Cybercrime, -threats and (Belgian) law enforcement Walter Coenraets – Head of Service, Federal Computer Crime Unit (FCCU) Central Directorate of the fight against Serious and Organized Crime (DJSOC)

Post on 18-Mar-2020


THREE QUESTIONS FOR THE POLICE

1. What about the Belgian (EU) situation (Threats)?
2. What are you (police) doing about it? What can we do about it?
3. What to do & who to contact?

THREE QUESTIONS FOR THE POLICE

1. What about the Belgian (EU) situation (Threats)?

CONCEPTUAL MODEL CYBERCRIME

Presenter notes:
To make it more illustrative, we developed a conceptual model of cybercrime. In the center of the model we can find the preliminary tools used by cybercriminals.

CONCEPTUAL MODEL CYBERCRIME

Presenter notes:
These tools are used to execute different attack techniques.

CONCEPTUAL MODEL CYBERCRIME

Presenter notes:
On the outside of the circle, we can find the four overarching forms of cybercrime, being cyber espionage, cyber sabotage, digital extortion and digital fraud. They are linked in this diagram to the most common attack techniques.

CONCEPTUAL MODEL CYBERCRIME

Presenter notes:
Finally, the figure shows the two main driving forces behind crime, being money or financial motives and power (political/ideological motives), with the aim to obtain and use information or to cause disruption.

STATISTICS ICT-CRIME 2010-2016

2010: 14478
2011: 15771
2012: 22039
2013: 18053
2014: 17028
2015: 18010
2016: 19982

Source: Politiële Criminaliteitsstatistieken - 21/04/2017

Presenter notes:
The police crime statistics add up the facts of computer crime on the basis of the criminal offence (hacking, forgery in information technology, computer fraud and sabotage). The graph shows an increase, present since the start of registration, which continues after the atypical peak of 2012 with outflow in 2013. This peak was caused by the police ransomware virus that blocked thousands of Belgian PCs and demanded a sum of money to unblock the PC. Computer crime is one of the few offences (in addition to terrorism and human trafficking) that have continued to increase in recent years.

FINANCIAL LOSSES

Ranking threat in companies

1. Reputational damage
2. Business interruption
3. Financial loss

Reputational damage
• 80% of big investors refuse to invest in hacked companies
• Data breach: risk of loss of 1/3 of customers

Source: European 2015 Cyber Risk Survey by Marsh

Presenter notes:
When we turn to the financial loss suffered, we see that companies put the damage to their reputation first in terms of threat. Reputational damage is a factor that is difficult to estimate and which can play a role in the long term. Nearly 80% of large investors prefer not to invest in companies that have been hacked (FTI Consulting on behalf of KPMG, 2015). Financial and banking institutions, health facilities and retailers may lose a third of their customers as soon as they become victims of a large data breach.

REPUTATIONAL DAMAGE

A data breach is a PR and financial disaster. Companies often spot the intrusion too late, and respond inadequately, resulting in falling (temporary) sales and journalist outrage.

Presenter notes:
Example: hospital

REPUTATIONAL DAMAGE

“An organization can minimize the impact by taking appropriate action,” an incident response plan; a crisis management plan, full media training spokespeople and that a war games exercise is performed to test resilience.”

DE TIJD – CYBERPOLIS (04/01/2018)

1 out of 13 companies has been a victim of cybercrime in the last 5 years.

Usually the damage amounts to between €10,000 and €20,000.

Cyber-attacks this year are starting to have the same financial impact on businesses as major natural disasters.

Criminals this year will mainly try to hit hard by stopping companies' business for a while. Production companies, logistics companies and webshops are particularly sensitive to this.

Source: report by insurance broker Vanbreda Risk & Benefits

Presenter notes:
In 2017 the number of cyber policies that were taken out doubled compared to the year before. The total amount of premiums deposited for this purpose rose from EUR 1.7 million to EUR 2.5 million. SMEs in particular have started to take out policies in recent months; this trend is expected to continue, thanks to Europe. After all, on 25 May the European GDPR Directive will come into force, which stipulates what companies must do to secure their data. Failure to do so may result in penalties.

ACTUALIA AND CHALLENGES

Presenter notes:
In the following slides, I would like to focus briefly on the challenges which we are facing or are about to face in Belgium. These will challenge our specialized police units, which will have to carry out investigations in such cases.

Presenter notes:
The 2017 Internet Organised Crime Threat Assessment (IOCTA) reports how cybercrime continues to grow and evolve.

