Everyone has heard of CryptoLocker. Has anyone thought about how their lives would change if computer crime became a whole lot more like CryptoLocker and a lot less like just about everything you've worked on in your careers?
Think about this for a minute: if I am a victim of ransomware and I act now, I can pay a few hundred bucks to undo the mistake of clicking on a dodgy email attachment, and no one would be the wiser. $300-$500 is about what a well-qualified computer forensics or incident response practitioner is going to charge – if you're lucky – for one hour of their time, and no amount of forensics knowledge or skill will get you out of a ransomware jam.
This last point is important. Our own experience dealing with ransomware cases drives it home: the genius behind ransomware is that it is – whether intentionally designed that way or not – the best lesson in computer security economics ever. Unfortunately: people are not learning the lesson. Too many of them refuse to pay the ransom. Usually it is based on moral grounds: Paying a ransom is giving in (in some jurisdictions doing so is itself a crime) and "letting the bad guys win" (they already won). But absent current backups from which to restore your data, paying the ransom is your only option. “Computer security” or incident response cannot save you if you’re a victim of ransomware. I know of cases where people would rather let their businesses flirt with failure, or surrender supposedly “priceless” memories in the form of family pictures, rather than part with $300. Don’t think about the organization you work for, think about the team you’re on in that organization. Now think about how long and painful it would be to manually reconstruct every document you’ve ever created.
Now think about the computer security industry today. What are some of the major themes it is promulgating?
- “increase attacker costs”
- “Active Defense”
- “Find evil”
- “Assumption of breach”
How are computer criminals responding?
For starters, committing computer crime is always going to be cheaper than fighting it. The bad guys cooperate. They don't care about jurisdictions or inter-agency politics. They appreciate and understand the value of time and money. I have no idea how much it costs to develop your average ransomware, but I think it is safe to say that the people who code it probably make several orders of magnitude more than their investment.
Find evil? Every year the Verizon data breach report drives home the point that people are indeed finding evil…roughly a year after it's landed.
Active Defense is not a bad idea, but who has dealt with an organization that is capable of doing it effectively? More to the point: who here knows an organization – outside of the government – that actually wants to make the investment necessary to bother with Active Defense? If you're going to try to attribute some activity, the end goal should be some kind of legal, economic or political action. I've never dealt with a commercial concern that wanted to exercise that level of effort. Computer crime is estimated to cost billions of dollars each year, but we don't put away nearly enough computer criminals of note; there is a reason for that.
Assumption of breach is probably the only thing that defenders are saying that makes sense. Again, back to the Verizon report: people aren't just owned, they're constantly owned. Our own experience supports their findings: we've never done a security assessment that didn't reveal the customer was riddled with evil they never even knew existed; we've never done an IR for a specific issue without uncovering another issue the customer had no idea about.
Back to the industry:
- Computer security is hard
- Computer security is expensive
- Computer security requires highly specialized skills and increasingly rare talent
Back to the criminals:
- Undoing a ransomware infection is a few hundred bucks
- A caveman can do it
- Attacking down the food chain: going after the people who least understand threats and/or are least prepared or able to deal with them (small contractors).
Here is the problem: what happens when the computer criminals decide to punt on complex schemes and adopt the ransomware model for all their activities? What am I talking about? I’m sure if all of us in this room spent five minutes we could come up with some great options, but these are a few I came up with to get your creative juices flowing:
- CryptoLocker in reverse. Pay me a minimal amount of money in a given time-frame or I’ll publish your sensitive or proprietary files online for everyone to see. Same problem as CryptoLocker: cops can’t help you, incident responders can’t help you, forensics can’t help you…maybe you can count on the good will and sense of fair play in your competitors…
- Live in a country or community that frowns upon certain types of behavior? Pay me or I'll make sure the pitchfork brigade is at your door. Complicit in some kind of action that I find offensive? I'm going to go Steubenville on you.
In each of these cases the victim is faced with a dilemma: pay the morally or ethically-repulsive ransom, or deal with epic amounts of embarrassment, harassment, or worse. This is the age when employers are making hiring decisions, or firing people for their comments and images of their actions on “social” sites, which is something you could never get away with in meat space.
What, if anything is going to save us? Perhaps the more important question is: do we deserve to be saved?
- The one thing we all know we can count on is legislation. Legislation to combat computer crime isn't going away, but it's going to become increasingly useless in a practical sense. The CFAA is a pretty blunt instrument, or at least it's used that way, but any attempt to refine it or come up with a more granular approach is going to run straight up against the legal version of Moore's Law, which is to say that by the time a new, well-crafted bill against ransomware-like activity becomes law, ransomware will have become obsolete. But legislation is something people know how to do, so it's what they do, rather than come up with something else.
- As long as insurance companies are going to write data breach policies, there will always be a demand for some level of security. But cyber security policies will be a lot more like health insurance policies: we’ll write you a policy if you’re old, fat, smoke, drink too much, and skydive five days a week and swim with sharks on the weekends…but we won’t offer much coverage and it will be expensive. As long as that price is less than a SOC-worth of hardware and a platoon of people with a lot of letters after their name, people will pay it. As long as businesses can pass along the expense associated with fines and penalties, they will.
- I’ve been doing this a long time and I’ll be honest with you: people are not getting smarter about security at a fast enough rate. Just when someone knows what she’s talking about, she gets promoted and now you’re working with a guy who read an article about “cyber crime” in the magazine in the seat pocket of the plane he flew in on. As long as this trend continues, we’ll always be able to maintain more or less the status quo.
Back to my point though: do we deserve to be saved? Are you doing anything novel? Are you doing anything truly different? Or are you doing things ‘the way they've always been done’ or because ‘that’s policy?’ Some of you don’t have much of a choice: you’re law enforcement officers and you have a protocol you have to follow or you’re not doing your job. Nothing wrong with that except that crime fighting is radically outpaced by actual crime. To the extent that we’re a community, we need to think about developing and promulgating some new, sound, ways of doing things:
- Work at scale. In the US we have the Marshals Service, which hunts fugitives; every major police department also has a fugitive squad. Normally they hunt people down one at a time, but every once in a while they hold a "criminal contest" whereby they send a letter to the last known address of all the fugitives in their database telling them that they won a prize and should come down to (an innocuous office that is clearly not a police station) to collect. Of course the police are waiting behind closed doors because, surprisingly enough, some fugitives are dumb enough to show up. The digital world analog is botnet takedowns, which MS and others have done. We need to do more at or near the same scale as the bad guys…that's the only way you have any hope of raising attacker costs: when they're fighting people in the same weight class and who have similar skill levels.
- Restoration, not Conviction. Most victims of computer crime don't want to prosecute. They don't want to involve Law Enforcement. I'm not saying that's good or bad; I'm saying tactics, techniques and procedures (and tools) need to start reflecting that reality. If you're a cop and you have to be involved in a case and it has to be worked a certain way, then by all means, but everyone else: are you really doing right by your customers if you are driving them towards an LE approach when all they want you to do is make the pain go away and get back to business? That may mean less revenue for you, but are you about security or are you about money? Which leads me to my last point…
- Retire a problem. You've heard the phrase: “if you’re so smart how come you’re not rich?” Well I have a variation on that phrase: “if you’re such an expert how come you haven’t solved something?” Now not every computer security problem can be solved, but there are problems that can be minimized, trivialized. Even if you could outright “solve” a computer security problem, what then? Are we going to run out? There is nothing wrong with making a living, but there is also no shortage of opportunity as long as you don’t mind killing one cash cow in order to milk another.