Episode 36

Published on:

20th Dec 2023

Unleashing the Hidden World of Cybercriminals: The Growing Threat of Cybercrime-as-a-Service

Welcome to Razorwire, the podcast where we cut through the tangled web of cybersecurity to bring you the latest insights and expert analysis. Joining me in today's episode are two esteemed guests, Victor Acin and Oliver Rochford.

In this episode, we’re exploring the dangerous world of cybercrime as a service and its implications for individuals, organisations, and even nation-states.

Join us this week as we unveil the dark side of cybercrime. Victor, the Head of Threat Intelligence at Outpost 24, shares his expertise on the rise of cybercrime as a service. Discover how cybercriminals have adapted their tactics, the motivations driving their actions, and the alarming ease with which they operate.

Stay ahead of the game with insider knowledge from Oliver's research, where he discusses the striking similarities between cybercrime services and legitimate tech services. Learn about the techniques used by cybercriminals to infiltrate organisations and exploit their vulnerabilities. 

Whether you're a seasoned professional or just starting your cybersecurity journey, this episode offers some excellent, practical advice for strengthening your defences. We share some effective ways to protect against credential theft, insider threats, and targeted attacks. Hear about tried and trusted remedies recommended by our experts that can make a significant impact on securing your organisation.

So, if you're a cybersecurity professional looking to expand your knowledge and sharpen your skills, join us on Razorwire as we unravel the intricate world of cybercrime as a service.

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following:

  • The evolution of cybercrime into an as-a-service model, where specialised services and infrastructure are available to carry out different elements of cyberattacks
  • The low barriers to entry that this business-like model creates for new cybercriminals
  • The recent rise in credential theft through the use of simple malware toolkits, which allow even unskilled cybercriminals to distribute malware and steal credentials at scale
  • Established cybercrime groups that offer ransomware and even entire cyberattack infrastructure in an as-a-service model, complete with support services for affiliates conducting attacks
  • The flexibility a modular services model offers cybercriminals, who can mix and match attack components from different providers specialising in access, malware, ransomware, money laundering, etc.
  • How cybercriminals choose their victims, and whom they decide not to target
  • How the rise of untraceable cryptocurrencies has removed obstacles to monetising and laundering the profits of cybercrime, fuelling its growth
  • Whether easy access to cybercrime services could facilitate corporate espionage, and what examples we have seen
  • Why threat intelligence—understanding the motives, tools and trends in cybercrime—is vital context for securing effectively against the evolving threat landscape




GUEST BIOS


Oliver Rochford

Oliver has worked in cyber security as a penetration tester, consultant, researcher, and industry analyst for over 20 years. Interviewed, cited, and quoted by media, think tanks, and academia, he has written for SecurityWeek, CSO Online and Dark Reading. While working at Gartner, he co-named the Security Orchestration, Automation and Response (SOAR) market, worked on the SIEM Magic Quadrant, and also covered the European MSSP market. In past lives, Oliver worked for Qualys, Verizon, Gartner, Tenable and Securonix and is currently Chief Futurist at Tenzir, where he works on product strategy and marketing.


Victor Acin

Victor Acin has been working in threat intelligence since 2016 and is now leading the Kraken Labs unit at Outpost24, performing tasks related to the generation of threat intelligence (mainly reverse engineering of malicious samples and research of global actors) and the development of the department's internal products, such as the malware analysis sandbox. In addition, he has also worked as an ethical hacker, performing penetration tests against web applications, external and internal infrastructure, and mobile devices.


Resources Mentioned

Outpost 24

NSO

ISO standard

Amazon

Microsoft


Other episodes you'll enjoy


Lessons from an InfoSec Icon: A Fireside Chat with PCI Guru Jeff Hall

https://www.razorthorn.com/lessons-from-an-infosec-icon-a-fireside-chat-with-pci-guru-jeff-hall/


Cyber Insurance: Does It Create More Problems than it Solves?

https://www.razorthorn.com/cyber-insurance-does-it-create-more-problems-than-it-solves/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter: @RazorThornLTD

Website: www.razorthorn.com


Loved this episode? Leave us a review and rating here


All rights reserved. © Razorthorn Security LTD 2023



Transcript
Jim:

Hello, and welcome to another edition of Razorwire. Today, we are gonna be talking about cybercrime as a service. I have a couple of fantastic guests in the form of Victor and Oliver who are gonna be talking to me about the world of cybercrime as a service. What is it? How does it work? Aren't nation states involved? What's the capacity for all kinds of different larceny related to that cybercrime as a service, basically, what we're seeing now versus what we could feasibly see in the future. So please follow us on this journey, and let's talk about it. Welcome to the Razorwire podcast where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field providing vital advisory on what it is to work in the information security and cybersecurity space. So hello again. We have some fantastic guests here; we have Oliver again, who seems to be on most of our videos.

Jim:

Hello, Oliver. How are you doing, mate?

Oliver Rochford:

Hi, James. I'm good. Thank you very much. And, you know, sorry to be omnipresent.

Jim:

No. That's good. It's great. It's great to have you back. And, also, we have Victor as well, Victor Acin. Victor, do you wanna kinda remind those out there listening to the podcast, kinda, who you are, where you come from, because I think everybody knows who Oliver is nowadays.

