He started the keynote by explaining the mission of CIRCL in analysing, collecting and handling the data and how data acquired during a breach is becoming a product used and sold by cybercriminals. He also introduced the MISP software, an open-source threat intelligence platform.
What is AIL?
Alexandre underlined the growing need to monitor what cybercriminals are doing, especially on Tor. Hence the creation of AIL, a framework for Analysis of Information Leaks. It is a modular framework to analyse potential information leaks from unstructured data sources (such as pastes or social networks) and from unstructured data streams. The primary aim of the framework is to gather credentials, emails, credit card numbers and so on in order to help security experts detect leaks and react accordingly. AIL enables researchers and investigators to uncover malware in massive amounts of data.
Information leaks are a reality. They happen on a day-to-day basis, and some groups actively use leaks to conduct their business. Thanks to AIL, Alexandre showed a table with leaks from the previous day, containing a large number of credentials (usernames, email addresses, clear text passwords). Additionally, in the case of ransomware, whenever the victims don’t comply with the demands, the attackers often dump confidential data and files (Financial, HR…) on the darknet.
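To illustrate the kind of detection AIL automates over pastes, here is an added example (not AIL's own code) that scans a constructed paste for e-mail addresses, credit-card-like numbers validated with a Luhn check, and `user:password` credential lines, reporting only redacted values so the findings can be triaged without re-leaking the secrets. Regex names, the `scan_paste` function and the sample paste are assumptions made for this example.

```python
import re
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of 13-19 digits with optional space/dash separators (card-number shaped)
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Credential-dump lines shaped like "user@domain:password"
CRED_RE = re.compile(r"^[^\s:]+@[^\s:]+:[^\s]+$", re.MULTILINE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out phone numbers and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the first and last two characters; never store the full secret."""
    return value[:2] + "*" * max(len(value) - 4, 0) + value[-2:]


def scan_paste(text: str) -> Dict[str, List[str]]:
    """Return redacted findings grouped by type, the way a leak-monitoring module would."""
    findings: Dict[str, List[str]] = {"emails": [], "cards": [], "credentials": []}
    for m in EMAIL_RE.finditer(text):
        findings["emails"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):       # only report numbers that pass the checksum
            findings["cards"].append(redact(digits))
    for m in CRED_RE.finditer(text):
        user, _, password = m.group(0).partition(":")
        findings["credentials"].append(f"{user}:{redact(password)}")
    return findings


# Constructed sample paste with fabricated values (not a real leak)
SAMPLE_PASTE = """dump from shop db
alice@example.com:Winter2023!
bob@example.org:hunter2
card 4111 1111 1111 1111 exp 12/25
phone 1234567890123
"""
```

Running `scan_paste(SAMPLE_PASTE)` reports two e-mails, one Luhn-valid card and two credential lines, while the 13-digit phone number is dropped by the checksum.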
What can we learn from cyber criminals?
Leaks have become a significant market and business opportunity.
- What do attackers do with the information and to whom do they sell it? Alexandre showed an “auction” website developed by a ransomware group on which they sell data to whoever would be interested.
- Which data are valuable, and who decides? The market and the attacker usually define which data are valuable.
- What do attackers sell? Everything: scans, documents… When a website is breached, so are its users/customers. The range of information can be broad.
Thanks to AIL, CIRCL can also monitor the cybercriminals themselves. There are 30 active ransomware groups worldwide, often working together, and they sometimes lack operational security, which allows organisations like CIRCL to understand attacks better.
Another interesting lesson: ransoms are usually paid in cryptocurrencies, and in order to get real money, the attackers need to extract it out of the blockchain. A number of services provide this extraction, which in turn helps CIRCL gain more insight.
Alexandre noted the importance of getting a full-scale view of the chain used by the adversaries and of understanding how the information is monetised. This is also made possible via the AIL framework.
What can be improved?
Many attacks take days before the data get exfiltrated. Earlier detection leaves time to fix the security issues. Timing is key, and the existing information sharing communities can become a real asset: share before the adversary does!
See the full keynote talk here:
The keynote speech was followed by a roundtable moderated by Pascal Steichen, CEO of SECURITYMADEIN.LU, with the following participants:
The participants discussed the importance of communicating publicly about data leaks and focused on best practices, techniques and technologies to put in place to prevent incidents and to prepare for them.
Furthermore, they pointed out which steps are key during a crisis. Finally, they agreed on how important it is to watch the “dark web” and how it can help in prevention or during investigations.