[BreachExchange] The real deal on cybercrime, breach timelines, and mounting a proactive defence

Destry Winant destry at riskbasedsecurity.com
Mon Nov 19 20:25:00 EST 2018


https://www.enterprise-cio.com/news/2018/nov/19/real-deal-cybercrime-breach-timelines-and-mounting-proactive-defence/

Here’s something that may seem obvious but is more true today than
ever: Organisations that take security breaches seriously (which
should be all of them) can’t afford to sit back and take a reactive
approach to their defensive strategy. Although a considerable amount
of damage can be done in a shockingly short period of time, simple
proactive steps can often thwart cybercriminals and defend
organisations against a wide variety of attacks.

No target is impervious, but the most resilient companies understand
who the cybercriminals are, what motivates them and which tactics they
use. Criminals waste no time in attacking as soon as the right
opportunity presents itself, so the organisations they target must act
preemptively, and doing so depends on knowing what is coming.

The criminals

Cybercriminals come in all shapes and sizes. They can operate
individually or coordinate with others. Some are newcomers to the
scene (“skids”) who don’t have a high degree of technical acumen,
while others are seasoned professionals who use sophisticated methods
to conduct widespread attacks.

While criminals vary drastically in their capabilities, methods of
choice and chosen targets, they all have the common motivation of
seeking control. The most common interest is to control funds that
aren’t theirs. By stealing credentials that grant them access to bank
accounts, personally identifiable information (PII) or corporate data
and intellectual property, criminals can keep the profit for
themselves or, most likely, sell the accounts and data to either
trusted contacts or on underground markets. More capable actors, such
as those sponsored by nation states and organisations, seek
information that can be used to expose weaknesses and render a
targeted entity powerless.

The crimes

While their end intent is often uniform, cybercriminals aim for
organisations of all types and sizes. The FBI estimates that business
email compromise (BEC) cost organisations more than $5 billion between
October 2013 and December 2016. And while associated reputational
damage can be more difficult to quantify, it can be just as
devastating.

Among stolen account credentials and PII, health records and Social
Security numbers bring in the most money. One recent report found that
a skilled cybercriminal committing these kinds of attacks can make as
much as $350,000 per year.

Sometimes, employees of the organisations targeted by criminals work
unwittingly in their adversaries’ favor. These employees can be
manipulated into helping criminals take over accounts or wire money to
criminal-controlled mule accounts by falling for instructions in a
phishing email or an email from an already compromised account.

Social engineering is also used to trick unsuspecting users into
revealing personal information. This tactic generally targets
individuals who have access to central databases or high-value assets.
It only takes a single employee to inadvertently grant a cybercriminal
access to sensitive data. With a single click or a weak or reused
password, they can end up giving criminals all they need.

Once criminals establish their preferred tactics, techniques and
procedures (TTPs), they repeat their crimes to target more
organisations or scale their attacks to multiple employees. To scale,
criminals automate their attacks at rapid speed to hijack credentials,
data and money on multiple accounts simultaneously. Bots, for example,
are perfect for quickly spreading malware, cracking passwords and
performing credential stuffing attacks at scale. Since there are a
number of solutions that may help organisations recognise activity
from a bot, it would seem logical that this problem would be simple to
solve. Unfortunately, the most sophisticated criminals are smart
enough to “fingerprint” companies to determine whether or not their
login attempts can be traced. These criminals tend to change
techniques until they can attempt logins undetected.

Criminals then sell their commandeered goods (credentials and data) to
underground armies that grow exponentially as the breach matures.
Overhead is low and ROI can be quite high. Attack sequences like this
can turn a single breach into a widespread event that can still take
months for companies to discover, causing significant brand and
financial damage in the meantime.

The first 72 hours, months and years ahead

Cybercriminals are fast. When a criminal discovers a vulnerability on
Day 0, for instance, they can sell that vulnerability within 24 hours.
By Day 2, a larger team of criminal cronies has already purchased the
vulnerability and proceeded to breach the organisation to steal
employee or customer usernames and passwords. Millions of credentials
can be stolen within only 48 hours of the vulnerability being exposed.
By Day 3, those credentials are being used by criminals to actively
take over employee or customer accounts.

Cybercriminals are also patient. They squeeze every last ounce of
potential gain from their breaches. Over the next several months to a
span of a few years, they will use those stolen credentials to attempt
to breach other accounts that may use the same password or a
derivative of it, which is common. This credential stuffing technique
is quite literally where criminals “stuff” their stolen credentials
into as many websites and apps as they can find. For every account
that can be taken over, the criminal has a new asset to monetise in
underground markets.

Credentials that were harvested from the original breach are never
deleted or removed from the underground, eventually leading to
less-sophisticated criminals being able to use simple tools to
automate attacks at scale. This is why such a large percentage of
login attempts at large online sites are malicious and fraudulent (and
easily detected).

The proactive defence

Prevention depends squarely on detection early in the breach timeline,
preferably the day the credentials are harvested. Existing tech
solutions that detect bots or suspicious IP addresses rely on a
combination of AI, machine learning and data scraped from the deep and
dark web. However, given that time is of the essence, organisations
cannot afford to wait for a bot detection, scraper or AI-driven
security information and event management (SIEM) solution to
eventually alert them to an attack.

The single most effective way to prevent account takeovers early in
the timeline is to know when customers’ or employees’ credentials have
spilled and then change the affected passwords before a criminal can
make use of them. That remediation process is the proactive path to
ensuring that criminals cannot continue to leverage data from accounts
that have been compromised and cannot expand into full-scale breaches.
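The remediation step described above, as an added example that is not part of the original article: given a constructed third-party spill of (email, plaintext password) pairs and a site's own salted password hashes, find the accounts whose current password (or a cheap reuse variant of it, as the article notes) has spilled, so they can be forced to reset before the credentials are stuffed elsewhere. The user store, the spill and the variant rules are all assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: PBKDF2 cost kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form a site would store (never plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users):
    """Build {email: (salt, hash)} from constructed (email, password) pairs."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def reuse_variants(password: str):
    """Exact password first, then cheap tweaks users make when 'changing' it (assumed rules)."""
    yield "exact", password
    yield "variant", password.capitalize()
    for suffix in ("1", "!", "123"):
        yield "variant", password + suffix


def accounts_to_reset(store, spilled):
    """Return {email: 'exact'|'variant'} for every account whose password has spilled."""
    hits = {}
    for email, leaked in spilled:
        entry = store.get(email.lower())
        if entry is None:
            continue  # spilled user is not one of ours
        salt, stored = entry
        for kind, candidate in reuse_variants(leaked):
            # constant-time compare, same as a login check would use
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                hits[email.lower()] = kind
                break
    return hits


# Constructed sample data: our users and a spill from an unrelated breach.
USERS = [("alice@example.com", "Winter2018"),
         ("bob@example.com", "correct horse"),
         ("carol@example.com", "Tr0ub4dor&3")]
SPILL = [("alice@example.com", "Winter2018"),       # exact reuse
         ("bob@example.com", "hunter2"),            # different password, no action
         ("Carol@Example.com", "tr0ub4dor&3"),      # capitalised variant reused
         ("dave@example.com", "letmein")]           # not our user
STORE = make_user_store(USERS)

if __name__ == "__main__":
    for email, kind in accounts_to_reset(STORE, SPILL).items():
        print(f"force reset: {email} ({kind} match)")
```

Accounts in the returned map should be reset and have active sessions revoked; the spill itself should never be stored in plaintext beyond this check.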