Victor Acin:

All right. Thank you, James. Well, my name is Victor. I'm currently working at a company called Outpost 24 as Head of Threat Intelligence. I'm leading the team in charge of doing investigations, research related to threat actors, and the tooling that they're using, as well as, for example, the services that they are selling.

Jim:

Fantastic. Right. So cybercrime as a service. I mean, where to begin? You know? One thing I will say is is 25 years' worth of experience. I mean, being able to see the the the kind of changes from where it was 25 years ago, where it was a few people releasing viruses, that kind of thing, to kind of, like, when people realized that they could start getting card information from ecommerce sites and the sudden explosion of malware related to credit card number theft, that kind of thing, and the migration over to kind of, like, ransomware and and DDoSing, and it's been an interesting ride. And one of the things I've always had a kinda keen interest in is is just the the the criminal world in general. And I've done a fair bit of studying, and, obviously, I've seen a lot of films about things like, for instance, the Yakuza, where they operate very much like an organization. They have an actual or CEO, usually.

Jim:

it. And boom, here we are in 2023, and that is the the reality of the situation. Victor, you kind of you're you're the intelligence guy here. I mean, what are you seeing currently in today's kind of cybercrime, you know, some market situation. We had the ContiLeaks, which were really good insight into kind of how things have been running up until kind of recently. And I kind of got the impression from reading that that there was there was still this little way to go, whether I was still kind of galvanizing these different groups that they would then create in cybercrime as a service for different functions, even down to development. What are you seeing today?

Victor Acin:

king in cybersecurity back in:

Victor Acin:

This trend that we're seeing, traffic, as I said, has been on the rise for like, I think 6 months, something like that. And, it doesn't stop growing, you know? And, the most interesting thing I think surrounding this is that they've managed again to bring even or to lower even more the bar, the entry bar, the entry level bar for cyber criminals, right? You no longer need to understand how things work. You can just follow a tutorial that they will upload to medium.com about how to distribute malware, and you can just use the Telegram bot to sort of generate new samples, contact the guy in charge of promoting your YouTube video about Fortnite skins, and suddenly, you have a a bunch of people who are downloading your your amazing crack for Fortnite and getting infected with RedLine or Raccoon. I would say that this is the the latest or most interesting thing that we've seen as of late in regards to services at least. What do you think, Oliver?

Oliver Rochford:

Yeah. I have a similar view. I did a fair amount of research on a topic at Tenable, but more from an economics point of view. So I did research around the economics of vulnerability and exploit brokers. I did some research around how that supply chain actually compares to a legitimate one. And it's fascinating because, as you mentioned, James, it absolutely mirrors what we're seeing in tech. You get 24/7 support. It's all SaaS based.

Oliver Rochford:

They're advertising re really very similar in terms of how the marketing looks on darknet forums in terms of giving the features and the benefits and so on, and they're also quite competitive. And as Victor said, it has democratized, you know, the ability to to conduct offensive cyber operations. I think before, you had people who needed to have the means and the motive. Right? The opportunity is what you make with the means, oddly enough in cyber, but but now you can have somebody who who creates a means and gives it to other people who have the motive. And that that, as Victor mentioned, can be more traditional cybercriminal groups because they have to move into the digital realm. That's where all the money is. You can't rob a bank anymore. It's I mean, you can, but it's not as easy as it used to be.

Oliver Rochford:

Right. And and and so a lot of crime has moved into that area. And, of course, that's what you've seen enabled through this entire very self-service, turnkey kind of service economy. At the same time, though, it has to be said, but there's pros and cons to it. It's harder now if you want to start from scratch. That that ceiling of entry is much higher for a cybercriminal. And just like we are seeing big game hunting from cybercriminals trying to get MSSPs, we're trying to see law enforcement target cybercrime as a service operators because then you get a large amount of criminals in one go. So I would say there's, you know, there's pros and cons to outsourcing just like we have, once again, in a real economy as well.

Jim:

Well, yeah. Because, I mean, we talk a lot at the moment about, you know, third party security, and the concerns around how different services that we consume as organizations you know, it all used to be Cross, when I got back you know, when I first got into tech over 20 years ago, you had your tin. It was in your data center or in your computer room, because we still had computer rooms back then with bloody great big servers that would take 4 of us to carry, you know, to pull out of the rack, just to move. And now we don't have that, and we're very, very reliant on people like Amazon and, you know, Microsoft and IBM, you know, and and various other suppliers for things like cloud services, and various organizations have popped up providing services that are back ended onto that kind of thing. And we have real secure, you know, security concerns. I mean, we recently saw Boots BA and, Carmen, the third one actually offhand. You know, but we had this big hack where where it was a it was a company that that that was on the back end of a third party that was moving documentation around, and they got they got done. Is that the same kind of thing that that that the cybercrime guys are experiencing as well? Because they've gotta have even higher levels of security, because they do compete.

Jim:

And they're not exactly the most honest of people.

