Breach Notification , Cybercrime , Cybercrime as-a-service
Wait, Watch, Disrupt: How Police Keep Targeting Cybercrime
Top Targets: Providers and Infrastructure, Says Cybersecurity Expert Alan Woodward Mathew J. Schwartz (euroinfosec) • August 31, 2021 23 MinutesWhat if all of the online-enabled crime in the world could be traced to a relatively small number of service providers and enablers?
In fact, a panel of cybersecurity and law enforcement experts, speaking at the Infosecurity Europe conference in London in 2015, estimated that just 200 individuals globally were providing the vast majority of all cybercrime services and infrastructure. Obviously, arresting even a small number of those individuals could take a big bite out of cybercrime.
Cybercrime expert Alan Woodward, who was one of those panelists, says that identifying and disrupting cybercrime service providers remains a top law enforcement priority.
"The people with the technical skills - there are not that many of them who've gone to the dark side," says Woodward, who's a visiting professor in England's University of Surrey. "The bottom line is: If you could get to them, then obviously, you could stop anything new happening. But also, it's rather like the bulletproof hosters. This … doesn't happen by magic. There has to be infrastructure working somewhere for this to happen, including ransomware, and a lot of effort has gone into trying to identify that and take it out."
In this audio interview with Information Security Media Group (click on player beneath image to listen), Woodward discusses:
- How the cybercrime-as-a-service economy functions;
- Cross-border law enforcement strategies for disrupting cybercrime;
- The role of threat intelligence in spotting breaches and tracking criminal syndicates.
In addition to his role as visiting professor at the department of computing at University of Surrey, Woodward is nonexecutive director at TeenTech, which encourages teenagers to pursue careers in the fields of science, engineering and technology. He is also an academic cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.
Transcript
Mathew Schwartz: What if all of the online-enabled crime in the world could be traced to a relatively small number of service providers? Hi, I'm Mathew Schwartz, executive editor with Information Security Media Group. And, back in 2015, a panel of cybersecurity and law enforcement experts speaking at the Infosecurity Europe conference in London estimated that perhaps up to just 200 individuals globally were providing the vast majority of all cybercrime services. The mandate for police then, as now, remains to try and arrest these individuals, or to at least disrupt those operations. Before that, however, police often attempt to identify not just the suppliers of services, but their suppliers, as well as their customers and top users.
Cybercrime expert Alan Woodward is a visiting professor at England's University of Surrey. He was also one of those Infosec Europe panelists. Welcome, Alan. So does the observation that so few people continue to facilitate so much cybercrime continues to fascinate me.
Alan Woodward: We tried to say for some time, and indeed, people like Europol were saying the same thing as the National Crime Agency, the NCSC, that - actually - I think people have a slightly, misguided is the wrong word. There's a misconception about how broad the base is, when people talk about organized crime - online organized crime - it's very dependent on a few things, a relatively few things.
First, the people with the technical skills. There are not that many of them who've gone to the dark side, and that was where I think in that particular panel we were talking about, at the time, we estimated 200-ish. But the bottom line is, if you could get to them, then obviously you could stop anything new happening. But also, it's rather like the bulletproof hosters. This all, again, it doesn't happen by magic, there has to be infrastructure working somewhere for this to happen, including ransomware. And a lot of effort has gone into trying to identify that and take it out, basically.
But the problem is that there are some jurisdictions where it's, they're not as cooperative as they have been, as they might be. I mean, one of the interesting things that happened when the Americans got hit recently, a lot, by ransomware, and it was being hosted out of Russia. There were clearly a lot of things going on in the back channels because all of a sudden certain things - certain, you know, hosting things, they just got closed down. So, oh what a surprise, it just went, thump, like that overnight, it cut the head off it. So that demonstrates that where there's a will, you know, it can be done. But it's trying to get that cross-border cooperation into some of these other jurisdictions that perhaps, they think, well what is the benefit to me. And so they're almost waiting. I think, personally, I think they're probably waiting a little bit to use it as bargaining chips. Russia, for example, has already said, "Oh, yes, well we'll extradite the criminals. But you've got to extradite some to us, who we think are criminals as well. So of course, that, you know, it's that the people they think are criminals, and not necessarily ones that the Biden administration are thinking are criminals. So, you know, it all gets caught up in the geopolitics inevitably.
