Does cyber insurance make sense?

Insurance relies on pooled risk; when a business is exposed to a risk it feels is not manageable with internal controls, the risk can be deferred to the capital markets through an insurance contract. For events that are unlikely to hit a very large number of insurance customers at once, this model makes sense. The pooled risk allows the insurer to create capital gains on the premiums paid by the customers, and the customers get their financial losses covered in case of a claim situation. This works very well for many cases, but insurers will naturally try to limit their liabilities, through “omissions clauses”; things that are not covered by the insurance policy. The omissions will typically include catastrophic systemic events that the insurance pool would not have the means to cover because a large number of customers would be hit simultaneously. It will also include conditions with the individual customer causing the insurance coverage to be voided – often referred to as pre-existing conditions. A typical example of the former is damages due to acts of war, or natural disasters. For these events, the insured would have to buy extra coverage, if at all offered. An example of the latter omission type, the pre-existing condition, would be diseases the insured would have before entering into a health insurance contract.

20150424_155646090_iOS

Risk pooling works well for protecting the solvency of insurers when issuing policies covering rare independent events with high individual impact – but is harder to design for covering events where there is systemic risk involved. Should insurers cover the effects of large-scale virus infections like WannaCry over normal cyber-insurance policies? Can they? What would the financial aggregate cost of a coordinated cyber-attack be on a society when major functions collapse – such as the Petya case in the Ukraine? Can insurers cover the cost of such events?

How does this translate into cyber insurance? There are several interesting aspects to think about, in both omissions categories. Let us start with the systemic risk – what happens to the insurance pool if all customers issue claims simultaneously? Each claim typically exceed the premiums paid by any one single customer. Therefore, a cyberattack that spreads to large portions of the internet are hard to insure while keeping the insurer’s risk under control. Take for example the WannaCry ransomware attack in May; within a day more than 200.000 computers in 150 countries were infected. The Petya attack following in June caused similar reactions but the number of infected computers is estimated to be much lower. As the WannaCry still looks like a poorly implemented cybercrime campaign intended to make money for the attacker, the Petya ransomware seems to have been a targeted cyberweapon used against  the Ukraine; the rest was collateral damage, most likely. But for Ukrainian companies, the government and computer users this was a major attack: it took down systems belonging to critical infrastructure providers, it halted airport operations, it affected the government, it took hold of payment terminals in stores; the attack was a major threat to the entire society. What could a local insurer have done if it had covered most of those entities against any and all cyberattacks? It would most likely not have been able to pay out, and would have gone bankrupt.

A case that came up in security forums after the WannaCry attack was “pre-existing condition” in cyber insurance. Many policies had included “human error” in the omissions clauses; basically, saying that you are not covered if you are breached through a phishing e-mail.  Some policies also include an “unpatched system” as an omission clause; if you have not patched, you are not covered. Not all policies are like that, and underwriters will typically gauge a firm’s cyber security maturity before entering into an insurance contract covering conditions that are heavily influenced by security culture. These are risks that are hard to include in quantitative risk calculations; the data are simply not there.

Insurance is definitely a reasonable control for mature companies, but there is little value in paying premiums if the business doesn’t satisfy the omissions clauses. For small businesses it will pay off to focus on the fundamentals first, and then to expand with a reasonable insurance policy.

For insurance companies it is important to find reasonable risk pooling measures to better cover large-scale infections like WannaCry. Because this is a serious threat to many businesses, not having meaningful insurance products in place will hamper economic growth overall. It is also important for insurers to get a grasp on individual omissions clauses – because in cyber risk management the thinking around “pre-existing condition” is flawed – security practice and culture is a dynamic and evolving thing, which means that the coverage omissions should be based on current states rather than a survey conducted prior to policy renewal.

 

How to prepare for and survive a computer virus epidemic

Today another panic wave struck in the afternoon, central European time. I was on the bus on my way home, and scanning my Twitter feed, I find this tweet from my favorite Finnish security nerd:

What followed pretty much resembled the WannaCry media panic messages: things will be encrypted, there is nowhere to hide and society is going to crash hard… Of course, if somebody encrypts your files, and this spreads throughout your network, it is pretty close to an ocean of pain. At least if you are unprepared. So, instead of an analysis of the Petya virus, or some derivative of it, let’s get down to what we can do to prepare and survive a ransomware attack. Because it really isn’t that hard. Really.