Victor Acin:

But it's it's it's sort of the same the same paradigm that companies face right now. Right? Can you, for sure. For example, can you assure me that, for 90% of the companies that have their own infrastructure, their infrastructure, infrastructure wise only, meaning not the applications, are safer than Amazon's? Is Amazon doing a better job at securing their infrastructure than, I don't know, some small company that has a small server room or maybe has in a in a infrastructure provider a couple of services. Right? In the past, what we used to see, at least, was that people had had the skills to set up a bulletproof server, to deploy a PHP application, to understand how to actually protect it and encode it. Right? And now you have a service, example, Raccoon Stealer is one of the most prominent ones, in which they they manage the entire thing. You just go there, you pay a monthly subscription and you get access to a really nice dashboard in which you can generate new samples and credentials stolen using those samples get sent to your account. Right? So you have really highly specialized people maintaining those services and making sure that that infrastructure is secure and protected, well, they are basically getting a fixed pay rate with little, very little risk.

Jim:

I suppose in many respects, they're not strictly breaking any laws, they're just providing a software service, and it's other people who are using that service. Obviously, that's a bit dubious, but

Oliver Rochford:

That depends on which region you and I mean, you mentioned the honesty component. And in reality, we're not talking about some shady people sat in a cellar somewhere. They they have offices and everything. And depending on the region, no. It doesn't get classed necessarily as illegal. And then at FEED, most of these groups operate from almost like a safe harbor from a geography point of view, somewhere where people might not, you know, look too closely. Some of them have direct associations with law enforcement, with politics, with intelligence services depending on the region. I I I spoke to a lovely gentleman, ex Met guy, working for a bank a few years back who told me that he observes Eastern European politics because when there's an election campaign local, ransomware goes up because that's how we're funding it.

Oliver Rochford:

And so the ties are actually sometimes very, very close there, but they aren't as dishonest as you'd think, purely and simply because a lot of these operators have been around a long time. They do have multiple businesses. And within that community, within that scene, there's a level of, I would say, honesty among thieves, but there is a public component where we do exchange information. Like, exit scams in crypto are one thing on a darknet exchange. I would say defrauding a bunch of criminal organizations is a completely different matter.

Jim:

Well yeah. But, I mean, you know, it was interesting because we had the Vulkan papers released recently, which kind of outlined that there was, you know, a group of individuals in a part of the world who may or may not be having some kind of special operation at the moment, who were very, very well funded by the by the nation state. And no doubt have been doing all kinds of larceny, you know, sanctioned by those guys. But I'm guessing they also did a hell of a lot that was that was off their own back. I mean, why wouldn't you? If you've if you've gotten gotten some money from a government body to go and do stuff that you shouldn't be doing. You know, why wouldn't you get double payout? Especially with with some of the stuff that I was reading that they were heading up to there, and they were doing their own ransomware stuff as well. So they were they were getting paid by their by their government, and they were getting paid by, obviously, by people who were paying the ransom. It's it's crazy stuff.

Oliver Rochford:

Well, I I mean, you also have to think of the usefulness for nation states to be able to use these kind of services for plausible deniability, you can use a middleman. You don't have to use your own capabilities that let you get you know, be identified. But an interesting thing, which I thought Victor said about the trend towards, essentially credentials, because with access as a service. And so what happened over the last couple of years is that there's been a a a, like, a huge rise in cybercrime as a service operators actually asking employees to collude. So they're actually offering money

Jim:

Yeah. I saw that.

Oliver Rochford:

Credentials. Yeah.

Victor Acin:

Yeah. Insiders.

Jim:

And, of

Oliver Rochford:

course yeah. Yeah. And and and I think that's a part of it. And the other part is also this modularization, the fact that you can you can you can hire you can almost build your own attack chain by plugging together different services. And you need access. Right? That's that's a part of it. Once you have access, you're still going to have to deploy some kind of ransomware. Then you're gonna have to take you're gonna have to manage for ransomware.

Oliver Rochford:

And then once you get the ransom, you actually need to take that money and launder it. And each one of these components, you can buy an off the shelf service. And it it also for you in terms of how do you identify a threat actor if they keep mixing and matching it? And more importantly, they can keep changing how they act. They on the fly, by just swapping in a different module or different service, they can actually fundamentally change what they're doing. They might start on your network doing cryptomining. But by, you know, buying something else or deploying a different module, all of a sudden, it's ransomware. That also makes them very difficult to counter.

Victor Acin:

And I mean, and that also has a really that's actually an issue that the threat intelligence industry is dealing with right now, because even simplifying it way more by now, you know? There's a lot of cybercrime or ransomware groups that are providing the ransom as a service, as as you as you very well said, Oliver. And most threat intelligence companies are providing TTPs and intelligence regarding that random that ransomware as a service as a group. But in reality, each affiliate is the one that has different, you know, models around the different procedures. Not all the TTPs belong to the to the ransomware, but to the affiliates themselves who are maybe purchasing, as you said, from an IAB, an initial access broker, Citrix access so that they can get a foothold on a network and a company to deploy the ransomware. Right?

