True Cybercrime: From Basement Hacks to Big Business | The Element Podcast - E08
Cybercrime has gone from being a small basement hack and some isolated threat actors to being a fully profitable big business. We're sitting down with the true crime experts from the FBI and Europol to dig into this trend and see what's really happening and what we can do about it to get our businesses more secure. This is The Element Podcast, presented by Hewlett Packard Enterprise. I'm your host, Martina Turco, and I'm joined by Eric Strom. Thanks for having me. James Morrison. Nice to be here. And Bob Warren. Thanks for having us.

I really want to start by understanding what's really driving the trend of what we're seeing, because it seems the attacks and the breaches are happening more often, they're getting worse. What's your perspective when you see this from the crime-fighting perspective? What's really happening out there?

From our vantage point, law enforcement, we're seeing a much more organized group of cyber actors, whether they're nation-state actors or criminal actors, and we like the term crime as a service, because what we're starting to see is more specialty. So when you take out one segment of a group, they just find somebody else to fill that void, and so that persistence of the crime continues. So that's the real challenge for law enforcement right now.

Right, yeah. I was actually reading the Kaspersky report for 2019, and he was talking about kind of that same idea, and it kind of meshes with what we see, which is that more and more people are able to get into it now because the price point is lower. So now I can get into the service, my upfront cost is very low, but there's so much money on the back side. So if I'm able to launch the successful ransomware campaign, I can clear millions and millions of dollars, which was kind of a difference from the old credit-card fraud where, you know, you get a credit card and you sell it for $8.00. So even if you stole a million credit card numbers, you
made the money at eight-dollar increments as you told to sell those credit cards, you know, some places. But now I can get a much bigger payoff at a faster pace.

I was gonna add to that. You know, in the IT industry, which you and I are in, we always think of things as a service: software as a service, infrastructure services, everything as a service. I guess we never really thought it would include cybercrime as a service, right? We're looking at it for good, not evil, but it turns out they're pretty clever about it.

You know, I'm a programmer, so if I was a bad guy programmer, how do I make more money? So the way I make more money is I license the product. It's the exact same business model that you're talking about. I can write a code and then go and sell it on the dark web and let people buy it and license it for a year, and then if they want to continue their attack surface after that, they have to come back and relicense it. So it's really become more of this business model, just the exact same as, you know, HPE or other companies.

And I think it really is lucrative and profitable. You know, I like to quote a couple of statistics from Cybersecurity Ventures group that's indicated by the year 2021 cybercrime will cost the global economy some six trillion dollars. It's trillion. Trillion, which is, to put that in perspective, that's a third the gross domestic product of the United States, so larger than the GDP of France, Spain and Italy put together. It's the greatest transfer of wealth in the history of mankind, larger than the entire global illegal drug trade. So it's just phenomenal. Ransomware itself, along those same research statistics.
Ransomware, it's gone up 15-fold in the past couple of years because it's just that lucrative. That goes with business email compromise, or CEO fraud. Here in Europe it's a multi-billion-dollar loss, and it's basically social engineering, right? And that's just scratching the surface of what Bob is talking about.

Well, and then even more onto that, what's kind of interesting from our perspective is we've both been in, you know, roughly 20 years, and we've seen that change even in the way law enforcement handles it. I mean, the FBI has understood that now it's an international problem, and so that's why we have people working directly with Europol and pooling our resources and trying to, you know, come at the problem together, versus what it used to be, each country would kind of do theirs, because we know that there's strength in numbers, including from the nation-states.

I was specifically assigned to Europol in 2015 to work on the Joint Cyber Action Task Force, which is comprised of 14 countries. We all sit together, basically in a room, where we're all cyber experts, sharing information, looking at the overlaps, looking at the threats, and deconflicting and coordinating.

And this is the kind of thing that many, several years ago might not have been the case, because sharing information across these boundaries was not the norm, but you really have to now, to sort of face the problem.

