
This article was first published in the September 2015 international edition of Accounting and Business magazine.

Almost £1bn a day is spent online. In a hyper-connected world that has more mobile devices than people, it should come as no surprise that online crime is intensifying. Yet we continue to leave ourselves vulnerable in cyberspace because of a collective failure of information sharing. If we want to create a properly protected digital environment, a fundamental shift is required in our approach to cybersecurity threat intelligence, with governments, corporates and small businesses all playing their part.

The Hatton Garden heist, in the heart of London’s jewellery quarter, where enterprising thieves tunnelled into the vault of Hatton Garden Safe Deposit, netted the robbers an estimated £200m in valuables earlier this year. This was an audacious and well-planned robbery. The incident garnered massive media attention and captured the public imagination until the alleged burglars were arrested six weeks after the theft. 

Compare this to Carbanak – an online hacking campaign that reportedly generated US$1bn from around 100 banks worldwide. The highly sophisticated theft required a network of criminals with specialist digital skills, with each attack taking up to four months to execute. No arrests have yet been made and coverage of the attack has been extremely limited. Which brings us to our first problem: the poor visibility of cybercrime.

Don’t dodge it

There are several interconnecting factors at play here. First is the perception that cybercrime is too technical and difficult to understand for non-IT staff. However, IT is now a pervasive and critical part of our lives, massively improving connectivity and thus productivity. Given that employees themselves make extensive use of a constantly evolving array of gadgets and methods of communication, all staff have a responsibility to understand the risks and to use such devices securely. 

This is not difficult: short awareness sessions of one to two hours should be sufficient to give employees the rudiments of cybersecurity and how to counter social engineering attacks and phishing emails. Given these techniques have cost companies dearly, with one attack alone thought to have cost a US retailer US$500m, such learning is surely a reasonable investment.

Victims are also often reluctant to report cybercrime to law enforcement agencies. Businesses may be concerned about the interruption and loss of control caused by an investigation, believe there is little chance of recovering stolen assets, and hope to minimise reputational damage by restricting reporting to outside entities. However, in a world where breaches are increasingly commonplace, reputations can be more tarnished by efforts to suppress the reporting of an incident than through an early declaration; the positive media coverage of US health insurer Anthem’s prompt response to a cyber attack earlier this year demonstrates this. 

Enforcement authorities are also gaining experience of investigating cybercrime, and doing so effectively with corporates. This usually involves collaboration with incident response businesses that seek to minimise disruption within the corporate estate. More organisations need to follow this model: enforcement authorities require visibility to provide a proper response but until they have more scope to disrupt the activities of cybercriminals, the rate of attacks is unlikely to diminish.

Cyber threat actors are constantly evolving and, more worryingly, cooperating. Malware and infrastructure are shared, recycled and reused at an alarming rate, with a recent banking malware campaign reportedly lasting just five hours. Criminals are also adopting and adapting the sophisticated techniques used by government agencies as these leak into the public domain.

Stovepiped

Some of this should make it easier to defend against attacks, except that defenders are not cooperating in the same way. Even the best efforts, such as the ISAC knowledge sharing system in the US, are ‘stovepiped’ – businesses share information within their industry but not with their own supply chains, a strategy that seems inexplicable from a risk management perspective. Furthermore, attackers do not think primarily in terms of industry or sector – they consider profit, intellectual property or, perhaps, ideology.

Reviewing even the most sophisticated attacks, attributed to highly cyber-capable nation states, there is a pattern of the same malware (or ‘implants’ in government parlance) and command and control infrastructure being used against multiple victims, across various sectors, including finance, energy, telecoms and governmental institutions.

What this tells us is that our adversaries are constantly adapting; they are agile, unencumbered by regulatory or legal restraints, unconcerned about national jurisdictions, and developing attack techniques so quickly that it is impossible to keep pace without the broadest possible coalition working to defend against them. This requires a complete paradigm shift in the approach to sharing intelligence about cyber threats.

Cyber intelligence has a unique attribute, where its value increases the more widely it is shared. Of course, attackers can change their command infrastructure or obfuscate their code, but no-one has limitless resources. Recent reporting on cybercriminal groups has shown their operations can be severely damaged by sharing information about their tools and infrastructure.

While governments should lead the way, they are no longer the main owners of intelligence in this space. Commercial entities are almost certainly the most frequently attacked by volume, and they face the most sophisticated malware.

In the hyper-connected world, the private sector often has defensive tools or capabilities that rival or exceed those in the public sector. Many organisations also have the capacity to share information and initiate investigations across international borders far more quickly than government agencies, an area where change is also required to redress the balance.

Real collaboration between the public and private sectors is required to make this work. This is not about the sort of sharing envisaged in proposed EU and US legislation, intended largely as a data privacy measure. Nor are closed systems such as ISAC sufficient. Instead, there needs to be a new model of willing cooperation that expands existing relationships. Government should build on its links with critical national infrastructure to engender exchanges that go into greater depth. That infrastructure should in turn share with its supply chain, creating a trickle-down effect for capability, and a two-way flow of intelligence on the cyber threat.

Cybercriminals have demonstrated some of the elements required to operate effectively in this space: they are early adopters, embracing technology; they collaborate, sharing information, techniques and assets; and they are agile and international in approach. Defenders must respond accordingly, or risk being constantly outpaced by the attackers. 

Alister Shepherd is a security and investigations expert at Stroz Friedberg, an investigations, intelligence and risk management company.