EUROPOL: IOCTA 2017

• cybercrime continues to take new forms and new directions.
• difficult to attribute cyber-attacks to particular groups
• need for a coordinated EU LE and cross-sector response to major cyber-attacks on critical infrastructure.

Presenter notes:
Ransomware continues to be one of the most prominent malware threats in terms of the variety and range of its victims and the damage done.

EUROPOL: IOCTA 2017

• require a coordinated and harmonised effort by LE, policy makers, legislators, academia, civil society and training providers to effectively tackle cybercrime
• clear that continued, close cooperation with the private sector is essential to combat cybercrime in an agile, pro-active and coordinated manner with a comprehensive and up-to-date information posture at its heart.

RANSOMWARE - CRYPTOWARE

One of the biggest challenges in cyberspace facing businesses, governments and citizens alike is ransomware or cryptoware, known to you all. The WannaCry campaign is still fresh in the memory.

RANSOMWARE - CRYPTOWARE

Europol: Significant threat for the EU (private and public sector)

Trend
• More frequent and targeted
• More specialised
• Via attachments in phishing mails
• Higher ransom (doxware)

Source: Barkly (Jonathan Crowe), 2017 Ransomware Trends and Forecasts, Feb 2017

Presenter notes:
Europol considers it to be one of the most important threats to the EU. We will certainly have to deal with it even more in the future, with the following trends. An important factor in combating this is prevention, as well as the exchange of information between victims and law enforcement, so we can trace the perpetrators or offer decryption keys to the victims through thorough investigation.

RANSOMWARE - CRYPTOWARE


TIMELINE RANSOMWARE

Presenter notes:
The timeline compiled by F-Secure on the number of known ransomware families gives a good picture of the rise in the threat posed by ransomware. This timeline runs until the end of 2016 and shows the enormous growth in ransomware families.

CRYPTOWARE

Presenter notes:
There are many examples of ransomware attacks and damage. The following example is significant: the attack with the Petya ransomware at the end of June has cost the Danish multinational Maersk an estimated $200 to $300 million, as announced today in a second quarter financial report.

RANSOMWARE - CRYPTOWARE

Presenter notes:
Safeonweb. The document is divided into the following chapters:
• Ransomware: A description of the given ransomware.
• Prevention: What steps can you take to protect yourself from ransomware?
• Victim of ransomware? What to do when you are a victim of ransomware.

SOCIAL ENGINEERING

Social engineering is the use of deception to convince a person to either unwittingly divulge sensitive information or carry out some act which they otherwise would not normally do.

Presenter notes:
While this sounds simplistic, many crime areas, both cyber-dependent and cyber-facilitated, rely heavily on social engineering tactics in order to be successful. The reason for this is simple: IT security systems are objective, operating by measurable rules and parameters and are therefore harder to breach with a direct technical assault. Conversely, humans are subjective, and that subjectivity can be exploited in order to bypass those technical security measures, relying instead on the victim’s trust and lapses in judgement.

CEO FRAUD

• Both large and small businesses are targeted.
• Between June 2015 and January 2016, the FBI reported an increase of 1300% in losses for companies.
• Google and Facebook also suffered losses of up to 100 million dollars.
• In Belgium, a bank paid 70 million euro to unknown criminals.
• Damage due to this type of fraud: $3 B.

CEO FRAUD

ESPIONAGE - IP

• German industry is under attack, and they may not be aware.
• Germany warns of nation-state cyber espionage threat
• Report from Germany's domestic intelligence and security service says Russia, China and Iran are targeting German companies and interests

Source: csoonline.com 27/07/2017

MOBILE MALWARE

Presenter notes:
In 2016, Europol launched a major prevention campaign on mobile malware, which was joined by the federal police. The reason for this is that criminals see these often poorly secured devices as an opportunity to carry out their cyber attacks via this route. The campaign aims to make everyone aware of the risks associated with using smartphones. While security software is gradually becoming established on fixed PCs, this is not yet the case on smartphones. The cyber criminals also know this.

MOBILE MALWARE

Presenter notes:
One of the campaign fact sheets warns against ransomware attacks on these devices. It needs no further explanation that a smartphone gives access to very large amounts of data and that users depend heavily on it, which also makes it a target for criminals.

INTERNET OF ZOMBIES

Presenter notes:
Another challenge is the internet of everything: a huge number of devices that are part of a network and are often not, or not sufficiently, secured. A dream entry vector for cybercriminals. It represents a cottage industry for privacy violators and a rich data source, transforming the IoT into a dangerous Internet of Zombies. Following the success of the Mirai malware and its subsequent availability, we will see an increasing number of large-scale DDoS attacks originating from a variety of insecure IoT devices.

