Understanding the business models of cybercrime points to ways to defend against it.
I attended a webcast on anti-fraud organized by the RSA Conference in the lead-up to the conference itself. The webcast was split into two sections. The first was by Steve Winterfeld, advisory CISO at Akamai, titled “How We Can Keep up with Cyber-Criminals’ Evolving Business Models?” The second was by Michael Tiffany of White Ops and Chris Ott of Rothwell Figg, titled “Detecting, Disrupting, and Destroying Ad Fraud.” This post will focus on the first part, since that is more relevant in a corporate environment, and is where secure silicon is most likely to be involved.
Steve started off by pointing out the image on the right of his title slide, which is a security gate for an airport in Alaska. It’s not that easy to see, but the code is actually taped to the post beside the keypad. Of course, it may seem that it doesn’t matter much since it’s an obscure airport in what is probably our most obscure state (sorry, Alaskans…and yes, I have been there. In fact, I walked from Alaska into Canada). But from that airport, you can fly to any other airport in the US.
It may seem odd to talk about “business models” when you are talking about criminal enterprises, but that’s the way that Steve said we need to think about it. He gave a bit of history about how online retail has been under attack:
Each transition was to a new kind of data that could be converted into an income stream.
You need to think about what data you have that can be monetized, before the adversary has worked out how to build a business model around it.
One challenge is that we don’t have good definitions for everything: fraud vs. cybercrime (fraud involves deception); business model vs. attack method; account takeover (using an existing account) vs. identity theft (opening a new account); mules vs. online service centers. Mules are humans that some business models require: if you want to take cash out of an ATM, for example, you need a human to do that.
The motivations determine the business model, and the motivations are very different for hobbyists, hacktivists, criminals, non-state actors (terrorism), and nation states. Steve said that the rest of the presentation would focus on cyber-criminals.
So what are some business models for cyber-criminals?
Bots: AWS talked about a huge spike recently:
In Akamai we saw a huge increase…the largest, most complex we’ve seen, but we never understood their business model, it seemed more a proof-of-concept.
Credential stuffing: Taking compromised username/password pairs and trying a million of them against a retailer’s login. Maybe only 1-2% work, but 1-2% of a million is plenty.
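Credential stuffing leaves a distinctive trace that the business model itself creates: one source trying many different accounts, almost all of them failing. The following is an added example (not from the webcast or this post) of that check run over a constructed authentication log; the log format, the IP addresses and the thresholds are assumptions for illustration, and a real deployment would parse whatever the identity provider or WAF actually emits.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one login attempt per line:
# "<timestamp> <source_ip> <username> <OK|FAIL>"
_STUFFING_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                   "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SAMPLE_LOG = "\n".join(
    # one source walking through a leaked list; a single pair happens to work
    [f"2024-03-01T10:00:{i:02d}Z 203.0.113.7 {u} {'OK' if u == 'heidi' else 'FAIL'}"
     for i, u in enumerate(_STUFFING_USERS)]
    # an ordinary user mistyping a password twice before getting in
    + ["2024-03-01T10:01:00Z 198.51.100.5 carol FAIL",
       "2024-03-01T10:01:05Z 198.51.100.5 carol FAIL",
       "2024-03-01T10:01:09Z 198.51.100.5 carol OK",
       "2024-03-01T10:02:00Z 192.0.2.9 dave OK"]
)


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> dict:
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes += 1
    return stats


def flag_credential_stuffing(text: str, min_distinct_users: int = 10,
                             max_success_rate: float = 0.2) -> list:
    """Return source IPs that tried many different accounts with a low hit rate.

    The thresholds are assumptions: the talk cites 1-2% success in practice,
    so a generous ceiling still separates stuffing from a forgetful user,
    who retries one account and eventually succeeds.
    """
    stats = parse_log(text)
    return sorted(ip for ip, s in stats.items()
                  if len(s.users) >= min_distinct_users
                  and s.success_rate <= max_success_rate)


if __name__ == "__main__":
    for ip, s in parse_log(SAMPLE_LOG).items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} users, "
              f"{s.success_rate:.0%} success")
    print("flagged:", flag_credential_stuffing(SAMPLE_LOG))
```

Per-source counting is only one signal: a campaign spread across many proxies stays under any per-IP threshold, so the same counters are usually also kept per account (one username hit from many sources) and per password hash across accounts.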
Piracy: Streaming media sites, people stealing live events like sports or stealing pre-release movies. Then sell the content. They are so organized they even have customer complaint centers, the whole ecosystem.
Personal health information (PHI): Insurance information, false unemployment claims, etc.
Advertising and click fraud:
I want to sell a car. I pay $5 when an ad is clicked. A competitor pays someone to click 1000 times. I have spent my whole advertising budget. They can put their ad up for just $2 per click.
Ransomware: They lock up your data.
Extortion: They threaten to take away access to your data.
Combined approaches: They do a ransomware attack, but also steal the data. Then threaten to expose it publicly.
Javascript formjacking:
This wasn’t even on our radar before. For a lot of companies, it was not tightly controlled. There is a paradigm shift in the things that you have to cover and protect.
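The control that formjacking calls for is exactly the "tight control" the quote says was missing: pin each third-party script to a hash so a modified copy is refused by the browser, and use a Content-Security-Policy to limit where scripts load from and where forms may post. The following is an added example (not from the webcast or this post) that computes Subresource Integrity tokens and assembles such a policy; the script body, host names and tag are constructed for illustration.

```python
import base64
import hashlib

# Constructed stand-in for a reviewed third-party checkout helper.
APPROVED_SCRIPT = b"document.querySelector('#pay').addEventListener('submit', validate);\n"
# Any later modification, however small, changes the digest.
MODIFIED_SCRIPT = APPROVED_SCRIPT + b"// any change at all\n"


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the Subresource Integrity token, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """Build a <script> tag pinned to the approved body's hash."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_script(body: bytes, expected_integrity: str) -> bool:
    """Re-check a fetched script against its pinned token (the browser does
    this at load time; doing it in a build or monitoring job catches drift early)."""
    algorithm = expected_integrity.split("-", 1)[0]
    return sri_hash(body, algorithm) == expected_integrity


def csp_header(script_hosts, form_hosts) -> str:
    """Content-Security-Policy value: scripts only from listed hosts, forms
    only submit to listed hosts, and no background connections elsewhere."""
    return ("default-src 'self'; "
            f"script-src 'self' {' '.join(script_hosts)}; "
            f"form-action 'self' {' '.join(form_hosts)}; "
            "connect-src 'self'")


if __name__ == "__main__":
    token = sri_hash(APPROVED_SCRIPT)
    print(script_tag("https://cdn.example/checkout.js", APPROVED_SCRIPT))
    print("approved matches:", verify_script(APPROVED_SCRIPT, token))
    print("modified matches:", verify_script(MODIFIED_SCRIPT, token))
    print("Content-Security-Policy:",
          csp_header(["https://cdn.example"], ["https://pay.example"]))
```

The caveat is that SRI only works for scripts whose content you control the version of; a vendor script that changes on every release needs the hash regenerated at each approved update, and a compromise of the first-party page itself can rewrite the tag. The CSP directives cover that second case only partly, which is why both controls belong together with monitoring of the page's script inventory.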
What’s coming?
The little flow above shows an example of a process cyber-criminals might use (C2 is command and control: once malware has been successfully placed on a target, the attacker communicates with it and exfiltrates data). Defenders need to map controls to each stage of that kill chain, so that defense in depth gives multiple opportunities to stop them.
Think about their business model and where there are opportunities to disrupt that business model.
The costs of an attack are not all just stolen money:
Steve finished with some practical advice:
One challenge with ad fraud is that it is often hard to detect. The “best” way to commit it, from the fraudster’s point of view, is to run a background process on a real person’s computer: that computer already has a history of successful logins, cookies, and so forth. It makes ad fraud surprisingly scalable. Sometimes fraud is only suspected: you spend money but get no sales, so there is a suspicion of fraud but nothing strong enough to bring a lawsuit.
The obvious victim is the person buying the ads. But everyone is in price competition with everyone who is faking it. And it is not just ads, there are bots listening to music or watching videos. It has a dilutive effect on the whole market where fakes are being sold.
Ad fraud can scale into billions of dollars, so it has attracted tier-one adversaries. People are rationally motivated to spend an extraordinary amount of time working out the details of the ad industry’s fraud controls.
It’s not like robbing an account you’ve taken over. When it succeeds, no one notices that a fraud has occurred and you can legitimately collect checks.
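The car-ad scenario in Steve’s quote above and the “you spend money but get no sales” suspicion both come down to the same advertiser-side check: clicks on one ad from one source arriving far faster than a person would produce them, and the spend those clicks consumed. The following is an added example (not from the webcast or this post) of that check over a constructed click log; the format, addresses, window and threshold are assumptions, and the $5 price per click is the figure from the quote.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed click log, one line per billed click: "<timestamp> <source_ip> <ad_id>"
SAMPLE_CLICKS = "\n".join(
    # one source clicking the same ad every five seconds for five minutes
    [f"2024-03-01T12:{i // 60:02d}:{i % 60:02d}Z 203.0.113.42 ad-car-1"
     for i in range(0, 300, 5)]
    # two plausible shoppers
    + ["2024-03-01T12:00:30Z 198.51.100.8 ad-car-1",
       "2024-03-01T12:20:00Z 198.51.100.8 ad-car-1",
       "2024-03-01T12:03:00Z 192.0.2.17 ad-car-1"]
)
PRICE_PER_CLICK = 5.0  # from the quoted scenario


def parse_clicks(text: str) -> list:
    """Parse the log into (timestamp, source_ip, ad_id) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ad = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, ad))
    events.sort()
    return events


def flag_click_bursts(text: str, max_clicks: int = 10,
                      window: timedelta = timedelta(minutes=10)) -> list:
    """Return (source_ip, ad_id) pairs that exceed max_clicks in any sliding window.

    A deque per pair holds the timestamps still inside the window, so the
    check is linear in the number of clicks. Thresholds are assumptions.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, ad in parse_clicks(text):
        q = recent[(ip, ad)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_clicks:
            flagged.add((ip, ad))
    return sorted(flagged)


def spend_at_risk(text: str, price_per_click: float) -> float:
    """Money billed for clicks that came from flagged (source, ad) pairs."""
    flagged = set(flag_click_bursts(text))
    return sum(price_per_click for _ts, ip, ad in parse_clicks(text)
               if (ip, ad) in flagged)


if __name__ == "__main__":
    print("bursty pairs:", flag_click_bursts(SAMPLE_CLICKS))
    print(f"spend at risk: ${spend_at_risk(SAMPLE_CLICKS, PRICE_PER_CLICK):.2f}")
```

This catches the crude version of the scenario. The hard version the post describes, a background process on many real users’ machines, spreads clicks thinly across sources that each look normal, so per-source velocity has to be combined with downstream signals such as the absence of any conversion behind the clicks, and with network-level corroboration from the ad platform itself.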
I’ll wrap up with the last summary slide: