Infraud aftermath: Is your cybersecurity team big enough?


On 7 February, the U.S. Department of Justice announced the indictment of 36 suspects involved in a transnational online cybercrime organisation referred to as the Infraud Organization. The DOJ claimed the group was responsible for more than $530 million in losses. The suspects operated from a number of countries, including the United States, UK, France, Canada, Pakistan, Russia, Egypt, Italy and Macedonia. The activities of the organisation included:

  • Purchasing and selling personally identifiable information (PII), including dates of birth, addresses, passwords, social security numbers and credit card details
  • Advertising other stolen property for sale
  • Selling and sharing malware
  • Sharing information on illegal activities

A few of the details disclosed stood out. First, the organisation had been running for seven years, so it had quite a lifespan. Second, it involved more than 10,900 members (it seems that only some of the top operatives were indicted).

So is this just another dark web company being closed down, or can we learn some lessons from these indictments?

The first point that comes to mind is the sheer size of the operation. That so many people were involved in this criminal enterprise puts the efforts of cyber resilience teams into perspective. No commercial organisation has that number in its cyber resilience team, and probably only a few governments could claim to have invested as heavily. This typifies the asymmetry of resources between those who attack and those who defend and maintain. The difference can probably be ascribed to the fact that the activity is a profit centre for the attackers and, conversely, a cost centre for the defenders. A cooperative attack team of nearly 11,000 members would overwhelm any major enterprise.

In addition, the network created allowed for operational agility with online transfer of assets — the products or outcomes of the criminal actions as well as the sharing of intelligence to optimize activities.

None of this is really news. The model for cybercrime has been developing steadily over the last decade or more. It is the reaction that is becoming increasingly important.

If the attackers can stand up large resource teams, then so must the defenders. Every individual in an organisation has to be co-opted into the cyber resilience team. This team will need continual training, measurement and reinforcement to raise awareness and create lasting behavioural change. The individual's responsibility for securing the organisation has to be stressed as well. It is no longer enough to simply tell users how to behave; they need to understand that, as the frontline defenders, it is their duty. This way of working benefits the whole organisation, and the same attitude at home will help people defend their own personal interactions on the Internet.

Agility — being able to rapidly deploy new solutions to capture a market advantage — is a commonly used word in the IT sphere. The same principle applies to cyber resilience. CISOs have to be as agile as the attackers and need new ways of deploying solutions that provide controls. Many of these solutions will come from cloud-based providers that deliver security on a consumption basis, with rapid implementation and setup.

Agility will also be a keyword when reaching out into the organisation and building a consensus for defence and resilience. Businesses driving digital transformations require a security function that matches their speed of change. This in turn ensures support from top-level management for programs to build the whole workforce into part of the defence team.

So there are indeed lessons we can learn from the takedown of large criminal teams. We need to build our defence teams from every part of the business. We need to deliver with speed and flexibility. In short, we have to think like the bad guy.

Chris Moyer is Vice President and General Manager of Security for DXC. He has spent more than 25 years building business and technology solutions for clients in several industries across multiple geographies. In previous roles, he has led solutioning, transformation projects and delivery assurance. He is also a member of the Institute of Electrical and Electronics Engineers. Connect with him on Twitter and LinkedIn.