Baseline Security

A security baseline means the security controls you apply irrespective of risk level. The things that everybody should do, and that will actually stop almost every cyberattack. Yes, almost every attack, say like 90% of them. And it doesn’t even require you to buy a lot of expensive consulting services or other snakeoil to fix it. Here we go, this should be the minimum baseline for everyone:

  1. Patch your software as fast as you can whenever a new security patch comes out. Operating systems normally do this automatically if you do not configure your system otherwise. Sometimes organizations need to check compatibility for critical systems, and such, but the main rule is: patch everything as fast as you can.
  2. Do not allow users to perform regular work using an account with administrator rights. Most users don’t even need admin rights at all, but if they do, give them two accounts. Perform work using a standard account with limited privileges.
  3. Run a firewall that is configured to block all incoming traffic (unless you need it).
  4. If you run an organization: use application whitelisting. Do not allow execution of unauthorized code, or at least code running from unauthorized locations (like USB media or downloaded email attatchments).
  5. Backup everything. See below for details. This doesn’t stop any attacks but it saves the day when you are under siege. It is like a secret superweapon that more or less guarantees criminals won’t get their payday.

None of these will require you to buy any new software, or new services. So just do it – it will reduce the chance of having a very bad day by 90%.

Awareness Training

Most cyber-attacks spread through some form of social engineering, and in most cases this is an email with a malicious link or attachment. Train your people to spot the danger, and get it into your organization’s culture that file sharing is not done via email attachments. Provide them with real collaboration tools instead. This would further reduce the chance of a very bad day by another 90%.

If you want to be sure, you can scrub attachments and disable links in emails – but people may feel that is a little extreme and start using private email accounts instead, which is completely outside of the organization’s control, so only do this if you really have a compliance culture in place. Most organizations don’t.

Backups and restore testing

Ok, so you can reduce the likelihood of getting hit, but that only goes that far. Sooner or later, you will reach a day when you end up having to recover systems and remove a virus infection. Ransomware is icky because they encrypt and make your files useless, so in most of these cases your AV program cannot save you. So how can you avoid paying criminals and help fund money laundering, human trafficking, terrorism and drugs trade? Here’s how.

Backup your data, with reasonable frequency and retention. And verify the backups. If you run a backup of your files every few hours, and you do an offline/offsite every night, and you keep the rolling backup (online) for 30 days, and the offline backups for 180 days, it will be very hard to put you in a hard spot. If you generate important data very fast, increase the backup frequency.

Make sure you also verify backup integrity. An easy way to make sure you are safe is to do binary image disk backups as offline backup, and to do a hash of the image that is stored separately in a different offline secure location. This way you can make sure your offline backups really stay the way they were when you copied them by checking the hash. Do the same for the rolling backup – this way you can check if the cryptovirus has changed something on your backup.

Many companies back up their data but they never test if they are able to restore their data. So to be sure that everything works the day the shit hits the fan, do regular restore testing. Try to restore your system from scratch using various backups to make sure everything works as it should. If it doesn’t, review your backup practice and find you what you need to change to make it work.

Response: security monitoring, escalation and crisis intervention teams

In addition to these technical things you need a response team. The team should be ready to respond in  a well-prepared and structured way. Typically, you would go through a series of steps:

  1. Identify the threat and classify it as incident or not.
  2. Contain the problem. Make sure it does not spread (disconnect from network if feasible)
  3. Collect evidence. Create multiple binary images of the infected system, and store hashes of them. Some you will use for forensic analysis, some are collected as evidence and are not to be touched.
  4. Eradicate the attacker form your system. Normally this means to format everything and to restore from a safe backup.
  5. Test your restored system. Any signs of reinfection or problems? If not, bring it online step by step. One server or computer at the time. Monitor closely for strange behavior.
  6. Lessons learned: what did you do well, what should you have done differently? Collect experiences and share with your peers. This is the way we learn. This is what we should be better at than the bad guys. I’m not entirely sure we are better than them at shared learning, though.