No choice. And one thing that we're trying to catch up on now is the actual legislation and legal aspects of transferring the information. We exchange a lot of information police to police, but when we want to use it for court, that's when we run into some of the slower aspects of the laws. And we have the MLAT, but in Europe they have what they call the Budapest Convention that allows them to share in real time. The United States is not part
of that, so we still have to rely on the MLATs, mutual legal assistance treaties, and that takes a little time. But the fact that we can sit together, work together, has really sped up the process.

Well, there are other laws and regulations that are taking place now. One of them, GDPR, that's especially effective right here in Europe, and that requires, there's verbiage in there that says we've got to build in security to prevent this type of cyber breach in the future. So, you know, we have to help our customers be ready to comply with the GDPR by building in security.

Well, that's had a ripple effect across, of course, the entire, you know, since we're in international economies. So even countries, you know, or companies in the United States that may not think they do business in Europe, they may have customers, European
customers, and so GDPR regulations are going to have an impact on them. And we're starting to see kind of a change, in that the criminals understand that as well. So the criminals are coming to companies and saying, "We've breached your data, and if you don't pay us a ransom we will reveal this, and it will hurt your stock price, and also it will cause some regulatory problems for you with the GDPR." And brand recognition. The threat to the brand cannot be underestimated.

To me, you had a problem with the ransom order. Before we move off of that a little bit, and you've often told us this: those companies that do pay the ransom, over half of them never get their data back anyway. So, you know, they're enabling the problem, and you may potentially not even be able to recover. You pay the ransom, you don't get your data back, now you're really crippled.

There's kind of an interesting ripple also in that one, in that statistics are also showing two-thirds of the people being hit by ransomware are small and medium businesses. And so that's a really interesting question, because a lot of those businesses don't have any cybersecurity built in. They have no idea how to be secure. And so over time it's important for those businesses, and even individual users, to start having a better understanding that you are a target simply because you have money. That's all it takes, is to have a little bit of money. And even home users get hit for six hundred, eight hundred dollars on a ransom.

I want to come back to ransomware in a minute, but there's something else that I kind of want to tease out of what I feel like I'm hearing, because we're talking about how this has really become a big business, right? But how has the attack landscape also changed? Because I think many of us have the perception of what we imagine a hacker to be from what we see in the movies, right? We
see kind of a guy in the basement of his mom's house, and maybe he's trying to hack a big company just for fun, or, sorry, he's just trying to be kind of a bad guy. And we're imagining the companies are in their sort of cybersecurity operations center and it's all about getting into the firewall. But I think that's really changed as well. So where are the threats actually happening now? Is it only about trying to actually penetrate?

Statistics will show more than 90% of the attacks will still start with an attempt to socially engineer your people. I mean, it's so silly, but it comes down to phishing and passwords. If I can get somebody inside your network to click on a link, I don't care about your firewall anymore. I'm past your firewall and I've got a foothold into your network. And then if you have bad passwords, I don't have to worry about that either.

We were kind of talking about how simple it is to put a fake website up, yes, send an email to a customer and say, "Oh, could you please log in to our website?" And they'll click on that link and they'll put in their username and their password, and they'll do it two or three times. "I don't know why that didn't work." And then later they'll log in successfully
and totally forget about that. But it could have been a fake website, right, that now has gathered usernames and passwords. It's a very easy attack, and people don't consider how easy it is. And they have the brands and the logos, and it all looks perfect.

That's why you see these major breaches. And a lot of times they're not gonna really act on that information that they receive. They might just sit and wait. And I always liken it to, like, a herd. So if you're looking at an industry sector, you always look for the weakest one, right? So they do their research, they go online, they realize, look at this problem, this company's struggling, this company just merged with somebody else. They look for those moments of vulnerability.

Right. Yeah, which really brings up a point. You know, cybersecurity does transcend all of those customers, those companies that are out there. A lot of people think it's maybe just focused on large enterprise customers. It's not. So there was an article in the Denver Post I read that indicated small companies that suffer a cybersecurity breach, 60% of them are out of business in six months.

Wow.

They just can't take that, handle the impact to their business. Enterprise companies can't stand the brand equity destruction because they've really suffered a huge cybersecurity breach. So it doesn't transcend. A huge, I think, every company that's out there, really. And the surprising thing is those hackers are now becoming more and more sophisticated. They're like organized
crime now. They're not the individual hackers that you might find in a dorm room just trying to cause some chaos. And you've got nation-states, as you guys well know, right?

