Access Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
ISMG Editors: Bitcoin or Monero - What Do Criminals Prefer?
Also: Applying an Identity-Centric Zero Trust Approach Anna Delaney (annamadeline) • April 29, 2022In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity issues, including how virtual currency Monero is becoming the main alternative to Bitcoin as the crypto choice for criminals, the challenges involved in an identity-centric Zero Trust approach and how to influence change in culture.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
The editors - Suparna Goswami, associate editor, ISMG Asia; Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Tom Field, vice president, editorial - discuss:
- How some ransomware-wielding attackers prefer virtual currency Monero over Bitcoin for ransom payments thanks to the privacy-preserving coin being tougher for law enforcement officials to track;
- Key takeaways from a panel discussion on mapping the Zero Trust journey;
- Highlights from an interview with Octavia Howell of Equifax Canada on how she encourages cultural change in her organization.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the April 8 edition discussing building cyber defenses in wartime and the April 22 edition on the complications of regulating spyware.
Anna Delaney: Hi, this is the ISMG Editors' Panel. I'm Anna Delaney and this is where I am joined by three eminent journalists to review this week's top stories. Introducing the team: Tom Field, senior vice president of editorial; Suparna Goswami, associate editor at ISMG Asia; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Very good to see you all.
Tom Field: Always good to be seen.
Mathew Schwartz: Great to be here.
Delaney: Oh, yes!
Field: Who walked in these eminent journalists?
Delaney: Do you know them? So, Suparna, we've got to start with you, with the architecture like that.
Suparna Goswami: Oh, yes. I went to Agra recently, a couple of weeks back—the city of Taj Mahal—but I thought let me put the picture of Buland Darwaza - the highest gateway in Asia and showcase the architecture from the Mughal era.
Field: Is it like a BNB you stay in if you go to visit the Taj?
Goswami: I visited it again but I thought let me just put a different picture this time.
Delaney: A bit of a history lesson, Suparna. That's great. Tom, I think we're in the same city again this time.
Field: Imagine that! This is the Times Square, which is close to the American Taj Mahal.
Delaney: Mathew?
Schwartz: I am once again in Dundee. Behind me, you can see the RRS Discovery, which sailed Scott and Shackleton to Antarctica in 1901. And, to my side, we have the V&A Museum—Victoria and Albert Museum—which exists in London and now has an outpost in Dundee.
Delaney: That's a wonderful cultural lesson. This is great. And I promised you a scene from New York again, Central Park, of course. Beautiful spring day, got to happen. So Mathew, starting with you this week, is Monero taking over from Bitcoin as the preferred currency for ransom payments? That's the question.
Schwartz: That is the question, isn't it? I thought it would be an interesting question to explore. There's been some interesting research that's come out lately, from security firm CipherTrust, for one, and also from the US Treasury Department's FinCEN, the bureau that looks at financial crime. It's been looking at payments for ransoms and what those trends look like. One of the interesting questions is the use of cryptocurrency because we continue to see a number of crackdowns against organizations, individuals, criminal syndicates that are using Bitcoin. Everyone thinks Bitcoin makes you anonymous, hard to trace, and so on. While it might offer some degree of difficulty when it comes to trying to track the people who are using it for illicit purposes, we do see law enforcement having a number of successes when it comes to tracking and sometimes identifying and arresting criminals who use Bitcoin. So, open question, given the fact that it seems like Bitcoin, which has a public ledger—the blockchain—allows these transactions to be traced and intelligence from investigations helps police crackdown. Are we going to see criminals moving to different forms of cryptocurrency, such as Monero, which is known as a privacy coin? It's much more difficult to trace by default than Bitcoin. And we know this in part because a lot of criminals will pay to use Bitcoin mixers, or tumblers, or illicitly use peel chains where they peel off a little bit from a lot of different transactions. All of this is designed for money laundering to disguise the flow of funds. With Monero, however, you don't need to do that or you need to do a lot less of that attempted obfuscation. So to cut to the chase, the interesting takeaway I found is Bitcoin is still widely used - far and away the most common cryptocurrency for crime. You would think that more criminal syndicates would be relying on the likes of Monero, or perhaps some other type of cryptocurrency, but it's a small fraction. When the Feds traced flows of cryptocurrency in the first half of last year, that's when we have the most recent information from them. They found negligible Monero use. They did find a lot of ransomware operations requesting Bitcoin payments or Monero payments. Very few of them only accepted Monero. But what we do often see is if you pay a ransom, the attackers will charge you a premium, typically between 5 to 20%. I hear, 10 to 20% is pretty average. They'll charge you a premium to pay in Bitcoin, because it costs them money to launder it. Interesting fact, right? For Monero, they charge a little bit less, because they don't need to spend as much to launder it. But I do think we're going to see a lot more use of Monero because we have seen a huge amount of cracking down on Bitcoin. One challenge for criminals, though, is there's not a lot of Monero relatively speaking. So they're continuing to use Bitcoin, despite the fact that it has some downsides because the liquidity is so good. And they are attempting to, again, obscure their use of it to hopefully stay out of jail.