Would it have helped in the cases of the Petya mutant and WannaCry?

You bet! First of all, WannaCry only worked on computers that were either beyond end-of-life versions of Windows, or unpatched versions of newer operating systems. Patching would have kept everyone safe.

What about Petya? The attack is still ongoing. It spreads using the Eternalblue exploit (that the NSA wrote and lost), which Microsoft issued a patch for in March: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. In other words, if people had followed good baseline security practice, they wouldn’t have a problem now, most likely (you can never really be sure if there is another zeroday, but probably not).

So, who’s been affected? Just small and unknown companies? Nope. Here are a few examples:

  • Rosneft (a Russian oil giant)
  • Ukraine: Government, power companies, airports, supermarkets, and also the Chernobyl nuclear power plant. That one, yes.
  • Maersk: one of the largest shipping companies in the world

To remember what to do: please keep this miniposter handy.

sleepwell

Here’s a picture telling you how to prepare for and survive almost any type of cyberattack. First you make it difficult for the bad guys by keeping your systems patched, not giving regular users admin rights, denying execution of applications that are not approved, and giving people the training the need to spot and avoid social engineering attacks. Then you start reducing the impact for the day when the inevitable happens: segregate your networks and control traffic in and out of each subnet/vlan using firewalls (with logging). Take backups – rolling and offsite/offline. Use strict firewall rules. and test that you can actually restore when you need to. Then you can sleep well, reasonably sure that you will not have to dance to the hacker’s tune. 

 

 

What is your “vital object” when planning security measures?

Physical object security and cybersecurity defense have many similarities, such as:

  • Defense in depth
  • Intelligent adversaries
  • The need for awareness
  • Structure of response activities
lockouthorse

Every asset is not created equal: make sure you prioritize your assets in order to get the most out of your security budget. 

There is one thing, however, that is taught to everyone responsible for providing physical security: you main focus is to protect the “vital objects”. These things can be a power substation, decision makers (like a prime minister), it can be a munitions storage or about anything you can imagine. But if a military unit, or private security guards, or the police, is told to secure this object – they will know exactly what the “vital object” is.

Jump to the world of cybersecurity in businesses. Here the main focus is on “vulnerabilities”. Obviously, that is a key part of the security equation – without vulnerabilities to exploit (human or technical), there is no way to access the target assets. The problem is, when people start with the “hunt for vulnerabilities”, they tend to forget what their vital object is. In fact, in many cases there has been no criticality analysis at all. This is why the step “risk and vulnerability assessment” must be taken seriously. So here’s a suggested approach to narrow down the scope for the teams responsible for providing security:

  • List all your assets and perform a critciality assessment. What will be the consequence to the overall goal of the owner organization, its partners and customers, if you should experience the following:
    • Confidentiality breach: adversaries get access to the asset’s core information
    • Integrity breach: adversaries can manipulate the asset’s core information
    • Availability breach: adversaries can deny legitimate users access to the asset
  • Perform a risk assessment based on known adversaries and available intelligence. Determine if it is likely or unlikely that the asset can be breached.
  • Narrow down your asset list to “assets” and “vital assets”.

Now, you have your priorities set. It is time to plan your security strategy. You should apply baseline security measures to all assets. The minimum baseline would be:

  • Network segregation: at least keep vital and non-vital assets on separate network segments with firewalls between them
  • Anti-malware
  • Keep things patched and up-to-date
  • Harden both software and hardware as appropriate for “normal assets”
  • Apply monitoring as suited. Created red flags for suspicious activity (e.g. form an intrusion detection system).
  • Ensure your automated backup system is working and that you are able to restore when needed
  • Teach people what they need to know to reduce the likelihood of breaches, and what to do when one is suspected (usually call support).

For your non-vital objects this would typically be enough. For vital objects (a database containing credit card information for example) you need to base your defense on the risk exposure and your available resources.

