Cybercrime is out of control.
We hear about it every single day.
This year, over two billion records
were lost or stolen.
And last year, 100 million of us, mostly Americans,
lost our health insurance data to thieves — myself included.
Now what’s particularly concerning about this
is that in most cases,
it was months
before anyone even reported that these records were stolen.
So if you watch the evening news,
you would think that most of this
is espionage or nation-state activity.
And well, some of it is.
Espionage, you see, is an accepted international practice.
But in this case,
it is only a small portion
of the problem that we’re dealing with.
How often do we hear about a breach
followed by, "... it was the result of a sophisticated nation-state attack"?
Well, often that is companies not being willing to own up
to their own lackluster security practices.
There is also a widely held belief
that by blaming an attack on a nation-state,
you are putting regulators at bay —
at least for a period of time.
So where is all of this coming from?
The United Nations estimates that 80 percent of it
is from highly organized
and ultra-sophisticated criminal gangs.
This represents one of the largest illegal economies in the world,
topping out at, now get this,
445 billion dollars.
Let me put that in perspective for all of you:
445 billion dollars
is larger than the GDP of 160 nations,
including Ireland, Finland, Denmark and Portugal, to name a few.
So how does this work?
How do these criminals operate?
Well, let me tell you a little story.
About a year ago, our security researchers were tracking
a somewhat ordinary but sophisticated banking Trojan
called the Dyre Wolf.
The Dyre Wolf would get on your computer
via you clicking on a link in a phishing email
that you probably shouldn’t have.
It would then sit and wait.
It would wait until you logged into your bank account.
And when you did, the bad guys would reach in,
steal your credentials,
and then use that to steal your money.
This sounds terrible, but the reality is,
in the security industry, this form of attack
is somewhat commonplace.
However, the Dyre Wolf had two
distinctly different personalities —
one for these small transactions,
but it took on an entirely different persona
if you were in the business of moving large-scale wire transfers.
Here’s what would happen.
You start the process of issuing a wire transfer,
and up in your browser would pop a screen from your bank,
indicating that there’s a problem with your account,
and that you need to call the bank immediately,
along with the number for the bank's fraud department.
So you pick up the phone and you call.
And after going through the normal voice prompts,
you’re met with an English-speaking operator.
“Hello, Altoro Mutual Bank.
How can I help you?”
And you go through the processes like you do
every time you call your bank,
of giving them your name and your account number,
going through the security checks to verify you are who you said you are.
Now most of us may not know this,
but in many large-scale wire transfers,
it requires two people to sign off on the wire transfer,
so the operator then asks you
to get the second person on the line,
and goes through the same set of verifications and checks.
Sounds normal, right?
Only one problem: you’re not talking to the bank.
You’re talking to the criminals.
They had built an English-speaking help desk,
fake overlays to the banking website.
And this was so flawlessly executed
that they were moving between a half a million
and a million and a half dollars per attempt
into their criminal coffers.
Now these criminal organizations operate
like highly regimented, legitimate businesses.
Their employees work Monday through Friday.
They take the weekends off.
How do we know this?
We know this because our security researchers see
repeated spikes of malware on a Friday afternoon.
The bad guys,
after a long weekend with the wife and kids,
come back in to see how well things went.
The Dark Web is where they spend their time.
That is a term used to
describe the anonymous underbelly of the internet,
where thieves can operate with anonymity
and without detection.
Here they peddle their attack software
and share information on new attack techniques.
You can buy everything there,
from a base-level attack to a much more advanced version.
In fact, in many cases, you even see gold,
silver and bronze levels of service.
You can check references.
You can even buy attacks
that come with a money-back guarantee —
if you’re not successful.
Now, these environments, these marketplaces —
they look like an Amazon or an eBay.
You see products, prices, ratings and reviews.
Now of course, if you’re going to buy an attack,
you’re going to buy from a reputable criminal with good ratings, right?
This isn’t any different than checking
on Yelp or TripAdvisor before going to a new restaurant.
So here is an example.
This is an actual screenshot
of a vendor selling malware.
Notice they're a vendor level four; they have a trust level of six.
They’ve had 400 positive reviews in the last year,
and only two negative reviews in the last month.
