Global and Americas Leader, Forensic Technology & Discovery Services, Fraud Investigation & Dispute Services (FIDS), EY.
The Future of Cyber Crime, and What Enterprises Can Do About It
May 29, 2015 — The CyberWire was able to hear David Remnitz speak at 2015's inaugural Billington Corporate Cybersecurity Summit in New York. Mr. Remnitz served as a founding private industry member of the Electronic Crimes Task Force for the US Secret Service. Prior to joining EY, Mr. Remnitz led FTI's global technology (eDiscovery and data analytics) business. He is internationally recognized as an expert in eDiscovery and disclosure, information security, investigations based on electronically stored information, and supporting corporations under inquiry in their response to US and international regulators, law enforcement and other third parties. We caught up with him after the conference to discuss the future of cyber crime, and what enterprises can do about it.
The CyberWire: We've seen that cybercriminals have tended to stick with familiar modes of operations—why should they change what works? Do you see this continuing, or should we expect something new?
Remnitz: Organized crime seems to be getting more sophisticated. We see, as we break down hacking groups, that they range from individuals (who are getting better tools and improving their skills in the cyber underground) to hacktivists (getting together around a particular cause) to organized crime.
Organized crime in particular is getting more sophisticated, with some access to tools comparable to those used by state sponsored entities. We're noticing a significant rise in the price of exploits on the black market.
Some of the malware we're observing now can detect and sample its environment. It sees anti-virus tools, anti-malware technology, even sandboxing, and it modifies its behavior accordingly. Some of the more advanced examples are now capable of self-destruction—with damage to the infected system—when they detect themselves coming under examination.
We're also seeing criminals exploiting subtler vulnerabilities, and enterprises moving to outsourced, secure clouds in response.
But the criminal markets are becoming more unified—there's a good deal of collaboration going on among cyber criminals.
The CyberWire: You mention that you're actually seeing the price of exploits going up in the black market. That's surprising—we would have expected to see signs that criminal tools were becoming commodified.
Remnitz: There's some commodification of baseline malware, but the higher-value tools are getting pricier. Specialized tools targeting more attractive targets like healthcare, banking, and energy sector industrial control systems are fetching a higher price.
The CyberWire: And when you say criminals are increasingly coordinating their activities, do you mean that they're forming cartels, or that the black market's invisible hand is operating?
Remnitz: We're seeing a little of both—of course the black market's shaping criminal activity, but there's a significant amount of cooperation going on as well, and that's interesting.
The CyberWire: Do you see areas in which better enforcement or security have led them to change their approaches, or their targets? For example, we hear that medical records are now worth more on the criminal market than pay card information. Do you agree, and why or why not?
Remnitz: A good question. There's no doubt that some kinds of personally identifiable information, and in particular credit card data, are significantly discounted in comparison with medical records, the value of which has risen on the criminal market to several times that of the credit cards cyber criminals traditionally targeted. Medical records contain highly valuable bits of information, and they're priced accordingly.
Retailers and credit card companies are now much more sophisticated in their response to cyber crime, and credit card theft is consequently less lucrative. But medical records, network credentials, intellectual property, and internal communications are now where the money is.
The CyberWire: Are there any lessons you'd draw from recent high-profile insider breaches?
Remnitz: Organizations are doing a lot more monitoring of the underground to see who's working against them, and then tailoring their defenses based on this intelligence.
The CyberWire: What role should corporate culture play in developing an insider threat program?
Remnitz: Well, this is an area of great interest, post-Snowden. It involves a very complex array of stakeholders: executives, compliance officers, human resources, procurement (a new stakeholder, particularly concerned with the insider risk from trading partners and the supply chain), and others. The people involved go well beyond the traditional CISO or CIO. An organization will find itself looking at public information, the dark web, and peer-to-peer networks. The tone has to be set from the top: the C-suite needs to lead education of the company as a whole.
The CyberWire: FBI Director Comey told us at Georgetown a week and a half ago that the feds were getting better at "imposing costs" on cyber criminals, through "shaming, indictment, or sanction." We just heard much the same from Assistant Attorney General John Carlin at the Billington Corporate Cybersecurity Summit. What do you think?
Remnitz: I agree—I think they are getting better. The FBI, the Secret Service and Interpol have become an important team. Both US and international law enforcement have become much more active in public identification of, and indictment of, cyber criminals. It's had a modest impact so far, but the more it happens, the more positive the effect will be.
We're just beginning to see how sanctions can halt the flow of criminal money. It's just the beginning, but the signs are promising.
The CyberWire: Are there steps you’d recommend enterprises incorporate into their response plans?
Remnitz: Yes, there are several. The first point, of course, is following proper hygiene. The best practices the information security profession has evolved over the last ten years or so set the proper tone. It's important to put lawful, allowable Internet monitoring in place.
Beyond the incident response plan, it's important to have a cyber breach plan. This would be a much more finely tuned plan that would enable an organization to activate, communicate, and test its response to a breach. Such a plan should also improve your ability to bring in the right professionals quickly—executives, outside counsel, public relations, law enforcement, etc.—and bring them in with well-defined roles.
Tabletop exercises, drills, and war games can all be valuable. Use them to address all the foreseeable effects of an incident. This sort of continuous, repetitive basis for effective response is becoming more common.
The CyberWire: Do you see any utility in using a red team, or an opposing force, in cyber drills, and in preparing your response plan?
Remnitz: Sometimes what we call "military-grade" offensive teams can be quite useful. In particular, they can provide experiences outside those customary in your industry. Are you a retailer? Consider bringing in someone with financial sector expertise.
Other things an organization might consider include when to exercise the kill-switch option. At some point you may need to decide that the company should disconnect from public networks and even its supply chain. The kill switch is going to become more important as attacks become more destructive. We heard people touch upon that trend a bit at the Billington Summit, and the likelihood of continued destructive attacks is clearly increasing.
Overall, a company should think closely and clearly about how well placed it is for disaster recovery, and that will be a good place to begin work on its cyber breach plan.
The CyberWire: Thank you, Mr. Remnitz.