A glance at Percoco’s Lifecycle of cyber crime – RSA 2013

Watching Trustwave’s VP Nicholas Percoco speak at RSA 2013.

To be honest, I’m having problems linking his speech to the proposed theme. Yes, it touches on it, but it’s kind of something else.

The text below is my attempt at writing about the highlights. [SPOILER alert below!!!]

In the first two minutes, you learn that the world has 7 billion people, but “only” 1 billion have some kind of IT device, plus information hosted on 25 million databases. Oh, and of course, criminals don’t want single victims. They need profit and they can only get it if they “fish all around”.

BTW, you can definitely skip from 1’45” to 3’10”, his story about family fishing (real fish). That’s really not necessary for an RSA conference.

Until minute 4′ you will also learn about which countries have potential victims (a lot of first-world countries plus some BRIC countries, etc.).

At 4’03”, some good info. Companies (on average) take 210 days to realize they have had a breach and start doing something to stop the problem. 5% of companies (the ones good at security) realize there is a problem in 10 days. But 20% of companies could take TWO YEARS to detect that they have been hacked (wtf).

At minute 5′, some jibber-jabber. The “attackers” can be anywhere. Ok, let’s skip that too.

So, jump to minute 6′ and we hear about APTs + zero-days versus the common mistakes exploited by attackers to get in. He’s now talking about how not a single investigation performed by Trustwave found an attack using advanced techniques (a very good and impressive conclusion). The investigated incidents were actually based on:

– Remote Access

– SQL Injection

– Legitimate account usage (yeah, people still publish web portals with admin / admin as user / password) – some people beg to be hacked…

– Web-based attack (Java, browser, flash vulnerabilities)

– Malicious files

– Remote file inclusion

– Remote code execution

– Authorization flaw

– Physical theft

We are now close to minute 8′ and we hear that “six major cyber gangs” are running the main crimes around the globe. Well, can I have some names here?

Now, what is really tied to the speech’s title: the life cycle. The process starts with “greed, good living…” and goes on like this:

Greed –> Victim identification –> Infiltration –> Propagation –> Aggregation –> Exfiltration –> Buyer identification –> Data Liquidation –> Recycling.

We are now close to minute 13′ and things start to really move away from the process described above.

The attack demo is indeed interesting, but I didn’t see it as a cyber crime life cycle. Plus, the path to the folder “Work” seems different from what was found in the rar file at the destination FTP. I sense some BS here.

At minute 17′, he brings in Erik Rasmussen from the US Secret Service to answer questions sent by people on Twitter. Now, I can say the theme is really gone (the questions & answers are not even interesting…).


Ok, it was a 30-minute (pretty quick) presentation, but it should have been used to actually cover the cyber crime process explained above in more depth. In the end, it was a sum of screens on different subjects.

Plus, I’m always a bit wary when a presentation includes a Secret Service or CIA agent. This may sound obvious, but they are not going to tell you the good stuff. They will speak about public statistics, numbers, what happened in big investigations already covered by the news, and blah blah blah.

The really good new attack strategies or investigation methods will always be classified information, and the SS / CIA are not going to tell you, no matter how much you have spent on RSA, Def Con or Black Hat credentials.

For me, some aspects served as inspiration for other ideas (I will write about them in the future), but thinking about the whole video, it could have added more value.