Well, and even as you're saying, there are still those individual hackers, but now they're buying products that are very high-end. I mean, they're buying really good software and then using it to attack. We were talking about, like, denial-of-service attacks against, like, gaming platforms, and they'll do it because they're angry about something that happened in the game, but it gets out of control and then causes a very large-scale denial of service. The other aspect of that is that ransomware is now becoming destructive, in that it's not just about keeping your data and then not giving it to you. It's about actually destroying the hardware if you don't pay the ransom.

Interesting that you brought that up, because I think it can be a little bit of a controversial idea, but I'm gonna throw it out there: is it really just a matter of when, and it's not a matter of if? And so when you think about the impact of ransomware, and it's easier and easier to see that, and if it really is more than just trying to hold your information ransom, it's actually being destructive, do you actually have to really move not just into prevention but thinking about recovery, right, Bob? 'Cause I know this is something.

I think we're there today. And again, the statistics will show that there's about 720 million attack attempts every single day, every 24 hours. So I think it's almost inevitable that companies will suffer some type of a penetration into their infrastructure, into their IT infrastructure. The question is, can we protect them or help them recover so that they don't suffer the consequences of that breach? We want them to be able to recover. So no longer is it really acceptable, in our view, to just have perimeter protection
or defense. You have to have defense in depth, which means you have to have the ability to not only provide really strong protection,
and you want to have that, but then also the ability to detect if there's been some type of a breach. Because I think you're the ones that told us that over half the breaches take place inside the firewall. So, you know, a disgruntled employee, or a contractor who's been terminated, and not terminated their login credentials. And so those breaches are taking place inside the firewall. So what do you have to have then? You have to have the ability to detect that breach and then also go one step further and recover from that. And if you can do that, if you can provide great protection to keep most of the penetrations out, the breaches out, but one does happen, eventually does happen, then you can detect it and recover from that, you don't suffer the consequences.

Right, and having brand equity. And that's something we understand: they're gonna get in. I mean, I think we have to understand that they are going to get in. I think Bob brings up a good point. The question is how long will it take you to detect them, right? And I think the Kaspersky report said that, still, on average it's 200-and-something days or something, you know, before you detect that they're even in your network. So detecting them in your network and preventing the loss of your data is going to be key. Another statistic that comes up is that it used to be we'd spend about 90% of our IT budgets on firewalls, on perimeter protection, and about 10 percent on internal, and that number has changed, where we've seen more money is now being spent on intrusion detection, whether it's host-based or network-based. And we need to have that understanding: how are you going to detect them? What's going to be the plan? How are you gonna kick them out?

I mean, I really want to ask you guys, you're freaking us all out a little bit, right? It sounds like it's dire, but
I can see there's a few glimmers there. You're starting to talk about kind of different ways that we're approaching the problem. It's a huge problem, right? It's sort of an asymmetric battle, right? You can't go against all of these actors with brute force. I'm guessing you have to outsmart them. So what are we trying to do to really outsmart these guys, and how does technology really help us protect our own technology and ultimately our information?

Right. You touched on one glimmer of hope, the fact that we're all working together. It's not only just within law enforcement. We're working with public-private partnerships. The FBI's been doing it for a long time through a number of different programs, and that has helped considerably, because it's gotten law enforcement up to speed on what some of the current threats are, and
then it's also enabled kind of the trusted relationships. So when we do come across an oddity or something new, we're able to at least communicate that to our partners, whether it's through a national PIN or FLASH that we usually push out, or just a one-on-one discussion, maybe with a trusted industry partner within a company that's in our AOR.

Yeah, and so what we're really trying to push for is, we've been reactive. And really what cybersecurity has been over the years has been the old whack-a-mole game, where you wait for something to pop up and you hit it and knock it back down and wait for something else to pop up. But what we're trying to push more for, and that's why, you know, working with companies, is for a more proactive, you know, getting ahead of it. So we were talking about, like, AI, you know, and using artificial intelligence in an attempt to predict what a hacker will do. And I think there's a lot more products entering into that space of saying, you know, I want to know, okay, so somebody's knocking on the firewall, somebody's knocking on my router, somebody's trying to log in, what are they going for? And you can see trails of where they're going. And I think as we start to get better about analytics, I think we've got a much better future on that.

