By Alan Zeichick
Law enforcement officials play a vital role tracking down and neutralizing cyber criminals. Theirs is a complex, often thankless, mission. Here are some insights shared by two current, and one former, high-level officials from U.S. law enforcement, who spoke at the NetEvents Global Press & Analyst Summit, in San Jose, Calif., in late September.
Based in San Francisco, M.K. Palmore is a senior manager for the Federal Bureau of Investigation’s Cyber Branch. As an FBI Security Risk Management Executive, Palmore leads teams that help identify threat actors, define attribution and carry out arrests.
Palmore says financially-motivated threat actors account for much of the current level of malicious cyber activity. Nation-state sponsored hackers, ideologically-motivated hacktivists, and insider intruders also are causing significant damage and disruption.

“We’re talking about a global landscape, and the barrier to entry for most financially-motivated cyber-threat actors is extremely low,” Palmore says. “In terms of who is on the other end of the keyboard, we’re typically talking about mostly male threat actors, between the ages of, say, 14 and 32 years
Dr. Ronald Layton is Deputy Assistant Director of the U.S. Secret Service. Layton observes that the technological sophistication and capabilities of threat actors have increased. “The toolsets that you see today that are widely available would have been highly classified 20 years ago,” Layton says. “Sophistication has gone up exponentially.”
The rapid escalation of ransomware is a telling marker, Layton says; ransomware rose from the 22nd most popular crime-ware application in 2014, to number five in 2017.
Says Layton: “In 2014, the bad guys would say, ‘I’m going to encrypt your file unless you pay me X amount of dollars in Bitcoin.’ End-users got smarter, and just said, ‘Well, I’m going to back my systems up.’ Now ransomware concentrates on partial or full hard-disk encryption, so backup doesn’t help as much. Sophistication by the threat actors has gone up, and the ability to more quickly adjust, on both sides, quite frankly, has gone up.”
Beyond cyber extortion, cyber criminals have steadily advanced supply chains and cooperative partnerships, organizing and executing cyber attacks of all types.

Ten years ago, crime groups tended to work in isolation, Layton says. Today “they all know each other,” he says. “They are collaborative and they all use Russian as a communications modality to talk to one another in an encrypted fashion. That’s what’s different, and that represents a challenge for all of us.”
With cyber attacks steadily intensifying, organizations of all sizes and in all business sectors generally must do a much better job embracing best policies and practices.
Michael Levin is a former Deputy Director of the U.S. Department of Homeland Security’s National Cyber-Security Division. He retired from the government a few years ago, and is founder and CEO of the Center for Information Security Awareness.
“I found a giant hole in the way that private sector businesses are handling their security,” observes Levin. “They forgot one very important thing. They forgot to train their people what to do. I work with organizations to try to educate people — we’re not doing a very good job of protecting ourselves.”
While the law enforcement community cares about attributing hacks to specific parties that they can apprehend, companies logically care more about the cost of network disruptions and data theft. “For most people, they don’t care if it’s a nation state. They just want to stop the bleeding,” Levin observes.
Doing a much better job on human factors would go a long way, he says. “If we look at the Equifax hack, which is so relevant in the news right now, it was a simple error that was made by not providing the right general basic security practices on a server. This was a problem 20 years ago, and it’s still a problem today.”

Technological solutions are only one part of the answer. “How do we get organizations to do the right patching and the right updates, and get them to not be lazy when it comes to general security practices?” Levin continues. “Every citizen, every country, every organization, needs to start figuring out a way to educate the population on how to protect themselves.”
Says Palmore: “We always find that there’s some gap in the coverage of the security of that particular network that boils down to a fundamental issue of security protection.” He adds that it is essential to “get buy-in from leadership that cybersecurity is an important issue, an enterprise risk-management issue, and that you need to appoint folks, and then empower them to actually get the job done as it relates to increasing your security posture.”
Layton agreed that more training is needed. “We pay a lot of attention to what the bad guys will use to further their own illicit gain. They’re very good at understanding human factors, and what folks will click on. We are starting to see an emerging field of people who come from the addiction community, who are starting to look at the relationships that we have with our phones and devices, as some kind of unusual behavior and attachment that mimics certain kinds of addictions.”
“What ends up happening is, you are clicking on everything. That’s why the technique of spearphishing is, in fact, so popular, and so efficacious, because you’re curious. You want to see what is, in fact, behind that next click,” Layton explained. “Of course, when you look at the analysis, and the pathology, of how malware gets on a system, you’re going to find that a major percentage comes from clicking on an email attachment. One of the counters to this is cyber hygiene training. If I’m a company, and I’ve got $10 to spend, 10 of those dollars are going to go to education.”
About the writer: Alan Zeichick is Tech Editor, NetEvents. His Twitter handle is @zeichick.