IOCTA 2015

The scale of the Target data breach of late 2013 made it one of the largest data breaches in history, affecting up to 40 million customers [1]. However, it turned out to be only the first of a series of significant breaches that earned 2014 the title of "Year of the data breach" across a variety of industry and media reporting.

In the 2014 IOCTA it was highlighted how a lack of reporting hindered law enforcement from mounting a suitable response to network intrusions, with industry preferring (where possible) to have incidents handled by private security companies. Since then, however, there has been a clear increase in the level of reporting to, and subsequent involvement of, law enforcement in such investigations.

Almost 75% of Member States indicated that they had investigated some form of data breach or network intrusion, with almost half of Member States running 10 or more distinct investigations. Over one third of EU law enforcement agencies identified network intrusions as an increasing threat.

Not all network intrusions lead to the leakage of data or theft of intellectual property. The defacement of business or private websites was one of the most commonly reported cyber-attacks within EU law enforcement. It was also noted that there is an increasing number of these attacks with a terrorist context. The 2015 Verizon Data Breach Investigations Report (DBIR) [2] found that in 70% of attacks where the motive could be established, the breach was carried out with the intention of instigating further attacks on secondary victims, for example by using a hacked server to host malware or phishing content.

Nevertheless, 2015 has already witnessed a number of significant data breaches. In May and July respectively, the adult hookup website AdultFriendFinder and AshleyMadison [3], an allegedly discreet website for those seeking extra-marital affairs, were hacked. Both leaked personal and sensitive details relating to millions of their customers, leaving them vulnerable to extortion and social engineering attacks. AshleyMadison's clientele were largely North American; however, AdultFriendFinder had approximately 3.5 million customers worldwide. The proportion of these within Europe is unknown, so the impact of these breaches on European citizens may never be fully appreciated. However, over 1400 customers were identified as senior executives of Fortune 500 companies [4], over one fifth of which are based within Europe. It is therefore safe to assume that European citizens feature amongst those who have had their personal details disclosed.

The majority of data breaches occurred as a result of compromised credentials (typically those with administrator rights), with the rest largely made up of phishing attacks and, in the case of industries using point-of-sale (PoS) terminals, RAM scraping. Broken down differently, 25% of breaches were the result of crimeware, 20% the result of insider misuse and 15% a consequence of physical theft or loss. Almost one third were additionally the result of miscellaneous human errors, such as sending sensitive information to the wrong recipient or accidentally publishing sensitive data to public servers [5].

The table below identifies some of the more prominent publicised data breaches from the first half of 2015 which originated from within, or which are believed to impact, the EU [6]. The number of breaches apportioned to each country is at least partly representative of the stringency of the reporting regulations within that jurisdiction.

[Table: Data Breaches (image not reproduced here)]

DDoS attacks

Approximately half of the Member States highlight Distributed Denial of Service (DDoS) attacks as a considerable threat. This is confirmed by security industry reports documenting hundreds of DDoS attacks per day [7]. So far in 2015, several attacks have exceeded 100 Gigabits per second, while even attacks an order of magnitude smaller may already cause availability issues for many hosts. Three-quarters of attacks last less than four hours, suggesting that this is sufficient time for an attacker either to achieve their goal or to realise their attack was successfully mitigated [8]. Opportunity costs or rental fees also discourage those who own or rent the botnet from prolonged attacks.

DDoS extortion attacks have become a well-established criminal enterprise. These attacks further benefit from the availability of DDoS-capable malware and the increasing popularity of pseudonymous payment mechanisms. One of the most evident personifications of the threat is a group called DD4BC (DDoS for Bitcoin), which emerged in early 2015. Their ransoms range between 1 and 100 Bitcoins, depending on the perceived financial standing of the victim and their willingness to comply with the attacker's instructions. To increase the credibility of their claim, the group often launches a small attack against the victim's infrastructure. Companies that pay the ransom risk being approached by the blackmailers again for a higher amount.

DD4BC primarily targets the online gambling industry but has recently broadened its activity to also attack the financial sector. It is no longer clear whether the attacks can be attributed to a single criminal group or whether other criminals are trying to replicate the business model. As the reputation of the crime group and its modus operandi spreads, it may become increasingly effective for attackers with no technical skills or infrastructure to impersonate the group.


Future threats and developments

Historically, law enforcement has not been the first port of call when an organisation has been the victim of a network intrusion or data breach. The reasoning behind this is likely a combination of the belief that law enforcement would be either unwilling or unable to investigate the crime and/or a lack of confidence in law enforcement's ability to handle the investigation with the appropriate level of discretion.

This trend appears to be changing, however, with the number of breaches being both reported to law enforcement and publicly disclosed on the increase. Part of this may be a change in thinking amongst the private sector. Prior to 2014, publicising a data breach would have caused significant reputational damage. Suffering a breach was considered an exception, whereas today there is a growing realisation that a breach is to some degree inevitable. In the wake of the volume and scale of the data breaches throughout 2014, it has perhaps become apparent that how an organisation responds to a breach is as important as whether it has had one. A timely 'clear and confident' message to customers and stakeholders as part of an effective communication strategy [9] can do much to maintain confidence in an organisation and prevent rampant speculation by the media.

Part of this strategy is clearly more frequent engagement with law enforcement. A number of European law enforcement agencies noted that the threshold for reporting breaches was decreasing. As both confidence in law enforcement’s ability to investigate such crimes and law enforcement’s capability and expertise in doing so increases, we can expect law enforcement to become more actively and frequently involved in investigating this type of criminality.

The term Advanced Persistent Threat (APT) was originally used by the U.S. government to describe nation state cyber-attacks which were sophisticated, specifically targeted and took place over a prolonged period, typically with the agenda of stealing data or causing damage for strategic gain. More recently the term has been adopted, and perhaps overused, by the media and security vendors to apply to any cybercrime group operating similar tactics for profit [10][11]. That said, there is evidently a blurring in the use of tools and techniques between the two groups, with both factions using social engineering and both custom malware and publicly available crimeware [12][13]. Industry reporting indicates a clear trend of cybercrime groups increasingly performing long-term, targeted APT-style attacks instead of indiscriminate scattergun campaigns [14]. This will make it increasingly hard for investigators and security researchers to distinguish between attacks by either group and will require investigators to look more deeply at the motive and purpose behind an attack.

The Simple Service Discovery Protocol (SSDP), which is enabled by default on millions of Internet-connected devices using the Universal Plug and Play (UPnP) protocol - including routers, webcams, smart TVs and printers - became the leading DDoS amplification attack vector in the first quarter of 2015. With the proliferation of the Internet of Things, attackers are likely to increasingly abuse large numbers of vulnerable, unsecured online devices for powerful DDoS attacks [15].
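The DDoS and SSDP passages above describe amplification from a victim's and an operator's point of view but do not show what the traffic looks like in practice. The following is an added example, not code from the IOCTA report or from Europol: it parses constructed flow records (a simplified NetFlow-like format chosen here) as a network operator might export them, summarises hosts receiving UDP/1900-sourced traffic from many distinct reflectors, estimates the amplification ratio from the small requests versus the large responses, and lists devices in one's own address space that answer SSDP to the outside world (the unwitting reflectors the report warns about). All addresses, byte counts and thresholds are assumed sample values.

```python
"""Spot SSDP (UDP/1900) reflection traffic in flow records.

Added example for the DDoS and SSDP amplification passages; not code from the
IOCTA report. Flow records, addresses and thresholds are constructed sample
data and assumed values.

Record format (one flow per line, space separated, assumed here):
    proto src_ip src_port dst_ip dst_port bytes packets
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900

# Constructed sample flows as seen by a transit/network operator: several UPnP
# devices (203.0.113.x) answer spoofed M-SEARCH requests that appear to come
# from the victim 198.51.100.5 with responses many times larger. One device in
# the operator's own range (192.0.2.20) is also answering the outside world,
# i.e. it is usable as a reflector. The last two lines are unrelated traffic.
SAMPLE_FLOWS = """\
udp 198.51.100.5 40001 203.0.113.10 1900 90 1
udp 203.0.113.10 1900 198.51.100.5 40001 2700 1
udp 198.51.100.5 40002 203.0.113.11 1900 90 1
udp 203.0.113.11 1900 198.51.100.5 40002 3100 1
udp 198.51.100.5 40003 203.0.113.12 1900 90 1
udp 203.0.113.12 1900 198.51.100.5 40003 2950 1
udp 198.51.100.5 40004 192.0.2.20 1900 90 1
udp 192.0.2.20 1900 198.51.100.5 40004 2800 1
udp 192.0.2.7 55000 192.0.2.1 53 60 1
tcp 192.0.2.7 55001 203.0.113.99 443 5200 12
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int
    npackets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the simplified flow format; blank lines and '#' comments are skipped."""
    flows: list[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        p = line.split()
        if len(p) != 7:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(p[0].lower(), p[1], int(p[2]), p[3], int(p[4]), int(p[5]), int(p[6])))
    return flows


def ssdp_reflection_summary(flows: list[Flow], min_reflectors: int = 3) -> dict[str, dict]:
    """Per destination receiving SSDP responses from >= min_reflectors distinct hosts:
    number of reflectors, total response bytes, and the amplification ratio
    (response bytes / bytes of port-1900 requests claiming that destination as
    source; None if no such requests were observed in the records)."""
    responses: dict[str, dict] = defaultdict(lambda: {"reflectors": set(), "nbytes": 0})
    request_bytes: dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == SSDP_PORT:          # response leaving a UPnP device
            responses[f.dst_ip]["reflectors"].add(f.src_ip)
            responses[f.dst_ip]["nbytes"] += f.nbytes
        elif f.dst_port == SSDP_PORT:        # (possibly spoofed) M-SEARCH request
            request_bytes[f.src_ip] += f.nbytes
    summary: dict[str, dict] = {}
    for victim, r in responses.items():
        if len(r["reflectors"]) < min_reflectors:
            continue
        req = request_bytes.get(victim, 0)
        summary[victim] = {
            "reflectors": len(r["reflectors"]),
            "response_bytes": r["nbytes"],
            "amplification": round(r["nbytes"] / req, 1) if req else None,
        }
    return summary


def exposed_local_reflectors(flows: list[Flow], local_prefix: str) -> set[str]:
    """Hosts inside local_prefix that send SSDP responses to addresses outside it."""
    net = ipaddress.ip_network(local_prefix)
    found: set[str] = set()
    for f in flows:
        if f.proto == "udp" and f.src_port == SSDP_PORT:
            if ipaddress.ip_address(f.src_ip) in net and ipaddress.ip_address(f.dst_ip) not in net:
                found.add(f.src_ip)
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim, s in ssdp_reflection_summary(flows).items():
        print(f"{victim}: {s['reflectors']} reflectors, {s['response_bytes']} B, "
              f"amplification x{s['amplification']}")
    print("local devices answering SSDP externally:", exposed_local_reflectors(flows, "192.0.2.0/24"))
```

On the sample data the victim receives responses from four reflectors at roughly 32 times the request volume, and the local device 192.0.2.20 is reported as an exposed reflector. The `min_reflectors` threshold is what separates a handful of legitimate SSDP replies from reflection traffic; in real exports it should be tuned against the baseline of the monitored network.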


Recommendations

  • In order to be able to effectively investigate this type of crime, law enforcement must share experience, expertise and best practice and seek to increase their capacity and capability in dealing with investigations of this nature. Law enforcement must show that it is both ready and able to meet this challenge.
  • Law enforcement must continue to engage with private industry to build and maintain relationships in order to increase industry confidence and the likelihood that law enforcement will be approached in the event of a breach.
  • If the affected party has not yet done so, law enforcement should advise contacting national CERTs for addressing the incident response and prevention of future incidents using anti-DDoS protection.
  • As the business costs of seizure of the targeted infrastructure for forensic examination may be prohibitive, law enforcement should develop in-situ forensics capabilities.
  • Law enforcement should closely cooperate with IT departments of the affected companies to assure preservation of relevant evidence.

  1. LowCards, 40 Million Card Accounts Affected by Security Breach at Target, http://www.lowcards.com/40-million-card-accounts-affected-security-breach-target-21279, 2015
  2. Verizon, 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015/, 2015
  3. Krebs on Security, Online Cheating Site AshleyMadison Hacked, http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/, 2015
  4. International Business Times, John McAfee, Is the AdultFriendFinder Hack a Major Threat to National Security?, http://www.ibtimes.co.uk/john-mcafee-adult-friendfinder-hack-major-threat-national-security-1504070, 2015
  5. Verizon, 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015/, 2015
  6. Breach Level Index, http://www.breachlevelindex.com/, 2015