  • Limit access as much as possible
  • Monitor and log more aggressively, and be prepared to refine the mesh on higher threat levels
  • Design sufficient capacity for fail-overs if possible
  • Apply stricter hardening policies
  • Apply backups as suited for this asset.
  • Be ready to act fast (train for it, and have sufficient resources available)

The last point cannot be stressed enough. In physical security you would typically have a team in place to provide deterrence and monitoring, and a quick reaction force to act fast when necessary. In many IT organizations the sysadmin on duty will be expected to fill both these roles with little training or backing to do so. That does not work.

  • Assign roles and responsibilities for responders
  • Pay them enough to make the extra vigilance feel worth it
  • Give them the resources needed to train, and focus 1/3 on baseline defense breaches and 2/3 on vital object breaches

Cyberinsurance cannot play the role of a great and well-prepared response team. If your vital data is breached it may easily be the IT equivalent of a nuke to your head office – your customers will lose trust in you – especially if you fail to respond fast and in a structured way to limit the damage as much as you can.

Don’t apply the same defense strategy to everything. Establish a baseline, and then focus on your vital assets.

Handling suppliers with low security awareness

Supply chain risk – in cyberspace

Cyber supply chain risk is a difficult area to manage. According to NIST 80% of all breaches originate in the supply chain, meaning it should be a definite priority of any security conscious organization to try and manage that risk. That number was given in a presentation by Jon Boyens at the 2016 RSA conference. A lot of big companies have been breached due to suppliers with poor information security practices, for example Target and Home Depot.

supplychainexpansion

Your real attack surface includes the people you do business with – and those that they do business with again. And this is not all within your span of control!

Most companies do not have any form of cybersecurity screening of their suppliers. Considering the facts above, this seems like a very bad idea. Why is this so?

A lot of people think cybersecurity is difficult. The threat landscape itself is difficult to assess unless you have the tools and knowledge to do so. Most companies don’t have that sort of competence in-house, and they are often unaware that they are lacking know-how in a critical risk governance area.

Why are suppliers important when it comes to cybersecurity? The most important factor is that you trust your suppliers, and you may already have shared authentication secrets with them. Consider the following scenarios;

  1. Your HVAC service provider has VPN access to you network in order to troubleshoot the HVAC system in your office. What if hackers gain control over your HVAC vendor’s computer? Then they also have access to your network.
  2. A supplier that you frequently communicate with has been hacked. You receive an email from one of your contacts in this firm, asking if you can verify your customer information by logging into their web based self-service solution. What is the chance you would do that, provided the web page looks professional? You would at least click the link.
  3. You are discussing a contract proposal with a supplier. After emailing back and forth about the details for a couple of weeks he sends you a download link to proposed contract documents from his legal department. Do you click?

All of these are real use cases. All of them were successful for the cybercriminals wanting access to a bigger corporation’s network. The technical set-up was not exploited; in the HVAC case the login credentials of the supplier was stolen and abused (this was the Target attack resulting in leak of 70 million customer credit cards). In the other two cases an existing trust relationship was used to increase the credibility of a spear-phishing attack.

To counter social engineering, most companies offer “cybersecurity awareness training”. That can be helpful, and it can reduce how easy it is to trick employees into performing dangerous actions. When the criminals leverage an existing trust relationship, this kind of training is unlikely to have any effect. Further, your awareness training is probably only including your own organization. Through established buyer-supplier relationships the initial attack surface is not only your own organization; it is expanded to include all the organizations you do business with. And their attack surface again, includes of the people they do business with. This quickly expands to a very large network. You can obviously not manage the whole network – but what you can do is to evaluate the risk of using a particular supplier, and use that to determine which security controls to apply to the relationship with that supplier.

Screening the contextual risk of supplier organizations

What then determines the supplier risk level? Obviously internal affairs within the supplier’s organization is important but at least in the early screening of potential suppliers this information is not available. The supplier may also be reluctant to reveal too much information about his or her company. This means you can only evaluate the external context of the supplier. As it turns out, there are several indicators you can use to gauge the likelihood of a supplier breach. Main factors include:

  • Main locations of the supplier’s operations, including corporate functions
  • The size of the company
  • The sector the company operates in

In addition to these factors, which can help determine how likely the organization is to be breached, you should consider what kind of information about your company the supplier would possess. Obviously, somebody with VPN login credentials to your network would be of more concern than a restaurant where you order overtime food for you employees. Of special concern should be suppliers or partners with access to critical business secrets, with login credentials, or with access to critical application programming interfaces.