INTERNET OF ZOMBIES

Presenter notes:
The following example illustrates the danger posed by poor security. The Mirai botnet involved the contamination of a very large number of IoT-controlled devices that were all linked to each other by the criminals (as part of a so-called botnet) to carry out a joint attack on a targeted system. Within the first minute, 834 devices became infected and started scanning for other targets. Within ten minutes, the number of infected devices had risen to 11,000 and after twenty hours there were 64,500. The botnet peaked at the end of November with 600,000 infections. By the end of February this year, the last month of the observations, it had already shrunk to 100,000 devices. Most of the affected systems were found in Brazil, Colombia and Vietnam, followed by China. The Mirai malware was responsible for the longest telecom outage in the EU last year. This is the first time that malware has caused the longest telecom disruption, according to the European Network and Information Security Agency (ENISA) in a new report.

STOLEN DATA – CLOUD

Stolen data is one of the fastest selling commodities on the dark web.

Presenter notes:
An additional challenge is posed by the huge amounts of data stored on servers or in the cloud, which are a very attractive target for criminals, either to be taken hostage or to sell or to damage. Stolen data is one of the fastest selling commodities on the dark web. One of the key influencers of price is the amount of information available in every cache of stolen data.

APT CAMPAIGNS

Presenter notes:
Then there is the threat posed by the so-called advanced persistent threats, or APTs. These are complex campaigns often carried out by other states, but the tools of which are now also in the hands of criminal organisations. Often the purpose of this is to steal information in an illegal manner, but as mentioned earlier, it can also be used by criminals to cause significant damage or for financial gain. As mentioned, the Belgacom case is the most famous infection with an APT in Belgium.

From these newspaper reports, we can get a lot of characteristics of an APT: the persistence, the stealth, the focus, the sophistication.

Use was made of Slashdot profiles and LinkedIn in order to infect the system.

.BE: APT MAGNET

Flame, TeamSpy, Aurora, CosmicDuke, MiniDuke, Animal Farm, Duqu, Carbanak, The Mask, Regin, Epic Turla, Red October, Equation, Energetic Bear, Wiper, Stuxnet, Crouching Yeti, APT1, Havex, APT5, Turla, …

Across all branches of industry

Presenter notes:
• Belgium is called an APT magnet by security firms (Kaspersky): lots of international organisation HQs, the big trade port of Antwerp …
• Several other campaigns with Belgian victims we investigate(d).
• We find victims in all industry branches.
• Those who were covered by the media are only a very small fraction (Belgacom, Ministry of Foreign Affairs, Professor Quisquater…).
• Even in small and medium enterprises in specific activities, branches of internationals…
• No industry is safe.
• You should be aware, resilient.

CYBER SABOTAGE

Source: Illustration by Rob Donnelly

Presenter notes:
One of the biggest threats is that cybercriminals penetrate systems to actually cause damage in the real world, with both material and physical consequences.

CYBER SABOTAGE

Destructive goal, also in real world

Terrorists: DDoS & defacements: future?
• Arabic hacker group: 1 million documents
• Verizon 2016: Water plant (hacktivists)
• USA Sept. 2016: Kosovar hacker IS
• Europol: critical infrastructure
• Dec. 2016: Ukraine electrical plant

OCGs (ransomware, sabotage) & Individuals (IoT, cars, pacemaker…)

Presenter notes:
There are several examples of cyber sabotage. We can make a rough distinction between three groups in terms of perpetrators, namely:
• terrorist/ideological perpetrators
• organised criminal groups of perpetrators
• individuals, either as perpetrators or targets

In recent years hacker groups have emerged that have ties with IS; this is evidenced by, among others, a report from Europol and one from Flashpoint. Both reports agree that the techniques used are currently mainly limited to defacements and DDoS attacks.

At the Security Analyst Summit in February 2015, Kaspersky announced that it had discovered an independent group of Arab hackers, whose attacks mainly support terrorist movements. The group would have stolen up to 1 million secret documents worldwide, including security firm personnel lists.

In 2016, Verizon described a case study about an investigated security breach at a (perhaps American) water station. The hackers managed to manipulate the system that controls the amount of chemicals added to the water supply. Although no clear motive was found for the attack, the available traces were found to lead to hacktivists.

In September 2016, a Kosovar hacker in the United States was sentenced to 20 years' imprisonment. He broke into the computers of more than a thousand American government officials, including many soldiers, and passed on the stolen information to the Islamic State. A US Justice spokesman said: "This case of cybercrime demonstrates for the first time, through the combination of hacking and terrorism, the great and real danger to our national security."

