TED@IBM

Caleb Barlow: Where is cybercrime really coming from?

November 15, 2016

Cybercrime netted a whopping $450 billion in profits last year, with 2 billion records lost or stolen worldwide. Security expert Caleb Barlow calls out the insufficiency of our current strategies to protect our data. His solution? We need to respond to cybercrime with the same collective effort as we apply to a health care crisis, sharing timely information on who is infected and how the disease is spreading. If we're not sharing, he says, then we're part of the problem.

Caleb Barlow - Cybercrime fighter
IBM's Caleb Barlow is focused on how we solve the cyber security problem by changing the economics for the bad guys.

Cybercrime is out of control.
00:12
It's everywhere.
00:18
We hear about it every single day.
00:19
This year,
00:24
over two billion records lost or stolen.
00:25
And last year, 100 million of us,
mostly Americans,
00:31
lost our health insurance data
to thieves -- myself included.
00:37
What's particularly concerning about this
is that in most cases,
00:44
it was months before anyone even
reported that these records were stolen.
00:49
So if you watch the evening news,
00:57
you would think that most of this
is espionage or nation-state activity.
01:00
And, well, some of it is.
01:05
Espionage, you see, is an accepted
international practice.
01:08
But in this case,
01:13
it is only a small portion
of the problem that we're dealing with.
01:15
How often do we hear about a breach
01:21
followed by, "... it was the result
of a sophisticated nation-state attack?"
01:24
Well, often that is companies
not being willing to own up
01:30
to their own lackluster
security practices.
01:35
There is also a widely held belief
01:38
that by blaming an attack
on a nation-state,
01:42
you are putting regulators at bay --
01:46
at least for a period of time.
01:48
So where is all of this coming from?
01:51
The United Nations estimates
that 80 percent of it
01:56
is from highly organized
and ultrasophisticated criminal gangs.
02:02
To date,
02:09
this represents one of the largest
illegal economies in the world,
02:10
topping out at, now get this,
02:17
445 billion dollars.
02:20
Let me put that in perspective
for all of you:
02:25
445 billion dollars is larger than the GDP
02:28
of 160 nations,
02:34
including Ireland, Finland,
Denmark and Portugal,
02:37
to name a few.
02:41
So how does this work?
02:44
How do these criminals operate?
02:46
Well, let me tell you a little story.
02:48
About a year ago,
02:52
our security researchers were tracking
02:53
a somewhat ordinary but sophisticated
banking Trojan called the Dyre Wolf.
02:56
The Dyre Wolf would get on your computer
03:03
via you clicking on a link
in a phishing email
03:06
that you probably shouldn't have.
03:09
It would then sit and wait.
03:11
It would wait until you logged
into your bank account.
03:13
And when you did,
the bad guys would reach in,
03:17
steal your credentials,
03:20
and then use that to steal your money.
03:22
This sounds terrible,
03:24
but the reality is,
in the security industry,
03:26
this form of attack
is somewhat commonplace.
03:29
However, the Dyre Wolf had
two distinctly different personalities --
03:35
one for these small transactions,
03:42
but it took on an entirely
different persona
03:44
if you were in the business of moving
large-scale wire transfers.
03:47
Here's what would happen.
03:51
You start the process
of issuing a wire transfer,
03:53
and up in your browser would pop
a screen from your bank,
03:56
indicating that there's a problem
with your account,
03:59
and that you need to call
the bank immediately,
04:02
along with the number
to the bank's fraud department.
04:05
So you pick up the phone and you call.
04:08
And after going through
the normal voice prompts,
04:10
you're met with
an English-speaking operator.
04:13
"Hello, Altoro Mutual Bank.
How can I help you?"
04:16
And you go through the process
like you do every time you call your bank,
04:19
of giving them your name
and your account number,
04:23
going through the security checks
to verify you are who you said you are.
04:26
Most of us may not know this,
04:31
but in many large-scale wire transfers,
04:33
it requires two people to sign off
on the wire transfer,
04:35
so the operator then asks you
to get the second person on the line,
04:38
and goes through the same set
of verifications and checks.
04:41
Sounds normal, right?
04:45
Only one problem:
04:47
you're not talking to the bank.
04:49
You're talking to the criminals.
04:51
They had built
an English-speaking help desk,
04:52
fake overlays to the banking website.