And along those lines, you know, we collect a lot of data, and have three years on cyber investigations. Whenever we arrest somebody, or image a server, or do a search warrant, in the old days we would just kind of worry about the target they were looking at and didn't really look at the information. Nowadays, it's
the data analytics. It's looking at the data in there and the relationships that that person may have had, who they communicated with, making those ties. And oftentimes you do work with our private sector partners, I mean, okay, how can we better look at this data so that we can actually get more value out of it?

Right, using AI to sort of find the answers that might have been hidden in plain sight, right? And so, Bob, I'd like to maybe ask you to tell us a little bit more about kind of what is the infrastructure in an IT company, whether it's a big company or a small or medium business. What should people look for when they think about how to really set up a system that can handle these kinds of attacks?

Great, that's a great question. And I don't want to leave the topic of this daunting cybersecurity breach problem without saying that, you know, it is critical, it is important, and as we've talked to CIOs and CEOs, it is probably the one thing that keeps them up at night. Thank You Majan. But, you know, all is not lost. We have a lot of great technology. We've done a lot, as has the industry, and we've been collaborating with guys like these gentlemen here, because they're on the cutting edge of identifying these attack vectors. And as they identify where the new hackers are going, or their new attack vectors, they work with us, and then we help design new technology
and protocols to defeat those attackers before they actually get to where these guys think that they're going. So I think the next horizon, as we've done in the past working with you guys, we've designed in security protection down into the control plane or down into the firmware. This is actually one of those trends that the FBI had identified a few years ago working with us, and so we created what we call our HPE silicon root of trust. And so we've embedded that, which really goes right down into the silicon, into our own HPE silicon, and embeds the firmware there to protect that from any type of malware or ransomware. I think in the future, you know, we'll continue to expand that. That'll be one way that we'll provide greater and greater protection. And I think there's probably an area of artificial intelligence or machine learning that will continue to expand, and we've got some good examples of that now with our Aruba IntroSpect, that actually does use artificial intelligence to help determine if there's a bad actor or some type of nefarious behavior and then quarantine that person out until they can be reverified. And we're just here this month announcing our HPE InfoSight, and we'll continue to expand that into the artificial intelligence in the security arena, to help provide that advanced protection, to help those companies root out those bad actors before they do any damage.

This isn't an IT issue anymore, right?

And that has to be the understanding, that, you know, for years we left cybersecurity in the IT field and everybody sort of ignored it. It's now a board issue. It's now an executive issue. And whether it's GDPR in Europe or whether it's other regulations going on in the United States, the SEC is starting to put more regulation on reporting these events to shareholders. And when
a breach occurs, it's a five to eight percent hit on the stock price. Wait, so that is a tear right off the top, and that's just the way it is. But then the reputation damage is long-term. And one thing I've been hitting on, we were kind of talking about earlier, is I'm not necessarily going to go after the big company directly. I'm gonna go after your subcontractors. And so one issue that we've kind of run into is, like, construction companies. So construction companies are doing all this work for these large oil companies, but they have no cybersecurity built into their networks. So all I need is to get a foothold into, you know, a construction company and wait for them to log into the big oil company's network, and I can piggyback into there. So it's not just the large companies, it's all of their subcontractors, it's all of their supply chain. We've got to make cybersecurity built into the business problem.

And then it really sounds like it's something that also has to be built into sort of corporate governance. It has to be something you train your employees on, right? Because going back to your point about ninety percent of these, you know, ransomware attacks are coming in because of social engineering, but then your employees, or your subcontractors' employees, are the ones that are on the front lines of that, right? They're the first line of defense.

And that's amazing. When we go into, you know, we'll go into an investigation
and you'll do a little bit of triage and you'll find it goes back to an individual clicking on an email, and that is, you know, patient zero, if you want to call it that. And they were like, "Well, I clicked on it because that's my job, to check email." And they had no concept that that one email could explode this ransomware into a corporate network and knock their network down for three weeks.

