Cyber criminals operate in networks – those fighting this threat need to do the same
A couple of years ago, the US Department of Justice and Europol released court documents showing how a cyber criminal organisation worked.
The documents showed how the criminals built an international online network, developing malware to steal bank details in one country, launching phishing attacks from another, and passing the stolen money through several more.
In total this group, Goznym, stole more than $100m from 40,000 different businesses – having hatched their plan, developed their attack strategy and organised themselves on the dark web.
There are two key learnings – amongst many others – that can be taken from this rare spotlight on cyber criminal networks.
Firstly, this was an attack on businesses of all sizes and across all sectors – the threat actors in this case were targeting anyone and everyone they thought might be susceptible to phishing. The documents detailed how the victims included an asphalt and paving business in PA; a law firm in Washington DC; a church in TX; a neurological equipment distribution firm in FL; a furniture business in CA and a stud farm in KY – amongst many, many others.
The second key learning was not only how this criminal gang was able to form, iterate and act as a deeply integrated community – and share huge amounts of knowledge and strategy – but also how it took the same level of connectivity between police and enforcement teams to catch the crooks. This article, on the WEF site, outlines the value of the cyber criminal network in greater detail: https://www.weforum.org/agenda/2019/10/cyber-crime-and-security-business/
To beat a network you need a better network.
The following statement is from one of those leading the prosecution of Goznym:
“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge, Robert Jones. “Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively.”
This necessity of communication, of forging your own counter-network to tackle cyber criminality, is an issue that is much wider than just the requirements of the law enforcement agencies. Once it has got to the point of police, FBI and court involvement, it’s already too late because there will be victims out there.
Instead, it is an area where those working to protect organisations from cyber criminality – like MSPs, technology vendors and of course insurance specialists like DataStream – can and must get ahead of the game. To do that, it has to start with the wider sharing of data – data which can help all those on the non-criminal side of the fence to get ahead of those seeking to do damage. This currently isn’t happening enough.
The introduction of the Cybersecurity Information Sharing Act (CISA) is a solid start, though there is still much to be worked out, as this article explains: https://techbeacon.com/security/cisa-good-start-challenges-remain-security-information-sharing.
But it also starts with a change in dynamics around how cybersecurity insurance providers work.
DataStream CEO Andy Anderson says: “To effectively mitigate the risk of cyber attack, businesses need three core tools to be working seamlessly together: Technology – the products that work to stop threats; Compliance – ensuring your business operates in accordance with the guidelines or regulations governing it and uses best practice for cyber security (like changing passwords, monitoring BYODs etc); and Cyber Insurance – the backup that keeps your business operational when the inevitable happens.”
Currently, insurance is very much the outlier – to reference the above statement, cyber insurance is the ‘seam’. Legacy insurers – those who until recently offered other insurance products but not cyber insurance – are typically not part of the cybersecurity industry, so they don’t work as truly integrated partners in the sector – and that’s a problem.
We have seen in other sectors of insurance that when insurers are part of the ecosystem, they can play a pivotal role in advancing safety.
For example, in the US car industry, the Insurance Institute for Highway Safety was founded by three insurance firms in 1959 to promote better safety in motoring. The institute started by scientifically evaluating which factors – human behaviour, car design and environmental factors – were the biggest causes of both crashes and human loss, and sharing its findings with manufacturers and other insurers. It has been widely credited with having significantly reduced both crash and death rates, and has expanded to incorporate elements of testing too. In other words, it got ahead of the curve and created a virtuous circle whereby the safer a car, and the better the driver, the less the insurance costs.
The IIHS also initiated the Highway Loss Data Institute in 1972. The HLDI analyzes losses under six insurance coverages — collision, property damage liability, personal injury protection, medical payment, bodily injury liability and comprehensive (including theft). HLDI collects data from companies representing over 85 percent of the U.S. market for private passenger vehicle insurance. That information helps car buyers make more informed choices about which cars to buy so they are as well protected as possible – and its database is the largest repository of such information in the world.
In much the same way, DataStream – which also uniquely has access to the largest repository of cyber insurance claims – believes that the same level of cooperation and data-sharing is needed amongst those working in the cyber security space, if we are to claw back the advantage against threat actors and reduce the cost of data breach and other incidents.
One key to delivering effective cyber insurance is forging deeper partnerships between the technology vendors and support teams (MSPs) – that are at the heart of installing, maintaining and upgrading the core technologies businesses use to protect themselves – and the insurers who analyse and measure risk both at the individual business level and at a macro level across the entire sector.
These partnerships allow all parties to analyse, mitigate and influence cyber risk more effectively, enabling more data to be gathered and assessed, and subsequently acted on, with approaches adjusted accordingly. Put simply, by working together we can better understand the threat landscape and increase resilience.
It is exactly this shift in approach that DataStream is working to bring about. By working with the MSP community to offer insurance to their customers, we forge that connectivity from the start. We not only offer the insurance products that help with business continuity when the worst happens, but we get upstream of the problem too – helping mitigate risk and facilitating the sharing of information, data and insight which helps others stay protected too.
This is never going to stop some attacks being successful – sadly there are too many threat actors out there already connected with others and sharing ideas and tactics. But by building the counter-network out as wide as we can, and working with other similar networks too, we stand a good chance of stopping some attacks.
And that, really, is the basis of insurance in the first place – sharing risk with others so that collectively we can face the dangers together.
The power of a network can be both positive and negative – as this article begins to show. It’s a theme we at DataStream will be returning to over the coming months, as we examine how collectivity drives progress across the cybersecurity ecosystem in areas including, for example, data science.