04:54
And this was so flawlessly executed
04:57
that they were moving
between a half a million
05:00
and a million and a half
dollars per attempt
05:02
into their criminal coffers.
05:05
These criminal organizations operate
05:08
like highly regimented,
legitimate businesses.
05:10
Their employees work
Monday through Friday.
05:14
They take the weekends off.
05:17
How do we know this?
05:18
We know this because
our security researchers see
05:20
repeated spikes of malware
on a Friday afternoon.
05:23
The bad guys, after a long weekend
with the wife and kids,
05:27
come back in to see how well things went.
05:30
The Dark Web is where
they spend their time.
05:35
That is a term used to describe
the anonymous underbelly of the internet,
05:39
where thieves can operate with anonymity
05:45
and without detection.
05:47
Here they peddle their attack software
05:50
and share information
on new attack techniques.
05:53
You can buy everything there,
05:57
from a base-level attack
to a much more advanced version.
05:59
In fact, in many cases, you even see
06:03
gold, silver and bronze levels of service.
06:06
You can check references.
06:09
You can even buy attacks
06:11
that come with a money-back guarantee --
06:14
(Laughter)
06:17
if you're not successful.
06:18
Now, these environments,
these marketplaces --
06:21
they look like an Amazon or an eBay.
06:24
You see products, prices,
ratings and reviews.
06:28
Of course, if you're going
to buy an attack,
06:32
you're going to buy from a reputable
criminal with good ratings, right?
06:34
(Laughter)
06:38
This isn't any different
06:39
than checking on Yelp or TripAdvisor
before going to a new restaurant.
06:40
So, here is an example.
06:46
This is an actual screenshot
of a vendor selling malware.
06:48
Notice they're a vendor level four,
06:53
they have a trust level of six.
06:55
They've had 400 positive reviews
in the last year,
06:57
and only two negative reviews
in the last month.
07:00
We even see things like licensing terms.
07:02
Here's an example of a site you can go to
07:06
if you want to change your identity.
07:08
They will sell you a fake ID,
07:10
fake passports.
07:12
But note the legally binding terms
for purchasing your fake ID.
07:14
Give me a break.
07:20
What are they going to do --
sue you if you violate them?
07:21
(Laughter)
07:24
This occurred a couple of months ago.
07:27
One of our security
researchers was looking
07:29
at a new Android malware application
that we had discovered.
07:33
It was called Bilal Bot.
07:38
In a blog post,
07:41
she positioned Bilal Bot
as a new, inexpensive and beta alternative
07:43
to the much more advanced GM Bot
07:50
that was commonplace
in the criminal underground.
07:54
This review did not sit well
with the authors of Bilal Bot.
07:58
So they wrote her this very email,
08:03
pleading their case
and making the argument
08:06
that they felt she had evaluated
an older version.
08:09
They asked her to please update
her blog with more accurate information
08:16
and even offered to do an interview
08:20
to describe to her in detail
08:24
how their attack software was now
far better than the competition.
08:26
So look,
08:32
you don't have to like what they do,
08:33
but you do have to respect
the entrepreneurial nature
08:37
of their endeavors.
08:42
(Laughter)
08:43
So how are we going to stop this?
08:46
It's not like we're going to be able
to identify who's responsible --
08:51
remember, they operate with anonymity
08:57
and outside the reach of the law.
09:00
We're certainly not going to be able
to prosecute the offenders.
09:03
I would propose that we need
a completely new approach.
09:07
And that approach needs
to be centered on the idea
09:13
that we need to change
the economics for the bad guys.
09:17
And to give you a perspective
on how this can work,
09:22
let's think of the response we see
to a healthcare pandemic:
09:25
SARS, Ebola, bird flu, Zika.
09:30
What is the top priority?
09:33
It's knowing who is infected
and how the disease is spreading.
09:35
Now, governments, private institutions,
hospitals, physicians --
09:43
everyone responds openly and quickly.
09:50
This is a collective and altruistic effort
09:55
to stop the spread in its tracks
09:59
and to inform anyone not infected
10:03
how to protect or inoculate themselves.
10:06
Unfortunately, this is not at all
what we see in response to a cyber attack.
10:10
Organizations are far more likely
to keep information on that attack
10:17
to themselves.
10:22
Why?
10:24
Because they're worried
about competitive advantage,
10:26
litigation
10:29
or regulation.
10:31
We need to effectively democratize
