Building a response to cyber crime
Oliver Gower, Head of Strategy & Partnerships, National Cyber Crime Unit, NCA
April 2016
Leading the UK's fight to cut serious and organised crime

Building a response to cyber crime
1. The NCA's National Cyber Crime Unit: Who we are & what we do.
2. Snapshot: The current cyber crime threat and our response.
3. Rewind: Where have we come from?
4. Key principles of an effective public/private response to cyber crime:
   i. Strategy: A holistic response seeking long term impact.
   ii. Technology and data: Delivering at scale.
   iii. People and Skills: Recruitment, retention & development.
   iv. Partnerships: Industry & Academia; Intelligence Agencies; Domestic & International Law Enforcement.
5. Operational Case Studies.
6. Conclusion: This is not inevitable, if we innovate and work together.
1. The NCA's National Cyber Crime Unit: Who we are & what we do.

SECURITY CLASSIFICATION
The National Crime Agency
Five Commands: Cyber, Child Exploitation, Economic Crime, Border Policing and Organised Crime.
- Operational resource working against the highest priority serious and organised criminals
- National Intelligence Hub & Intelligence Led
- National Coordination & Tasking
- Strong international presence

The NCCU: three core functions
NCCU sits at the heart of the NCA and has three core functions:
1. Lead & Coordinate the UK's fight to cut cyber crime:
   - Provide a specialist investigative response
   - Work proactively to eliminate criminal opportunities and create a hostile environment for cyber criminals
   - Coordinate the UK's effort against cyber-dependent crime.
2. Support wider law enforcement to tackle cyber crime: Provide specialist operational support & advice, to deliver results and simultaneously mainstream new capabilities.
3. Drive transformation of capabilities across the UK to tackle cyber crime: infrastructure, technical capabilities & skills.
OFFICIAL
NCCU organisation chart (slide):
- Director: Jamie Saunders
- Deputy Director: Sarah Goodall OBE
- Senior leads: Mike Hulett, Paul Edmunds, Oliver Gower
- Branches: G1 Operations; Prevent and Protect; Technical Transformation; Strategy and Intelligence; G3; G4; G5; G6
- Teams: G2 Operations (inc FIs); Investigation Development Team; Ops Support; Covert Support Unit; Tactical Coordination; ILOs; Internet & Infrastructure; Prevent; Protect; Technical Development; Technical Discovery; Strategic Relationships; International Strategy; Projects; People Strategy; BITSU / Operational Intelligence; T D&D; Picture of Threat Desk

UK Cyber Crime Law Enforcement Landscape
- National Cyber Security Centre (launching 2016), including CERT UK
- National Crime Agency: Lead, support & coordinate the UK's response to serious organised crime.
- Action Fraud: Cyber crime and fraud reporting
- Regional Organised Crime Units
- Local Police Forces
2. Snapshot: The current cyber crime threat and our response

Threat Overview
- Elite cyber criminals, mostly overseas, responsible for the most sophisticated and damaging financial trojans: 16 major operations against them since the NCA went live, 2 ongoing.
- High profile attacks impacting on UK individuals & businesses:
  - TalkTalk: Data theft and extortion
  - Ashley Madison: Data theft and extortion
  - DDoS against banks & retail
  - Carphone Warehouse, British Gas: Data theft
  - VTech: Data theft
  - 130+ other significant incidents
- 2.5 million cyber crimes (Office for National Statistics 2014-2015); almost certainly an underestimate due to under-reporting.
Cyber crime marketplace Elements of the cyber crime marketplace
Financial Trojan Business Model
Financial Trojans: key services (slide diagram)
Stages, from criminal to victim and back: Development > Armouring > Delivery > Execution > Management > Monetisation ($)
- Roles: Malware Developer; Cryptors; Packers; Traffic Sellers; Spammers; Exploit Kit developers; Web Inject Coders; System Administrators; Botnet Operators; Drop Organisers; Mule Herders; Mules; Stuffers
- Tools and services: Malware; CAVs; Spambots; Exploit Kits; Loaders; Remote Access Tools; C2 Servers; Proxy Layers; Call Centres; Recruitment Sites; Compromised Accounts
- Supporting infrastructure: Development Tools / Software; Bullet Proof Hosting; Secure Communication Platforms

Threat direction 2016
- International Organised Crime Groups increasingly professional and agile, with sophisticated business models.
- Denial of Service attacks increasingly easy to organise and potentially damaging.
- Likely increase in data breaches and the exploitation of stolen data for fraud and extortion.
- To watch: the Internet of Things creating new opportunities for criminals.
- The as-a-service model and criminal marketplace will continue to lower the barrier of entry into cyber crime.

What has the NCA achieved so far?
- Major disruptions against the most serious cyber threats, in partnership with global law enforcement & industry, e.g. Shylock and GameOverZeus
- Criminal internet infrastructure disrupted
- Key criminals apprehended
- Dynamic response to crimes-in-action
- Thousands of victims protected, thousands more remediated
- Millions of pounds safeguarded
- Potential criminals deterred
- A vastly improved domestic and global network of capability
- Now focussed on reducing reward / raising risk in the long term
But how did we get here?
3. Rewind: Where have we come from?

