D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ict sectors

Transcription

1 FP7-SEC Grant Agreement Number Collaborative Project E-CRIME The economic impacts of cyber crime D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ict sectors Deliverable submitted in January in fulfilment of the requirements of the FP7 project, E-CRIME The economic impacts of cyber crime This project has received funding from the European Union s Seventh Framework Programme for research, technological development and demonstration under grant agreement n E-CRIME Coordinator: Trilateral Research & Consulting (TRI) Crown House 72 Hammersmith Road London 14 8TH T:

2 Project Acronym Project full title Website E-CRIME The economic impacts of cyber crime Grant Agreement # Funding Scheme FP7-SEC Deliverable number: D2.2 Title: Executive summary and brief: Cyber crime inventory and networks in non-ict sectors Due date: 03/03/15 Actual submission date: 03/03/15 Lead contractor: Contact: Tallinn University of Technology Rain Ottis Authors: Reviewers: Tiia Sõmer Rain Ottis Toomas Lepik INT and TUD Dissemination Level:

3 Contents Introduction... 4 Taxonomy and inventory... 4 Costs of cyber crime... 5 Cyber criminal revenue... 6 Legislation... 6 Culture... 6 Journey mapping... 7 Victims of cyber crime... 7 Cyber crime networks and ecosystem... 8 Perpetrators of cyber crime... 9 Conclusion... 11

4 Introduction Cyber crime is growing in intensity, and modern criminals seem to have clear, almost business-like objectives. The issue of cyber crime is complex, and in order to understand it better, deeper insight into all different aspects related to cyber crime it is needed. The current deliverable is a part of the E-CRIME project. In this work package, the aim was to analyse the structures and drivers behind cyber crime, their economies and criminal revenue streams; and to develop perpetrator and victim journeys. We have provided an overview of the cost of cybercrime and cultural aspects related to cybercrime, and presented journey maps for both victims of cyber crime and the perpetrators of cyber crime. The work undertaken is based on literature review and expert interviews, but also a questionnaire to stakeholders developed as part of the current work. This report is being published at an early stage in the three-year E-CRIME project because of its significance to other work packages. The results presented above will feed into WP4 on economic impact and analysis, the gap analysis in WP7 and will be used as additional input for determining critical interventions to deter criminals in WP8. This report presents the results of the work performed in respect of Tasks 2.3 and 2.4 of WP2. Task 2.3 consisted of developing and distributing a questionnaire to key stakeholders in order to collect additional real-life information. The results of this questionnaire were fed into Task 2.4, the aim of which was mapping of cyber crime journeys and structures. Taxonomy and inventory The concept of cyber crime is problematic because it is open to a variety of social, political, practical and scientific interpretations and explanations. The definition adopted for the E-CRIME project initially was broad, including all cyber activities supporting crime in any aspects. However, in the course of project development and initial findings, the consortium has redefined the area of research and the focus for taxonomy and journey mapping to include legal and practical considerations stemming from the selected non-ict sectors (i.e., energy, financial services, health, retail, and transport). This was motivated mostly by the need to develop taxonomy and journey mapping which can effectively be used as an input for identifying not only practical, but also inter- and cross-sector opportunities or solutions to manage threats from cyber crime. For this, the current work had to be firmly based on a shared understanding of what is legally considered as cyber crime, while at the same time being economically relevant to the identified non- ICT sectors. In order to do that we have initially used the Council of Europe Convention on Cybercrime (2001). As a result the work undertaken in this research focused on offences against the confidentiality, integrity and availability of computer systems and data; computer related offences (forgery, fraud); and offences related to infringements of copyright and related rights. The consortium decided not to cover content-related offences, since these are not economically relevant for the non-ict sectors selected for the purposes of this analysis; namely energy, financial services, health, retail, and transport. The final taxonomy developed is presented in Table 1. CoE Convention Alkaabi Subgroup Alkaabi Crime (Article 2) Illegal access 1A - Unauthorised 1. Hacking Access 2B - Unauthorised Alteration of Data or Software for Personal or Organisational Gain 3. Privacy

