Insights from the FBI on Fighting Cyber Crime
If your company experienced an IT security breach, would you contact law enforcement? According to an unofficial poll by the FBI and Trend Micro, about 60% of people said yes. I'd venture to guess that a portion of that 60% would only report the incident because some law or industry regulation requires them to do so.
The FBI Cyber Division wants to change that perception. This division of the national law enforcement agency is focused on breach prevention as much as it is on following up after a criminal cyber attack has already happened. In order to prevent breaches, the agency needs participation from companies that have been victims of attacks to share intelligence and other resources.
Trend Micro recently hosted a webinar entitled "FBI Insights on Fighting Cybercrime." Jon Clay, senior manager of Threat Research with Trend Micro, was joined by FBI Special Agent Mark to discuss how the FBI Cyber Division works, what types of attackers it pursues, what indicators of compromise it has seen in previous and current attacks, and how companies can work with the FBI to foster mitigation through collaboration.
The FBI focuses its pursuit on the upper echelon of cyber criminals and the global cyber crime syndicates: the groups that build the most sophisticated malware to carry out advanced persistent threats (APTs), and the groups behind state-sponsored cyber attacks. Yes, they are after data they can monetize (such as payment data), but they also want to steal intellectual property, trade secrets, business strategies and defense plans.
Special Agent Mark says the attackers' sophistication evolves daily. "They have a mission to complete and they will complete it," he says.
A high level of attack sophistication requires a high level of response and scrutiny. This is why the FBI is extending beyond its traditional mission of investigating crimes that have already happened and is trying to prevent future crimes from succeeding.
The FBI needs your help and wants to collaborate with you. Special Agent Mark says civilian companies have a lot of intelligence about attack attempts that would be good input to the FBI's knowledge base. Also, Mark says, many large enterprises have the resources to analyze newly discovered malware to understand its characteristics. If companies could do this analysis and share the results with law enforcement, then the FBI's team can turn their attention to learning who the actors are behind the malware and initiate criminal indictments, even if the criminals are outside the U.S.
"We have to stop the actors, not just disrupt their infrastructure," says Mark. "They can always rebuild the infrastructure, but they can't replace the people so quickly. Our goal is to put the criminals behind bars so they can't do their dirty work anymore."
As we all know, many of these actors are in countries with which the U.S. has no official agreements for arresting and prosecuting people. That doesn't deter the FBI: the Cyber Division was behind the recent indictments of five Chinese military hackers.
In the webinar, Special Agent Mark shared some of the indicators of compromise that his team has observed in recent and current attacks they are investigating:
- Large outbound flows over anomalous ports
- Unexpected commands
- Unexplained late-night traffic
- Login failures
- Administrative accounts being used for outbound flows
- Port/protocol mismatches
This list isn't all-inclusive, but it is something that enterprises can watch for and can configure their defensive devices to alert on.
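To make the list concrete, here is a small rule-based detector that turns those indicators into alerts over a handful of constructed flow and authentication records. This is an added example, not code from the webinar, the FBI or Trend Micro; the record format, the baseline port set, the list of administrative accounts, the 50 MB "large flow" size, the 23:00-05:00 "late night" window and the five-failure login threshold are all assumptions chosen for illustration and would be tuned to a real environment.

```python
"""Rule-based detector for the indicators of compromise listed above.

Added example (not from the webinar). Record format and all thresholds
below are assumptions for illustration.
"""
from datetime import datetime

# Assumed baseline: which protocol is expected on a well-known destination port.
EXPECTED_PROTOCOL = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}
# Assumed baseline: ports that routinely carry outbound traffic in this network.
BASELINE_OUTBOUND_PORTS = {53, 80, 443}
# Assumed list of privileged accounts that should never originate outbound flows.
ADMIN_ACCOUNTS = {"administrator", "root", "svc-backup"}
LARGE_FLOW_BYTES = 50 * 1024 * 1024          # 50 MB (assumed threshold)
LATE_NIGHT_START, LATE_NIGHT_END = 23, 5     # local hours treated as late night
LOGIN_FAILURE_THRESHOLD = 5                  # failures per user before alerting

# Constructed sample events: flow records plus a burst of failed logins.
SAMPLE_EVENTS = [
    {"type": "flow", "ts": "2024-03-01T02:13:00", "user": "administrator",
     "direction": "outbound", "dst_port": 8443, "protocol": "tls", "bytes_out": 120_000_000},
    {"type": "flow", "ts": "2024-03-01T10:05:00", "user": "jdoe",
     "direction": "outbound", "dst_port": 443, "protocol": "tls", "bytes_out": 2_000_000},
    {"type": "flow", "ts": "2024-03-01T11:40:00", "user": "jdoe",
     "direction": "outbound", "dst_port": 53, "protocol": "tls", "bytes_out": 700_000},
    {"type": "flow", "ts": "2024-03-01T14:00:00", "user": "svc-backup",
     "direction": "outbound", "dst_port": 22, "protocol": "ssh", "bytes_out": 1_000_000},
] + [
    {"type": "auth", "ts": f"2024-03-01T03:0{i}:00", "user": "svc-backup", "result": "fail"}
    for i in range(6)
]


def is_late_night(ts: str) -> bool:
    """True if the ISO-8601 timestamp falls in the assumed late-night window."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= LATE_NIGHT_START or hour < LATE_NIGHT_END


def flow_indicators(ev: dict) -> list:
    """Return the indicator names a single flow record matches."""
    hits = []
    outbound = ev["direction"] == "outbound"
    if (outbound and ev["bytes_out"] >= LARGE_FLOW_BYTES
            and ev["dst_port"] not in BASELINE_OUTBOUND_PORTS):
        hits.append("large outbound flow over anomalous port")
    if is_late_night(ev["ts"]):
        # Whether the traffic is "unexplained" needs analyst review; flag it.
        hits.append("late-night traffic (unexplained until reviewed)")
    if outbound and ev["user"] in ADMIN_ACCOUNTS:
        hits.append("administrative account used for outbound flow")
    expected = EXPECTED_PROTOCOL.get(ev["dst_port"])
    if expected is not None and ev["protocol"] != expected:
        hits.append("port/protocol mismatch")
    return hits


def detect(events: list) -> list:
    """Run every rule over the event stream and return a list of alert dicts."""
    alerts = []
    failures = {}  # per-user count of failed logins
    for ev in events:
        if ev["type"] == "flow":
            for indicator in flow_indicators(ev):
                alerts.append({"ts": ev["ts"], "user": ev["user"], "indicator": indicator})
        elif ev["type"] == "auth" and ev["result"] == "fail":
            n = failures[ev["user"]] = failures.get(ev["user"], 0) + 1
            # Alert once, when the threshold is reached, to avoid an alert flood.
            if n == LOGIN_FAILURE_THRESHOLD:
                alerts.append({"ts": ev["ts"], "user": ev["user"],
                               "indicator": f"{n} login failures"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["user"]:<14} {alert["indicator"]}')
```

Each rule is deliberately simple: the value is in correlating them. A single late-night flow is routine, but the first sample record trips three rules at once (large flow, anomalous port, privileged account, late night), which is the kind of stacked signal worth escalating rather than tuning out.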
Mark discusses several techniques that he recommends companies adopt:
- Pervasive sandboxing, done in real time, to open or "detonate" malicious attachments and links that come in via email, CDs and removable storage devices. Mark says that spear-phishing is still a top method that criminals use to get a foothold inside a private network.
- Adaptive access controls that go beyond the simple logic of "you either have access or you don't." Administrators should apply more sophisticated rules that say when, where and how people can have access.
- Deception and diversion, in which fake data or information is staged on the network under the assumption that attackers will get in. If they want data, give it to them—just not the real data. Mark says a lot of companies and government agencies have set up these kinds of "watering holes."
- Real-time intelligence from multiple sources, refreshed frequently, to prime defensive devices such as firewalls and IDS/IPS.
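The adaptive access control point above is easiest to see as a policy evaluator: instead of a binary "has access / doesn't", each request is checked against when, from where and how it is being made. The following is an added example, not code from the webinar or from any product; the resource names, the corporate network ranges, the permitted-hours window and the managed-device and MFA conditions are assumptions chosen for illustration.

```python
"""Adaptive access-control policy evaluator.

Added example (not from the webinar). Resources, network ranges and the
conditions in POLICIES are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed corporate address space used for the "where" condition.
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed policies. "hours" is a (start, end) local-time window or None for any time;
# "mfa" and "managed_device" are the "how" conditions; "on_corp_net" is the "where".
POLICIES = {
    "payroll-db": {"roles": {"finance", "admin"}, "hours": (8, 18),
                   "on_corp_net": True, "managed_device": True, "mfa": True},
    "wiki":       {"roles": {"staff", "finance", "admin"}, "hours": None,
                   "on_corp_net": False, "managed_device": False, "mfa": False},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    src_ip: str
    ts: str               # ISO-8601 local time of the request
    mfa: bool             # did the session complete multi-factor authentication?
    managed_device: bool  # is the request from a company-managed device?


def on_corp_network(ip: str) -> bool:
    """True if the source address is inside an assumed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step-up'."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny", "unknown resource"
    if req.role not in policy["roles"]:
        return "deny", "role not permitted"
    # "When": restrict sensitive resources to a working-hours window.
    if policy["hours"] is not None:
        start, end = policy["hours"]
        hour = datetime.fromisoformat(req.ts).hour
        if not (start <= hour < end):
            return "deny", "outside permitted hours"
    # "Where": require the request to originate on the corporate network.
    if policy["on_corp_net"] and not on_corp_network(req.src_ip):
        return "deny", "off-network access not permitted"
    # "How": device posture is a hard requirement; missing MFA can be stepped up.
    if policy["managed_device"] and not req.managed_device:
        return "deny", "unmanaged device"
    if policy["mfa"] and not req.mfa:
        return "step-up", "MFA required"
    return "allow", "all conditions met"


if __name__ == "__main__":
    req = AccessRequest("alice", "finance", "payroll-db", "10.1.2.3",
                        "2024-03-01T10:00:00", mfa=False, managed_device=True)
    print(evaluate(req))   # ('step-up', 'MFA required')
```

The ordering of checks matters in practice: role and time-of-day denials are cheap and leak nothing, while the step-up branch is reserved for requests that satisfy every other condition, so a compromised credential used from an unmanaged device at 2 a.m. is denied outright rather than offered an MFA prompt.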
Special Agent Mark refers people to the Department of Homeland Security website for resources on how to defend against cyber crime. And if your company suffers a breach, contact law enforcement. Remember that we are all in this together, and your collaboration with law enforcement might spare someone else the pain of a breach.