The creation of the NCA's National Cyber Crime Unit
- National Cyber Security Strategy, 2011, led to launch of the National Cyber Security Programme (£860m)
- Strong ministerial interest and backing for tackling cyber crime
- Saw the need to rationalise the UK law enforcement landscape, with the merger of the Metropolitan Police's Central e-crime Unit and SOCA's cyber unit: bringing together tactical and strategic expertise within a single law enforcement lead.
- February 2012 to October 2013: the design and build of the National Cyber Crime Unit, launched on 6 October 2013
Key programme streams:
1. Stocktake, consultation, gap analysis
2. Design document and delivery plan
3. Staffing, technology, infrastructure & funding requirements agreed
4. Delivery: Transition and Transformation, with Shadow NCCU live by April 2013 and the Unit launching ahead of the 6 October 2013 deadline.

4. Principles of building a successful public/private response to cyber crime
Despite our successes, we have much more to do. We have learnt many lessons since October 2013 about the ingredients for an effective public/private response to cyber crime in any jurisdiction worldwide:
i. Strategy: A holistic response.
ii. Technology and data: Delivering at scale.
iii. People and Skills: Recruitment, retention & development.
iv. Partnerships: Industry & Academia; Intelligence Agencies; Domestic & International Law Enforcement.
Strategy: A holistic response.
- Protect the UK public from cyber attacks
- Stop cyber criminals in the UK
- Disrupt serious organised cyber criminals worldwide
- Increase the cost of criminality and reduce access to services
UNCLASSIFIED

Tackling Cyber crime - Our Toolkit
- PURSUE: Criminal investigations and disruption activity targeting the top tier cyber threats and supporting the response to the medium/lower level threats.
- PREVENT: Stopping individuals becoming involved in cyber crime at home and overseas. Awareness, intervention, undermining confidence online or real-world.
- PROTECT: Helping businesses/the public to avoid becoming victims. Primary PROTECT to improve security practices; Secondary PROTECT to mitigate compromises at scale; Tertiary PROTECT to design out weaknesses in new systems or products.
- PREPARE: Responding effectively to major cyber attacks and mitigating their impact; building capability to deliver a 4P response at home and overseas.

The Strategic Response
- Protect the UK public from cyber attacks
- Stop cyber criminals in the UK
- Disrupt serious organised cyber criminals worldwide
- Increase the cost of criminality and reduce access to services

Technology and Data
Technology and Data - Ingest and analysis of bulk data to build the intelligence picture & build networks. - Mitigation of threats and vulnerabilities at pace and scale. - Developing in-house technical solutions: keeping pace with the criminals, e.g. dark net, e.g. mobile forensics. - Create an in-house Technical Development team to innovate solutions and drive change.
People & Skills: Recruitment, retention & development
1. A diverse workforce is your biggest strength:
   - Traditional Investigators
   - Technical expertise, e.g. programmers, engineers
   - Partnerships specialists
   - Financial investigators
   - Data Analysts
   - Behavioural experts
2. Be innovative in attracting officers, and invest in their development:
   - Career pathways for cyber officers
   - Qualifications and Masters courses
   - Secondments and exchanges
3. Accept staff turnover will increase, but make a virtue of it:
   - Industry network, symbiotic
   - Specials
4. Invest in a dedicated resource to manage your cyber expertise.
Partnerships: Industry & Academia; Intelligence Agencies; Domestic & International Law Enforcement.
NCA/Private sector integration
Industry partnerships
- Information and intelligence sharing to pursue criminals:
  - Reporting through Action Fraud
  - Live-time sharing through CISP (CERT-UK)
  - Sharing sensitive intelligence with the NCA via Section 7, Crime and Courts Act 2013
- Integrated operational response: involving industry in operational prioritisation, planning and delivery
- Capability development: developing new tools and techniques in partnership, not in isolation.

International law enforcement
Cyber crime is inherently international: we need to work together to understand the threat, prioritise the response, deconflict and deliver joint operations.
International mechanisms for cooperation are critical to our success:
- Europol's EC3 and JCAT deliver joint operations
- INTERPOL's IGCI builds capacity worldwide
- NCFTA & IC4 in the US coordinate operations and international relationships
We must support each other to build capacity and build emerging cyber crime capabilities worldwide.
5. Operational Case Studies
Case Study 1: Trend Micro
Case Study 2: Microsoft and Symantec - RAMNIT Botnet
Case Study 3: Dridex
International action involving the FBI, Europol and Shadowserver, amongst others.
- Developed by criminals in Eastern Europe to harvest online banking details. A number of global financial institutions with varying payment systems have been targeted; total global losses currently stand at over £100 million, and UK losses at £20 million (much higher amounts safeguarded).
- Last year, the operation developed and deployed a sophisticated technical solution to disrupt Dridex, significantly reducing the harm caused by the botnet. In parallel, judicial activity apprehended a key nominal. Existing infections contained.
- Meanwhile, the NCA has worked with press and industry to signpost internet users to specific websites where industry-designed clean-up tools & security advice are available.
- Successful, but the criminals are resilient! This is an on-going operation involving partners from both law enforcement and industry at a global level. Now targeting other vulnerable aspects of the business model.

6. Conclusion
We believe:
- This level of threat is unacceptable & NOT inevitable.
- Protective security is vital but, alone, is insufficient: we must disrupt the criminals, reducing the rewards & raising the risk.
- Law enforcement and industry must do more to work together, to deliver a joined-up, synchronised response.
- We must share more intelligence on the most significant cyber attacks and the most serious cyber criminals.
- We must use these relationships and technology/data analysis to scale up the response, to deliver 4P outcomes at scale and at pace with an ever-evolving threat.
Oliver Gower
Head of Strategy and Partnerships, NCA's National Cyber Crime Unit
oliver.gower@nca.x.gsi.gov.uk
+44 (0)7752 543724