Ed Cabrera, Chief Cybersecurity Officer at Trend Micro, discussed the why and wherefore of ever-more-sophisticated cyberattacks.
In the first thought leadership presentation of the day at the 2017 Chief Information Security Officer Leadership Forum held on September 26 in Dallas, Cabrera stated, “When we talk about the evolution of cybercrime, we can’t look at it in a vacuum. How the types of threats and attacks have evolved over the years isn’t happenstance. It’s an evolution in the ecosystem where these criminals reside. The collective intelligence of the criminal underground has been changing, and we’re seeing the result of that now.”
“We hear a lot about global cyber risk. We look at the attacks of late—Equifax, SEC, Deloitte—and we know the likelihood of attack is going up. That’s a given. Data fraud and data threat is the new norm,” observed Cabrera.
“In 2014, we started to see a shift in ransomware. At that time, only 20% of the ransomware families that we were blocking and tackling were crypto ransomware. In 2015, that had gone up to 80%. In 2015, there were only 29 families of ransomware. In 2016, there were 247 unique families. For the first half of 2017, there were 168. That’s a 752% increase from 2015. So the number of attacks we’re seeing isn’t surprising,” he stated.
“In talking about the Russian criminal underground, I use business terms,” said Cabrera. “In the mid-1990s, eBay and Amazon came online and revolutionized e-commerce. In the Eastern Bloc, a parallel marketplace began to take hold and thrive. I call this Crimicon Valley. This is where Eastern Bloc, highly skilled, underemployed individuals in the post-Soviet Union era meet the globalization of the Internet and e-commerce, creating the recipe for a huge underground where we’re now seeing crime as a service. There’s a collective rising of the tide lifting all boats in the criminal underground.”
He continued, “In the criminal underground, there’s always ROI. The reason ransomware is developed and used is because it’s making a lot of money. When we tracked this explosive growth, we noticed the development of a new model. The scaling and service providers were different. In order for ransomware to work, an end-to-end, C2C infrastructure for criminals was developed. This explains the growth of ransomware as a service (RaaS) and why it’s here to stay. Also, for ransomware developers, it’s not only about building a better mousetrap for its victims but building better information and support for its users.”
“The advancements in ransomware aren’t only looking to see what services or tools they can use and take advantage of on your systems but are also looking for security vendors to bypass or turn on. Then there’s Satan, which is an RaaS that actually recruits individuals to be a part of the system. Cybercriminals collaborate in order to achieve scale. For example, some ransom notes were made available in 27 different languages,” he said.
“Ransomware was born in the criminal, Russian-speaking underground, and this is where it’s really grown. Interestingly, there’s always been an unspoken rule in the Russian-speaking underground that Mother Russia won’t be attacked. This rule has been hardcoded into their ransomware, and other advanced malware has this same capability,” noted Cabrera.
He then told a story involving the inviolate rule of not attacking Russia and how cybercrime evolved as a result. “In 2016, the individuals out of Russia who were behind the Lurk trojan campaign that attacked Russian banks were arrested. The Angler exploit kit fell off the face of the earth after this arrest. So, it was assumed that the same group was behind both campaigns, which meant this criminal group was diversifying. At the same time, Neutrino peaked to replace Angler. It, too, went off, but not because of an arrest. Just like in private industry, Neutrino—which was public and willing to sell to anyone in the criminal underground who wanted to pay for the service—decided to go private.”
In conclusion, Cabrera observed, “Everybody knows about business email compromises. The FBI just put out data that there have been five billion, and the average loss per scam is somewhere around $250,000. That’s here to stay, and it’s happening all over. This has gotten very sophisticated, with attacks being more front-loaded in their reconnaissance and much more targeted.”
ABOUT ED CABRERA:
Eduardo E. Cabrera is a trusted advisor and a proven cybersecurity leader. He’s responsible for analyzing emerging cybersecurity threats to develop innovative and resilient enterprise risk-management strategies for Fortune 500 clients and strategic partners. Before joining Trend Micro, he was a 20-year veteran of the United States Secret Service with experience leading information security, cyber investigative, and protective programs in support of the Secret Service integrated mission of protecting the nation’s critical infrastructure and its leaders.
Recently, he served as the Secret Service CISO where he was responsible for establishing and maintaining a global information security and data privacy program to protect Secret Service data information assets and systems. He led a team of Information System Security Officers and Compliance Specialists to develop and deploy continuous risk assessment and mitigation programs and policies critical to protecting the Secret Service enterprise.
Mr. Cabrera started his career in the Secret Service in Miami, Florida, where he worked on and led major cybercrime investigations against criminal groups that targeted financial and retail sectors. He moved on to Washington D.C. to proudly serve on the Presidential Protective Division for President George W. Bush and then transitioned to the Secret Service Criminal Investigative Division. There he led cyber forensic operations in support of Secret Service large-scale data breach investigations and served as the Secret Service Advisor to the National Cybersecurity & Communications Integration Center (NCCIC). At the NCCIC, he was responsible for identifying, analyzing, and sharing malicious data-breach indicators derived from active Secret Service investigations and worked closely with Department of Treasury, the Financial Services Sector Coordinating Council (FSSCC), and the Financial Services Information Sharing and Analysis Center (FS-ISAC) to create public/private threat intelligence sharing strategies and programs to combat data breaches targeting the financial sector.
He’s a guest lecturer at New York University Polytechnic Institute, Computer Science and Engineering Department, and was a contributing subject matter expert on law enforcement, cybersecurity strategy and policy, and computer forensics and network intrusion incident response for the 2014 Risk and Responsibility in a Hyperconnected World, the 2012 Homeland Security Advisory Council Task Force on Cyber Skills Report, and the 2012 Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector. He’s a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).