The CISO's Role in Fighting ExtortionHow Emerging Attacks Are Putting New Pressure on Security Teams
Extortion campaigns waged by cybercriminals, such as the distributed denial-of-service group known as DD4BC, are expected to become even more damaging in 2016, says John Miller, director of the ThreatScape cybercrime division at iSight Partners.
In this interview with Information Security Media Group, Miller explains why extortion campaigns involving threats of DDoS attacks or data exfiltration are putting additional pressures on CISOs to enhance internal network and database protections, as well educate employees about extortionists' attack techniques. Senior executives and boards will demand that CISOs understand emerging extortion threats and develop multistep plans aimed at mitigating risks, he adds.
"This has certainly been an area of increasing focus for the financial sector as a whole during the past year," Miller says. "And the pressure is really throughout organizations to be better prepared and better understand these types of risks."
Until recently, most larger organizations didn't pay much attention to the potential for extortion attacks, Miller says. That's because most campaigns had been waged against online-gambling sites and other businesses that don't have strong relationships with law enforcement, he says.
But as numerous extortion attacks waged against leading banks prove, any prominent corporation is now a potential target, Miller says.
"Based on the trend that we have seen in the last year, we'd say that almost any sector, and especially prominent organizations within those sectors, could be victimized by one of these attacks," he says. "Any organization should have at least thought through what they need to do in the event they have to deal with one of these incidents."
Preparing for Extortion Attempts
Miller says good preparation involves a multipronged approach because extortion campaigns vary in their strategies.
While the vast majority of extortion campaigns threaten DDoS attacks unless a ransom is paid, some involve the threat of malware infections and network penetration aimed at stealing or encrypting sensitive corporate data, he explains.
To mitigate risks to corporate data, organizations need to use network segmentation to "ensure that sensitive data is only available within the network to the parts of the network that actually need to be able to access that data," Miller says. They also should use air-gapping to help ensure that sensitive data is not accessible from the public Internet.
"Of course there are many other steps that organizations can take to secure sensitive databases and other information as well. ... One of the hopeful measures that companies can take is ensuring that any employee who has a public-facing role and could be contacted by an extortionist is aware of what to do."
Miller says employees should be advised to forward all communications directly to the CISO or someone else well-qualified to deal with extortion threats. "What we've seen is that these extortionists don't necessarily contact someone who would be making the decision within an organization about how to handle extortion," he explains. "They may contact anyone who has a public-facing presence. So making sure that employees are informed of what to do ahead of time can be very helpful."
Extortion attempts that involve DDoS attack threats are more challenging for organizations to mitigate, Miller says.
"It's so trivial for an attacker to obtain DDoS capabilities; there's really nothing that an organization can do to stop an attack from being launched against them," he says. "The approach is more of trying to ensure that traffic is being filtered as well as possible, and that systems are optimized as much as possible."
During this interview (see link below photo), Miller also discusses:
- How DD4BC's attacks evolved last year and why that evolution is so concerning, even after arrests tied to DD4BC;
- Why the threat actors behind extortion attacks are not always linked to cybercrime; and
- Why banking institutions are among extortionists' favorite targets.
In his role as head of iSight Partners' ThreatScape cybercrime division, Miller provides actionable intelligence about financially motivated cyberthreat activity. He directs analysis of topics such as credential theft malware, payment card abuse, ransomware, money laundering and mobile threats. Previously, Miller worked in threat intelligence analyst roles focused such issues as DDoS and South America-based malicious activity.
(Editor's Note: FireEye announced Jan. 20 that it has purchased iSight Partners.)