March 2017 saw the publication of not one, but two, reports into cybercrime which make interesting reading both as to recent developments and what is expected by criminal investigators in the future.
Europol’s 2017 Serious and Organised Crime Threat Assessment – Crime in the age of technology report covers a broad range of threats, of which cybercrime is only one. Nonetheless, it is useful in putting cybercrime in the broader context of organised crime and serious criminality. The joint National Cyber Security Centre / National Crime Agency 2016/17 report “The cyber threat to UK business” is, as its title suggests, focused purely on cybercrime and provides a more detailed assessment of cybercrime trends, and what UK businesses can do to try to protect themselves.
Much of what the reports say will not be new to those following the cybercrime threat landscape closely, although it is always useful to benefit from the views of law enforcement. The key areas of growth in the past year, and those which law enforcement consider will move up the threat landscape in the near future, are as follows:
- Cryptoware (i.e. ransomware using encryption) continues to be a major threat, and its users are responding to efforts to mitigate the threat. For example, many tech and cybersecurity companies have joined together to write code to “unlock” the encryption used on older varieties of cryptoware. That code is freely available to download. As a result, more sophisticated cryptoware now either seeks to prevent such code being downloaded, or copies data outside the business and deletes the business’s copy, only returning it if the ‘ransom’ (still almost always in bitcoin) is paid.
- Theft of intellectual property and confidential information remains a key threat to UK business. While this has been going on for many years, it is specifically identified as a key threat and is expected to increase.
- The “crime as a service” model of cybercrime means that unsophisticated attackers can operate at a scale beyond their level of technical sophistication. This impacts on how businesses should consider the threat landscape. This trend is perhaps exemplified by the public release of the code to the Mirai malware, and the significant increase in DDoS attacks which utilise devices infected with Mirai over the past 12 months.
- Malware targeting smart devices, often combined with ransom demands, is expected to increase significantly. Many of these devices have default settings which are easily exploited and do not require consumers to change them. There is already malware which can lock smart TVs and Android phones (unlocked by paying a ransom), and this trend is likely to increase. The level of ransom required is likely to be relatively small – there is no point setting the price point at such a level that consumers decide simply to replace the device in question – but this is likely to be a significant source of revenue for cybercrime in the coming years.
- Data integrity will move up the risk register. While this has been acknowledged as a risk for some time, some relatively high profile successes will see an expansion of attempts to alter data by malicious insiders, cyber-vandals, hacktivists and cyber-criminals for profit.
Our experience in the past two years matches the NCA / NCSC’s report. We have seen a significant increase in the number of clients seeking legal advice on whether they can legally pay ransoms after a cryptoware attack, or how they should respond to a DDoS ransom threat. We have acted for several clients in obtaining court orders following the theft of confidential data or IP. We have seen cases of randomiser code being introduced into software to produce deliberately incorrect results, and attempts to build back doors into smartphone app code. We do not expect to see a decrease in any of these areas.
The NCA / NCSC report also highlights the importance of people, processes and technology in defending against cyber-attacks. There is perhaps a tendency, due to the wealth of vendors in the market and the fact that a new technological “solution” arrives each day, to focus on the technology aspect of cybersecurity. Technology is undoubtedly a key piece of the puzzle, and is critical in detecting and shutting down successful attacks.
The continuing involvement of insiders, either through malicious activity or negligence, in data loss and theft also gets significant press. However, it is worth repeating that while the ‘people’ part of people, processes and technology can be a significant risk, they can also be one of a business’s greatest assets in defending against cyber-attacks. A very significant proportion of successful attacks start with access gained through phishing, and the proportion of employees who click on the link in, or attachment to, a well-crafted email remains (depressingly) high. It is also an asymmetric situation – it only needs one person to fall for a phishing email for an attacker to gain a foothold. The fact that 99 employees didn’t click is irrelevant to the attacker if one does.
Clear and regular training for staff, as well as ways to report suspicious emails securely and safely, is crucial. Many businesses now send spoof phishing emails, and staff who fall for them undergo additional training. The number of staff falling for such emails is monitored over time to check for improvements and trends. If click rates aren’t improving, you should be re-thinking your approach to training.
The NCA / NCSC report also makes a plea for businesses to report cybercrime via Action Fraud. Even if no further action is taken (and in our experience with clients who have been the victims of cyberattacks over the last 12 months, there has been a significant increase in response and engagement when cybercrime has been reported), the intelligence received from reports assists law enforcement in their work behind the scenes. Although not specifically mentioned in the NCA / NCSC report, there are also a number of other schemes for sharing information about attacks which should assist law enforcement, and many clients have reported very positive engagement in those schemes.
It is abundantly clear that cybercrime is not going to go away, and by its very nature defences will always lag behind attackers. Both reports provide an interesting insight into the law enforcement view on cybercrime, and should assist businesses in understanding the threats they face.