Jim:

It is crazy because I've I have seen that they've also some or a lot of them have got rules of, know, rules of engagement as well. It's like you do not go for children's hospitals, you know. You you you don't go for for that kind of I mean, there are some that still will do that, but but there was, like, one instance where there was actually a a message come back from the ransomware people saying, yeah. I'm really sorry. Here's the decryptor. We've looked at you, and we realized that you're actually a kid's hospital. We don't want this. Have the decryptor back.

Victor Acin:

I mean, that's sort of a Robin Hoodian approach, right, David? They've had this sort of rules of engagements for a long time, in which, for example, they would not target, Eastern European countries when they were operating from them, you know, and they detected, for example, the language of the keyboard and that sort of thing. Why do you not attack a children's hospital? Because you don't want to attract, you know, the wrong kind of attention to to yourself.

Oliver Rochford:

Which they did, right, during COVID. If you remember the executives of all this, you remember. And, indeed, that's when we saw these rules of engagement about not targeting health care organizations, but it didn't last long. If you look, health care providers are still in the top 5 victim targets. Right? And so I think some groups say we don't target them. That's an opportunity for other groups, isn't it?

Victor Acin:

Yeah. Yeah.

Oliver Rochford:

Yeah. All of a sudden, you have a greenfield. Yeah. Yeah. And and not attacking your own home turf. We we we have a we have a term for that in English, the crapping your own nest. I figured I figured self serving rather than you know, I I grew up in a pretty rough neighborhood, and nobody stole anything in our neighborhood either. It's just it's just neighborhoods that are lying.

Jim:

Yeah. You'd you'd attract the wrong attention from the wrong people, you know, never never in your own place. It's like, it's like organized crime in London back in the day. There was heavy restrictions from the boys at the top as to what you could do underneath. You know, we've all seen the the films of the Krays and all the rest of it, and they did regulate their own criminal employees, underlings, people who are associated with them. I mean, they were still bad guys. Don't get me wrong. But they did, in many ways, help out their own communities.

Jim:

You know,

Victor Acin:

that's that's what what you're seeing right now as well. Right? Yeah. Cybercriminals are not hiding usually, in the countries that you operate in. On the con on the contrary, they're sort of heroes of the people, you know? They usually have money. They can bring value. They can hire people from their own country, maybe their own city, to operate that, that criminal infrastructure. And, they are relatively safe from the police as long as they don't, you know, overextend themselves to to a certain degree.

Oliver Rochford:

Yeah. I mean, no extradition. Some people think if there's no extradition treaty, it's not a crime. Yeah. And so so from that point of view, and and you're right. And that that and that's what I meant with the honesty. These people aren't they're not some shady criminals. They are living, in many respects, almost like a legitimate businessperson, that kind of life.

Oliver Rochford:

They hire people. They have staff. In some countries, they are operating from call centers.

Jim:

To pay the tax.

Oliver Rochford:

Right. They are major major employers and patrons in the area. Exactly. And that's and that's and, of course, if it's in a country that that doesn't have strong relations with the countries they're targeting, we don't have extradition treaties. They don't have any legal agreements. It is almost like a get a jail card. Right? But they can't travel. That's one aspect.

Oliver Rochford:

of Bitcoin, but you mentioned:

Jim:

people popping

Oliver Rochford:

in and saying, Setting 0 days selling 0 days. We never had 0 days. That was garbage from packet store, but that's when that 0 day selling started. And, indeed, within about 5 or 6 years, you had a professional zero day broker economy starting to build up, that was how all of this stuff really kicked off. It was in in iterative increments, right, until it become very, very professional. But what's interesting about this whole thing is just that it didn't blow up until they were able to monetize it. Because my favorite example is Rob Robert Rodriguez. He got 20 years for credit card fraud.

Oliver Rochford:

I was on in the IRC channel when they hacked the backdoor to get in to to the retail networks where they were skimming the cards, none of us knew what they were doing. That was the irony about it. Right? But they were talking about it at the time. They had to work with criminals. They needed people to clone cards, go into a shop, buy something, and sell it at a loss on eBay. There's a limit to how bad you can scale a business. Amazon vouchers as well. Amazon won't send goods to certain countries because of that.

Oliver Rochford:

It was only until you had an untraceable digital currency that hackers were able to cut out the middlemen. All of a sudden, you didn't need traditional criminals. You could do this by yourself. And that, to me, was a fundamental change in enabling criminals to be able to do this. We wouldn't be having this conversation if if all they could use was Amazon vouchers. Yeah.

Jim:

I mean, out of interest, I mean, you know, I see things have gotten a lot more dangerous than they were. You know, the the I mean, it was always gonna be obvious as you as you kinda mentioned earlier on, Oliver, you know, gone are the days where you go into to a bank with a a sawn off and you stick it up the nose of the teller and say, give us what's it, you know, give us what's in your in your vault. They probably don't have anything really in the vault anymore, not not not comparatively to what they used to. So the next logical step was obviously to move into cybercrime because it is it is a very easy comparatively easier thing to do with a lot less risk associated. You're not gonna get shot if you're in the States or, you know, whatever. You you you can do what you need to do from wherever it is you you you reside. And as we've seen the expansion of these as a services, we've got access brokers, we've got developers for malware. Because like you, Oliver, I mean, you know, I remember times when it was, you know, 1 or 2 sort of malware developers who would build something and then try and sell it on, you know, one of the the the what we call now the dark web forums.

Jim:

But now it's whole teams and banks of developers developing it, as as Victor said, as a service with support, with, you know, all this kind of stuff. Has this, in your opinion, made things a lot more dangerous from a cybersecurity sense? Because go back 20 years, we were worried about a virus, or we were worried about very, very different things to what we're seeing today. And the whole kind of lockdown period made it even worse because a lot of people in the world weren't making money because they were all in the same situation. So it drew a lot more people to those gangs. So, actually this might be a good one for Victor.

Victor Acin:

In time, and we will see, this is going to get, this is going to get worse and worse and worse. We're we're looming an economic crisis, and, when the times are tough, you know, that's always a precursor for crime, even more so when the crime itself is low risk. And, as we've been saying, the entry entry barrier is lower and lower and lower. Right? 20 years ago, the guys are stealing skimmers, or still stealing credit card from websites or from point of sale devices with, with malware. They had to understand how to operate the malware, how to understand, how to get into that, into that point of sale system. Right? You remember the I think it was Target credit card theft, some years ago?

Jim:

On the QSA, and it's it's one of the the the signature stories that that a lot of QSAs kind of talk about when we're helping customers kind of go through that process to get to that audited full point. It was it was crazy how that happened and how that that panned out. I just spoke to some of the some of the people who were involved in in investigating that. It was really, really interesting how how, how it all occurred. And you look at it now and you think, oh, so simple, really, you know, back then it was it was kind of crazy stuff. You know?

Victor Acin:

But now you can just hire a guy to do it. Right? Yeah. You can just pay, like, €500 to get access to to one of those devices.

Oliver Rochford:

I mean, it's interesting because, as I said, I mentioned, like like, the the the motive is for revenue. Right? And and and and the means, essentially, is the fact that you now have this fantastic supply chain, you're just off the shelf. You can pay for it. If you have Bitcoin, you can buy anything you want. Really, what enabled that is the fact that there are safe harbors for them to operate from. It's this combination of things. But what it comes down to, really, it's I always look you know, coming from Gartner, for me, this is always an economic problem. In reality, if you look at shoplifting.

Oliver Rochford:

We don't eliminate 100% shoplifting. We try to make shoplifting so cumbersome and expensive that it dissuades the majority of shoplifters from doing it. And, indeed, there's a spend of, like I think, I think they're basically spending about a dollar to prevent, you know, you know, roughly $12 worth of theft, something like that. So there's an economy equation. But when you look at countries where these groups are operating from, you have highly skilled, highly educated people. There's no local economy for them to tap into. They can't necessarily get a visa somewhere and for them, turning to this, it's semi legitimate. It's a gray zone without an extradition treaty.

Oliver Rochford:

So if you can basically improve their economic position, there'll be less incentive for people to do that, and that's a part of it. So poverty drives cybercrime in certain regions very much because that is the easiest opportunity you have of translating your technical skills into something that resembles a technical career, even if you're in that gray black zone of the economy. Right?

Jim:

Well, this is it. When you've got hungry kids at home and, you know, you're you're relying on on getting something through the door. And you're in a country where there's not so much help if you are out of work, then you've got no choice. I mean, any one of us, I'm guessing, with kids would would do that. It would period of time where you'd go right. I've got I'll feed the kids now. You know? I've gotta feed myself. Gotta pay my rent.

Jim:

Hopefully, obviously, we wouldn't, but let's face it. Any parent isn't gonna sit there and go, oh, well, they, you know, we'll just leave it there. But I I think one of the things I wanted to ask you guys, actually, is I mean, you know, we're very heavily focused on cybercrime nowadays, and we we are talking about cybercrime as a service. Is there the possibility? Because let's face it. Espionage has been going on for many, many years between organizations. Yeah? Now does this give you know, if our organization is using the same cybercrime as a service functions to attack their competitors. I'm not stupid enough to think that it doesn't work, and I have seen it in my career in the, you know, in the past. I've been part some of those investigations.

Jim [:

I mean, it wasn't a massive thing back then, but, you know, people would feasibly occasionally take a pop at one another. But now you can get somebody else to do it. You can pay somebody else legitimately to just go and do whatever attack you want. Victor mentions, you know, people who are losing their jobs, giving over their credentials for their employees because, you know, they don't care anymore. They're on their way out. Are we potentially gonna see this moving into a more corporate espionage style of possibility, because we do have this whole west and east thing going on at the moment as we, you know, you'd have to be under a rock not to have seen that one. What are we looking at now?

Victor Acin [:

I mean, I would say that, in regards to western against, or west against east, the espionage is happening already. We actually had a very interesting discussion among the team about whether... we've been seeing a trend of ransomware attacks that target low-value companies, sort of low-value-ish companies, and they demand really small payouts, right? And the discussion was about whether this was a smokescreen for an operation to try to camouflage, for example, data theft. I would say that, in that case, you know, seeing it from the east versus west, whatever theft that happens, I would say it's nation sponsored, in the end, or at least nation-state sanctioned. Right? As in, for example, China looking for companies who might have interesting intellectual property, you know, means of production, that sort of thing.