That's the human element you talk about, which is always tough to really govern and control and train. It takes a lot of effort to make sure that people understand that, because a lot of those phishing emails can look quite compelling. They look like they're coming from your CEO, your CFO, and they say, "Hey, we're going to be in trouble unless you click here to release payment to them." So you feel compelled as an employee to do that. Or you're an employee that finds a box of USB sticks that are out in the parking garage and they say "payroll information," so the first thing you do is plug that into your computer and, you know, boom, you're infected with the ransomware virus. So it really does take a concerted effort for all companies with regard to this human element to make sure that they're training all the time on these latest advances that hackers are using. And they're really sophisticated, and sometimes they're really simplistic.

Like in the US, and it doesn't matter what industry you're in, right now real estate's being hit really, really hard by, you know, fraudulent emails. There's a guy suing a title company for eighty-eight thousand dollars that he lost because he thought he was providing a down payment on a house, and the title company had sent an email with all of the information, login information, completely open, and exposed his information. So it's an understanding that, I don't care what industry you're in, we can't hide behind that. It doesn't matter whether it's healthcare, finance, you know, real estate, law firms, you're
gonna be hit. Start planning for what you're gonna do on cybersecurity, not when you get hit, because everyone tries to plan when they get hit, and that's a bad day, and you'll make it a worse day. But you want to have a plan before it ever occurred.

Right. You know, it's interesting, because we talked a lot about the trends in this area. You guys bring up AI, which is of course very buzzy. Everybody's looking for ways to use AI to kind of run their businesses better, tackle problems differently. There's another trend that we're really seeing out there, which is the proliferation of IoT applications. We're going to see so much of the data being created at the edge. What does that mean for the security risk? Because again, you know, if you only had to do perimeter defense on a data center, right, or your corporate networks or things like that, once you have these devices that are out there in the field, thousands of them, they have computing capabilities themselves, I can imagine that that completely changes the risk calculations.

Yeah, our data indicates that some 70% of data in the future will never see the inside of a data center. It's going to be out there in edge devices, likely, for the most part, and other locations, not necessarily inside a nice secure data center. So we've got to move all these security protocols and technologies out to the edge where that information is being actively processed, and make sure that those are protected.

Yeah, and it can't be a bolt-on. And that's the other thing that we're really pushing for, is that these devices need to have security built in from, you know, cradle to grave, and
that's where, you know, we're working, of course from our standpoint, and I know Europol is working the same thing, securing the IoT. We saw a very large attack a couple years ago using web cameras, where an attacker was able to get Mirai bot software into web cameras and then turn all those into an attack surface against some major networks on the east coast of the United States.

Exactly. So the devices themselves are throughout the network. Connectivity, of course, is potentially a threat. Lots of opportunities there. We've obviously talked about the fact that there is still hope, right? And so I want to leave everybody feeling a little bit better about this problem, even though it is always a little bit fun to kind of think about kind of the true cybercrime. But maybe, everybody, just to wrap up, I want to know what you would like to see going forward in the future. Maybe Eric and James, from your perspective, in terms of what you see from the government, the policy perspective, or, you know, just having people walk away with some really key tips for their businesses and their own lives. And then maybe, Bob, you can bring us home, because I'd love to hear from you about where you think the technology direction's headed too. So maybe, Eric, if you want to go.

From a capacity building, you're seeing new areas, like Africa or Asia, that are popping up, and we're trying to train them as best we can, getting them up to speed, because as more and more fiber's being laid in some of these areas, you're going to start seeing more criminals use that as an attack vector. So working with the host governments, improving legislation, including training. We're currently doing some of that. We're trying to do more. Organizations like Europol or Interpol, obviously the FBI, have been doing that and trying to collaborate on doing that, sharing resources to help train. That's
obviously very helpful. I think, as we touched on earlier, if more boards and more executives understand that this is a real problem, and if they support the security apparatus within their company to harden them, get more involved in understanding what the threats are. And cyber can be very intimidating, but I think if you strip off the base, you know, that kind of the scariness of it, it really boils down to organized crime groups, nation-state attackers, and if you understand that, then you'll have a better appreciation for what your people are doing to improve the company.