Europol states that it is clear that critical infrastructure is an 'ideal' target for terrorists because it can be used to make many victims. Critical infrastructures in sectors such as energy supply, transport, telecommunications and the financial sector are a particular focus of attention. The Hague, 15/06/2016.

It should also be borne in mind that organised crime may also target critical infrastructures or vital sectors, for purposes other than terrorist ones, often for financial gain, for example through ransomware or threats of sabotage.

The threat also exists at the private level. For example, many (not to say all) internet-connected devices or applications are 'hackable': cameras, door locks, thermostats, etc. But there are also applications that can pose a threat to the physical integrity of the person in the event of abuse, such as pacemakers and self-driving cars.

CYBER SABOTAGE

Seattle - Boeing has taken out a patent for a technology that simulates cyberattacks on airplanes to train pilots. Boeing thinks that cyberattacks may be a real threat to flight safety and pilots should be trained to determine and withstand them.

18 January 2018 airlinerwatch.com

CYBER SABOTAGE

Presenter notes:
7 July 2017. Criminals have managed to penetrate the computers of at least twelve American power stations, including a nuclear power station in Kansas. That is what the US Department of Homeland Security and the FBI are saying. It is not clear whether the ultimate goal is industrial espionage or sabotage of the energy supply. Nor is it known who is behind the attacks. The FBI speaks of attackers who pose a sophisticated, persistent threat, indicating that the service takes state hackers into account. The attackers tried to penetrate the networks with targeted e-mail, among other things. In doing so, they used malware to target people with elevated rights within the networks and systems for power plants.

CYBER SABOTAGE

Presenter notes:
Another example of cyber sabotage dates from 16 June 2017. A group of cyber criminals has been hacking North American casinos and mining companies for a number of years now, in order to steal confidential information and extort the companies. When not paid, the criminals sabotage production systems. They also leak the stolen data to journalists and blogs, in order to force victims to pay. The group is called FIN10 by the American security company FireEye and has been active since 2013. Canadian organisations in particular are targeted. It is not entirely clear how the criminals get access to the networks, but in two hacks targeted phishing emails were used. After a machine has become infected, the attackers move laterally through the network and sensitive data is collected. The attackers then demand between 100 and 500 bitcoin, which is currently equivalent to more than 200,000 euros to 1 million euros; otherwise the victims risk disclosure of the data. Production systems were then sabotaged for certain victims who did not pay. Important system files, including the Windows directory, and network systems were deleted.

FUTURE - PRESENT

Presenter notes:
27 December 2017 - Business Insider. Technology of the next decade. The World Economic Forum surveyed over 800 experts and executives to find out what the future will actually look like. Here are 7 amazing technologies they think the world will see by 2030.

THREE QUESTIONS FOR THE POLICE

2. What are you (police) doing about it?

Presenter notes:
The next question is what is the police response to all these challenges? A comprehensive answer would lead us too far, but I would like to draw attention to some of them.

CHALLENGES

• Recruitment
• Resources
• Training/expertise
• Information exchange
• Legislation

Presenter notes:
The biggest challenges that need urgent response are to be found in the following five areas: recruitment, resources, training/expertise, information exchange and legislation.

SOLUTIONS?

USSS

… as a community we need to get better at sharing information on threats and incidents. This includes sharing not just the IOCs, but also working with law enforcement to investigate and bring the perpetrators to justice. It also requires sharing the more general context of cybersecurity incidents to inform prioritization of cybersecurity actions and law enforcement efforts to counter particularly damaging threats.

Presenter notes:
An essential element in the fight against cybercrime is the exchange of information between partners. It concerns both information about incidents that have occurred and information about possible threats. I would like to refer to the quotation from the USSS. The professional and comprehensive way in which intelligence is collected by specialised companies is not possible to the same extent for the police. Nevertheless, the police also sits on a mountain of information gathered both on the basis of their own investigations and obtained through an extensive network of partners. In my opinion, it is essential to strengthen public-private cooperation in the field of information exchange, to the benefit of all parties involved in trying to obtain a more secure cyber society.

THREE QUESTIONS

3. What to do & Who to contact?

Presenter notes:
Last but not least, the question is who best to contact within the police if you are a victim of cybercrime?

CYBERINCIDENT: WHAT TO DO?