Delaney: Matt, what's the chatter on the cybercrime forums? What are they saying? What are the criminals talking about?
Schwartz: They're always looking for the best, easiest, fastest way to do anything. What I think you have here is Bitcoin remains easy to use. The illicit use of cryptocurrency including Bitcoin is a very small fraction, I should emphasize, of cryptocurrency use. All the experts I speak to always highlight this. Cryptocurrencies aren't bad, cryptocurrencies get used by bad people. But we have visibility now into cryptocurrency that we never have into cash. For example, if you do some multimillion dollar illicit transaction or drug deal, and you pay with cash, you can't often track that. If you pay with cryptocurrency, you might not be able to track it right away as law enforcement but intelligence might come to light as you do other investigations, as you bust people, as you analyze their computers. We're seeing much more reliable estimates of the amount of crime that's happening using cryptocurrency coming to light—sometimes months or years later—but fascinating upsides for law enforcement when it comes to cryptocurrency use.
Field: I think I’ve landed on a new marketing slogan. Cryptocurrency doesn't steal, cybercriminals do.
Delaney: You do have an alternative career and in marketing, I think, Tom.
Schwartz: Don't blame the crypto coin users.
Delaney: Matt, do you have an insight into how the analysts really assess what types of cryptocurrency the criminals are using and are accepting?
Schwartz: It's fascinating. You have companies like CipherTrust, for example, and you have other ones such as CipherTrace, Chainalysis, and TRM Labs. You have lots of different blockchain intelligence firms, and the government is working with possibly all of them, using them for different reasons. They are able to identify wallets that are being used by criminals. The FBI is also seeking this information. Just think of all of this as going into a huge pool of intelligence and they're tracing which ransomware groups are tied to which wallet addresses. A lot of times there's crossover between different types of criminality and the more information that comes to light, the more they can trace this and they can see ransomware flowing to groups in Russia, for example. There has been some great research that's come out from these intelligence firms looking at just how many hundreds of millions of dollars’ worth of cryptocurrency flow every year. We do have much better insights into the groups involved and their locations.
Delaney: So this time next year, Bitcoin will still be here, will still be used by the criminals rather.
Schwartz: Yes, I spoke with a lot of experts about this. While Monero offers huge upsides, Bitcoin's big upside is ease of use and availability. You would think that they will migrate to privacy coins but Bitcoin is much easier for victims to get and to pay with and so on. And, obviously criminals want to get paid. They don't want to make it too difficult for victims to pay them.
Delaney: Always fascinating, Matt! Thanks for that insight. Suparna, you recently conducted a panel on the topic of zero trust. It was excellent, I got to say. I think it's really useful for organizations across many verticals, but could you just share some highlights?
Goswami: Thank you for that, Anna. Yes, it was a panel discussion between security practitioners in Australia. I had a vendor from Okta, I had somebody from E&P, which is a financial institution in Australia, and somebody from EY. So, free perspective from all. The topic was how does one decide the right approach to zero trust and what are some important considerations to keep in mind. As we know, different industry verticals have different regulatory expectations. For example, a higher education university by default has an approach of open trust and open collaboration and sharing. That is what they thrive on. Here, you can't really go full throttle trying to restrict everything. That will have a very different approach to zero trust than a financial institution, because you need to take a risk-based approach for financial institution, and there is heightened expectation of prevention and detection activities. My entire conversation was how different industries need to decide what approach to take. You can classify your requirements into four buckets. The first one is of users, which has components of identity governance - your bank. The second one is identity and access. This is where you have your adaptive access management. The third one is resources, which includes your data and your services. In order to classify your data, you need to leverage your encryption, your containerization. And the fourth bucket is of rationale where you apply your analytics, your reasoning. These buckets are common for all industries, but an assessment of each of these buckets will give you an idea of where to start from. For example, you have a weak domain in terms of detection and response and your cyber risk is mainly around denial-of-services and you're an e-commerce industry, in that case, network will be the one where you start from, whereas if malicious insider is a big problem for you, then you better start with PAM. That is how you essentially decide which approach of zero trust to take. It essentially depends on the business objective and goals. That is what the entire takeaway was from the discussion.
