Today’s advanced cyber criminals are committed to stealing data, disrupting services and maintaining access to a target environment for as long as possible (enabling future intrusions). These threats apply to all industries, not just those that deal with credit cards or personal information. Companies that have proprietary data that is perceived to be of economic value, or any company contemplating or already involved with international business transactions, are likely targets and — this you may not have thought of — their external law firms.
Transnational criminal enterprises often maintain remote access to the target environment for six to 18 months before they are detected. Our experience suggests that many state-sponsored cyber intrusions result in lingering unfettered access for many years, which in some cases is never detected. When it is discovered, recognition of advanced cyber intrusions does not typically come via in-house technology, processes, or people, but, rather, through third-party tipsters such as domestic law enforcement, intelligence sources, customers, or business partners.
Anything but random
When foreign governments, organized crime, or hackers target an organization, the techniques they use to compromise the network and enable sensitive data theft are well planned and methodical. Advanced cyber threat groups are patient, tending to invest heavily in the research and development of custom malicious code and clever means to exfiltrate data; all designed to slip under the cyber security radar.
Cyber threats are varied, complex, and continuously evolving. History shows that preventive and defensive measures can reduce risks related to acceptable-use violations, computer or network intrusions, data loss or leakage, and asset sabotage. However, the threat actors who target specific companies or industries are keenly aware of the cyber security strategies employed over the past decade. A realized cyber threat in turn creates other risks to business operations, including regulatory, legal, financial, and reputational ones.
The future of cyber security must adopt a new philosophy that assumes a never-ending state of compromise.
The intelligence services of foreign governments are the most sophisticated, organized, and funded. Foreign intelligence services steal commercial intellectual property (IP) and business transaction information to gain an economic advantage. Absconding with classified government information gains them a military or political advantage. Also, maintaining remote access for as long as possible is a primary objective of state-sponsored groups. This permits future access to your network and its data. Often, the data of interest from an economic espionage perspective is the information shared amongst senior executives regarding business operations and deals. Stated differently, this threat group ultimately targets specific people once inside the organization’s cyber space.
In one such case, PwC was engaged after a client was notified of a cybercrime by a law enforcement agency that had been investigating a national security matter. After law enforcement advised the client (a critical infrastructure organization) that its private cyber space had been compromised, we were called in to uncover the methods and techniques the state-sponsored actor used to steal economic intelligence. We also identified the mechanisms that were enabling persistent remote access.
We found breach indicators and digital evidence that had been in the IT environment for years. Although the focus of this cyber intrusion appeared to be the gathering of economic intelligence, we worked with the victim to determine if the infiltration additionally compromised systems that could be used to disrupt critical infrastructure operations and create a national security nightmare.
Same game, new names
The phrase “transnational criminal enterprises” was crafted in recent years to replace the traditional tag, “organized crime.” While a decade ago organized crime groups hired individual hackers to compromise computers and steal data, today hackers have formed their own global groups and underground networks and work independently of the traditional organized crime groups. The primary motive of these global criminal enterprises: sheer profit.
PwC has been engaged by clients who suspect that their environment has been compromised and that payment card data or personal information has been stolen. In one of our recent investigations, some of the criminals’ persistence and data exfiltration techniques closely resembled state-sponsored intrusions. We found multiple remote access methods that used custom malware, which at the time, were not known to the public and law enforcement. Had we wrapped the investigation upon discovering the first remote-access technique, the global criminal group would have been free to continue pillaging the environment.
Also, the client asked us to collaborate with law enforcement. This created an interactive exchange of evidence that helped us further our investigation and contain the incident. This, in turn, led to the international arrest of the criminals who had already made millions within just a few days of stealing the data.
And it’s getting harder to tell the difference between an advanced criminal group and a state-sponsored actor when investigating cyber intrusions. Corrupt competitors are always looking for an economic advantage by any means.
Corrupt or corruptible users of your IT environment with authorized access to data are the most dangerous threat to private cyber space. The solo artist, or lone wolf, is often the one who has fallen on hard times or is a person motivated to achieve revenge due to some unresolved work conflict issue. As such, the insider is also ripe to be recruited by external threat groups. Combine this with the economic downturn and there is a fertile playing field for the recruitment of insiders experiencing financial distress.
We continue to see a steady stream of insider-related malicious acts in our investigative work for our clients. Today, there are plenty of external outlets for corrupt insiders to leak information for profit or to publicly embarrass an employer. Managing the risk of an insider intentionally leaking sensitive information involves a continual effort to identify at-risk insiders and to apply enhanced monitoring of the cyber behaviors of those insiders.
Constant state of compromise
Given the cyber threat landscape, organizations have to re-engage the human element to better leverage their investments in security technology. Applying a cybercrime investigator’s mindset to daily cyber security operations is much needed. The future of cyber security will have to involve human sentinels leveraging technology and custom-developed processes and procedures to interrogate the IT environment continuously, with no end date.
Analogy: A good investigator interrogating the human subject of a fraud investigation will initially spend time building rapport in order to baseline the verbal and nonverbal behaviors of the human subject to enhance the investigator’s ability to detect deception. Also, prior to the interrogation, the investigator will gather as much intelligence as possible about the subject to improve the success of the interrogation.
These same concepts can be applied to cyber security.
Creating a baseline of network traffic and system programs, processes, and connections can greatly assist the ongoing interrogation of the IT environment for breach indicators, because those indicators, or deviations from the norm, can be more readily seen. Stated differently, you can enhance your state of cyber security to become a cyber lie-detector. Reducing your Internet points of presence and reducing the number of standard system configurations can propel this effort.
Detecting cyber deception requires training, practice, experience, and creativity. Imagine if your nonstop network traffic analysis for breach indicators, which operated from a baseline of known good network traffic, identified a large file being transmitted over a networking protocol that is authorized in your environment but is not used to transmit data. Or, imagine if the ongoing scanning of user systems for breach indicators, which operated from a baseline of known good files, processes, and connections, identified a connection from a user system to an email server in which the user had no email account.
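As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not from the original article or PwC), the following Python builds a known-good baseline of host/destination/protocol pairs from constructed connection records and then flags the two scenarios the text names, plus any connection absent from the baseline. Host names, addresses, the byte threshold and the list of data-bearing protocols are constructed assumptions.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "host dst proto bytes_out")

# Constructed sample records (hypothetical hosts/addresses, not real data).
BASELINE_WEEK = [
    Conn("ws-alice", "10.0.0.25", "smtp", 40_000),
    Conn("ws-alice", "93.184.216.34", "https", 1_200_000),
    Conn("ws-bob", "10.0.0.25", "smtp", 35_000),
    Conn("ws-bob", "10.0.0.53", "dns", 9_000),
    Conn("ws-carol", "10.0.0.53", "dns", 8_500),
]
OBSERVED_DAY = [
    Conn("ws-alice", "10.0.0.25", "smtp", 38_000),
    Conn("ws-bob", "10.0.0.53", "dns", 12_000),
    Conn("ws-carol", "10.0.0.53", "dns", 6_400_000),  # bulk transfer over DNS
    Conn("ws-carol", "10.0.0.25", "smtp", 2_000),      # carol has no mailbox
    Conn("ws-bob", "198.51.100.7", "https", 300_000),  # never-seen destination
]

# Policy assumptions: protocols authorized to carry bulk data, the mail
# server address, hosts whose users hold a mailbox, and a "large file" size.
DATA_BEARING = {"https", "http", "smb", "smtp"}
MAIL_SERVER = "10.0.0.25"
MAILBOX_HOSTS = {"ws-alice", "ws-bob"}
BULK_BYTES = 5_000_000


def build_baseline(records):
    """Known-good (host, destination, protocol) triples seen during baselining."""
    return {(c.host, c.dst, c.proto) for c in records}


def find_deviations(records, baseline):
    """Return (host, dst, proto, reason) for every record that departs from the norm."""
    findings = []
    for c in records:
        reasons = []
        if (c.host, c.dst, c.proto) not in baseline:
            reasons.append("connection not in known-good baseline")
        if c.proto not in DATA_BEARING and c.bytes_out >= BULK_BYTES:
            reasons.append(f"{c.bytes_out} bytes over {c.proto}, a protocol not used to carry data")
        if c.dst == MAIL_SERVER and c.host not in MAILBOX_HOSTS:
            reasons.append("contacted mail server but the host's user has no mailbox")
        findings.extend((c.host, c.dst, c.proto, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for finding in find_deviations(OBSERVED_DAY, build_baseline(BASELINE_WEEK)):
        print(*finding, sep=" | ")
```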
It’s time to build a little rapport with your private cyber space.
Shane Sims is a director in the Advisory-Forensics practice at PwC with 24 years of experience in the fields of forensic investigations, cybercrime, national security and crisis management. Prior to PwC, Shane served his country for over 10 years at the FBI where he investigated cybercrime, fraud, money laundering, insider threats, acts of terrorism, and economic espionage.
Shane is a contributing author of a recently published book titled CyberForensics: Understanding Information Security Investigations, in which he wrote the Insider Threat chapter, and the author of a recently released PwC white paper titled Are You Compromised But Don’t Know It: A New Philosophy For Cyber Security.