Mathew Schwartz: So I was reminded of your Infosecurity Europe panel discussion recently, thanks to some new findings concerning the initial access broker landscape.
These are, of course, the brokers who sell remote access to pre-hacked networks. Research from Israeli threat intelligence firm Kela suggests that over a recent 12-month period, of the more than 1,000 such access offers that they've been able to see for sale on cybercrime markets or forums, 46% were being offered by about 10 people, 10 different access brokers.
Does that give police an opportunity to disrupt this supply, by potentially arresting this very small number of people?
Alan Woodward: I don't think you can assume that the brokers being a small number, means that the number of people that are out there doing the attacks and - if you like harvesting the data - is small. What's happening is that they then know who to go to, in order to fence the data, if you like.
And I suppose it's a fairly specialized market, isn't it? So that's why it comes down to a relatively few people. And not surprisingly, it's like, celebrity PR, isn't it? You know, they'll all end up going to the same people eventually, because they've become well known and they have some power in that market. And you just have to hope you haven't picked Max Clifford, who's a criminal.
But the problem is, all these guys are still criminals. But they are middlemen. They're not the ones harvesting the data. But interestingly, if you could take them out, then there's no market. So there's nowhere to sell the data. So the hackers know that how the hell do I get rid of this data? What's the point of taking it? Because if I can't sell it, I can't monetize it.
So again, it's about getting to those people.
But I'm surprised that it's as few as 10, that is a very small number. But I'm not surprised it's a small number. Because like any markets, it ends up being dominated by relatively few people who have, no pun intended, who have the access. And actually the capability that goes with it, because actually, it takes some doing and setting up.
It's always quite funny when eventually they get raided. People have this idea of organized crime as being sort of mafiosi in sharp suits, or sitting in plush offices. The funniest one was the Polish police video, when they raided one of the guys behind - I can't remember which ransomware it was. And he was literally sitting there in his underpants. And his flat was strewn with gold bars and 5,000 euro notes, which I didn't even know 5,000 euro notes existed. But his infrastructure was old PCs, which were basically skeletons - they were motherboards, sort of balanced on old olive oil tins and things like that, but at the same time he was using a bulletproof holster.
So his IT didn't need to be that smart in the same way you and I don't have to have - everything's done in the cloud. So if you can find somebody will do it in the cloud. Great.
Mathew Schwartz: Does that give police an opportunity to disrupt this supply? How would this proceed then?
Alan Woodward: Sometimes it's finding out who they are, that isn't trivial in terms of individuals. It's finding out what infrastructure they might be using. And for data brokers, that's not nearly as much as for example, running a ransomware network or, you know, a crime as a service network.
If you can find out who they are, then it doesn't happen overnight in terms of how you can pursue them because, of course, you've got this cross-border issue, you've got to get the local police to, cooperate. They're the only ones that can arrest them. And typically, what happens is, you see it all sort of bundled up in one big sort of operation. You'll see Europol announce another operation where they've you know, there have been X 100 arrests across everywhere. I mean, surprising countries as well. Places like the Netherlands is the one that people all say, "Really, the Netherlands?" But actually of course the Netherlands is remarkably liberal in terms of what it allows to happen. They have laws that mean that if you run a data center, you can't be held liable for what's being run on systems within your data center. That's why most of the porn in Europe, for example, is all run out of the Netherlands. So, you know, there's some surprising countries. And the Dutch police do quite often get involved, the Polish police, you know, all sorts of people, but you can see kind of how much coordination that would take. And it gets particularly difficult if you're doing it into places like Ukraine, Russia, China's impossible, but actually not that much tends to be done in China. Although the data brokers, I'm not that familiar with the data broking side. I'm tending to think of sort of ransomware infrastructure, etc. It might be it might be run by groups, say in China, but actually, a lot of the infrastructure is outside of China. Because they know they can then claim plausible deniability. And also, they don't get hidebound by actually the restrictions that the Chinese government place themselves on the internet. So I guess it's complicated. Like, I'm surprised, it's quite a few, but I'm not surprised it is a small number.
