregate all the attacker behaviour in a framework, and in one technique 80% of the attackers are right, then you can map out 80% of the attack.
Thomas Schmitt also noted that attackers have unlimited freedom and flexibility, while for defenders, it’s limited. This is because attackers can pivot very quickly, and defenders cannot, because they cannot outsource as fast. With a framework, Thomas explained, you can build your operations around defining holes in it. Making flexibility the core feature of your operations allows you to address this problem. For an attacker, as Thomas maintains, the outcome is all that matters, such as taking your data and extracting the value from it. On the other hand, for defenders, he states that they care both about what the attackers are doing and about what they are doing themselves.
He explained that there are a lot of frameworks and that all of them are useful, but that none is perfect. One such framework is known as the Cyber Kill Chain, which is one of the earliest models and still very relevant today. Thomas said that this framework focuses on how attackers have to follow a chain in order to be successful in their attack. Another model he mentioned was the Diamond Model, a very flexible model used to map events, where you can bring your own meta features and then track these features depending on the infrastructure looked at. Thomas then discussed the TITO Framework, which is complementary and leans on the other frameworks. It also allows you to take the framework you are using and operationalise the data. He explained that the TITO Framework focuses on three factors. First, the infrastructure: aggressively identify adversary infrastructure that comes into contact with yours, look at the entire scheme, and actively track and investigate. Second, the target: what is the adversary targeting and which systems are vulnerable? Thomas stated that you harden those elements and build defenses. And finally, the outcome: as Thomas put it, what does the criminal hope to achieve through the attack?
Thomas Schmitt also talked about The Offensive Mindset and briefly described the differences between inductive reasoning and deductive reasoning. Inductive reasoning is where you look at all the available data and draw conclusions. Thomas said that this model was great for quick decision making. Deductive reasoning is where you model out or create hypotheses over what you think is going on, and then look at the data supporting the hypotheses. Thomas mentioned that you need both inductive and deductive reasoning and that if you are in an offensive mindset, you need to focus on behaviour.
One interesting point Thomas Schmitt brought up was learning to lie. He stated that cybercriminals lie, and that some of us don't enjoy lying, while for others it's built into their nature. We often don't want to lie to our infrastructure teams, customers or security teams, and generally we need to learn to get past our reluctance to lie when it comes to criminals. He further explained that learning to lie is all about mapping out the attacker expectant scheme and asking questions like:
- How did the attackers learn to carry out their attacks?
- Are they using their own infrastructure, or did they create one?
- And once they obtain the data, where are they going to monetise it? For example, are they selling the customer data or using it to conduct some sort of fraud?
- And most importantly, what are the attackers trying to achieve? Thomas stated that you can add friction here by building deception and by building in target defense.
Thomas said that we don’t always have to tell attackers the truth and that it’s okay to lie if it’s for the right purpose and to the right people. Finally, he stated that there are three general methods that can be used to address some of the questions above.
- De-incentivise: This method helps you to reduce the amount, value or usability of the data. Thomas stated that you would begin at the end of the attacker expectant scheme. For example, you remove the ability to monetise and use deception to redirect attackers to a honeypot where they think they are collecting good data, but in actuality they aren’t.
- Remove feedback: Thomas stated that the goal here is to delay signs of success or failure as long as possible. Even more important: make the attackers think they were successful, and ensure that they don't find out otherwise for a long time. He also said that it's good to randomise the response. If you give an attacker the same feedback every time, it becomes predictable to them, so instead Thomas states that you need to use multiple feedback responses or codes to add another means of friction.
- Booby Traps: Here, as Thomas stated, deception should most definitely be used, but only when necessary and only on the most critical things, as you don't want the attacker to find out what your deception measures are. Therefore it's important to respond quickly and use deception techniques wisely.
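The three friction methods above, as an added example (not code from the talk or from Group-IB): a small Python record store that raises an alert when a decoy record is read, serves worthless filler instead of real data, and answers every request in the same randomised shape. All record ids, addresses and status values are constructed for the example.

```python
import hashlib
import random
from dataclasses import dataclass, field

# Constructed sample data (not from the talk): two real records plus one decoy record
# that no legitimate workflow ever reads, so any read of it is the booby trap firing.
RECORDS = {
    "cust-1001": {"email": "alice@example.com", "decoy": False},
    "cust-1002": {"email": "bob@example.com", "decoy": False},
    "cust-9001": {"email": "decoy@example.net", "decoy": True},
}

# Status values chosen at random per reply, so the same request does not yield a fixed,
# predictable code: the "remove feedback" idea from the talk.
OPAQUE_STATUSES = ("queued", "accepted", "processing")


@dataclass
class DeceptiveStore:
    alerts: list = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(1234))

    def lookup(self, requester: str, record_id: str) -> dict:
        rec = RECORDS.get(record_id)
        if rec is None:
            # Unknown id: never say so; answer with filler shaped like a real record.
            email = self._filler(record_id)
        elif rec["decoy"]:
            # Booby trap: log who touched the decoy, then hand out worthless data.
            self.alerts.append((requester, record_id))
            email = self._filler(record_id)
        else:
            email = rec["email"]
        # Every reply has the same shape; status and retry hint are randomised so that
        # success and failure cannot be told apart from the response alone.
        return {"status": self.rng.choice(OPAQUE_STATUSES),
                "retry_after_ms": self.rng.randint(200, 1500),
                "record": {"id": record_id, "email": email}}

    @staticmethod
    def _filler(record_id: str) -> str:
        # Plausible-looking but fake value derived from the id (de-incentivise: nothing to monetise).
        digest = hashlib.sha256(record_id.encode()).hexdigest()[:8]
        return f"user-{digest}@example.net"


def run_demo() -> tuple:
    """Simulate a scanner walking ids; returns (decoy alerts raised, replies share one shape)."""
    store = DeceptiveStore()
    replies = [store.lookup("scanner", f"cust-{i}") for i in (1001, 9001, 9999)]
    same_shape = all(r.keys() == replies[0].keys() for r in replies)
    return len(store.alerts), same_shape
```

The alert list is the signal a security team would route to its SOC; the attacker sees only uniform, randomised replies.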
With the world's rapid digital transformation, catalysed by the pandemic, the stability of cyberspace has come into special focus. In 2020, no one can afford to be out of touch with cybersecurity, which is a team sport. Hence, maintaining stability in the global cyberspace should include the constant exchange of threat intelligence, cooperation, and joint efforts of the public and private sectors. Raising the global community's awareness of cybercrime can help preserve and protect the opportunities cyberspace gives us.