Going back to the external context of the supplier; why is the location of the supplier’s operations important? It turns out that the amount of malware campaigns a company is exposed to is strongly correlated with the political risk in the countries where the firm operates. Firms operating in countries with a high crime rate, significant corruption and dubious attitudes to democracy and freedom of speech, also tend to be attacked more from the outside. They are also more likely to have unlicensed software, e.g. pirated versions of Windows – leaving them more vulnerable to those attacks.

The size of the company is also an interesting indicator. Smaller companies, i.e. less than 250 employees, have a lower fraction of their incoming communication being malicious. At the same time, the defense of these companies is often weak; many of them lack processes for managing information security, and a lot of companies in this group do not have internal cybersecurity expertise.

The medium sized companies (250-500 employees) receive more malicious communications. These companies often lack formal cybersecurity programs too, and competence may also be missing here, especially on the process side of the equation. For example, few companies in this category have established an information security management system.

Larger companies still receive large amounts of malicious communications but they tend to have better defense systems, including management processes. The small and medium sized business therefore pose a higher threat for value chain exploitation than larger more established companies do.

Also, the sector the supplier operates is a determining factor for the external context risk.  Sectors that are particularly exposed to cyberattacks include:

  • Retail
  • Public sector and governmental agencies
  • Business services (consulting companies, lawyers, accountants, etc.)

Here the topic of “what information do I share” comes in. You are probably not very likely to share internal company data with a retailer unless you are part of the retailers supply chain. If you are, then you should be thinking about some controls, especially if the retailer is a small or medium sized business.

For many companies the “business services” category is of key interest. These are service providers that you would often share critical information with. Consulting companies gain access to strategic information, to your IT network, gets to know a lot of key stakeholders in your company. Lawyers would obviously have access to confidential information. Accountants would be trusted, have access to information and perhaps also to your ERP systems. Business service providers often get high levels of access, and they are often targeted by cybercriminals and other hackers; this is good reason to be vigilant with managing security in the buyer-supplier relationship.

Realistic assessments require up to date threat intelligence

There are more factors that come into play when selecting a supplier for your firm than security. Say you have an evaluation scheme that takes into account:

  • Financials
  • Capacity
  • Service level
  • And now… cybersecurity

If the risk is considered unreasonably high for using a supplier, you may end up selecting a supplier that is more expensive, or where the level of service is lower, than for the “best” supplier but with a high perceived risk. Therefore it becomes important that the contextual coarse risk assessment is performed based on up-to-date threat models, even for the macro indicators discussed above.

Looking at historical data shows that the threat impact of company size remains relatively stable over time. Big companies tend to have better governance than small ones. On the positive side for smaller companies is that they tend to be more interested in cooperating on risk governance than bigger players are. This, however, is usually not problematic when it comes to understanding the threat context.

Political risk is more volatile. Political changes in countries can happen quickly, and the effects of political change can be subtle but important for cybersecurity context. This factor depends on up to date threat intelligence, primarily available from open sources. This means that when you establish a contextual threat model, you should take care to keep it up to date with political risk factors that do change at least on a quarterly basis, and can even change abruptly in the case of revolutions, terror attacks or other major events causing social unrest. A slower stream would be legislative processes that affect not only how businesses deal with cyber threats but also on the governmental level. Key uncertainties in this field today include the access of intelligence organizations to communications data, and the evolvement of privacy laws.