Mathew Schwartz: And just to be clear, too, they were saying, they were saying that about 10 people that they could see, were responsible for 46% of what they could see.
Alan Woodward: It's the old 95% problem, in that the last 5% might be spread across hundreds of people. But actually, what you're going for is that force multiplier. If you could hit those 10 people, and arrest them, then half the market disappears. So that's a big dent in the market. I mean, it's because it is always a game of whack-a-mole, you can't, you're never going to take 100% of the market. But what they will always be looking at, in gathering the intelligence about these people is, where can I get the biggest bang for my buck, if you like? And that's where they will focus. I suppose some people will say, well, oh, the police, you know, the police aren't focusing on my crime there. It's a bit like when people in the U.K. report a data breach or something to Action Fraud, they say, oh I never hear anything back. What they don't see behind the scenes - and the reason, it's rather sad that they're not told this - that the reason it's so valuable is that all gets then put into a huge intelligence machine, which starts to allow them to then pinpoint where these people are. They start, you know, you start to see commonalities which allow you to track these people there and, consequently, your bit of the picture of the puzzle, unfortunately, it might not get solved, and you might not hear a lot about it. But it is then used to try and sort of, you know, cut the head off the snake. So that a) it doesn't happen anymore, but certainly, more importantly, once you build that big picture, you can start to sort of pinpoint, I mean, you do things like link analysis and all the rest of it, and you start to see the commonalities in where things are coming from, you know, geographical ideas, because criminals only need to make a mistake once.
If you look at the history of how the FBI, for example, I managed to grab a lot of people, they have watched them and watched them and watched them, and sometimes it's taken three years. But then they've made one mistake, and revealed their real IP address, and within 24 hours they've been arrested. So you know that the law is not always quick, but it is patient. And they're not they're not daft, as well.
Their strategies are very much around identifying the sorts of things you're talking about: the people that if they could find them and find out who they are, and get them arrested and take them out of the picture, then - imagine removing half the market for data breach sales, that would be that would be enormous. And it would also cause chaos, because it would make the people harvesting the data think twice because they would think, "Well, where do I go now? Is there any point in me doing this at the moment? Because I don't know who to go to." It's that force multiplier effect, which is so important. But it does beg the question about how many people are involved in the other half of the market. And the trouble with intelligence, a lot of the intelligence that we build up with these sort of things is, you don't know the complete picture. You don't know the full picture but you know enough to then start to move on it and make inroads. And what you're obviously going to go for is where do I make the biggest inroads?
It all sounds rather motherhood and apple pie. But it's the standard policing techniques. It's what the police have done forever, but they're just doing it online and they're just, you know, they're tracking these criminals down in the same way. And as it happens, there are some of these Mr. Biggs and Mrs. Biggs out there that they can get to.
But with all these things is that cross-border problem, and the fact that within Europe and just outside Europe and across to America, there's a lot of cooperation. But there are groups of countries that are not as cooperative. And they're getting better; things are getting better. You're seeing arrests in Ukraine and things like that he wouldn't have done before, Ukraine is getting a lot closer to Europe. But there will always be the outliers. As I say, what I suspect you will see is then announcements that there's been another operation and whoosh they managed to get, you know, even if they just took out, I mean, they're talking about 10 people with half the market, if you just managed to arrest one of those, you don't really know how much they're controlling. Is that 8% of the market, or is it actually they've got 20%? The evidence that the private companies, the threat analysis companies are finding, you can kind of be sure that the law enforcement agencies know it as well. They're not daft. So the strategy they will adopt flows very naturally from it.
