by Florian Skopik (AIT Austrian Institute of Technology) and Kyriakos Stefanidis (ISI)
Cybercrime has grown into a profitable multi-billion-dollar business. The number of reported criminal offences rises every year. The reasons for this development are the ever-increasing dependency on IT technology in almost every business, the opportunity for attackers to operate in the dark, and the continuously growing attack surface. With the adoption of new computing paradigms, such as cloud computing and the Internet of Things, not only do new opportunities for legitimate businesses arise, but also new ways for criminals to make profit or to attack and de-stabilise a country’s economy or society. In recent years, we have witnessed the rise of ransomware attacks on a large scale, Distributed Denial of Service (DDoS) attacks with volumes never observed before, and data leaks that massively harmed global businesses. Besides stealing business-critical data and harming or blackmailing individuals or organisations, large-scale attacks on the critical infrastructures of a region or nation-state have become a severe threat. Some examples are the recent attacks on the US-East-Coast Colonial Pipeline, one of the largest US pipeline operators, and the use of cybersecurity attacks on Ukrainian infrastructures. Finally, the ever-growing de-stabilising disinformation campaigns and cyberwar practices in general are increasingly shaping social and political conflicts. Thousands of high-impact attacks have already demonstrated the vulnerability of complex interconnected systems.
The predicted developments for the coming years are worrying. The use of ransomware has picked up pace, and many security companies expect a rapid rise in both its variations and its frequency. Attacks on operational technology (OT) are evolving from rather simple process disruption, such as shutting down a plant or factory, to compromising the integrity of industrial environments with the intent to cause physical harm. Further, the pandemic led to remote working on a large scale, which changed the IT environment tremendously. Home devices that employees use to access office networks are usually not subject to the same security restrictions as corporate devices. This complicates efforts to control and monitor employees’ digital behaviour, applications, and data outside the carefully monitored business environment. Nearly half of the organisations moved business-critical functions to the cloud as a direct result of the pandemic. While this migration to a professionally managed environment will increase security for many customers, problems arise at the interfaces between a company’s own systems and highly virtualised remote data centres. In many cases this increases the attack surface. Additionally, such a migration changes common security workflows. For instance, detecting and preventing malicious activity in a multi-tenancy cloud differs tremendously from doing the same in a traditional on-premises setup. Last, but not least, we currently witness the effects of geopolitical events on cybercrime activities. State actors may actively encourage criminals to carry out cybercrime activities, or launch attacks themselves, because such attacks are cheap, reliable, scalable, and hard to attribute. Coping with these situations seems overwhelming; however, we are not defenceless. Research on new concepts, methodologies, technologies, and tools is vital to protect our digital infrastructures from adversarial activities.
In the fight against cybercrime there are several European agencies, organisations and initiatives that help law enforcement agencies (LEAs) both at the level of operations and in technical capacity. Europol’s European Cybercrime Centre [L1] has, since 2013, provided operational and technical support to LEAs, provided training and capacity building to the relevant authorities, and helped LEAs collaborate with other cyber communities, bodies and agencies such as ENISA, CERT-EU, etc. The European Union Agency for Cybersecurity (ENISA), founded in 2004, enhances the capability of the Member States to prevent, address and respond to network and information security problems. It also supports the cooperation between the national Computer Security Incident Response Teams (CSIRTs) [L2] via the CSIRT Network. In this special theme, we have included articles from European CSIRTs as well as LEAs that describe their novel approaches to incident response and to fighting cybercrime in general.
The articles in this special theme cover five broad areas of cybersecurity and, more specifically, cybercrime. Therefore, we divided them into five groups. The first group covers general law enforcement investigation processes as well as the evolution of cybercrime from a technological and business point of view. Then we have several articles that cover technical approaches to detect and counter cybercrime activities; a good proportion of them use Artificial Intelligence (AI) and Machine Learning (ML) as their enabling technologies. Besides the technical approaches, we have a group of articles that focus on novel incident response and threat intelligence processes. We conclude with a group of articles that present educational and awareness-raising initiatives.
Evolutions in cybercrime and law enforcement investigation processes
In our first group of papers, we deal with the operational and business side of cybercrime and law enforcement. Markatos discusses the technical drivers of cybercrime and how it becomes more organised by using established business models such as *-as-a-service, or alternative forms of wealth transfer such as cryptocurrencies, to scale up its business. On the other hand, from the law enforcement side, King et al. present a novel approach to countering terrorist financing that, instead of the common “follow the money” strategy, proposes a “follow the actor” approach for financial investigations. Tsakalidis et al. also show how financial investigators use a BPMN-based investigation process for copyright-related cybercrime offences.