Oliver Rochford [:

I mean, so there have been some accounts about corporate actors rather than corporations utilizing private intelligence services, private detective agencies, and I would say, by extension, some of these cyber act services. But, normally, they were personal vendettas. It was not a company policy. So it was like one executive against another executive is one example. If you Google for it, it was a big company. Like, there's a big case for that. I just don't wanna say your name. But, and of course, there's... I'm aware of one incident.

Oliver Rochford [:

The first kinetic impact:

Jim [:

And that was them, tablet, that

Oliver Rochford [:

was, that was, exactly. Because who else is going to get interested if a steel company loses a contract or creates bad steel? Another steel company. It's normally something where there's a commercial interest. And, you know, they were competing against a lot of foreign companies for subcontracts. Those are the two incidents that I'm aware of. To be honest with you, is this something that you would know? Because the industry is there. There is a private intelligence industry that's growing. There's a private mercenary industry that's growing.

Oliver Rochford [:

I'd be surprised if cyber is included in that package, especially when you look at people like NSO. Right? We know that there's some of the... we're starting to see a light onto that. So yeah. But are there many known incidents? Yeah. Fair corporate spying scandals all the time. Uber were caught installing, like, software into their drivers' cars. I don't know if it's, stop, that bad. Yeah.

Oliver Rochford [:

Most of the incidents I've become aware of with industrial spying involve no technology at all. It was usually getting somebody on the payroll.

Victor Acin [:

I was about to bring up, you know, the incident that we had here in Spain with NSO and Pegasus. I'm not sure if that reached you guys.

Jim [:

Yeah. Do you wanna, you know, just in case people out there didn't kind of see what happened there, do you wanna kinda give a quick overview as to what it was?

Victor Acin [:

Yeah. Sure. Basically, the government of Spain basically paid NSO for a spyware that came fully packaged, you know, with 0-days and that sort of stuff so that they could spy on politicians. Right? So who's to say that really big corporations don't have access to that sort of technology? You know, who's to say that they cannot contact NSO? Allegedly, you know, they're not supposed to sell only to, or they're supposed to sell only to authorized, you know, authorized governments and that sort of stuff. But who's to say that, right, Amazon or Google or one of the big ones is actually... isn't actually paying, you know, for this sort of software to maybe infiltrate competitors' infrastructure. I mean,

Oliver Rochford [:

The modern way is that you don't have to try to infiltrate when you just download your software. But, well, yeah. Of course.

Jim [:

Well, the, I mean, the other thing is, you know, we did have, like, a spat in the UK of newspaper organizations hacking phones of celebrities and what have you. I mean, it's a slightly different thing from some of the stuff that we deal with, but it's still in the same kind of remit. It's still,

Victor Acin [:

You know? I would say it's still cybercrime. Right? In the end, they are doing, like, cyber

Oliver Rochford [:

Exactly. Well, where's the cutoff? Where on that spectrum do we say it's a crime or it's a gray zone? I don't know. You know? It's hard to say. Yeah.

Jim [:

So do you guys think this is gonna get more and more dangerous as we go on? I mean, we're seeing a massive rise in information security awareness. And, I mean, jeez, every single day there's another breach of some form or another. And we're kind of hitting a period where it's getting so easy now to conduct these or to pay somebody to go and do it. Are we really facing this serious, serious problem? Because, I mean, let's face it. The economy of the world isn't exactly in the greatest space at the moment in time, and it's not gonna take a lot to tip it up. Is this gonna potentially... yeah, cause some serious, serious problems going forward? Be it cybercrime, be it espionage between organizations or nation states or whatever. We're trying to fight this battle here on a scale. We don't have the tools necessarily to deal with this kind of level of crime.

Victor Acin [:

I mean, I would say that right now, it would require a massive shift, at maybe even a state level, to actually put a stop to the snowball of cybercrime, right? Because right now, most companies, I mean, the best approach that you can follow right now is to basically be more secure than the other companies, right? It's not about everyone being protected. It's about me being a less interesting target for cybercriminals. You invest just the necessary amount of money to deter that cybercriminal from coming into your company and maybe looking at that competition. Right? As opposed to strengthening all companies in the same way and trying to, you know, sort of create this net of security in which everyone is at the same level. Hopefully, you know, a really high one. So that it's not worth it anymore to hack companies. But as long as we are not on that level, you know, there will always be someone who's weaker and someone who cybercriminals can go after.

Oliver Rochford [:

Mhmm. I agree with Victor. I've written on this, I think, five, six years ago, the fact that this isn't just a technical solution. Right? As Victor mentioned, you're trying to increase the cost to the criminal of conducting a cybercrime. But in reality, like, there's a limit to that, but, you can achieve as a company. There has to be also further pressure on them from a legal point of view, not only from a law point of view, but also enforcing those laws and then punishment. And there has to be large global consensus on this. You have to... I used to like the legal status of pirates.

Oliver Rochford [:

It was hostis humani generis, enemy of all mankind. Nobody gave them shelter officially. That was our whole idea, and because they preyed on everybody, in theory. And so this kind of a concept for cybercrime operators, because they do tend to, on average, probably on most people, right, is something which I think we need. But the whole idea is to disincentivize people even going into this field from multiple levels. Make it harder to succeed. Make it more painful if you don't, if you get caught, and make sure that people have different alternatives rather than going into crime to begin with. It'd probably eliminate all of it, but right now, it's disproportionate.