You do get lucky breaks as well, like, with Encrochat, that was a lucky break. They managed to get a load of people there and take them out of market, and that's had a bigger impact than people think. Because you do take people out of - not necessarily in this kind of market, in the data brokering market. But for example, in the drugs market, they were able to get some very big players who controlled large parts of the drugs market. It hasn't made it go away. But it's really put a big dent in it, in countries like France, the Netherlands, it's made a big impact. So sometimes you get the lucky break, and sometimes, all these other things that the law enforcement agencies are doing, to track these people down, they can come together sometimes. And that big picture they're putting together, there's been a break that says, actually, we know they're based in Minsk, but we just don't know who the hell they are. And then suddenly, there's some other ancillary bit of information comes in, and it identifies exactly who they are. But only if you put the two things together. And that's when people can move. But they can only move so far if they're operating across borders. And you can imagine that the geopolitical situation as it is, all of that has to be kept very quiet and done behind the scenes, because you don't want to alert the criminals that is happening, if you do ever then managed to get - because there are no formal agreements and all the rest of it, it's all done very much on a person-to-person basis and has to go up various lines and back down again, before people get permission to do the arrests, and that can take time. So you just don't want to alert criminals to it.
But it will happen. And that's where, I think, the criminals perhaps have had a false sense of security because they think, because these things take a long time, they read that as, they're kind of immune, that they can do these things with impunity, without realizing that there's already somebody watching them, and they're just waiting for the right opportunity and the right set of circumstances and the right agreements to be able to arrest them or have them arrested. And I think when things like EncroChat happen, or you get you get some other big break, where a number of the significant players in any of these criminal markets get taken down, it gives the whole set of them pause for thought because they start to look over their shoulder more and they should be, they bloody well should be because there is somebody looking over their shoulder. Even in some cases, it's not that they don't know who they are, it's that they just can't get to them.
I mean, you see that happening quite a lot now with the United States where they're actually issuing indictments against individuals in some countries, because they're saying: "We know exactly who you are. It's just that your government won't allow us to go near you, or they won't extradite you."
So that tends to happen far more from the American side. But I think there will be more of that as well. But the other thing is that in gathering intelligence, for example, if you know who the brokers are, and you catch a lucky break, and you're able to conduct targeted surveillance on them, for example, that then tells you all the people that are feeding them. I mean, one of the things you found when the Hansa network - the Hansa Market - was taken over by the Dutch police, it was run for a month by the police, so that they could see who the buyers and sellers were. So being able to conduct targeted surveillance on say, a data broker in the dark markets, you probably wouldn't arrest them straightaway, you'd want to know, you'd let it run for a few months and see who are the biggest harvesters of data? Should you be going after them as well? So you want to build up that sort of picture as well. And it's all happening. It's, I think, people sometimes confuse lack of news for inactivity. And it's not the case. And there is deep frustration sometimes I think - well, I know - in the local law enforcement agencies, because they can't move on some things you know, it's desperately frustrating when you know exactly who someone is, but you just can't get them arrested. And that's what that that's why the Americans now just say, bugger it, we're going to issue an indictment. We're gonna point the finger, and they just go for it.
Europeans tend not to have done that so far. Because we're sort of going more softly, softly, particularly because a lot of this sort of crime, it may be in some of the other big players like Russia and China, and there's a - I wouldn't say an inequality of bargaining power - but a sort of, the European countries tend to tread more softly. And so they're trying to do it by diplomatic sort of back channels. I mean, what the Americans have sort of said sometimes is, well, we're not going to get them any other way, so we might as well send the indictments out and publicly shame them. It's more of a sort of, we're going to point the finger at the country as well. And actually, I think the Europeans are saying, well, it would be better if we were to build a relationship up with the law enforcement agencies in the various countries, and then we might stand a chance of repeating arrests in the future. And actually discouraging those people from operating in those countries anyway. Does that makes sense?
Mathew Schwartz: Definitely. Multiple philosophies, or different philosophies. Geopolitical hopes, if you will.
