Buried in the avalanche of recent cyber attacks, there is good news and bad. Ransomware attacks, which paralysed many organisations — from parts of the UK’s National Health Service to the German railway and major manufacturers — illustrate how acting on good threat intelligence and sensible advice, such as updating and patching software, can avoid major damage.
The attack was an example of the crude new business reality: most companies should aim to raise the cost to attackers and make them look for victims elsewhere. On the less positive side, the response to such incidents reveals we are not yet matching the scale and sophistication of organised cyber criminal groups, particularly when nested in or directed by acquiescent states.
The first step is to take them seriously as businesses and to view them as the malevolent version of disruptive competitors, rather than old-fashioned criminals. The reality is that they often understand how the digital economy works better than the companies they are attacking.
Thanks largely to US law enforcement, we know a lot about these criminal groups and how they operate. They have business models, product lines and targets that would make Harvard Business School proud. They even understand customer service and have helplines on the dark web; if the managed cyber attack capability you have purchased does not deliver, you can, in theory, ring up and complain.
But their real strength comes from crowdsourcing innovation and skills, and understanding the power of data and how to monetise it. The chief executive equivalents in these criminal groups co-ordinate a flexible arrangement of skills, which can be scaled to meet demand.
Their malware developers can harvest the best ideas available on the open or hidden web and adapt them, using the tools that work best and discarding others. They do not need to worry about being unique — there are plenty of victims to go round.
To scale up the launch of these attacks, criminal groups have administrators responsible for “herding” bots, creating their own cloud networks, harnessing their own servers and many unwitting computers.
This gives cyber criminals cheap global reach and infinitely flexible processing arrangements, facilitated by poor cyber security around the world.
The real core of a cyber criminal enterprise lies with those who can navigate networks and then identify, extract and monetise the data on them. The intrusion specialists in criminal groups will, once inside an organisation, survey the network and identify likely pots of gold. The choices are wide, from encrypting data and ransoming it, to selling it piecemeal.
Data miners are as valuable in the criminal world as their commercial rivals, making sense of the stolen data by organising and reformatting for ease of sale. Even credit card details or passwords do not necessarily come in a neat, publishable format. And of course data needs stripping of anything compromising to the criminal sources. The marketers and monetisers can then decide which data are the most valuable and how best to sell it, while constructing realistic ways of cashing out, a process that can take months.
In practice, successful criminal groups have cracked some of the most difficult problems for traditional companies: understanding which data matters, how it is stored and transmitted across networks and, indeed, what their own networks look like. In the age where employees bring their own devices into the office, most large organisations struggle to map their own networks, even less the complex connections their supply chains have to the wider world.
Perhaps most impressively, criminals have approached the skills challenge in a modern way. They recruit based on aptitude, technical and criminal, and are happy for people to learn on the job and prove themselves. The roles are fluid — operators can stray across boundaries — and they are in constant dialogue with each other. In short, they look much more like successful tech disrupters than their victims.
I am not advocating a life of crime.
These groups do not worry about the law, still less the ethics of their work, and their employment practices are brutal. Criminal technology is parasitical. The good news is that, given the will, the non-criminal world has the technological edge to defend against them. Industry can win the arms race with these groups. But understanding their scale and sophistication is the way to start.
The writer is a former director of GCHQ, a UK government intelligence and security organisation.
Source: https://www.ft.com/content/63cf277c-662a-11e7-9a66-93fb352ba1fe