We even see things like licensing terms.
Here’s an example of a site you can go to
if you want to change your identity.
They will sell you a fake ID, fake passports.
But note the legally binding terms
for purchasing your fake ID.
Give me a break.
What are they going to do — sue you if you violate them?
This occurred a couple of months ago.
One of our security researchers
was looking at a new Android malware application that we had discovered.
It was called Bilal Bot.
Now in a blog post,
she positioned Bilal Bot as a new, inexpensive
and beta alternative to the much more advanced GM Bot
that was commonplace in the criminal underground.
Now, this review did not sit well with the authors of Bilal Bot.
So they wrote her this very email,
pleading their case and making the argument that they felt
that she had evaluated an older version.
They asked her to please update her blog
with more accurate information
and even offered to do an interview
to describe to her in detail
how their attack software was now far better than the competition.
So look, you don’t have to like what they do,
but you do have to respect the entrepreneurial nature
of their endeavors.
So how are we going to stop this?
It’s not like we’re going to be able to
identify who’s responsible —
remember, they operate with anonymity
and outside the reach of the law.
We’re certainly not going to be able to prosecute the offenders.
I would propose that we need a completely new approach.
And that approach needs to be centered on the idea
that we need to change the economics for the bad guys.
And to give you a perspective on how this can work,
let’s think of the response we see
to a healthcare pandemic:
SARS, Ebola, bird flu, Zika.
What is the top priority?
It’s knowing who is infected
and how the disease is spreading.
Now, governments, private institutions, hospitals, physicians —
everyone responds openly and quickly.
This is a collective and altruistic effort
to stop the spread in its tracks
and to inform anyone not infected
how to protect or inoculate themselves.
Unfortunately, this is not at all what we see
in response to a cyber attack.
Organizations are far more likely to keep information on that attack to themselves,
because they're worried about competitive advantage,
litigation or regulation.
We need to effectively democratize threat intelligence data.
We need to get all of these organizations
to open up and share what is in their private arsenal of information.
The bad guys are moving fast;
we’ve got to move faster.
And the best way to do that is to open up
and share data on what’s happening.
Let’s think about this in the construct of security professionals.
Remember, they’re programmed right into their DNA to keep secrets.
We’ve got to turn that thinking on its head.
We’ve got to get governments, private institutions
and security companies willing to share information at speed.
And here’s why: because if you share the information,
it’s equivalent to inoculation.
And if you’re not sharing, you’re actually part of the problem,
because you’re increasing the odds that other people could be impacted
by the same attack techniques.
But there’s an even bigger benefit.
By destroying criminals’ devices closer to real time,
we break their plans.
We inform the people they aim to hurt
far sooner than they had ever anticipated.
We ruin their reputations,
we crush their ratings and reviews.
We make cybercrime not pay.
We change the economics for the bad guys.
But to do this, a first mover was required —
someone to change the thinking in the security industry overall.
About a year ago, my colleagues and I had a radical idea.
What if IBM were to take our data —
we had one of the largest threat intelligence databases in the world —
and open it up?
It had information not just
on what had happened in the past,
but what was happening in near-real time.
What if we were to publish it all openly on the internet?
As you can imagine, this got quite a reaction.
First came the lawyers:
What are the legal implications of doing that?
Then came the business:
What are the business implications of doing that?
And you know this was also met with a good dose
of a lot of people just asking if we were completely crazy.
But there was one conversation that kept floating to the surface
in every dialogue that we would have:
the realization that if we didn’t do this,
then we were part of the problem.
So we did something unheard of in the security industry.
We started publishing.
Over 700 terabytes of actionable threat intelligence data,
including information on real-time attacks
that can be used to stop cybercrime in its tracks.
And to date,
over 4,000 organizations are leveraging this data,
including half of the Fortune 100.
And our hope as a next step
is to get all of those organizations to join us in the fight,
and do the same thing and share their information
on when and how they’re being attacked as well.
We all have the opportunity to stop it,
and we already all know how.
All we have to do
is look to the response that we see in the world of health care,
and how they respond to a pandemic.
Simply put, we need to be open and collaborative.
Cybercrime is out of control.