Reporting to the CERT.be
• The CERT will offer support / refer to support services
• The CERT will advise you to file a complaint with law enforcement

Filing a complaint with law enforcement
• Police
• Examining judge

Presenter notes:
If you are a company, are a victim of cybercrime, and wish to make a report and seek advice about the possible approach, then the appropriate channel for this is CERT.be. If you wish to file a complaint, you can of course first and foremost do this with the police.

FEDERAL COMPUTER CRIME UNIT

• Local Police: 187 forces, LCCU
• Federal Judicial Police
  • Districts: 14 RCCUs
  • DJSOC: FCCU

Presentator
Presentatienotities
On this slide we see a very schematic overview of the possibly involved police services if you are a victim of cybercrime. As being a first-line police, as a rule the local police will be your first interlocutor when you wish to file a complaint. Their task is to contact asap the right specialized police service. Within each district we have a regional computer crime unit (14 in total) and at the central level we have one federal computer crime unit in Brussels. The distinction between the FCCU and the RCCUs lies, on an operational level, mainly in the fact that the FCCU is responsible for handling files of attacks on critical infrastructure and vital sectors, but immediately involving the RCCU of the affected district. All cybercrime files that fall outside this scope should be handled by the RCCU, whereby assistance is always possible from the FCCU.

YOU FILE A COMPLAINT, WE OFFER…

Confidentiality
• Secrecy of judicial inquiries
• Reputation in your control

Timely response
• Immediate action
• Task force methodology

Expertise
• Experience in many/large cases
• Government as a target

Independent / Networked
• CERTs, security firms, national and international networks/organisations

Presenter
Presentation notes
We know from experience that companies are rather reluctant to call on the police, partly out of fear of interruption of their business activities. That is why I would like to list a number of added-value benefits associated with police intervention. Why should you get us involved?

CONFIDENTIALITY: Police are bound by a duty of professional secrecy that is essential in such cases of cybercrime, taking into account, among other things, the importance of avoiding damage to reputation and, of course, of preventing cybercriminals from being told that they have been spotted. In the Belgacom case, all information in the press was released by Belgacom or other involved parties, not by police.

TIMELY RESPONSE: Rapid action can be taken by means of probing forces. We work urgently… Task force…

EXPERTISE: We or our partners investigate cybercrime cases (and even APT cases) on a regular basis. The government infrastructure itself attracts many APT actors. We do the judicial investigation > Private firms will not go after actors. If your breach gets known: we, also thanks to our national and international network, can give you information/confirmation whether it was a sophisticated/targeted attack…

INDEPENDENCE – NETWORK: Vendor-independent but in contact with all major vendors. Good contacts with CERTs, (inter)national organisations…

WHEN TO FILE A COMPLAINT?

During office hours
• Local police
• RCCU
• FCCU: 02/743.74.74

Outside office hours
• Local Police
• Emergency number: 112

Presenter
Presentation notes
I am well aware that if your company is the victim of a cyber incident, the local police can offer you little assistance in this matter. As I said, they will then immediately get in contact with the RCCU, but it is obviously not a bad thing if, during the hours of service, you also have the contact details of the judicial police of your district at hand. Under the motto "know your allies", this can save you valuable time by contacting this service directly. The advantage of being present at my presentation is that you now also have the phone number of the FCCU if you have serious problems in the field of cyberspace. We can then put you in direct contact with the competent RCCU or with CERT.be, deal with the case ourselves if it falls within our work domain, or bring you into contact with the local police, but with the necessary advice for filing a complaint.

PREVENTION! PREVENTION!...

Presenter
Presentation notes
To conclude my presentation, I would like to stress the importance of prevention. With the right preventive approach, one can already avoid a lot of misery from cyber incidents. A well-developed prevention approach to protect against cyber incidents must be a priority in every company, also in view of the major risks involved and the possible impact.

PREVENTION! PREVENTION!...

Presenter
Presentation notes
The Centre for Cybersecurity Belgium and the Cyber Security Coalition, with our cooperation of course, have published a good guide on incident management which can be freely downloaded. This is not only a guide to handling incidents when under fire, but also includes a holistic approach describing proactive actions, detection, incident handling, communication and how to recover from a cyberincident.

A must-read for every organisation: victims and future victims

One chapter on…
• Basic principles

Six chapters describing different phases in incident management
• Readiness
• Detection and identification
• Incident handling
• Communication
• Follow-up and closure

CP Walter Coenraets
Head of Unit

Federal Computer Crime Unit
Direction for Serious and Organised Crime - Federal Judicial Police
Koningstraat 202A – 1000 Brussels
+32 2 743 74 74
[email protected]

wcoenraets

Presenter
Presentation notes
I would like to thank you for your attention and if there are questions, these are very welcome.