With a long history of working against cybercrime at the FBI, alongside other US and international agencies, Timothy Wallach has seen almost everything when it comes to global cybercrime. He spoke at this year's Trend Micro CLOUDSEC event in Sydney.
Wallach started by looking at where the threats are coming from. He says hacktivists, criminals, insiders, spies, terrorists and warfare actors such as nation-states are the main categories of threat actor the FBI tracks. Of those, about 45% of the threats the FBI looks at are related to criminal gangs, with nation-states garnering a similar level of FBI interest.
A major issue, says Wallach, is the ease with which threat actors can access the tools and support they need for an attack. With many of the tools now readily available, the barrier to entry into some form of cybercrime is very low. Wallach estimates there are more than 800 forums where hackers can peddle and buy malware.
These forums are invitation-only, operate across multiple languages, and feature at least 50 different roles and service specialisations.
Over 90% of hacks, says Wallach, come as a result of a successful spearphishing attack. Staff click a link or open an attachment, letting the attackers in. The malicious parties then carry out detailed reconnaissance to find vulnerabilities that they use to exfiltrate data, often through easily accessed cloud file-sharing services such as Google Drive or Dropbox.
Specific types of data, such as healthcare, financial and government data, are of particularly high value to data thieves. Interestingly, while the number of records stolen has fallen slightly recently, this isn't because of greatly improved security but rather, says Wallach, because higher-value data is being stolen, so criminals are getting higher payments for the data they take.
In addition, business email compromise and ransomware attacks are on the rise and far easier to monetise, says Wallach.
When it comes to ransomware, Wallach says the FBI does not recommend paying. While a consumer might see a $500 ransom as reasonable, the impact on a corporate target, where thousands of machines might be compromised, is much higher. Also, payment can "embolden attackers", he says.
Business email compromise remains a significant issue. Wallach suspects only half of the victims actually report their losses. While it's widely reported that this attack vector netted about US$2.3B up to 2015, Wallach says the figure is now closer to US$3B, with 70% growth in 2016.
Wallach told the audience about a recent FBI operation where the bureau wanted to infiltrate an exclusive, invitation-only meeting of hackers called Darkode. An online forum was established by the members.
Rather than taking the past approach of trying to take down hacker servers, the FBI became a service provider, delivering servers for the forum.
During the three-month operation in 2014, they collected 75TB of data as well as intercepting communications. They were able to indict 12 individuals, with extradition processes and prosecutions now in progress.
Another breach Wallach described involved the theft of payroll card data. Of the 45 million data records stolen, just 45 were used to launch an ATM banking attack that netted US$9.5M, highlighting the sophistication of the attack methods.
When it comes to what to do, Wallach says there needs to be a focus on user education. He says research reveals almost three-quarters of users still click on malicious links in emails.