threat intelligence data.
10:33
We need to get all of these organizations
to open up and share
10:39
what is in their private arsenal
of information.
10:45
The bad guys are moving fast;
10:50
we've got to move faster.
10:53
And the best way to do that is to open up
10:56
and share data on what's happening.
11:00
Let's think about this in the construct
of security professionals.
11:03
Remember, they're programmed right
into their DNA to keep secrets.
11:08
We've got to turn
that thinking on its head.
11:13
We've got to get governments,
private institutions
11:16
and security companies
11:19
willing to share information at speed.
11:20
And here's why:
11:23
because if you share the information,
11:25
it's equivalent to inoculation.
11:27
And if you're not sharing,
11:30
you're actually part of the problem,
11:32
because you're increasing the odds
that other people could be impacted
11:34
by the same attack techniques.
11:40
But there's an even bigger benefit.
11:43
By destroying criminals' devices
closer to real time,
11:47
we break their plans.
11:51
We inform the people they aim to hurt
11:55
far sooner than they had ever anticipated.
11:58
We ruin their reputations,
12:02
we crush their ratings and reviews.
12:04
We make cybercrime not pay.
12:08
We change the economics for the bad guys.
12:12
But to do this,
a first mover was required --
12:18
someone to change the thinking
in the security industry overall.
12:22
About a year ago,
12:27
my colleagues and I had a radical idea.
12:29
What if IBM were to take our data --
12:32
we had one of the largest threat
intelligence databases in the world --
12:37
and open it up?
12:41
It had information not just
on what had happened in the past,
12:43
but what was happening in near-real time.
12:47
What if we were to publish it all
openly on the internet?
12:49
As you can imagine,
this got quite a reaction.
12:54
First came the lawyers:
12:56
What are the legal
implications of doing that?
12:58
Then came the business:
13:01
What are the business
implications of doing that?
13:02
And this was also met with a good dose
13:05
of a lot of people just asking
if we were completely crazy.
13:07
But there was one conversation
that kept floating to the surface
13:11
in every dialogue that we would have:
13:15
the realization that if we didn't do this,
13:18
then we were part of the problem.
13:21
So we did something unheard of
in the security industry.
13:25
We started publishing.
13:28
Over 700 terabytes of actionable
threat intelligence data,
13:30
including information on real-time attacks
13:35
that can be used to stop
cybercrime in its tracks.
13:38
And to date,
13:41
over 4,000 organizations
are leveraging this data,
13:43
including half of the Fortune 100.
13:47
And our hope as a next step
is to get all of those organizations
13:50
to join us in the fight,
13:54
and do the same thing
13:56
and share their information
13:58
on when and how
they're being attacked as well.
14:00
We all have the opportunity to stop it,
14:03
and we already all know how.
14:06
All we have to do is look
to the response that we see
14:09
in the world of health care,
14:13
and how they respond to a pandemic.
14:15
Simply put,
14:17
we need to be open and collaborative.
14:18
Thank you.
14:21
(Applause)
14:22
Translator: Leslie Gauthier
Reviewer: Camille Martínez


Why you should listen

As a vice president at IBM Security, Caleb Barlow has insight into one of the largest security intelligence operations in the world. His team stands watch protecting the information security of thousands of customers in more than a hundred countries. On a busy day they can process upwards of 35 billion potential security events across their global operations centers.

Barlow has been advising chief information security officers, boards of directors and government officials on security practices, frameworks and strategies for risk mitigation on a global basis. He is a sought-after speaker on the subject of security and regularly appears in both print and broadcast media, including NBC News, CNBC, BBC World Service, NPR, the Wall Street Journal and the Washington Post. His opinions have been solicited by members of Congress, the NSA, and NATO, and he was invited by the President of the UN General Assembly to discuss his views at the United Nations.

Most recently, Barlow is focusing on building a large-scale simulation environment to educate C-level executives on how to better prevent and respond to a cyber attack so they can maintain business resiliency in the face of crisis.

The original video is available on TED.com

Data provided by TED.