Also the sector influence on cyber threat levels do change dynamically. Here threat intelligence is not that easy to access but some open sources do exist. Open intel sources that can be taken into account to adjust the assessment of business sector risk are:

  • General business news and financial market trends
  • Threat intelligence reports from cybersecurity firms
  • Company annual reports
  • Regulations affecting the sector, as also mentioned under political risk
  • Vulnerability reports for business critical software important to each sectoor

In addition to this, less open sources of interest would be:

  • Contacts working within the sectors with access to trend data on cyber threats (e.g. sysadmins in key companies’ IT deparments)
  • Sensors in key networks (often operated by government security organizations), sharing of information typically occurs in CERT organizations

Obviously, staying on top of the threat landscape is a challenging undertaking but failing to do so can lead to weak risk assessments that would influence business decisions the wrong way. Understanding the threat landscape is thus a business investment where the expected returns are long-term and hard to measure.

How to take action

How should you, as a purchaser, use this information about supplier threats? Considering now the situation where you have access to a sound contextual threat model, and you are able to sort supplier companies into broad risk categories, e.g. low, medium, high risk categories. How can you use that information to improve your own risk governance and reduce the exposure to supply chain cyber threats?

First, you should establish a due diligence practice for cybersecurity. You should require more scrutiny for high-risk situations than low-risk ones. Here is one way to categorize the governance practices for supply chain cyber risks – but this is only a suggested structure. The actual activities should be adapted to your company’s needs and capabilities.

Practice Low risk supplier Medium risk supplier High risk supplier
Require review of supplier’s policy for information security No Yes Yes
State minimum supplier security requirements (antivirus, firewalls, updated software, training) Yes Yes Yes
Require right to audit supplier for cybersecurity compliance No To be considered Yes
Establish cooperation for incident handling No To be considered Yes
Require external penetration test including social engineering prior to and during business relationship No No To be considered
Agree on communication channels for security incidents related to buyer-supper relationship Yes Yes Yes
Require ISO 27001 or similar certification No No To be considered

If you found this post interesting, please share it with your contacts – and let me know what you think in the comments!

Why “secure iframes” on http sites are bad for security

Earlier this year it was reported that half of the web is now served over SSL (Wired.com). Still, quite a number of sites are trying to keep things in http, and to serve secure content in embedded parts of the site. There are two approaches to this:

  • A form embedded in an iframe served over https (not terrible but still a bad idea)
  • A form that loads over http and submits over https (this is terrible)

The form loading on the http site and submitting to a https site is security-wise meaningless because an attacker can read the data entered into the form on the web page. This means the security added by https is lost because a man-in-the-middle attacker on the http site can snoop on the data in the form directly.

ssl_safecontrols

Users are slowly but surely being trained to look for this padlock symbol and the “https” protocol when interacting with web pages and applications. 

The “secure iframe” is slightly better because the form is served over https and a man-in-the-middle cannot easily read the contents of the form. This is aided by iframe sandboxing in modern browsers (see some info about this in Chrome here), although old ones may not be as secure because the sandboxing function was not included. Client-side restrictions can, however, be manipulated.

One of the big problems with security is lack of awareness about security risks. To counter this, browsers today indicate that login forms, payment forms, etc. on http sites are insecure. If you load your iframe over https on an http site, the browser will still warn the user (although the actual content is not submitted insecurely). This counteracts the learned (positive) behavior of looking for a green padlock symbol and the https protocol. Two potential bad effects:

  • Users start to ignore the unison cry of “only submit data when you see the green padlock” – which will be great for phishing agents and other scammers. This may be “good for business” in the short run, but it certainly is bad for society as a whole, and for your business in the long run.
  • Users will not trust your login form because it looks insecure and they choose not to trust your site – which is good for the internet and bad for your business.

Takeaways from this:

  • Serve all pages that interact with users in any form over https
  • Do not use mixed content in the same page. Just don’t do it.
  • While you are at it: don’t support weak ciphers and vulnerable crypto. That is also bad for karma, and good for criminals.

Trust in business is trust in the security of those you do business with

Without trust in business there would be no growth. When someone grants you credit, they trust you will honor your duty to pay. When you fork over money for a product you trust that the product is what marketing says it is, or at least fairly close to that. If this trust was not in place, we would not be so eager to do business with each other, and growth would stall. With that follows unemployment, poverty, less innovation.

