Interview: The SecureWorks detectives uncovering the 'who and why' of cybercrime
What is it about financial organisations that makes them attractive targets for cybercriminals? Barry Hensley, SecureWorks' chief threat intelligence officer and Alex Tilley, SecureWorks Counter Threat Unit's E-crime intelligence lead, talked exclusively to SecurityBrief.
Tilley focuses on what he calls the 'who and why' part of cybercrime, working out who they are, how they're evolving and what they're trying to steal while other teams focus on the network analysis.
Hensley is responsible for SecureWorks' Counter Threat Unit, the security analysts and the response team. Together, all three teams work to investigate threats for client protection.
"If we look at the types of malware and various bank customers that it's targeting, often it hits Australia first. When we looked back at previous campaigns it suggested that, but we never had enough evidence. The last two information stealing malware, SecLoader and TrickBot, both started out hitting Australian banks first," Tilley says.
According to SecureWorks, TrickBot targeted 46% of all Australian banks. Tilley says that those banks are good at fraud detection, so perhaps attacks see it as a testbed.
"It's a well-regulated and fairly static banking community here to you can test things. If it works here then it will probably work in most places around the world," he says.
He states that attackers are mostly after banking credentials - individual logins, business banking credentials and wealth management credentials. They then use those credentials to steal funds.
"They're going after where there's a lot of money, rather than consumer accounts. They're after six-figures in a transaction, shifting that off to an intermediary and then off to wherever it goes," he says.
While there are some groups that use credentials for espionage, the main focus is the money. He says that if attackers get a lot of stolen data, it makes sense that they'd use it for other things but by and large, it's definitely financially-motivated.
The Gold Evergreen Group was behind the TrickBot malware, an Eastern European group that has been on the scene in various forms for a long time. Tilley explains that it has evolved from basic phishing to advanced techniques, and they're getting better all the time.
"They're using the latest and greatest way to make their money as they come online. Eventually they were writing their own malware."
The group is widespread in different countries, but Tilley says that the sheer size and dynamic nature of the group is what has kept them alive. It's about what works in the most profitable way.
Moving the focus back to financial services, Tilley says that wealth management platforms should be subject to the same level of scrunity as banks, otherwise attackers will look to wider pastures for their money.
Hensley says that there was a day when organisations could just buy threat intelligence like signature-based counter measures and firewall protection from various vendors and apply them to their own business, but those days have long gone. This is the new world of adversaries.
"Somehow these adversaries have become a SysAd on a network. How do you detect an adversary that has legitimate credentials and is moving laterally undetected based on the security controls? The more sophisticated the threats are, the more opportunities for nation states and adversaries," Hensley says.
On the topic of business email compromise scams, Hensley adds that from a financial perspective, it's interesting to observe that credit unions have relationships with companies to the point of automatic purchase execution. If a CEO is travelling, it opens up opportunities for malicious intent.
"That relationship might be a benefit but in this case it's a risk. Everyone assumes that the email that looked like it was from the CEO wasn't actually the real one," Hensley says.
But no matter who or what the group is, defending against these adversaries is the bottom line. Hensley comments that there have been some knee-jerk reactions to get adversaries out of the network. They then miss other potential points of entry.
With data privacy and data breach notification laws becoming more popular, organisations won't be able to afford knee-jerk reactions and will have to instead focus on better all-round security. They'll also be forced to talk about security, Tilley says.
"People start looking at other countries and asking 'how did they do it, what did they do wrong and how do we get ready for that here," Tilley says.
Hensley adds that it's important for their own company that they need to understand and be the threat experts for their customers. And understanding the tactics that those adversaries use is crucial to SecureWorks' success.