Oliver Rochford [:

The background level of cybercrime is so high that insurances say they can't insure you. That gives you an indicator of how high it actually is. We can't hedge for risk. Right? And so we have to do something, but everyone has a part to play. Government, enterprises, law enforcement, everybody has a part to play here, but we increase that cost.

Jim [:

Victor, I mean, what are your thoughts? I mean, is the cat out the bag now? You mentioned the snowball effect earlier on, and, I mean, I'm certainly starting to see this, and I have concerns. Because, as I've said before in other podcasts where we've discussed cybercrime, because we've done a few of them now, we are fighting this endless battle. We don't, you know, they got a whole different set of ethics and morals, obviously, because they're doing something. But they're also not as constrained as we are. We don't have the budgets. And even when we do have the budgets, we've got to selectively choose. And you mentioned, Victor, being a little bit more, you know, a bit more secure than, you know, your nearest and dearest competitor or the people underneath. You know, even getting to a reasonable level of security these days can be pretty expensive.

Jim [:

I mean, you look at the price of GRC tools. If you want a GRC tool, and they are rising in cost as well, which is a bit crazy. You know, you're not gonna get much change out of 100k or 150k. And to some security people, that's pretty much either half or most of their budget. There's not much else you can do. Yeah. You can do all the hardening you like and all the, or the three aspects of security.

Victor Acin [:

If you can. Right? Because if you look at how companies, for example, are growing nowadays, they do not have the speed of startups, the speed they need to have, you know, both in, in an infrastructure point of view and, you know, software development and that sort of stuff. It doesn't leave room to secure your infrastructure and have proper security in place and be competitive with other startups that are doing the same. Right? And the same goes for big companies. Right? You make an acquisition. There was this company, we'll call it Panoply, and a big player actually bought them. And that's already a really huge risk because you do not properly understand how that company, you know, manages their structure. Right? And what they are doing? And we saw at the beginning of the year how, after doctor was selling accesses to Panoply.

Victor Acin [:

And, you know, like a couple of days ago, they've published most of the stuff that Panoply had. And now you've made an acquisition. That's part of your property. And due to decisions that you did not make from a security standpoint, now that is a risk to your own company. So even if we try to spend money and we try to prioritise, many times it's not really possible to achieve that level of maturity that you expect, or not only that possible, but, you know, really, really hard.

Oliver Rochford [:

But, I mean, in terms of ransomware, right, there are tried and trusted remedies to harden yourself against ransomware. Right? Network segmentation, restricting access, and so on. Exactly. So having a worst-case scenario, having disaster recovery and so on, it's not as though you can't. But I think, nowadays, it's probably easier to start a new company than try to retrofit back onto an existing legacy company. I'm wondering, I think that's also where there's a big, you know, a bit cut off. But it's not impossible because the reality is that a lot of these attacks, they are pretty automated. It has to be said.

Oliver Rochford [:

It's not, as you know, a human operator will get involved if it's worth it, but not for the opportunistic stuff. They're not gonna do it on every single small business. It doesn't scale itself. And the other aspect is to ask yourself, like, what is the main attack vector that they're coming in via? What's credentials and phishing? As a small business, if you focus on those, if I had a limited, that's why I focus my resources. You eliminate a large percentage of attacks that way. It's not perfect, but, you know, you can't achieve perfect. You have to do risk reduction. Yeah.

Jim [:

Mhmm. Until people start downloading dodgy copies of things with cracks. Yeah. Cool. Fantastic. Right. Well, I mean, you know, are there any kind of final conclusive thoughts to this? I mean, you know, are we gonna see things get a lot worse before they get better in your opinions, or is this reality now? I don't think, with the, as you guys say, without the whole world kinda coming together and doing something about it, which, let's face it, we've never done anything like that before for anything else, not even bleeding climate change, you know, whether you believe it or not. But what are we looking at here?

Victor Acin [:

I will... I don't want to sound, how do you say this, buzzworthy, sort of. You know? But I think that we're really close to a new revolution similar to what we experienced in the industrial revolution, within artificial intelligence. And I would expect that in the following years, thanks to AI, we will be able to sort of imitate those cybercriminals and sort of be able to democratize as well cyber threat intelligence or cybersecurity for all companies in a cheaper and more accessible way. That's what I would like to think. You know, that thanks to that support, we'll be able to provide, you know, solutions that are cheaper to make and cheaper to operate so that people do not need to have, you know, a 24/7 SOC on their company to manage tens of thousands of alerts and sort of sort through those really quickly with less experience. That would be my take. Hopefully, we are close to that point.

Oliver Rochford [:

So I think, I'll be honest, it depends to me a little bit on the geopolitical, because I don't like making predictions about AI. For me, that point where I can't make predictions about the impact is like the singularity occurs way before AGI, way before, where you can't predict which ways it's going. And I don't know how attackers and defenders are going to utilize it in response to one another, so we'll see. But in the short term, I think that based on the macroeconomic situation, based on the geopolitical situation, it's going to get worse before it gets better, partially because it's going to be an extension of economic warfare. And rather, I'm not saying that there's gonna be nation states enacting it. They're just gonna let it happen. The question is how finance responds to this. What does our financial system look like in 5 years? If you can work that out, you can work out what cybercrime looks like.

