There’s definitely a feeling in InfoSec that the attackers are outpacing us. They’ve got all the creds, the vulns, and the shells, not to mention the possibility of huge monetary incentives. We, on the other hand, have a four-year project just to replace the servers on end-of-life operating systems. However, when contemplating this unfair advantage it’s sometimes easy for us to overlook the bigger picture. While it is true that attacks typically happen quickly (hours or less) when they are well aimed, and it is also true that when our organizations are successfully breached it often takes us months or more to learn of it, there is still room for optimism. In the paths section, we examined the route that attackers take to get from point A to point B. In this section, we take a look at those events that take place prior to the attack, and those required after the attack has ended in order for the attacker to realize their profit.
"Give me a place to stand and a lever long enough and I will move the world."
Like all good stories, attackers need somewhere to begin, and whether this starting point is with a list of vulnerable servers, phished emails, or stolen credentials, if the proverbial lever is long enough they will breach your perimeter. Therefore, it is wise to do all that you can to reduce the number of starting points that they are provided. After all, vulns can usually be patched and creds can be better protected with multi-factor authentication. Having said that, we do realize that even the best security departments can only do so much. Sixty-two percent of breaches not involving an Error, Misuse, or Physical action (in other words, wounds that weren’t self-inflicted) involved the use of stolen creds, brute force, or phishing. And all that malware doesn’t write itself. Admittedly, there’s not a lot you can do about the development, preparation, targeting, distribution, and other shenanigans that take place on the part of the bad guy before the breach.13 However, what goes down after the breach is another story altogether.
Just ask the axis
Let’s look at what’s being stolen. In Figure 37, we illustrate the analysis of the amount lost to attackers in two types of breaches: business email compromises and computer data breaches. This loss impact data comes courtesy of the Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3), who have offered some helpful hints in the breakout at the end of this section. When looking at the visualized distribution, the first thing to notice is the spike at zero. Not all incidents and breaches result in a loss. The second piece of good news is that the median loss for a business email compromise is approximately the same as the average cost of a used car. The bad news is that the dollar axis isn’t linear. There are about as many breaches resulting in the loss of between zero and the median as there are between the median and $100 million. We are no longer talking about used-car money at this point, unless you happen to be Jay Leno.
- 2019 DBIR
- DBIR: A couple of tidbits
- DBIR: Summary of findings
- Results and analysis
- Unbroken Chains
- Incident Classification Patterns and Subsets
- Data breaches: extended version
- Victim demographics and industry analysis
- Accommodation and Food Services
- Educational Services
- Financial and Insurance
- Professional, Technical and Scientific Services
- Public Administration
- Wrap up
- Appendices (PDF)
As mentioned above, there’s a great deal that has to occur even after the breach takes place to make it worth the criminal’s while. For example, business email compromises normally involve the fraudulent transfer of funds into an attacker-owned bank account. On this front, we have more glad tidings to impart. When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered. Let that sink in. BECs do not pay out as well as it initially appears, and just because the attacker won the first round doesn’t mean you shouldn’t keep fighting.
On the other hand, BECs are still advantageous for the criminal element because they provide a quick way to cash out. Many other types of data breaches require a little more work on the adversaries’ part to convert stolen data into accessible wealth. A common solution is to sell what you stole, whether PII, email addresses, creds, credit card numbers, or access to resources you have compromised. Figure 38 provides information about the numerous things for sale in the darker corners of the internet (which surprisingly enough, resemble a 1990s video game message board). In the center we see a large blue cluster. This is comprised primarily of credit card related posts—the buying and selling of credit cards, to make money, to take money, and to cash-out gains. It also includes smaller nodes related to the attacks involved in actually stealing the cards. There’s an even smaller cluster in the upper right which is related to credential theft. These may grant access to more lucrative things such as bank accounts, but many times are for consumer services including video games, streaming video, etc., that attackers use directly.
The alternative to posting this data for sale on the dark web is using the data to steal identities and committing direct fraud themselves. Herein lies the appeal of stealing tax and health related information. Filing fraudulent tax returns or insurance claims is a relatively straightforward way to put cash in one’s pocket. The problem is that tax returns and insurance claims don’t pay out in unmarked bills or wire transfers to South America. This requires another step in the post-breach to-do list: money laundering.
Normally, money laundering is an expensive and risky task. If, for example, the money has to go through three separate sets of hands on its way to its final destination, each person needs to take their respective cut. If the third person in the succession says they did not receive it, but the first person insists they sent it, who does the actor believe? "There is no honor among thieves," etc.
This is in large part why attackers often favor cryptocurrency, as is it can be laundered and transferred for relatively low cost and presents negligible risk. However, a distinct drawback is that this type of currency is a bit limited with regard to what one can purchase with it. Thus, at some point it has to be exchanged. For these and other reasons, research into increasing both the risk and cost associated with cryptocurrency laundering and/or exchange for illicit purposes has a good deal of potential as a means of increasing breach overhead and thereby decreasing the relative profit associated with such crimes.
About the IC3
The Federal Bureau of Investigation Internet Crime Complaint Center (IC3) provides the public with a trustworthy and convenient reporting mechanism to submit information concerning suspected internet-facilitated criminal activity.
The IC3 defines the Business Email Compromise (BEC) as a sophisticated scam targeting both businesses and individuals performing wire transfer payments.
The Recovery Asset Team (RAT) is an IC3 initiative to assist in the identification and freezing of fraudulent funds related to BEC incidents.
Regardless of dollar loss, victims are encouraged and often directed by law enforcement to file a complaint online at www.ic3.gov. The IC3 RAT may be able to assist in the recovery efforts.
13 Save some large organizations that have gone after dark markets or bullet-proof hosting