Cybercrime landscape: a branched, structured and collective threat

Galvanized by their profits, by state sponsorship and by the many opportunities created by the rapid but insufficiently secure digitization of organizations, cybercriminal structures have gradually become multinationals of crime, in both size and operation.

Let’s take a closer look at how international cybercriminal organizations work:

  • The attacker department identifies and exploits security flaws, often human ones, in target organizations. These flaws serve as the entry point for an attack on the information system (IS) or for stealing information.
  • This department works hand in hand with the fraud department, which exploits these flaws for a usually financial objective. These intrusion vectors and stolen information have multiple uses:
    • Spoofing mailboxes to commit CEO fraud or supplier fraud (for example a fake request to change a supplier's bank details);
    • Making fraudulent transfers by taking control of user workstations or by using banking malware;
    • Using the data collected to lend credibility to a pretext in social engineering fraud;
    • Extortion, by threatening to make the attack public and/or to leak stolen information.
  • Substantial resources are at the disposal of these industrialized cybercriminal organizations: real call centers dedicated to telephone fraud, high-performance communication tools, voice imitation and caller-ID spoofing software, etc.
  • Ransomware operators readily draw on the cybercriminal ecosystem, whose industrialization allows them to outsource a large part of the resources and tools needed for their operations. Collaboration between operators of different ransomware strains is also sometimes observed [1].
  • Once the fraud has been committed, the money must be moved quickly from account to account, taking advantage of heterogeneous international legislation and of the time banks need to coordinate and carry out a recall of funds. A myriad of other services then come into play: money laundering, terrorist financing, prostitution, drug trafficking, etc.
  • For money to flow from account to account, with each account remaining active only briefly, cybercriminals must ensure that accounts are opened regularly in a large number of countries: this is the mission of the recruitment and retention department. Its action is essential: recruiting "little hands" (money mules) to open accounts, sometimes under their real identity, and to withdraw cash from ATMs.
  • For this recruitment, they are supported by a marketing department that operates in particular on social networks (Instagram, Snapchat, etc.) and on forums to recruit mules. In this way they manage to convince individuals, often in financial hardship, with the lure of profit and easy money.

Exposure to risk is thus borne by temporary, interchangeable recruits, while the masterminds develop the organization, benefiting from constantly growing revenues and a rapid international strike force.

If cybercrime were measured as a country, the damage it causes (estimated at US$6 trillion worldwide by the end of 2021) would make it the world's third-largest economy after the United States and China. These cybercriminal organizations therefore have very significant financial and human resources that allow them to act fluidly and quickly, often in collaboration with each other, against isolated companies.

Faced with this global threat, the organization of a collective response is an absolute necessity.

[1] Status of the ransomware threat against companies and institutions, CERT ANSSI, February 2021

When the collective threat weakens: the response of French companies and institutions to the ransomware threat

RaaS, or Ransomware as a Service, such as Sodinokibi (aka REvil), DoppelPaymer, Maze, Netwalker and Egregor, are available on cybercriminal markets through an affiliate system and account for the majority of ransomware attacks [1]. RaaS illustrates the notion of a threat shared by many companies, to which the response is too rarely coordinated. Although they sometimes target a specific company, these are very often opportunistic attacks following a mass, low-cost, path-of-least-resistance approach. The ANSSI also states in its report that "ransomware attacks follow a relatively similar chain of infection".

RaaS is concrete proof that the lack of inter-company information sharing on the threat and on response strategy is a real opportunity for attackers. If each company targeted by a cyberattack shared the salient and conclusive elements to be taken into account in detection, incident response and investigation, companies targeted by the same types of attack would save precious time in developing the appropriate response. In addition, the growing collaboration between operators of different ransomware strains is an alarming element that calls for a rapid and effective collective response.

[1] Status of the ransomware threat against companies and institutions, CERT ANSSI, February 2021

The role of authorities in collecting and centralizing information on cyber threats: a necessary impetus but an insufficient solution to the scale of the problem

The information sharing that the ANSSI provides, in particular via its CERT (CERT-FR), is a very useful source for French companies. Nevertheless, sharing information on the threat and on the measures to deploy almost instantaneously and effectively is currently mission impossible for the ANSSI, for obvious reasons of human and economic scale. Faced with cybercriminal groups acting massively and quickly, its scope of action remains limited: the agency cannot support every company of every size targeted by cyberattacks throughout the country.

In addition, feedback from companies is far from systematic. To protect their reputation, companies are sometimes reluctant to report the attacks (successful or not) of which they have been victims.

There is a real challenge for law enforcement in identifying, exploiting and communicating information on cyberattacks, which police officers and gendarmes collect through the complaints filed by companies.

The awareness of gendarmes and police officers, who are required to take all types of complaints, is still insufficient to make those concerning fraud and cyberattacks usable, particularly when they involve a technical dimension: incomplete or erroneous description of the modus operandi, missing questions on key elements, haphazard transcription of technical details essential to reconstructing the attack.

In addition, discouragement in the face of a judicial system ill-suited to the challenges of cybercrime does not create a very favourable dynamic.

Units specialized in digital technology do excellent work. However, they are undersized and cannot currently rely on a territorial network mature enough to deal with borderless cyber risks. Coverage of French companies by this territorial network remains incomplete, and a variety of administrative complications hinder a coordinated and collective state response.

Faced with this observation, it is essential not to rely solely on initiatives from the authorities but to treat them as a complement to a global and structured response by private actors. This response must involve, first of all, the sharing of information (state of the threat, response strategies, etc.), and then the provision of the appropriate skills.

Sis ID and the EU approach to the fight against fraud: what lessons can be learned for cybersecurity?

What response should be given to this scourge? "Together we are stronger" is a proven adage for collaborative solutions such as Waze. To counter cyberattacks, the same logic applies: alone in the face of fraud, the response is weaker; together, the battle is worth fighting. Collaboration between companies is a way to share experience and knowledge so that fraud can be detected and prevented in time.

A solution like Sis ID offers this mode of operation in France and internationally. The first collaborative platform in the fight against fraud, it brings together a collective of companies, institutions, banks, insurers and software publishers whose pooled data and transactions enrich a shared database.

Each user can check the reliability of a company identifier/bank details pair and obtain a result in real time. The threat of fraud goes beyond borders and concerns all countries without distinction; Sis ID provides a global response to a problem that knows no boundaries. It integrates other collaborative solutions such as SEPAMail DIAMOND to guarantee the reliability of checks on all bank details, in France and internationally.
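To make the nature of such a check concrete, here is an added example in Python. It is not Sis ID's code and does not describe how its platform works internally: the registry of trusted pairs is a constructed in-memory dictionary standing in for a collaborative database, and the SIREN and IBAN values are synthetic samples (the IBANs are the public example numbers, the SIRENs are made up to pass the check digit). The syntactic checks are the public IBAN MOD-97 and SIREN Luhn algorithms. The point the example makes is the one a fraud analyst needs to keep in mind: the mule account on a fraudulent "please update our bank details" request has a perfectly valid IBAN, so only the comparison against what is already on record catches it.

```python
"""Local check of a (company identifier, bank details) pair.

Added example, not Sis ID's code. TRUSTED_PAIRS is a constructed in-memory
stand-in for a collaborative database of trusted pairs; the SIREN and IBAN
values are synthetic samples.
"""
import re


def _normalize(value: str) -> str:
    """Strip spaces and upper-case, since users paste IBANs with grouping spaces."""
    return re.sub(r"\s+", "", value).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 MOD-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = _normalize(iban)
    if not (15 <= len(s) <= 34 and s.isalnum()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # 'A'->'10' ... 'Z'->'35'
    return int(digits) % 97 == 1


def siren_is_valid(siren: str) -> bool:
    """French SIREN: nine digits whose Luhn checksum is 0 mod 10."""
    s = _normalize(siren)
    if not (len(s) == 9 and s.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed registry: SIREN -> set of IBANs known to belong to that company.
TRUSTED_PAIRS = {
    "123456782": {"FR7630006000011234567890189"},
}


def check_pair(siren: str, iban: str, registry=TRUSTED_PAIRS) -> str:
    """Classify a (SIREN, IBAN) pair seen on an invoice or a bank-details
    change request. Returns one of:
      'invalid_identifier' / 'invalid_iban': fails the check digit, cannot be real
      'unknown' : company not in the registry, needs out-of-band verification
      'trusted' : pair already vouched for
      'mismatch': valid IBAN but not the one on record, the supplier-fraud signal
    """
    siren_n, iban_n = _normalize(siren), _normalize(iban)
    if not siren_is_valid(siren_n):
        return "invalid_identifier"
    if not iban_is_valid(iban_n):
        return "invalid_iban"
    known = registry.get(siren_n)
    if known is None:
        return "unknown"
    return "trusted" if iban_n in known else "mismatch"


if __name__ == "__main__":
    # A valid IBAN that is not the supplier's own is exactly what a
    # fraudulent bank-details change request contains.
    print(check_pair("123 456 782", "GB82 WEST 1234 5698 7654 32"))  # mismatch
```

The check-digit functions only reject typos and fabricated numbers; they say nothing about who owns an account. The outcome to act on is "mismatch" (and "unknown", which should trigger a call-back to the supplier on a previously known number), which is what a shared registry of vouched-for pairs adds over syntactic validation alone.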

How can a community-based approach be applied in the fight against cyber threats?

Several major projects have been completed and collective initiatives against cyber threats have emerged, both in terms of preparedness (awareness, training, sharing knowledge on the state of the threat) and of incident response. The state of the art of collective and community cybersecurity initiatives suggests very positive developments:

  • The establishment of a French cybersecurity sector: through the National Cyber Strategy, the government has launched a call for projects to French cyber players in the field of Cyber Threat Intelligence, in order to create a shared knowledge base. By supporting these projects, the government encourages the development of new solutions that help in the fight against cyber threats.
  • Alliances between several cyber risk providers, for example the open and sovereign XDR platform project announced last September by HarfangLab, Sekoia and Pradeo. Their alliance aims to provide a global threat detection and response offering that aggregates their respective solutions: HarfangLab's endpoint detection and response (EDR) for computers and servers, Pradeo's mobile application security, and SEKOIA's intelligence and context SIEM platform.
  • The creation of an ambitious Cybercampus in the La Défense district, also a sign of the willingness of public and private players to combine their skills against the threat.
  • The growing attention paid to mid-caps, SMEs and VSEs, the attackers' preferred entry points because of the mismatch between their financial resources and their security needs. Particularly targeted by cyberattacks, they also serve as a way into the large companies they work with. In June 2021, the Senate issued 22 proposals to strengthen the cybersecurity of mid-caps, SMEs and VSEs [1]. They propose in particular an anonymised channel for filing complaints, to encourage companies to report cyberattacks without damaging their reputation, a cyberscore for digital platforms, a cybersecurity reference framework applicable to VSEs and SMEs, and a packaged offer of cybersecurity solutions accessible to and adapted to these audiences.
  • The establishment of an international coalition, in particular via a meeting of some thirty countries organized in early October 2021 by the United States to accelerate international cooperation on this subject.
  • The many cyberattacks in which service providers and partners make their technical and investigation teams available to support the victim company in its incident response, investigation and remediation.

[1] Corporate cybersecurity – Prevention and cure: what remedies against cyber viruses? Senate Delegation for Enterprises, June 2021

Dealing collectively “internally”: the importance of de-siloing organizations

Cyber threats are no longer the sole preserve of CISOs but concern all levels of the organization. People are the first barrier against cyber risks and fraud. Moreover, while being the victim of a cyberattack requires the company to manage a "technical" crisis, a cyberattack is above all a business crisis: halt or severe slowdown of activities, disruption of banking operations, legal notification obligations, increased risk of fraud, emergency HR measures, etc.

In this sense, it is essential to:

  • deploy cyber risk awareness and good IT hygiene practices across all company functions, including in the form of practical tests (simulated phishing campaigns);
  • integrate more business functions into alerting and notification procedures;
  • train the various functions on the cyber threats specific to their activity and on their role in the event of a cyberattack;
  • train IT teams, decision-makers and the functions involved in cyber crisis management so that they understand the subject, their role, and the resources they need.

Internal sharing of skills and useful information is essential to improve threat detection and response. Training through exercises must also make it possible to test, in situ, interdepartmental communication and each department's understanding of the others' constraints in concrete scenarios.

Sis ID and Alcyconie join forces to offer their expertise in the face of cyber risks

Today, protecting yourself against cyber threats requires awareness and the implementation of dedicated solutions. A company cannot protect itself alone against this threat, which calls for a cross-cutting approach. Alcyconie and Sis ID work together to ensure reliability and cyber security for their customers and shared users.

Alcyconie is an independent pure player in cyber and digital crisis management and communication, certified Qualiopi for its training activities. Our in-depth knowledge of cyber issues and threats enables us to prepare organizations to manage complex situations, and to advise and support decision-making, technical and operational teams when an incident is confirmed. Our exclusive approach, cyber crisis management as a service, covers all stages of crisis management: crisis preparedness, cyber crisis training and simulations, cyber crisis monitoring and communication, a 24/7 on-call service, and the unique PIA® crisis simulator.

Sis ID offers the first collaborative platform for securing payments and fighting fraud. Together, the two companies provide complementary awareness, training and tooling services to address cyber and fraud risks.

Article written by Claire Juiff and Laurent Sarrat

Information systems security support and consulting provider (PACS) qualified by the ANSSI.