Alan Woodward: Yes, and it's quite interesting how the top-level geopolitics does tend to drive some of the approaches to these things. And, that sort of, not "softly, softly," but the sort of the more diplomatic backchannels, building relationships, trying to get the countries to form agreements and relationships where you can have an ongoing set of operations.
The problem that the problem the Americans always have is when people like the Russians kind of call their bluff and say, "Well sure, we'll extradite these cybercriminals," because they indicted them, for example, with the ransomware attacks. They say that we know exactly who they are, we'll extradite them, but there are these people we want extradited back. And of course, the Americans say no, they're not criminals. So you run smack into that.
Whereas, I personally - I would say this, wouldn't I? - the rather more diplomatic approach that the Europeans have, the collaborative approach, it's spun out really from the very nature of Europe itself and how Europol works. In that Europol has no arrest powers. It's all about winning friends and influencing people, and getting people to work together. And so when you see these big operations announced, it's quite amazing in some ways. Because there are X number of police forces all working at exactly the same time, to arrest people. And a lot of work has to go into that. And, of course, now what they're trying to do is extend that sort of approach across borders, into where they're not part of the EU, or they're not sort of on the periphery of the EU there, they're perhaps quite different. And relationships would have been different in the past. But personally, as I said, I would say this, I think it's a more fruitful, in the longer term, it's a more fruitful approach, rather than simply saying, there you go, we know exactly who they are, and you're hiding them. So send them over. Because you do that to some countries, and they'll just say, "Nah, not going to do that." So it doesn't get you anywhere, it doesn't stop it. Whereas if we could stop some of these people, and let's suppose it is 10 people for half the market. That's a big chunk. That's a major hit. You're not going get all 10 of them at once, of course, but just taking out one or two here or there, it all adds up.
Mathew Schwartz: Obviously, you have a lot of threat intelligence firms these days, their business model is trying to keep you informed of the sort of chatter that's going on, or the sort of access that's being sold. A lot of times people won't say, "This is access for Acme Organization." But, you know, they might say this is the sector, these are the people, and with a little bit of deduction, you can say, it's probably these two or three firms. And if you're contracting with them, they might say: This might be you. Is there some value in that, do you think? In terms of trying to get perspective on if you may have been breached, but you don't know it? Because that is, of course, always a possibility.
Alan Woodward: Yes, I think there is. I mean, there's always the thing about forewarned is forearmed. I mean, I've been involved in expert cases before, where people have been breached for months and haven't known. I mean, British Airways, for example, I'm not involved in that one. But the ICO fined them, and all the rest of it. It was only when an external party said you've got credit card data streaming off your site, going to a site that I don't think is - a domain - that I don't think is yours.
So yeah, I mean, they wouldn't have known to act, otherwise. Obviously everybody thinks that it's not us, but they then looked and within 90 minutes, they were able to say, actually, there is something a bit odd going on here. So yeah, I think it is really good value, and that that having somebody trawl the sort of the darker recesses of the web, and see if the data looks like it's come from you, it might be your sort of data. I mean, it's not very often that it's named as having come from company XYZ.
But again, threat intelligence companies, putting the intelligence together, you can sort of say, it might be one of these three companies, we ought to warn them. And even if even if it's not, I mean, if it looks like the sort of data you hold, and it looks like the sort of attack that could affect your company, then it's worth knowing about it just to make sure your defenses are ready for it.
So it is really about, the more intelligence you can share, the more people that know about something, the more likely they are to be able to say, Oh I'll just go and check that, and make sure that I haven't got the hole and if I have, I'll plug it before it becomes a leak. So the short answer is yes, I think it is. I mean, whether it's actually value for money, I couldn't say. But is it valuable? Yes, I think it is.
Mathew Schwartz: Alan, it's always a pleasure. Thank you so much for your insights and thoughts today.
Alan Woodward: It was a pleasure.
Mathew Schwartz: I've been speaking with Alan Woodward of the University of Surrey. I'm Mathew Schwartz with ISMG. Thanks for joining us.