Johannesburg, 31 May 2022
Large countries aren’t the only ones being targeted by cyber crime, including ransomware and double extortion attacks. Smaller countries are increasingly being affected too.
“The targeting is opportunistic,” says head of security research at Orange Cyberdefense, Charl van der Walt, speaking during his keynote address at the ITWeb Security Summit 2022, being held in Johannesburg this morning.
And while the majority of attacks might happen in the US, for example, it’s not a question of threat actors specifically looking for US entities to attack; they are “throwing mud at a map”, and it will obviously stick where the map is biggest. The US is simply the single biggest economy.
He says there are some notable exceptions, such as India, Japan and China, which are underrepresented in terms of the size of their economies. “The hypothesis there is not that those places are more secure, or that they have better technologies, or that their security service providers are just on top of their game, but rather because this is a crime of extortion – it requires the attacker or the criminal to understand the business of the victim. The barrier here isn’t technology, but rather language, culture and business ecosystems.”
So what can be done to counter crimes of this nature?
Van der Walt says that, firstly, we can try to demotivate attackers. “But what can we do to take them out or slow them down? It seems that law enforcement efforts are going to be ineffective, and takedowns of ransomware groups such as REvil have been ineffective, so what we are left with here, is slowing the flow of money.”
He says efforts in the US, for example, to regulate cryptocurrency exchanges, or to mandate the reporting of ransomware payments, are a step in the right direction. “They will demotivate the attacker from attacking American businesses.”
However, all that’s going to do is swing them around to places that have no controls of this nature in place.
Make your business unattractive
Next, van der Walt says we can look at the suitability or the attractiveness of the victim.
“How do you make yourself less of a target when you walk around in Joburg? You don't wear your Rolex. So there are some basic things we can do, such as decrease vulnerability, and decrease the relative value of our assets to us.”
It's important to remember, he says, that what they're stealing is something that's of value to us, not something that's of value to them. “So when we have resilient backups, and we know that they work, and when we have resilient systems that are redundant and can operate even when one part of the network goes down, that reduces the value of that technology to us, and makes us less suitable as a victim.”
We can also reduce our attack surface and give attackers “less to shoot at”, and we can do better when it comes to finding bad actors and stopping them when they're in our environments. “That’s something we can do to reduce our attractiveness as a victim.”
Guardianship in cyber space
In addition, he says we can look at guardianship, at what it is, and where we can find it in cyber space.
“Traditionally, what we've done is look at guardians as things in the real world. We would look at locks and keys and cameras and gates and stuff like that. And in cyber space, we generally also view guardians as things – antivirus, IPS and next generation firewalls and all of that. But my argument has been that those things haven't been that effective in stopping crime.”
It is Van der Walt’s argument that informal social guardianship, where communities, families and neighbourhoods band together and watch each other's backs, is more effective.
This idea hasn't been explored enough, and it ties into the theme for this conference, he says.
“The reason the technology doesn't work, and I say this with all due respect, is because effectively we are dealing with a massive criminal ecosystem of hundreds and thousands of individuals, many of whom are in former Soviet republics, that are making billions of dollars by having built their entire livelihoods from this form of extortion.”
You can’t stop them
Van der Walt says they will not be put off by the fact that you have a better lock on your door; it’s simply not an impediment to a form of crime that is so powerful, and so deeply systemically rooted. “It's not going to stop them and that's why we need to think of other ways.”
Cohen and Felson, researchers who developed the theory of guardianship, emphasised and focused on the idea of community or informal guardianship, and one of the ways that that manifests in the real world is in this idea of neighbourhood watch. While not bulletproof, a neighbourhood watch has a measurable and consistent impact.
What are the tenets of a neighbourhood watch? asks Van der Walt.
“Take the Clifton neighbourhood watch programme, you'll see they follow all of these principles. The first is they describe themselves as a cross-domain partnership between SAPS, the community policing forum, local authorities, security providers, and above all, individuals and families who want to make the neighbourhood a safer place.”
The second thing, he says, is that it is organised under a constitution that is governed by law.
“The City of Cape Town has a set of regulations that describe how neighbourhood watches work, so there's a formal structure that these initiatives fall into. And then, finally, they have constant communication. All these initiatives are community led, and they start with the affected communities, not the providers or the police or the government.”
They're highly visible, and require continuous engagement, which is why they drive cars around and put signs up to let the bad guys know that people are watching and engaging.
“They use intelligence and they use that intelligence locally, and talk to each other the whole time.”
A cyber neighbourhood watch
The question is, how can this translate to cyber space?
“Last year in the UK businesses got together and said that they are all concerned about this threat. And collectively, they said let's do something about it, through a community led initiative, by a community formed in cyber space.”
However, the question of community is a difficult one, adds van der Walt.
“We're at this point that is single dimensional and we’re not thinking about it. When we think community, we tend to think industry. The question becomes how to get together with banks, gaming companies, and more. The idea of community can, and should be myriad things. We don't exist in a series of single supply chains that start at one point and end with us, or start with us and go somewhere else.”
He says we exist in a complex web of interdependent relationships, where our security has an impact on others and their security has an impact on us. “Therefore the starting point for a community led initiative is to recognise that your community is diverse and complex, and that it can include your top suppliers, and can also include your region or your industry, or the peers in your business. It should also include various players in government, academia, and suchlike. So let's think about community not just in terms of our industry, vertical or our immediate supply chain, but in a small, robust, broad-minded way.”
In ending, van der Walt says let’s start by managing supply chain risk in the traditional way, so let's make sure our suppliers are conforming with security standards and getting ISO certified, for example. “Just the basics. Let's do that.
“Then let's go a step further and identify in our ecosystem, those whose security is important to us, and invest in them by sharing our knowledge, by advising them about vulnerabilities and best practice, and hold masterclasses that they can invite other businesses in their community to participate in. Let’s hold workshops and sessions, train them up and share how they're tackling problems.”