Oliver Rochford [:

If we move to a system where everything is on a ledger and you can trace every single transaction, it's gonna put a bit of a damper into that whole thing. If we don't, if we carry on with basically currencies that you can just shift around without knowing who's behind it, we're gonna carry on seeing an uptick in it because the incentive is too great. Why would they stop? Like, this is just kicking off as an industry. Other people are gonna start seeing the money that's being made in there, and we're still looking at a phase of diversification in terms of cybercrimes, and it's not present in every geography. Like, 10 years ago, I think one in five Germans had a credit card. People were saying Germany is better at protecting themselves. There was just no money to get got. Now they've got more credit cards.

Oliver Rochford [:

We're we're starting to see an uptick in financial crime. That is still to occur in other places. If I look at India or Africa, where we're using maybe mobile mainly mobile payments, they skip that whole, you know, physical bank kind of thing. I think we're gonna see variations there as well. That's for the next 5 years. So I think we're gonna see an uptick in all of this rather than than a downtrend. After 5 years, Who knows? A prima deluge, you know, or the singularity, you know? Yeah.

Jim [:

No. I must admit, I kind of agree with both of you there. I think, you know, it is getting to a frightening state, and I think it is very difficult to predict where it is gonna go. Maybe the next 6 months will play out, and we'll have a little bit of a better idea. But for now, I think for the rest of us trying desperately to secure our environments, seriously review your defense in depth. Do whatever you can to shore up your defenses and make sure that, you know, you can convince the pa... sorry?

Oliver Rochford [:

Test it. Test it.

Jim [:

Run simulate. Run a wall over

Oliver Rochford [:

the size. Get someone in to, you know, emulate it. See how you'd fare. Don't rely on your backups in the worst-case scenario. Try to restore them now. Do all of these things. You know, we have this lovely Prussian, yeah. There's a lovely Prussian military saying, sweat saves blood.

Oliver Rochford [:

So put that sweating in. Save yourself from the worst damage. Know what you're gonna face in advance, then you can do something about it. Yeah.

Jim [:

And, also, as a, you know, get some threat intelligence. Understand who the people you're fighting are, what they're doing, that kind of thing. I mean, we, you know, I just, without jumping back into the whole conversation, I've had help from you guys before with regards to some of the stuff that we've seen. Got some great intel as to what the trends are for those particular groups, what you can expect from those types of groups, and intelligence is becoming such a key aspect of InfoSec now.

Victor Acin [:

Well, I think the new ISO standard has a requirement of threat intelligence.

Jim [:

It does. But it's gonna take a while to filter down into companies at large. And to be honest, whether you're going down the ISO route, whether you're not, I still think nowadays it's gonna be a key part of your defense in depth.

Victor Acin [:

Yeah. Most definitely. Even more so, taking into account what we were talking about before, right, about the costs and understanding your risks, understanding what part of you is most likely to get attacked, and then being able to protect that first. Mhmm. Will definitely Peter versus the strategy.

Jim [:

This is it. And as Sun Tzu said, you know, if you only know yourself and you don't know your enemy, you're only gonna win 50, you know, 50 percent of the battles. If you don't understand yourself and you understand your enemy, then you're, well, he says you're gonna win 100%. I'm a bit dubious there on that one, for modern cyber, modern technology, but you're gonna have a much higher level of security. But, anyway, we've hit the top of our time together. As per usual, it's been an absolute pleasure debating and talking about these topics with you. I'll be tapping you guys up for more further info and maybe jumping back on other podcasts coming up on a semi-regular basis by the sounds of it. So thank you ever so much, guys, and it's been an absolute pleasure to have you on board.

Victor Acin [:

Thank you very much, James. Oli, thank you.

Jim [:

Fantastic. And to all of you out there, thank you ever so much for being a part of the podcast. Look after yourselves. Everybody out there, have a great day, and we'll speak to you again soon. Thank you for listening to the Razorwire podcast. If you like podcasts, if you love Vodcast, please feel free to subscribe. And if you have any questions, please get in touch. Thank you very much. Have a great day.


About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us, or if you have any questions you would like us to discuss on the podcast, email podcast@razorthorn.com or head to www.razorthorn.com.

About your host


Matt Cheney

Matt is a podcast & content creation coach with over 17 years of professional experience. He has delivered content for global media platforms, brands, broadcasters, and apps, producing EMMY award-winning music features, BAFTA-nominated animations, and iTunes chart-topping podcasts, among other projects. He has edited & mixed over 650 hrs of TV, recorded 10,000 hrs of narration and podcasts, and produced 10,000s of media assets for brands such as BBC, SKY, Nike, O2, Audi, RCA, Amazon, Google.
As the former Head of Audio for Vice Media UK and Rapid Pictures Post Production in London, Matt is well-versed in media and technology, as well as in leading and training creative teams.