Why Should I Care - mccright/FCCSCybersecurityInput GitHub Wiki
Why Should I Care?
- Mature Cybercrime Ecosystem
  - Costly & intrusive incidents happen every day, and each is associated with attacks from one or another hostile actor. For most hostile actors, this activity is just business.
  - Hostile actors have a range of motivations, including, but not limited to: money/profit, espionage (industrial, nation-state, or other), blackmail, destruction (data, or capability), exploitation, revenge, political gains, hacktivism, terrorism & more.
  - Hostile actors have a range of personas, including, but not limited to: nation-state espionage, non-nation-state espionage, cyber-criminal (targeted), cyber-criminal (broad-based), insider, hacktivist, terrorist, nuisance.
- Increasingly Interconnected Systems
  - The systems used to deliver the 'stuff' and services that we all consider part of our daily lives continue to grow more complex and interdependent.
  - That complexity and interdependency result in more attack surface.
  - That increasing attack surface provides adversaries expanding opportunities to exploit vulnerabilities.
  - Common design & implementation practices continue to produce weaknesses and deficiencies in the components of the underlying systems that we build and deploy.
- We are losing control
  - Consider: "Who controls the technology you use?" and "Who controls the technology that controls your data?" "Why do you trust them to behave in your best interest?"
    https://github.com/mccright/rand-notes/blob/master/There-Is-No-Cloud.md
- Vulnerabilities are all too common
  - Example: U.S. CISA Known Exploited Vulnerability (KEV) list https://www.cisa.gov/known-exploited-vulnerabilities-catalog (and "why" at https://www.cisa.gov/binding-operational-directive-22-01#what-is-the-difference-between-vulnerabilities-listed-in-the-national-vulnerability-database-nvd-and-those-in-cisas-catalog-of-known-exploited-vulnerabilities-kevs)
  - Example: US-CERT Weekly Vulnerability Summaries https://www.us-cert.gov/ncas/bulletins and their other data feeds https://cve.mitre.org/cve/data_feeds.html
  - Example: "Microsoft warns of time-travelling equation exploit – are you safe?" 10 Jun 2019 Arbitrary code execution via EQNEDT32.EXE https://nakedsecurity.sophos.com/2019/06/10/microsoft-warns-of-time-travelling-equation-exploit-are-you-safe/ and CVE-2017-11882
  - More Recent Cybersecurity Issues In The News
- Much effort goes into reactive security measures like intrusion or data loss detection and response capabilities.
  - Reactive measures [simple logging, alerting, incident response...] fail to address the foundational risk management challenges that require a holistic approach based on sound systems security engineering techniques and security design principles.
- A more holistic approach can make our systems more attack-resistant; capable of limiting the damage from disruptions, modification, breach, 'injury,' and other threats.
- It can also help make our systems and services more inherently resilient -- more able to continue support of critical missions and business functions after they are compromised.
REFERENCE: "Rethinking Cybersecurity from the Inside Out." By: Ron Ross, November 15, 2016. https://www.nist.gov/blogs/taking-measure/rethinking-cybersecurity-inside-out
A Brief History of Cybercrime.
A Brief History of Cybercrime 1962 - 2023.
https://arcticwolf.com/resources/blog-uk/fascinating-decade-in-cybercrime/
Risks in Context:
Cybersecurity Risk In Context:
Risk Continuum Raw:
Risk Continuum Example:
FBI Releases IC3 2019 Internet Crime Report
https://pdf.ic3.gov/2019_IC3Report.pdf
The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released the 2019 Internet Crime Report, which includes statistics based on data reported by the public through the IC3 website. The top three crime types reported by victims in 2019 were phishing/vishing/smishing/pharming, non-payment/non-delivery, and extortion. The FBI urges users to continue reporting complaints at www.ic3.gov to help law enforcement better combat cybercrime.
In 2019, IC3 received a total of 467,361 complaints with reported losses exceeding $3.5 billion. The most prevalent crime types reported were Phishing/Vishing/Smishing/Pharming, Non-Payment/Non-Delivery, Extortion, and Personal Data Breach. The top three crime types with the highest reported losses were business email compromise (BEC), Confidence/Romance Fraud, and Spoofing.
Year | Complaints | Losses |
---|---|---|
2015 | 288,012 | $1.1 Billion* |
2016 | 298,728 | $1.5 Billion* |
2017 | 301,580 | $1.4 Billion* |
2018 | 351,937 | $2.7 Billion* |
2019 | 467,361 | $3.5 Billion* |
2020 | 791,790 | $4.2 Billion* |
2021 | 847,376 | $6.9 Billion* |
2022 | 800,944 | $10.3 Billion* |
2023 | | $____ Billion* |

\* Rounded to the nearest million.
Table contents from: https://pdf.ic3.gov/2019_IC3Report.pdf and https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
For an update on BEC, see "The Confidence Game Shifting Tactics Fuel Surge in Business Email Compromise" (May 2023) from the Microsoft Threat Intelligence teams:
Microsoft’s Digital Crimes Unit has observed a 38 percent increase in Cybercrime-as-a-Service targeting business email between 2019 and 2022.
See their interesting write-up on attackers’ theft of credentials using platforms like BulletProftLink, and phishing-as-a-service like Evil Proxy, Naked Pages, and Caffeine, to deploy industrial-scale phishing campaigns.
2020 Numbers
- 95% of cybersecurity breaches involve human error https://www.cybintsolutions.com/cyber-security-facts-stats/
- 68% of business leaders feel their cybersecurity risks are increasing https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
- Data breaches exposed 36 billion records in the first half of 2020. ("worst year on record") https://pages.riskbasedsecurity.com/hubfs/Reports/2020/2020%20Q3%20Data%20Breach%20QuickView%20Report.pdf
- 86% of breaches were financially motivated and 10% were motivated by espionage. https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
- 70% of breaches were perpetrated by external actors (Verizon Data Breach Investigations Report, DBIR). https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
Ongoing Lists of Breaches of "Unsecured Protected Health Information"
Cyber-criminals are increasingly successful at targeting your health care data.
- "Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information" - As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
- USA Today database of "Health Care Data Breaches."
LEARNER Resources:
Excellent historical piece that helps provide some context for thinking about what is happening in the cybersecurity realm today.
"The Worm That Nearly Ate the Internet."
https://www.nytimes.com/2019/06/29/opinion/sunday/conficker-worm-ukraine.html
By Mark Bowden, June 29, 2019
MITRE ATT&CK threat list: https://mitre-attack.github.io/attack-navigator/enterprise/
Common Attack Pattern Enumeration and Classification (CAPEC™) Taxonomy http://capec.mitre.org/data/