Delaney: Very good! Suparna, you've had so many conversations around zero trust over the past year or so. How do you think this conversation has shifted? Just in the conversations you're having, say, thinking back to this time last year?
Goswami: The conversation has shifted. Like I said, even in one of the previous interviews, for the first couple of years, it was about why is zero trust important? What is zero trust, and now we are into what approach of zero trust we are taking. We have gotten more specific like, say, identity approach or what are the problems of identity. If you take the identity-centric approach of zero trust, what are the specific challenges that you face? Because mainly people take either the network approach or identity approach. Majority of organizations either start by that. I asked Brett, who said that he interacts with a lot of CISOs and they take the identity approach. Where are the challenges? Identity and governance is one area where there are massive gaps. PAM continues to be a challenge. Another challenge, he said, is helping people change or break out of that mindset that addressing all these problems will increase friction and will impact user experience. He brought about an interesting point. He said, we have these technologies, like passwordless or device ID authentication. As an industry, we haven't done enough to evangelize these technologies. We need to do that. This has been there, all your web authentication has been existing for a long time now, but there has not been much of an adoption. So we need to evangelize these technologies as an industry.
Delaney: Tom, would love your thoughts too.
Field: We've got a big litmus test coming up. First of all, it was a terrific panel discussion. I've enjoyed it thoroughly. It's nice seeing people talk about the roadmap in a mature way. But I think a litmus test is coming up in just over a month. We've got RSA Conference, the first live-in-person RSA Conference, since 2020. 2020 is really a launch pad for zero trust in a lot of ways for a lot of organizations, and the pandemic certainly accelerated that conversation. Where are we now? When we get back together as a global security community, I will be very interested to hear the conversations in San Francisco.
Delaney: Next week, we have the founder of zero trust join us on our Editors' Panel, John Kindervag, of course. So prepare those challenging questions, please.
Field: The Godfather of zero trust.
Goswami: Always a pleasure to have an interaction with him.
Delaney: Yeah, absolutely. Looking forward to that. Tom, talking of trailblazers, you've interviewed Octavia Howell, CyberEd Board member. Tell us about it.
Field: I certainly have and each one of us is privileged in our role that we get the opportunity to speak with these wonderful CISOs as part of the CyberEd Board's Profiles in Leadership. Every one of us—Matt, Suparna, Anna—you all record these interviews. They are a brilliant opportunity to get to know leaders—how they shaped their careers, their focus, and their passions. I did speak with Octavia Howell. She's the vice president and head of information security and risk for Equifax, Canada. We talked a lot about fraud. We talked about privacy, we talked about responding to incidents. But what was most interesting to me was to hear her talk about the ground that she had to break, as an American going into Canada, to oversee a large organization; as a woman coming in to a management role as an African American woman, extra degree of difficulty. And as she says, as one that wears four inch stiletto heels and walks in the room with a big presence. I asked her about how she impacted culture of the organizations that she joined. And she shared with me some insights that I want to share with our audience now.
Octavia Howell: I just be myself. I tell a lot of jokes all the time. I am serious about work, the actual business of work. But when things are light, and we have a little bit of time, I tell a lot of jokes, and I pick on myself a lot as well. I think the way I overcame it really was with self-awareness and understanding because I have a powerful presence. Understanding when I walk in the door, what that does to other people, and then also understanding what relationships I can have with other people and how to relate to them. I didn't come in there busting through the door. I came in, really what I would call, playing nice in the sandbox. I understood the players, I understood who was making the moves, who were the influencers, and then also start talking to them. We really built the relationships with those people. And so I think, just showing myself, I performed. I am a techie so I can read a packet capture, I can decrypt, I can encrypt, I could tell you how many rounds in a cipher and there was no problem with that. Once they got over, the fact that I wore four inch heels to work, I think we were over that. And we were just talking technology at that point.