Machine Learning and AI to detect cybercrime activities
Many fields of computer science use AI and ML as enabling technologies for their purposes, and security and privacy follow the same trend. Ferreira et al. present an SVM-based digital forensics tool for the detection of deepfake images; part of their work is also a comprehensive dataset of images and videos suitable for digital forensics. Mayer proposes a privacy-preserving anomaly-detection method that is suitable for confidential data analysis by third parties; the approach is based mainly on collaborative learning and synthetic data. Han and Li focus on ML in resource-constrained edge devices. Similarly, Buttyán and Ferenc focus on malware analysis specifically for resource-constrained (IoT) devices and present their ML-based approach. Again on the topic of malware analysis, Iadarola et al. discuss the trustworthiness and explainability of deep learning techniques and how and when a security analyst can trust their predictions. Ceolin also deals with AI trustworthiness, but focuses on the field of information quality and the spread of mis/disinformation online.
Further technical approaches to counter cybercrime
Although many novel approaches harness ML in different ways to become more effective, we must not neglect other technical solutions. Kern and Skopik ask which log and network data need to be collected in the first place to spot adversarial activities at all, e.g., by means of ML-based intrusion detection systems. Landauer et al. discuss an approach to flexibly create testbeds in a model-driven manner; these testbeds allow the effectiveness of intrusion detection systems to be benchmarked and validated before they are deployed in production environments. Folino et al. introduce an approach based on the popular ELK framework to collect data that reflect digital user behaviour footprints and subsequently detect anomalies in these data.
File timestamps are a rich source of information for forensic investigations of cybercrime activities. Luh and Galhuber discuss tools to detect timestamp forgery, which is essential for reliable investigation results. Malware is often used in criminal activities, and analysing it to better understand its mode of operation and potential harm is a time-consuming task. Thus, Kochberger et al. introduce a meta-framework for automating static malware analysis.
Effective security processes, incident response and threat intelligence
Technical means of cybersecurity are essential, but effective standards, processes and procedures are of at least equal importance. A vital component of cybersecurity is establishing situational awareness. Knowing and understanding emerging trends helps to detect changes in the threat landscape and may have a considerable impact on security governance. Kohlrausch demonstrates the augmentation of security metrics with stochastic models to keep track of trends, which is a cornerstone of justified decision-making. A prerequisite of situational awareness is the collection of information in the first place. The sharing of incident handling information, the automation of incident response processes, and the relationship between these two topics, all aimed at assisting human operators in their work, are therefore at the centre of the article by Nitz et al. on their European SAPPAN project.
Furthermore, the concept of model-driven DevSecOps, as introduced by Ponsard et al., demonstrates the application of an internal model-based analysis and automation approach together with external threat intelligence sharing for attack prevention, detection and recovery. Cobley et al. pick up the specific topic of mobile forensics and introduce a standardised approach to forensic investigations, as well as accompanying training, developed in the course of the European FORMOBILE project. Alexakos et al. discuss a cybersecurity solution for a very specific application context: they focus on procedures for attack propagation monitoring and root cause analysis in Internet-of-Vehicles ecosystems.
Education and awareness
The last group of articles deals with educational initiatives and measures to raise awareness. Since criminals often target people instead of technology, e.g., in phishing campaigns, it cannot be stressed enough how important it is to educate people about cyber risks. Luh and Eresheim introduce PenQuest, a digital multi-player game that allows users to emulate cyberattacks on a game board. It is intended to assist risk assessment, support the reconstruction of adversarial events, and gamify security education. Hense et al. introduce an approach to an educational Cyber Defence Centre (CDC) that trains students in a simulated environment where they gain skills in detecting attacks, closing vulnerabilities, and responding to security breaches in a realistic setting. Bassi et al. focus specifically on schools and provide cybersecurity awareness-raising solutions, such as games and workshops, for pupils of all ages.
As the nature, motivation and targets of adversarial activities are quite diverse, we require a broad arsenal of countermeasures. This issue of ERCIM News introduces many promising concepts, methodologies and solutions that help us to withstand and fight cybercrime activities. We must keep in mind that adversaries need to discover and successfully exploit only one vulnerability, be it technical or organisational, while defenders need to fix all of them to stay safe. Furthermore, with the introduction of novel computing paradigms, the emergence of new technologies and IT’s pervasion of almost all aspects of our lives, we must aim to improve current solutions and conduct further research to adapt them to a changing world.
AIT Austrian Institute of Technology
Industrial Systems Institute (ISI)