5 (Article 3) Illegal interception 1D - Theft or Misuse of 2. Misuse of Services Services (Article 4) Data interference 1B - Malicious Code 1. Virus 2. Worm 3. Trojan Horse 4. Software Bomb 2B - Unauthorised 4. Sabotage Alteration of Data or Software for Personal or Organisational Gain (Article 5) System interference 1B - Malicious Code 1. Virus 2. Worm 3. Trojan Horse 4. Software Bomb 1C - Interruption of Services 1. Disrupting Computer Services 2. Denying Computer Services 2B- Unauthorised 4. Sabotage Alteration of Data or Software for Personal or Organisational Gain (Article 6) Misuse of devices 1D - Theft or Misuse of Services 1. Theft of Services 2. Misuse of Services 2C - Improper Uses of Communications 1. Harassment 3. Cyber-stalking 4. Spamming 5. Conspiracy 6. Extortion (not Critical Infrastructure Threats) 7. Drug Trafficking 8. Social Engineering (Article 7) Computer-related forgery 2A - Content Violations 7. Forgery / Counterfeit Documents (Article 8) Computer-related fraud 2B- Unauthorised Alteration of Data or Software for Personal or Organisational Gain 1. Identity Theft 2. Online Fraud 5. Telemarketing / Internet Fraud 6. Electronic Manipulation of Markets 2C - Improper Uses of Communications 2. Online Money Laundering (Article 9) Offences related to child pornography 2A - Content Violations 1. Child Pornography (Article 10) Offences related to infringements of copyright and related rights 2A - Content Violations Table 1. E-CRIME cyber crime taxonomy 5. Copyright Crimes 6. Intellectual property Costs of cyber crime An essential element in analysing the impact of cybercrime is to measure its costs. Most studies looked at for the work within the current research do not provide definitive, widely accepted results. The cost

6 estimates usually cover known direct costs related to detected cyber crimes, or provide speculative extrapolations of single cases to overall population. The criminal revenues and direct losses, reported by the victims, provide important information in relation to cyber crime. Direct losses are the monetary equivalent of losses and damages directly felt by the victim of a cybercrime. These can be money withdrawn from victim account, time and effort to reset credentials, but also hidden costs (i.e. distress suffered). The criminal revenue is the monetary equivalent of the gross receipts from a crime. But there are also indirect costs of cyber crime: the monetary equivalent of the losses and opportunity costs imposed on the society, such as loss of trust in online banking, reduced trust on electronic services, or efforts to clean infected devices. An important element is also defence costs, or monetary equivalent of prevention (security products, browser extensions, security services, training). Even though defence costs cannot be accounted to any particular criminal attack, the are still part of overall cybercriminal costs. As a result of work undertaken, we would like to emphasise the importance of indirect losses and defence costs in analysing the cost of cyber crime. The collection of new data, to be conducted in work package 4 and the economic framework to be developed in work package 6 of the E-CRIME project, should take into account a need to consider indirect and defence costs together with direct costs. Cyber criminal revenue While much is written about the costs of cyber-crime, the headline figures available typically focus on the negative economic impact to the victims. However, published research into how much profit specific cyber-criminal entities are making, is sparse. The cost to an individual or organisation from a cyber attack does not directly equate to the amount of tangible profit the cyber-criminal receives. Based on our research we can conclude that at least some types of cyber-crimes are profitable, otherwise there would be much less of an interest in it. However, in order to build an accurate picture of true numbers of cyber criminal revenue, more openly available research in understanding such costs and true profitability is required. Legislation Successful fight against cyber crime requires a well-working interplay between a number of legal aspects. This paper looked at substantial and procedural criminal law, investigative measures, regional and international information exchange, jurisdiction, and operational mechanisms for international cooperation. Legal aspects are especially important, since cyber crime in most cases involves many jurisdictions, with parts of the crime taking place in different countries. Culture Culture can also play a key part in cyber crime. However, the key problem with the investigation of culture as a motivating factor in cyber crime is that culture is not a simple, easily-defined entity. It involves a wide range of factors, including morality, religion, politics and many other belief systems and ideologies. The aspect of cultural dimensions in connection with cybercrime is vast and we have looked at ways this has been linked to cyber crime in existing literature. The use of cultural aspects in connection with cyber attacks may augment the existing solutions in finding the origin of attacks, but it would fall outside the scope of this research.

7 Journey mapping Central to the work in this research was journey mapping. This map -style of output has been adopted and applied within a number of different disciplines where it is often referred to as a script, a predetermined, stereotyped sequence of actions that define a situation in a particular context. For the purposes of E-CRIME project we have developed eight journeys from the victim perspective and nine journeys from perpetrator perspective, representing a sequence of events within a select number of cybercrimes. The selection of journeys was based on commonalities between different crimes as provided for in existing literature and the results of expert interviews. Victims of cyber crime Cyber crime acts are distributed across different cyber crime categories, with victimisation rates higher than conventional crime. The current research looks at victimisation, before looking at crime victim s journeys. The cyber crime victim journeys were looked at within three general types of offences (offences against the confidentiality, Integrity and availability of computer systems and data; computer related offences (forgery, fraud); and offences related to infringements of copyright and related rights). Within these, we described the relevant cybercrime victim journeys, providing reference to the corresponding perpetrator journeys. Victims of cyber crime can be affected through their own action during regular use of information technology: using (receiving and opening infected messages, attachments or links), browsing the web (visiting infected websites), using removable media (infected USB-s, hardware), etc. Alternatively, one s devices or systems can become infected, if these are not patched or updated, if unsupported software or hardware is used, or if systems are poorly managed. Once affected by a criminal act, the victim will face damages. Their accounts may be hijacked, their identity may be stolen, they may lose data or intellectual property or it can become unavailable to them, data and devices may become encrypted, they may suffer direct financial losses, there might be damage to their reputation, or their computing power and other resources may be abused. After gaining victim view on cyber crime and drawing respective crime journeys, the paper continues with a look at the perpetrator view. The criminals seem to know which end-results they want to achieve, and how to reach these goals. They are sometimes willing to spend a lot of time in research and in planning their actions. On the other hand, a criminal action may also emerge during the course of other (criminal) activities, by accident. There are also some cyber crimes that do not tangibly benefit the criminal: attacks related to hacktivism are typically not motivated by personal gain. An illustrative victim journey can be seen in Figure 1.