I'm a technical Intel, and so what I'm looking at is we need to be able to share more of that technical threat information. The problem is companies right now, when they get hit, don't want to talk to anybody. They want to kind of put it under the rock. They seem to avoid it, and there's reasons for that. So we need to get better about being able to share that technical threat information, so if company A gets hit and they provide it, whether it's to us or another group, we can then go to other companies and say, "This is a very recent attack that occurred. You need to do X, Y and Z to harden yourself up." We've got to be able to share that information across the industry. And so that's where I've really been trying to work, is better on the communication side, better on the liaison side. And we, US, FBI, Europol, are partners in this. It's not necessarily about, we're going after the criminals; most of them are going to be in other countries. But we want to go after protecting the infrastructure, protecting the companies so that they continue business.

Can I add one more thing? There was a little bit, a lot of success lately, where
companies have come forward and said that they have been attacked, and in most cases they've been nation-state actors. And so we've actually had some successful, we've indicted representatives from other foreign governments because of the nature of their work and the attacks they made. But we couldn't have done that if not for the willingness of the companies to say, "Hey, listen, this is a problem. We want everybody else to understand it, and we don't mind being named in this, because in the long run I think it's gonna help the industry as a whole."

The shame makes it worse. And especially in the criminal, as criminal, you know, issues get larger and larger, the large targets need to be, you know, more open to talking to us so that we can break some of these criminal elements. We have better success in breaking down criminal, and arresting criminal hackers, than we even do with the nation-states. Let us do what we do best and arrest the criminals, and let's share the Intel.

And we
should be incorporated in any kind of risk analysis or assessment. So if you're out there and you're looking internally, you should have contacts, whether it's, you know, we always joke around, even if it's going out to lunch every once in a while with your local FBI rep. And if you have that, you know who to call when you're having a problem, that can come in, and they can help you partner.

It's a very tangible piece of something, right?

Let me say that I've really appreciated the collaboration, and I see this cybersecurity protection going in that direction: more collaboration with agencies like we have here today. As they identify these new threat vectors, then we can help design in security technology and protocol to help protect against that. I don't want you to think we haven't done; we've done a lot of stuff. Our big focus at HPE is protecting from edge to cloud and everything through the value chain, all the way from the supply chain through shipping, receiving, to operating the equipment, and to finally the end of life. We call that a cradle-to-grave approach. So we definitely focus on that. And I think that cybersecurity is somewhat analogous to a chain link, and the chain is only as strong as its weakest link. And so we've got to make sure everything is strengthened and strong and has cybersecurity protection: storage and networking, servers, and your supply chain and the edge devices and the cloud. It's all got to be holistically strengthened, and that's what we're doing. I can tell you that you're right, a lot of companies don't like to talk about security breaches or what they've had happen to themselves, but I can tell you for a fact that there are a lot of companies out there, with some of this new cybersecurity technology that's available, that in
the past may have suffered a breach. Today they don't, because they're deploying a lot of these new technologies. So we really are making a big difference. Between the agencies and the public sector and the private sector working together collaboratively, we're really helping to protect customers. And I see this going further by extending these base hardware-based protection technologies more broadly across our infrastructure, edge devices, storage, networking, all that, as well as deploying more artificial intelligence and machine learning throughout a whole series of that value chain. I think that's really the future direction. We're going to stay one step ahead of those bad actors so that we're going to prevent any, we're gonna skate to where the puck is going so we can make sure that we protect our customers and not have them breached.

I like that. We're gonna try to outsmart them. We're not gonna go straight up against them. We can do that for the private sector. We can definitely outsmart.

Fantastic. Guys, this has been a fantastic conversation, really rich, and, you know, it's really inspiring, I think, also to see that there is this active collaboration between the private sector and the public sector, and, you know, really nice to see that there's that openness on both sides as well. So I think we can all sleep a little better at night, hopefully. Even though the news seems a little scary, I think there's some great tips on ways to make it a little bit less scary. So thanks very much. Thanks for joining us on The Element Podcast, presented by Hewlett Packard Enterprise.