Cybercrime is considered one of the most dangerous threats to the development of any state; it has a serious impact on every aspect of a country's growth. Government entities, non-profit organizations, private companies and citizens are all potential targets of cybercriminal syndicates.
The “cybercrime industry” operates much like a legitimate business on a global scale, with security researchers estimating overall losses in the order of billions of dollars each year. Compared with other sectors, it reacts quickly to new business opportunities, and it has benefited from the global financial crisis that, in many contexts, caused a significant reduction in spending on information security.
Prevention is the most critical aspect in the fight against cybercrime, and it rests mainly on awareness and information sharing. A proper security posture is the best defense. Every user of technology must be aware of the risks of exposure to cyber threats and should be educated about the best practices that reduce their “attack surface” and mitigate those risks.
Education and training are essential to create a culture of security, which plays a fundamental role in the workplace. Every member of an organization must be involved in the definition and deployment of the security policy and must be informed about the tactics, techniques and procedures (TTPs) of the cybercriminal ecosystem.
Prevention means securing every resource involved in the business processes, including personnel and IT infrastructure. Every digital asset and network component must be examined through continuous, evolving assessment. Government entities and private companies must cooperate to identify cyber threats and the actions behind them, a challenging task that can be achieved through information sharing among law enforcement, intelligence agencies and private industry.
Fortunately, like any other phenomenon, criminal activities follow recognizable patterns and trends, more or less strictly. On this basis it is possible to adopt an efficient prevention strategy by implementing threat intelligence analysis processes.
Security must be addressed with a layered approach, ranging from “security by design” for every digital asset to sophisticated predictive systems that forecast criminal activity.
Sharing threat information is another fundamental pillar of prevention, giving organizations and private users access to data on cyber threats and on the threat actors behind them.
At the last INTERPOL-Europol conference in October, security experts and law enforcement officers highlighted the four fundamentals in combating cybercrime as:
- Information Exchange
- Capacity Building
Executive Director of the INTERPOL Global Complex for Innovation (IGCI) Noboru Nakatani and the head of Europol’s European Cybercrime Centre (EC3), Troels Oerting, closed the conference, acknowledging that the engagement and input from delegates had increased understanding and encouraged greater interaction between the various sectors involved.
In September 2014, Troels Oerting announced the creation of the Joint Cybercrime Action Taskforce (J-CAT) with a statement that stresses the need for effective collaboration among all the entities involved, Internet users included:
“Today is a good day for those fighting cybercrime in Europe and beyond. For the first time in modern police history a multi-lateral permanent cybercrime taskforce has been established in Europe to coordinate investigations against top cybercriminal networks.
The Joint Cybercrime Action Taskforce will operate from secure offices in Europol’s HQ assisted by experts and analysts from the European Cybercrime Centre. The aim is not purely strategic, but also very operational. The goal is to prevent cybercrime, to disrupt it, catch crooks and seize their illegal profits.
This is a first step in a long walk towards an open, transparent, free but also safe Internet. The goal cannot be reached by law enforcement alone, but will require a consolidated effort from many stakeholders in our global village.”
Prevention must be complemented by an effective incident response capability and a recovery strategy that mitigates the effects of cyber incidents.
Once an incident occurs, it is crucial to restore the operations of the affected organization and its IT systems. Recovery from cybercrime comprises all the activities associated with repairing and remediating the impacted systems and processes; typically it includes the restoration of damaged or compromised data and any other affected IT assets.
According to the Ponemon Institute's “2014 Global Report on the Cost of Cyber Crime”, recovery is one of the most costly internal activities: on an annualized basis, detection and recovery costs combined account for 53 percent of the total internal activity cost.
An effective incident response procedure includes the following steps:
- Identification of the threat agent that hit the infrastructure.
- Containment of the threat, preventing it from moving laterally within the targeted infrastructure.
- Forensic investigation to identify the affected systems and how the threat agent penetrated them.
- Remediation and recovery, bringing the IT infrastructure back online and into production once the forensic investigation is complete.
- Reporting to senior management, and sharing data on the incident through dedicated platforms that allow rapid exchange of threat data with law enforcement and other companies.
Unfortunately, this process is rarely followed. Until now, containment and remediation have been primarily manual, human-driven processes, which makes them slow and inefficient.
We must accept that it is practically impossible to recognize every cybercriminal activity before it affects its target. For this reason, it is crucial to adopt a mature approach to cyber security that emphasizes early detection and recovery.
An efficient incident response plan, for example, improves the resilience of systems to cyber attacks and allows quick recovery from an incident.
The prevention and recovery processes described here must be improved by every entity that operates a digital asset or a system exposed to the Internet. Security requires a continuous improvement approach that preserves every link in the security chain.
Never let your guard down, cybercrime never sleeps!
About the Author: Pierluigi Paganini serves as Chief Information Security Officer at Bit4Id. He is also a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and serves as Editor-In-Chief for Cyber Defense Magazine. In addition to his leadership roles, Paganini has more than 20 years of experience in the field, which he shares as a blogger, freelance writer, security analyst, and author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin.”
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.