By Adrian Leppard CBE, QPM, Templar Executives
I spent 32 years in policing and now deliver cyber security and investigations in the private sector. The WannaCry ransomware attack has made me reflect on the issue of PREVENTION.
It’s no accident that British policing is regarded as among the best in the world. The current intelligence-led model took a decade to develop. It’s not perfect by any means, but behind the scenes it is very clever at prediction and prevention. It seems that in the world of cyber security we still have a way to go to become as effective.
Let me give you an example. After we developed the National Intelligence Model in the late 1990s, analysts would routinely create Target Profiles that helped us better understand the methods behind crime types, crime patterns and indeed specific criminals.
To address house ‘break-ins’, policing realised a few things. Most are committed by offenders with chaotic lifestyles: they take drugs and then cruise likely areas before breaking into a house that looks right because of its location and because it is likely to contain items they can easily sell to get more money for drugs.
We knew that if we caught them the best thing to do was to get them off drugs. That was cheaper than doing more surveillance on them, so we worked with health providers. But to catch them we needed to understand their methods. They seldom broke into the first house they looked at, and if challenged they always had a plausible story for being there. So analysts started looking at other events in other locations that had occurred before the burglary to find intelligence on the suspects.
If they got away with a break-in there was a high likelihood they would strike again within half a mile of that location, so police built targeted prevention campaigns in that area.
They also created Market Profiles for crime types to better understand the criminal business enterprise, and targeted its pinch points, e.g. the receivers of stolen property. And they came to understand better how criminals progress from minor theft to ‘break-ins’ and sometimes to robbery and rape.
The result: house break-in offences were halved in the UK, and more serious offences were also solved.
So how does this link to the recent WannaCry ransomware attack?
Whilst we hadn’t seen a worm combined with a ransomware encryption attack before, surely we could have predicted it. Criminals never stand still and are always looking for the next method. Cyber Security Operations Centres (C-SOCs) need to be supported by intelligence analysts whose skills go beyond simply analysing data traffic.
WikiLeaks published its Vault 7 material in March this year, describing ‘zero days’ that the CIA had purportedly been storing up, and in April the Shadow Brokers released working NSA exploit code, including the EternalBlue SMB exploit that WannaCry went on to use against a flaw Microsoft had already patched in March (MS17-010). Once that code was ‘out there’ we could predict that it would be developed further by attackers. Good analysts with black/white hat experience in a C-SOC can try to create new attack methods themselves, and those leaks would surely have been a good place to start once they were published.
I’m sure further analysis will show that variants of the WannaCry code were being used in other preliminary attacks and were probably being discussed or sold on the ‘dark web’. Good security analysis needs to look beyond the immediate point of attack risk in order to create a good predictive intelligence picture.
I’m also certain the code will be developed further to create new attack methods targeting other known system vulnerabilities. Good Chief Information Security Officers will be asking for this assessment from their teams as well as addressing the immediate vulnerabilities in their organisation; for WannaCry that means applying the MS17-010 patch, disabling SMBv1 where it is not needed, and making sure SMB (TCP port 445) is not exposed to the internet.
Government agencies will, I’m sure, be looking at the criminal business enterprise behind the WannaCry attackers, but good enforcement, even when it can reach the offenders, does not have the necessary preventative effect in this growing area of criminal enterprise. Businesses need to protect themselves, but from what, and by how much, is a science we need to get better at.
Cyber security risk management needs to be guided by an accurate assessment of both the attackers and their methods, as well as an organisation’s or individual’s vulnerability. This needs structured and professional analysis with weighted assumptions in order to produce relevant and costed proposals for decisions by budget holders.
It is no longer possible to simply deliver a cyber security solution to an organisation the way it might implement a new IT system. Businesses are facing an asymmetric threat that needs an intelligence-led response. Threats and vulnerabilities are constantly changing, and therefore the control measures need to be responsive and flexible, as do their budgets. Some organisations are already there, but most have a long way to go to put in place the C-SOC analytical capabilities and response strategies that are now required to ensure corporate information assets remain secure.