What have we, as a society, put in place to feel OK with trusting strangers when we do business with them? Basically there are three things that build this kind of trust:

  • Mutual dependence and benefit, typically a customer needs a product and a business is supplying it
  • Activities we undertake to make sure we can trust the other party. Here are some examples:
    • Read about the firm in the news – do they seem honest and fair?
    • Check a supplier’s credit rating – do they have a solid operation?
  • Laws that we expect people to follow, such as
    • Regulations for marketing
    • Safety regulations for products

How does this transfer to information and data? Today doing business means exchanging data. Numerous media reports show that information security incidents pose a real threat to businesses, and to individuals. This threatens to erode the trust we need to make businesses successful, and to support growth. There are two issues that make it harder to trust businesses with data than many other aspects of the relationship:

  • There are fewer laws and established practices
  • We don’t really have many established practices for doing the prior checks.

In fact, most buyers don’t even have a procedure for doing any “trustworthiness checks” regarding data when qualifying suppliers. I think this is something we need to change. When people start to expect that customers are checking their security postures, they will improve their practices. This benefits us all; when more people have reasonable security practices to ensure confidential data is kept secure, and to ensure that public data are available to those that need them, we start to build more trust also in the digital economy. And we need that to ensure growth does not stagnate.

As a starting point for what to think about, see this post about supplier risk: Why high-reliability organizations evaluate the threat potential of suppliers

Social engineering and relationship management

Active sales processes are supported by thought-out processes, continuous improvement, A/B-testing, communication in multiple channels – and logging results in databases to analyze performance. The field is typically referred to as customer relationship management, and the cloud king of the field is Salesforce.com.

Some criminals aren’t very sophisticated and they still manage to earn money through cyber-scams. There are many ways they can do this, such as identity theft, document fraud, credit card fraud – or direct extortion schemes. The latter tends to have a faster path to the reward, although credit card fraud is still a big money-making machine for the criminals. But what happens when criminals get organized, and introduce customer relationship management? Most likely the same as happens when an unstructured sales team invests in methodologies, measurements and an improvement culture; they get much more efficient and they increase their revenue streams.

This is where organized crime comes in. Organized crime groups are running efficient business operations, including in cyberspace. They map out their infection processes, and start to optimize. They keep tabs on who they are trying to scam. They use content management to build trust. And they are cashing in big time. Let’s look at the touchpoints for potential revenue optimization for a typical extortion scheme using ransomeware.

ransomeware_process

A common ransomware process: each point in this process is an opportunity for optimization for the adversary. Each transition between two phases is an opportunity for the target to stop the adversary’s process. 

The first part, obtaining contact points, or rather, harvesting email addresses is a first point. If you collect these from generic lists, or buy them from large spam networks on the deep web, they will most likely be of low quality, and with little context. What if the criminal sets up an engaging platform for collecting email lists, curated with “useful content” and collecting information about use patterns, typical interests and the like? The e-mails will be real, they will be active, and the adversary will have intelligence on interests and “click triggers” for each address. Using this information would give a solid boost in the number of successful email transmissions.

The second box has another great opportunity for optimization. Armed with the context information, targeted e-mails can be generated to increase the click-rate. Links that seem to be leading to interesting content, similar to your favorite reads, will get much higher click-through-rates – even better than Google AdWords. And, of course, the click rates can be measured and used to further improve targeting. Using automation techniques – just the same as you would when using marketing automation solutions for legitimate business.

The ransomware download can also be optimized to increase infection rates. It can be disguised as a tool, it can be a JS-file that the user is told to execute, it can be an MS Office macro downloader, and so on. The key is to make the user bypass all sanity checks and allow installation – and armed with the context information from earlier, it is much easier to shape the message, and the piggyback on established trust.

We could go on with this analysis – but the main point is that this is occurring, and the criminals using these techniques are the same organized crime groups that deal in illegal weapons, drugs and human trafficking. They are sophisticated operators abusing our natural instinct to trust things we feel are useful to us.

To counter this, we need to be just as systematic and smart about things on our side too. Baseline security will take you a long way but you also need to keep the people processes up to date in order to reduce the exposure to optimized malware supply chains.