Field: Playing nice in the sandbox. Nice objectives for each of us.
Delaney: Absolutely. I love what she said about humor being a vehicle for change. It reminded me of something our friend, CISO Thom Langford, said that it's a powerful weapon. Humor can be a powerful weapon. And he often quotes Maya Angelou saying people won't remember what you said or did, but they will remember how you made them feel. I'm paraphrasing, but it's that powerful impact, I think.
Field: What they're going to remember is Thom Langford, Matt Schwartz, and I posing as Charlie's Angels for a photo at RSA Conference 2020.
Delaney: You're going to have to share a picture, Tom.
Field: Matt has it somewhere.
Schwartz: It'll cost you, Anna.
Field: Maybe we'll recreate it at our London summit.
Delaney: I think so. With Suparna one day as well.
Goswami: Oh, yes!
Schwartz: Everyone's welcome.
Field: We are inclusive. Foreign shields welcomed.
Delaney: Well, final question to you is a bit of a future gazing question. What's the next big thing in cybersecurity that we haven't seen coming?
Field: Pizza in a cup. That comes from the 1980s Steve Martin movie, The Jerk. But to give you a more serious answer, I think it's here. I think it's the SBOM. Consistently, I've been getting out and having conversations about application security. And it comes back to the notion of are you providing software bills and materials? Are you asking for a software bills of materials? And because there have been so many issues with zero days and application security risks and open source code, there is a greater awareness among our constituency now, that you're not going to ingest food if you don't know what the ingredients are. You're not going to buy automobiles if you don't know what the parts have been attested to. You're not going to fly in airplanes with unsafe components. There are no open source components in airplanes. There's a greater awareness that we need to protect the software that we use by knowing what the components are within it. There's certainly regulatory push in this direction, starting with the executive order from President Biden just about a year ago. I think this is really going to start to take root this year, and I believe we're going to have serious conversations about the SBOM over the second half of 2020 to what that is, standardized forms, how it's going to be provided, how it's going to be presented and how it's going to be adhered to. To me, it's a big topic for the second half of the year.
Delaney: Matt?
Schwartz: I'm going to go really big picture. Hopefully not too vague, but just the pervasiveness of cybersecurity, in everything around us, is going to be my answer. If you think how far we've come in recent years, in terms of Russian interference, for example, in the 2016 US elections; if you think about now, the Russia-Ukraine war, I'm hitting that Russia theme again there, but if you think about the war that we have now in Ukraine; and the degree to which cyber hasn't been seen. Cyber is a component of so many things in the world now. And it's being discussed like never before. I don't know where we go from here. Obviously, cybersecurity is not going to get any less important. I suspect, we're going to have a bit more nuance about how we discuss it. And again, with this war, the Russia-Ukraine war, we're talking about where it's not appearing. 5-10 years ago, we wouldn't have been having those types of conceptual discussions. It would have been, oh, hey, there's this cybersecurity component everyone should be concerned about. We've come a long way. I don't know what happens next but I think there's going to be a lot of cyber in the discussion. And again, hopefully, it does come with more nuance.
Delaney: Right on! I thought you're going to say AI-killer robots but you didn't.
Schwartz: We can go there too, if you want. It was my last week's response. You looked all sad when I said that. So I thought I would save the killer robots for later, like maybe Halloween.
Delaney: Good idea! Suparna, what are you thinking?
Goswami: I'll probably continue Matt's theme of Russia-Ukraine war. We'll likely have a global cybersecurity coalition going ahead. Something like the UN or the NATO specifically for cybersecurity, perhaps, I'm just imagining. But I don't think it's too far away, where we all have these nations collaborating with each other, in a coalition.
Delaney: Yeah, that's a good suggestion. What about just another basic error? Maybe that's the next big thing we're going to be reporting on. Unfortunately!
Field: E-R-A or E-R-R-O-R?
Delaney: Keep us thinking, Tom.
Schwartz: Error as in widespread vulnerability in literally everything in the world, which seems to happen once, twice, three, four times a year sometimes.
Field: Pick a holiday.
Delaney: Pick a holiday. Well, thank you very much, Suparna, Tom, Mathew. Always a pleasure. Thank you so much for watching. Until next time!