Strategic Management of Cybercrime Making Crime Pay

A/Prof Paul A. WattersResearch Director ICSL

Overview

Use business planning activities to interpret current cybercrime tactics within a strategic context

Understand the key drivers for management in cybercrime organisations

Predict how new threats to cybercrime might change or curtail future organisational planning

Business Planning

Cybercrime organisations are like any other business What cash return is sought by their

investors? ROI

What are the (non-cash) critical success factors?

Risk management – threat of arrest, seizure of capital

Business Planning

How do we know they operate like a business?

Business Analysis Steps

1. What do we do?2. To whom do we do it?3. How do we do it?4. How can we beat or avoid

competition?

What do we do?

Goal is to maximise revenue through fraud Identify most vulnerable targets

The unemployed or desperate Identity schemes which maximise return but

minimise risk Low or nil cost to operate, minimal risk of

detection or arrest Scheme proceeds laundered through

legitimate businesses Cheque cashing fraud, mules

To whom do we do it?

Identify asset-rich countries with sophisticated banking systems Must have easy means to “cash out” Attack launched from countries with no

extradition treaty with target Local “protection” from government,

police, legitimate business as cover etc Individual loss < minimum thresholds

for investigation (no loss aggregation)

How do we do it?

Example: Implied Obligation?

How do we do it?

How can we beat or avoid competition?

Principle of specialisation Writing kits or running attacks? Diversified industrial – very 1970’s

Strategic HR Hiring the best talent

Partnerships Strategic outsourcing where it makes sense

Trade organisations Sharing knowledge, intelligence and expertise

freely

Strategy from tactical data?

Key challenge to measure the threat landscape Mapping of campaigns to identifiable

groups Estimate of potential impact

Quantitative – dollars lost Qualitative – harm to reputation,

confidence in banking

Phishing Campaigns Australian Data

Volume

Optimised threat management

Can we use data mining to optimise response to threats? Best allocation of resources to different

types of threat Existing kits = takedowns, resource

management New kits = forensic investigation, focused

intelligence discovery/updates

An Example: New Threats

Frequency

S

FTW

TM

S

01020304050607080

1 2 3 4 5 6 7

Frequency

An Example: New Threats

Exp smoothing a=0.2

0

5

10

15

20

25

30

0 20 40 60 80 100 120 140 160 180

Exp smoothing a=0.2

Time

Volu

me o

f new

att

ack

s

No Simple AnswersOnly 5% of variation in new case volume over time accounted for by linear model!

Profiling – Know Your Enemy

Summary

Cybercriminals operate as businesses Analysing cybercrime data helps us

interpret the threat landscape Understanding of current activity levels Prediction of future types of activity Reveals the drivers and business planning

choices undertaken by criminal groups Simple techniques only achieve so much

More sophisticated algorithms needed to improve predictability