Organised Crime Cyber Criminals using old school tactics
#trojan #domainspoofing #cybersecurity


In 1699 a new wave of criminality was sweeping across England; it was a time of confidence tricksters. At the behest of William III a new law attempted to outlaw those who were skilled at impersonating others: anyone pretending to be a scholar on their way to university; seafaring men claiming to be returning home after shipwreck; strolling minstrels, actors, fencers and bear-wards; those claiming to be collecting for charities, leper houses, hospitals or prisons; palmists, conjurors and those impersonating Egyptians all became subject to it.

In the Trojan War of the twelfth century BC the legend of the Trojan Horse took shape. Whether the Greeks constructed a huge wooden horse and hid a select force of men inside, or whether it was a battering ram, another sort of siege engine, or even a boat, depends on which Greek poet you believe; either way, the strategy of getting your enemy to invite you into their securely protected place by hiding your malevolent intent was the decisive action in the sacking of Troy and the turning point of the war.

Three millennia later, and metaphorically, a "Trojan horse" has come to mean any trick or stratagem that causes a target to invite a foe into a securely protected bastion or place. A malicious computer program that tricks users into willingly running it is a "Trojan horse", or simply a "Trojan". Three hundred years after William III tried to outlaw criminal impersonation, the most effective way to carry out cyber-enabled wire fraud is still to impersonate a supplier.

There is extraordinarily little that is new in the ideas of criminals; even as technology and digitisation evolve, it is merely the method and the delivery system that change. That is why the two main types of cyber attack affecting UK companies in 2022 are impersonation and ransomware.

In modern cyber crime, impersonation attacks come in many forms, the most common being domain spoofing and email spoofing.

Domain Spoofing:

Domain spoofing, a common form of phishing, occurs when an attacker appears to use a company's domain in order to impersonate it, either by registering a false domain whose slightly altered characters read as correct, or by building websites that copy entire pages from the targeted site, in order to fool clients, customers, suppliers and even employees.

Emails spoofing:

Email spoofing involves an attacker forging the headers of an email so that it closely resembles mail from the person or organisation they want to imitate. Attackers have developed a variety of sophisticated spoofing techniques to evade organisations' defences and conduct targeted social-engineering frauds such as Business Email Compromise (BEC) attacks. Where the imitated domain publishes SPF, DKIM and DMARC records, a receiving mail server can reject or quarantine exact-domain forgeries, which is precisely what pushes attackers towards lookalike domains, Reply-To tricks and display-name spoofing that those checks do not cover.
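As an added illustration of the header checks a mail gateway or SOC analyst applies to catch forged mail (this is example code written for this article, not Crossword's or Nightingale's own tooling), three constructed messages are run through a small set of alignment and authentication checks. The trusted-domain list, the addresses and the Authentication-Results values are all assumed for the example.

```python
"""Email spoofing checks over constructed sample messages.

Added example, not Crossword's or Nightingale's code. The trusted-domain
list and the three raw messages below are constructed for illustration;
real mail would carry a body and many more headers.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the organisation treats as its own or as a known supplier.
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}

# Pulls "spf=pass", "dkim=none", "dmarc=fail" out of an Authentication-Results header.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# 1. Legitimate supplier mail: From, Return-Path and DMARC all agree.
LEGIT = """\
From: Accounts <accounts@example-supplier.com>
Return-Path: <accounts@example-supplier.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-supplier.com; dkim=pass header.d=example-supplier.com; dmarc=pass header.from=example-supplier.com
Subject: Invoice 1042

Invoice attached.
"""

# 2. Forged From header: the visible sender is the supplier, but replies go to a
#    lookalike domain, the bounce address is an unrelated relay, and DMARC fails.
FORGED_FROM = """\
From: Accounts <accounts@example-supplier.com>
Reply-To: accounts@examp1e-supplier.com
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none; dmarc=fail header.from=example-supplier.com
Subject: Updated bank details for invoice 1042

We have changed bank, please pay the attached invoice to the new account.
"""

# 3. Display-name spoof: every authentication check passes because the mail really
#    was sent from freemail.invalid; only the display name pretends to be the supplier.
DISPLAY_NAME = """\
From: "accounts@example-supplier.com" <news@freemail.invalid>
Return-Path: <news@freemail.invalid>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.invalid; dkim=pass header.d=freemail.invalid; dmarc=pass header.from=freemail.invalid
Subject: Invoice 1042

Please see the invoice.
"""


def address_domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(raw_message):
    """Map of mechanism -> result parsed from the Authentication-Results header."""
    header = message_from_string(raw_message).get("Authentication-Results", "")
    return {mech.lower(): result.lower() for mech, result in AUTH_RESULT_RE.findall(header)}


def spoof_indicators(raw_message):
    """Human-readable reasons the message looks spoofed; an empty list means clean."""
    msg = message_from_string(raw_message)
    reasons = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Alignment: the domain people see should match where replies and bounces go.
    for header in ("Reply-To", "Return-Path"):
        domain = address_domain(msg.get(header))
        if domain and domain != from_domain:
            reasons.append("%s domain %s differs from From domain %s" % (header, domain, from_domain))

    # Display-name spoof: the name is itself an address, or names a trusted domain,
    # while the real sending domain is not one we trust.
    if from_domain not in TRUSTED_DOMAINS and (
        "@" in display_name or any(d in display_name.lower() for d in TRUSTED_DOMAINS)
    ):
        reasons.append("display name %r imitates a trusted address but sender is %s" % (display_name, from_domain))

    # Authentication results: anything other than pass is surfaced. A missing header
    # (mail that never crossed a gateway that adds one) produces no reason here.
    for mech, result in auth_results(raw_message).items():
        if result != "pass":
            reasons.append("%s=%s" % (mech, result))
    return reasons


def is_suspicious(raw_message):
    return bool(spoof_indicators(raw_message))


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("forged-from", FORGED_FROM), ("display-name", DISPLAY_NAME)):
        print(label, "->", spoof_indicators(sample) or "clean")
```

The third sample is the one worth dwelling on: every authentication check passes because the mail genuinely came from freemail.invalid, so SPF, DKIM and DMARC have nothing to say and only the display-name check catches it. Conversely, the Reply-To lookalike in the second sample is exactly the kind of domain that domain impersonation monitoring exists to find before it is used.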

Today a Trojan is a type of malicious code or software that looks legitimate but can take control of a single device, a server, or even an entire network. The malicious code is designed to damage or disrupt systems, to steal data or, in the case of ransomware, to encrypt it. It enters a system through, for example, a malicious attachment, an embedded link in a phishing email, or a vulnerability in a network service.

The latest iteration of ransomware is double-extortion ransomware.

Double-extortion Ransomware:

Ransomware attackers continue to threaten businesses at increasing scale, speed and sophistication. Ransomware has become more popular among organised cyber criminal gangs because they can more easily find and target organisations with poor corporate security, and because the expansion of ransomware-as-a-service (RaaS), together with a rise in the number of initial-access brokers, means that access to compromised networks is cheap.

Double extortion relies on criminals not just encrypting data and holding the owner to ransom, but exfiltrating the data first. Having exfiltrated it, the criminals can threaten to release the data should you not pay the ransom demand. Standard backups and data recovery plans remain essential for restoring operations, but they no longer remove the attacker's leverage: a backup cannot un-steal data that has already left the network.

Given these new methods, it might be expected that the answer lies in new technology: a new way of integrating artificial intelligence or machine learning into cyber security, embedding an as yet untested technology into cloud-based servers, or protecting digitisation through yet-to-be-invented secure links to the internet. Most of these ideas are still in development and do not yet serve as a robust defence against cyber attacks.

The answer is to find the precursors of attacks. As with the Trojan horse: King Priam's daughter Cassandra, the soothsayer of Troy, insisted that the horse would be the downfall of the city and its royal family, but Cassandra was ignored, the war was lost and Priam was killed. And as with the laws of 1699 that for a time made conjurors and minstrels outlaws, the precursors can come in many forms, so the more comprehensive the search the better, even if at the beginning it reveals numerous false positives.

It is the need for a comprehensive cyber security strategy that drives Crossword CyberSecurity. Our consulting and CISO teams supply cyber security leadership to help our clients identify their current cyber security maturity, the threat landscape, what needs to be protected and the level of protection needed, and the regulatory requirements they must meet. Our cyber experts then design cyber security strategies for our clients to ensure that new and existing software and hardware are implemented correctly and supported through updates and patches, so that clients' overall risk profiles are reduced over time and their cyber security maturity is raised.

The goal of delivering a comprehensive cyber security service is made easier by Nightingale, our managed Security Operations Centre (SOC) service.

As a managed SOC, Nightingale is focused on detecting cyber threats and data breaches by spotting the precursors of cyber attacks in their infancy and responding to them before they cause damage and disruption.

Nightingale is not one service but a combination of thirty-two separate services. One of these, Domain Impersonation monitoring, watches for the registration of fake or spoofed domains that may be used, now or in the future, to fraudulently misrepresent a brand, a business, or the IT systems of vendors and suppliers. It also detects Internet domains that deliberately resemble current domains or brands, in order to surface potential cyber or defamation attacks, including phishing and business email compromise attempts, before they are launched.
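To show what domain impersonation monitoring actually has to do with a registration feed, here is an added example (written for this article, not Nightingale's code) that takes a constructed list of newly registered names and reports which ones resemble a brand domain and why. It covers the altered-character lookalikes described under Domain Spoofing above and deliberately goes further: dropped hyphens, transposed letters, TLD swaps and brand names embedded in longer names. The brand domain, the feed and the homoglyph table are all assumptions for the example.

```python
"""Lookalike-domain detection over a constructed registration feed.

Added example, not Nightingale's domain impersonation monitoring. The
brand list, the homoglyph table and the "newly registered" feed are
constructed; a real feed would come from zone files or a registration
monitoring API.
"""
import unicodedata

# Constructed: domains whose lookalikes we want to catch.
BRAND_DOMAINS = ["example-supplier.com"]

# Constructed: domains seen in a registration feed. Some are harmless.
NEW_REGISTRATIONS = [
    "example-supplier.com",           # our own domain, must not be flagged
    "examp1e-supplier.com",           # digit one for letter l
    "exarnple-supplier.com",          # "rn" reads as "m"
    "exampIe-supplier.com",           # capital I for l (DNS is case-insensitive)
    "ex\u00e4mple-supplier.com",      # "exämple": diacritic on the a
    "examplesupplier.com",            # hyphen dropped
    "exampel-supplier.com",           # transposed letters
    "example-supplier.net",           # same name, different TLD
    "example-supplier-invoices.com",  # brand embedded in a longer name
    "unrelated-widgets.com",          # genuinely unrelated
]

# Substitutions folded away so that confusable spellings collide. Order matters:
# multi-character pairs first, then digits and letters that look alike.
CONFUSABLE_FOLDS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
                    ("3", "e"), ("4", "a"), ("5", "s"), ("i", "l")]


def confusable_form(label):
    """Canonical form of a DNS label: lowercase, diacritics stripped, lookalike glyphs folded, hyphens removed."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = s.encode("ascii", "ignore").decode()      # drops combining marks, e.g. ä -> a
    for src, dst in CONFUSABLE_FOLDS:
        s = s.replace(src, dst)
    return s.replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition, so 'exampel' vs 'example' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """(label, tld) for a two-part name. Simplification: suffixes such as co.uk need a public-suffix list."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def classify(candidate, brand):
    """Reason the candidate resembles the brand domain, or None. An exact match returns None."""
    c_label, c_tld = split_domain(candidate)
    b_label, b_tld = split_domain(brand)
    if (c_label, c_tld) == (b_label, b_tld):
        return None
    if c_label == b_label:
        return "tld-swap"
    if confusable_form(c_label) == confusable_form(b_label):
        return "confusable"
    if b_label in c_label:
        return "brand-embedded"
    # One typo allowed for short names, two for long ones, which absorb a typo more easily.
    if osa_distance(c_label, b_label) <= (1 if len(b_label) < 10 else 2):
        return "typo"
    return None


def scan_feed(feed, brands=BRAND_DOMAINS):
    """List of (candidate, brand, reason) for every feed entry that resembles a brand domain."""
    hits = []
    for candidate in feed:
        for brand in brands:
            reason = classify(candidate, brand)
            if reason:
                hits.append((candidate, brand, reason))
                break
    return hits


if __name__ == "__main__":
    for candidate, brand, reason in scan_feed(NEW_REGISTRATIONS):
        print("%-32s resembles %s (%s)" % (candidate, brand, reason))
```

The checks are ordered from cheapest and most certain to loosest: an exact label on a different TLD, then a collision after folding lookalike glyphs, then the brand embedded in a longer label, and only then an edit-distance guess. In practice the distance threshold is where false positives come from, which is why a monitoring service reports the reason alongside the match rather than a bare verdict.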

To combat double-extortion ransomware, Nightingale includes Machine Learning Anomaly Detection: machine learning and AI platforms are provided as part of our analytics and run continuously to detect behavioural anomalies and indicators of compromise. Collecting and analysing raw threat data requires advanced analytics and technology, and machine learning and AI allow our cyber security analysts and engineers to analyse more unprocessed data from more devices than ever before. The exfiltration that precedes a double-extortion demand typically shows up as a large outbound transfer from a host that has never sent that volume before, often to a destination the organisation has never used, and that deviation from baseline is exactly what anomaly detection is meant to surface. This is coupled with our compromise detection service, which is deployed to detect insecure infrastructure and identify malicious activity across networks and systems by checking lists of malicious IPs and domains against the traffic of known organisational systems, so that traffic to a blacklisted destination becomes an indicator of potential compromise. Nightingale also watches the global exploit databases used by attackers for the presence of our clients' systems, so that any exposure can be mitigated and removed.
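An added example (written for this article, not Nightingale's analytics) of the two detections just described working together over a constructed six-day set of summarised flow records: an IOC match against a list of known-bad IPs and domains, and a per-host outbound-volume baseline that flags the sort of large transfer that precedes a double-extortion demand. The addresses are from the RFC 5737 documentation ranges and the IOC lists, hosts and volumes are invented for the example.

```python
"""Compromise detection and outbound-volume anomaly detection over constructed flow records.

Added example, not Nightingale's analytics. The IOC lists and the flow
records are constructed (RFC 5737 documentation addresses); a real
deployment would read flows from a collector and IOCs from a threat feed.
"""
import statistics
from collections import defaultdict

# Constructed indicators of compromise, as a threat feed would supply them.
IOC_IPS = {"198.51.100.77"}
IOC_DOMAINS = {"examp1e-supplier.com"}


def _daily(src, dst, dst_domain, mb_per_day):
    """One summarised flow record per day for a host; mb_out is megabytes sent."""
    return [{"day": day, "src": src, "dst": dst, "dst_domain": dst_domain, "mb_out": mb}
            for day, mb in enumerate(mb_per_day, start=1)]


# Constructed six-day history. Host 10.0.1.5 contacts a lookalike domain on day 5
# (a few MB, easy to miss) and then pushes almost 10 GB out on day 6.
FLOWS = (
    _daily("10.0.1.5", "203.0.113.9", "example-supplier.com", [120, 135, 110, 128, 142, 9800])
    + [{"day": 5, "src": "10.0.1.5", "dst": "198.51.100.77", "dst_domain": "examp1e-supplier.com", "mb_out": 3}]
    + _daily("10.0.1.8", "203.0.113.20", "cdn.example.net", [50, 55, 48, 60, 52, 58])
    + _daily("10.0.2.3", "203.0.113.31", "updates.example.org", [0, 0, 0, 0, 0, 40])
)


def ioc_hits(flows):
    """(day, src, dst, dst_domain) for every flow whose destination is on an IOC list."""
    return [(f["day"], f["src"], f["dst"], f["dst_domain"])
            for f in flows if f["dst"] in IOC_IPS or f["dst_domain"] in IOC_DOMAINS]


def daily_outbound(flows):
    """host -> {day: total MB out}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][f["day"]] += f["mb_out"]
    return totals


def volume_anomalies(flows, current_day, k=5.0, min_history=3):
    """Hosts whose outbound MB on current_day exceeds median + k * scaled MAD of earlier days.

    Median and MAD rather than mean and standard deviation, so one earlier spike does
    not inflate the baseline. Returns (host, mb_today, threshold) tuples.
    """
    flagged = []
    for host, per_day in daily_outbound(flows).items():
        history = [mb for day, mb in per_day.items() if day < current_day]
        today = per_day.get(current_day, 0)
        if len(history) < min_history:
            continue  # too little baseline to judge; rely on IOC matching for such hosts
        median = statistics.median(history)
        mad = statistics.median([abs(mb - median) for mb in history])
        # 1.4826 * MAD approximates one standard deviation for normal data. A host that
        # was completely quiet has MAD 0; floor the spread so it is judged against a
        # small fixed allowance rather than alerting on the first byte it sends.
        spread = max(1.4826 * mad, 1.0)
        threshold = median + k * spread
        if today > threshold:
            flagged.append((host, today, round(threshold, 1)))
    return flagged


if __name__ == "__main__":
    for hit in ioc_hits(FLOWS):
        print("IOC match: day %d host %s -> %s (%s)" % hit)
    for host, today, threshold in volume_anomalies(FLOWS, current_day=6):
        print("Volume anomaly: host %s sent %d MB on day 6, baseline threshold %.1f MB" % (host, today, threshold))
```

Run on day 6 the two detections tell one story: the 3 MB IOC hit on day 5 is the precursor, and the 9.8 GB transfer on day 6 is the exfiltration. Host 10.0.2.3 is also flagged because a host that never sent anything has started to, which is worth a look even though the volume is small; the MAD floor is what keeps that host from being flagged for a single stray megabyte.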

The aim of Nightingale's compromise detection is to keep our clients off the radar of cyber criminals. This is enhanced by another element of Nightingale, our Advanced Threat Intelligence service, which gathers and correlates security-related records and information on potential and confirmed sources, activities and attributes of malicious activity. Nightingale gathers threat intelligence from all of its customers' activity using data analytics, and integrates multiple external and community data sources covering IP addresses, URLs, web domains, file hashes, executing processes and applications.

By understanding and identifying the distinct types of cyber attack, whether account compromise, unauthorised access, ransomware, network intrusion, malware infection, sabotage or security policy violation, Nightingale as a managed SOC service monitors logs, devices, cloud environments and networks for known and evolving advanced threats, with our cyber security analysts and engineers dedicated to monitoring, detecting and investigating threats across each client's entire enterprise. In some cases remediation of detected threats can be carried out by the outsourced security team; in others, the SOC team works in partnership with internal IT teams to remediate them.

The combination of our threat intelligence, industry-expert cyber security analysts, and best-of-breed cyber security monitoring and vulnerability management means that Nightingale delivers a service capable of getting ahead of cyber criminals rather than merely reacting to them.

Nightingale as a managed SOC service removes the need for our clients to worry about the complexity of designing, implementing, configuring, testing, managing, maintaining, upgrading and operating an internal SOC. It increases the speed, efficiency and effectiveness of threat detection and response beyond what most internal security teams can achieve alone, freeing those teams to work in partnership with Crossword on remediating detected threats.

The threats our clients face are not new, and the concept of using a SOC to identify threats is not new, but as the threats evolve, and they will continue to evolve, the only solution is a comprehensive service; through Nightingale, Crossword offers the most comprehensive managed SOC service.



