
The Seedy Underbelly of Cybercrime

Chris Pogue, Nuix

5-Sep-2014 - Another day and another major breach announced.

Just last week, I wrote a blog post titled Compliance Does Not Equal Security. In it, I detailed that box checking is no way to protect critical assets.
In this latest breach announcement, America’s largest bank, JP Morgan Chase, and at least four other American banks, not yet named, have suffered breaches.
As had been correctly predicted multiple times over the past several years, attacks of this nature on our financial infrastructure are not going away; they are increasing. Businesses need to start approaching security as if they are going to be breached, rather than hoping they won’t.
To help organizations prepare for what is likely inevitable, it helps to understand the organizational structure of the attackers. Knowing how the work is divided gives defenders a clearer picture of what each stage of a breach looks like, and that in turn makes it possible to protect critical data more effectively.
Cybercrime organizations are set up much like a legitimate business. There are multiple “departments” or functional “teams” that perform specific tasks, staffed by individuals with specific skills. Each team may be staffed by the same crew of attackers, or by separate crews made up of specialists. They are organized like this:

• In this initial stage of the crime, the recon team will scour the internet looking for IP addresses that show the indicators needed for remote access. As we will discuss later, this access is essential for the breach to take place. These indicators can include open remote access (RDP/Termserv, LogMeIn, VNC, pcAnywhere, etc.), protocol vulnerabilities (FTP, SSH, SMB, SMTP, etc.), and web-based vulnerabilities. Once IP addresses with these vulnerabilities are identified, they are passed along to the next functional team.

• With a list of vulnerable IP addresses in hand, this team carries out the breach. This can be as simple as entering a weak or default username and password, or as complex as a multi-staged attack that chains together and exploits several vulnerabilities. It also includes web-based attacks such as Structured Query Language (SQL) injection or Remote/Local File Inclusion (RFI/LFI).
• Once inside, this team is also responsible for identifying the systems that store, process, or transmit the targeted data. The overall goal of this stage of the breach is to gain access to the target environment and its critical assets. Once access is gained, this team tags out and passes on the IPs and credentials, or the compromised web page URL, to the next team.

• This team is now responsible for deploying malware into the target environment. They move back into the targeted systems and drop the malware that is to be used for harvesting. This malware is usually highly customized for the sole purpose of aggregating the desired data elements. It is extremely unlikely to be detected by systems administrators or anti-virus applications.
• In cases in which critical data is handled insecurely, native resources are used and no malware is necessary.

• Once the malware executes successfully, it will usually create an output file, commonly known as a “dump” file, that either needs to be picked up by whichever team or individual is responsible for harvesting, or will be automatically exfiltrated to an external system.
• Advanced malware packages can exfiltrate data immediately upon interception and have no need to generate an output file.
• The stolen data is then collected and placed into a larger pool that contains harvested data from other targets. Doing this helps prevent detection and attribution when the fraud is eventually executed.

• The stolen data is then put up for sale on the black market, often referred to as the “Shadow Economy”. Estimates run into the tens or even hundreds of thousands of active members who buy, sell, and trade this data on the black market every day. It is a high-dollar commodity, with sales and purchases that can reach into the billions of dollars. This is also the primary driver behind these types of crimes: they are extraordinarily lucrative and have a very low rate of attribution or arrest.

• The final stage of the crime workflow is the execution of fraud. This can be payment card fraud, healthcare fraud, pirated goods production, or even blackmail. These teams are usually non-technical and are increasingly made up of street gangs looking to expand their criminal activities beyond drug sales, extortion, and prostitution (among other types of crime). The primary driver here is that these crimes are less dangerous and do not carry mandatory sentences the way “legacy” crimes do. In fact, there are currently 47 different breach laws in the US alone, with no overarching federal law as of yet. None of these breach laws have mandatory sentences. In the few instances when perpetrators are arrested and convicted, their sentences are considerably lighter than for other types of crimes.
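The stages above each leave a different footprint in ordinary firewall and authentication logs. The following is an added example, not code from the original post or from Nuix, that tags three of those footprints over a handful of constructed log lines: reconnaissance (one external host probing several of the remote-access and protocol ports the article lists), the breach itself (a run of failed logins ending in a success, the weak/default-credential case), and exfiltration (a large outbound transfer from an internal host to an external one). The log format, the internal address range, the thresholds, and all IP addresses are assumptions made for the example.

```python
"""Stage-tagging detector for the breach workflow described above.

Added example, not the post's or Nuix's code. It parses a constructed,
simplified log (one 'fw conn' line per connection, one 'auth login' line
per login attempt) and reports which workflow stage each pattern matches.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports for the remote-access and protocol services the article names as
# reconnaissance targets (RDP, VNC, pcAnywhere, FTP, SSH, SMB, SMTP).
PROBED_PORTS = {3389: "rdp", 5900: "vnc", 5631: "pcanywhere",
                21: "ftp", 22: "ssh", 445: "smb", 25: "smtp"}

# Detection thresholds and the internal range are assumptions; tune them.
RECON_MIN_PORTS = 3            # distinct listed ports probed by one source
BRUTE_MIN_FAILURES = 5         # failed logins before a success, one source
EXFIL_MIN_BYTES = 10_000_000   # outbound bytes to one external host
INTERNAL_NET = ip_network("192.0.2.0/24")

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
2014-09-01T02:10:01 fw conn src=203.0.113.7 dst=192.0.2.10 dport=3389 bytes=0
2014-09-01T02:10:02 fw conn src=203.0.113.7 dst=192.0.2.10 dport=5900 bytes=0
2014-09-01T02:10:03 fw conn src=203.0.113.7 dst=192.0.2.10 dport=22 bytes=0
2014-09-01T02:10:04 fw conn src=203.0.113.7 dst=192.0.2.10 dport=445 bytes=0
2014-09-01T02:11:00 fw conn src=198.51.100.4 dst=192.0.2.10 dport=443 bytes=1200
2014-09-01T03:00:01 auth login src=203.0.113.7 user=administrator result=fail
2014-09-01T03:00:02 auth login src=203.0.113.7 user=administrator result=fail
2014-09-01T03:00:03 auth login src=203.0.113.7 user=administrator result=fail
2014-09-01T03:00:04 auth login src=203.0.113.7 user=administrator result=fail
2014-09-01T03:00:05 auth login src=203.0.113.7 user=administrator result=fail
2014-09-01T03:00:06 auth login src=203.0.113.7 user=administrator result=success
2014-09-01T03:05:00 auth login src=192.0.2.50 user=jsmith result=fail
2014-09-01T03:05:10 auth login src=192.0.2.50 user=jsmith result=success
2014-09-01T04:20:00 fw conn src=192.0.2.10 dst=203.0.113.99 dport=443 bytes=52000000
2014-09-01T04:21:00 fw conn src=192.0.2.10 dst=192.0.2.20 dport=445 bytes=80000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>fw|auth) (?P<event>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields; None if the line doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "source": m["source"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_external(ip):
    """Anything outside the assumed internal prefix counts as external."""
    return ip_address(ip) not in INTERNAL_NET


def tag_stages(log_text):
    """Return (stage, source_ip, detail) findings in stage order."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []

    # Recon: one external source touching several of the listed ports.
    ports_by_src = defaultdict(set)
    for r in records:
        if r["source"] == "fw" and is_external(r["src"]):
            port = int(r["dport"])
            if port in PROBED_PORTS:
                ports_by_src[r["src"]].add(port)
    for src, ports in ports_by_src.items():
        if len(ports) >= RECON_MIN_PORTS:
            services = sorted(PROBED_PORTS[p] for p in ports)
            findings.append(("recon", src, ",".join(services)))

    # Breach via guessed credentials: a run of failures ending in a success.
    failures = defaultdict(int)
    for r in records:
        if r["source"] != "auth":
            continue
        if r["result"] == "fail":
            failures[r["src"]] += 1
            continue
        if failures[r["src"]] >= BRUTE_MIN_FAILURES:
            detail = f"{failures[r['src']]} failures then success as {r['user']}"
            findings.append(("breach", r["src"], detail))
        failures[r["src"]] = 0

    # Exfiltration: large outbound volume from an internal host to one
    # external destination. Internal-to-internal copies are not counted.
    out_bytes = defaultdict(int)
    for r in records:
        if r["source"] == "fw" and not is_external(r["src"]) and is_external(r["dst"]):
            out_bytes[(r["src"], r["dst"])] += int(r["bytes"])
    for (src, dst), total in out_bytes.items():
        if total >= EXFIL_MIN_BYTES:
            findings.append(("exfil", src, f"{total} bytes to {dst}"))

    return findings


if __name__ == "__main__":
    for stage, src, detail in tag_stages(SAMPLE_LOG):
        print(f"{stage:6} {src:15} {detail}")
```

On the sample log this flags the recon host probing RDP, VNC, SSH and SMB, the same host logging in as administrator after five failures, and a 52 MB transfer from the breached server to an external address, while the single mistyped password from an internal user and the internal-to-internal copy are left alone. Real deployments would key the recon and brute-force rules on time windows rather than on the whole file, but the stage-to-signal mapping is the point here.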
One thing is clear: cybercrime has become a part of our society. Additionally, the increase in high profile breaches underscores the stark reality that prevention is no longer a realistic defensive strategy. The sooner businesses can accept this, and prepare to respond to data breaches, the better off they will be.


Chris Pogue Bio
Chris Pogue is the Senior Vice President of Cyber Threat Analysis at Nuix. He has 14 years’ experience in digital forensic investigation, having worked with Trustwave SpiderLabs, the IBM/ISS X-Force incident response and ethical hacking teams, and the US Army Signal Corps. Chris has been a cybercrimes investigator, a law enforcement and military instructor, and a delivery director. He holds a Master’s degree in Information Security and multiple industry-relevant certifications, including CISSP, CEH, CREA, GCFA, and QSA.