8 Figure 1. General victim journey The research undertaken within the current project looked at the cyber crime victim journeys from the Council of Europe s Cybercrime Convention (2001) as a starting point. We describe the journeys in cases of offences against confidentiality, integrity and availability; computer related offences (forgery, fraud); and offences related to infringements of copyright and related rights. Content-related offences (such as offences related to child pornography) are outside the scope of the current work. Victim journey maps for the three types of offences are provided. Cyber crime networks and ecosystem As it seemed obvious that different organisational structures are involved in cyber crime, we looked at literature concerning this. The players in black markets come from all over the world, there are international criminal organisations, but also virtual criminal networks. We looked at four main types of cyber criminals: international criminal organisations, foreign intelligence agencies (i.e., states), individuals and small criminal groups, and legitimate organisations. The cyber criminal ecosystem is very big, there are many players, it is disjointed and constantly changing. Based on the research into cyber crime journeys, we were able to identify the key roles in the cyber crime networks and economic structures. However, it has to be noted that one person can perform many roles simultaneously, or less sophisticated crimes may not require the full range of roles in a criminal ecosystem. Therefore,

9 the cyber crime network and economic structure map developed for the current research is a generalization that may not fit to each specific criminal network. It is challenging to describe the entire ecosystem of cyber crime, as it is very big, there are many players, it is disjointed and constantly changing (RAND Corporation 2014). Based on the research into cyber crime journeys, we were able to identify the following key roles in the cyber crime networks and economic structures. However, since the same person or group can perform multiple roles simultaneously, the resulting map is a generalization that may not fit to a specific criminal network. In addition, some less sophisticated cyber crimes may not need the full range of roles described below. Therefore, the map should be viewed as a guide and not a strict blueprint (see Figure 2 below). Developer Criminal Service Provider Monetization Service Provider Organized Crime Black Market Victim Intermediate victim Infrastructure Provider Criminal Zero Corruption Figure 2. cyber crime network and economic structure map Perpetrators of cyber crime Having looked at the victim view, and then at cyber crime networks and economic structures, we continued to look at the perpetrator journeys. Crimes can be seen as a process, where resources are required and decisions are made, constituting the modus operandi of a crime. From the perspective of the criminal, we grouped similar actions under broad terms: preparation, execution, and monetization. The preparation phase of a crime includes pre-attack actions, i.e. initial decision, deciding the worthiness of attack, identifying victims, and conducting targeted reconnaissance. It also includes the choice of an attack method, including the cyber criminal undertaking an analysis of their own means and abilities, and deciding on whether to use outsourcing or buying solutions from such service providers. The execution phase includes creating an attack plan and executing the attack, which comprises of entering or interfacing with target system and the actual criminal activities (i.e. distributed denial of service (DDoS), extortion, espionage, etc.) themselves. The monetization phase includes both payment in some form and the laundering of this payment, finally ending in personal

10 gain for the criminal. In this work, we provide a general crime cycle, and thereafter specific crime cycles for building a botnet, extortion (ransomware), espionage (APT/ APA), malware development/ 0-day exploit development, VoIP attacks, cryptocurrency mining, DRM cracking, and click fraud. The selection of criminal journeys to be mapped within this project was decided after combining initial research with expert interviews. We believe the journeys mapped within this research cover a wide area of cyber criminal activities, by representing major criminal modus operandi. These maps help identify the cyber criminals modus operandi, an account of how they operate within a crime cycle from preparation to monetization and exit. Figure 3. General cyber crime cycle including motivation Based on literature review and expert interviews, but also a questionnaire to stakeholders developed as part of the current work, eight cyber crime journey maps were drawn up: - Building a botnet; - Extortion (ransomware); - Espionage (APT/ APA); - Malware development/ zero-day exploit development; - Cryptocurrency mining; - DRM cracking; - VoIP attacks; - Click Fraud

11 For each journey, a mapping was conducted in three principal phases of cyber crime: preparation, execution and monetization. These maps help identify the cyber criminals modus operandi, an account of how they operate within a crime cycle from preparation to monetization and exit. It will also provide a sense of the processes and practices through which cyber crime occurs. Conclusion This report stands alone as a specific piece of work relating to the completion of two specific tasks within work package 2, but it should be remembered that it is one deliverable among many that will present a comprehensive view of the current state of cyber crime.