As the world evolves from Web 2.0 to Web 3.0 – think decentralised protocols for crypto assets, identities, and computing services built on blockchain technology – cyber threat teams too must evolve their understanding of the technology at play to stay ahead of threats.
Although the industry has evolved considerably since its inception, there is significant room for improvement. Security teams continue to battle an array of challenges, including learning Web 3.0 terminology, understanding new threat vectors, and the lack of support from existing toolsets for analysing such threats. Meanwhile, crypto assets face significant challenges of their own. These challenges can be combatted with the right approach.
Should fear block cryptocurrency adoption?
Crypto assets are quickly becoming cyber criminals’ preferred bounty with £6.4bn of cryptocurrency laundered in 2021 alone, up by 30% from the previous year. As a result, there is a widespread belief that crypto assets, like Bitcoin, should not be adopted. Fear is a powerful motivator, with most people afraid to ‘gamble’ their money in what appears to be a volatile and risky market. But worst of all, it’s a new tool for cyber criminals to use to their advantage.
Tracking wallet address activity and transactions is far easier and quicker than tracking traditional fiat currency, such as US dollars, as it flows across borders and bank accounts. This is because the absence of banking systems in the transaction process makes transferring bitcoin in your name easier and cheaper than traditional currency. It is also important to note that transactions are kept and displayed on a public ledger, so anyone can see where money was sent to and from on the blockchain.
While this is seen as a strength of crypto assets, it’s also its greatest weakness. Cryptocurrency is the perfect getaway car for hackers as there aren’t any intermediary authorities like banks or governments, and no banking fees, which means you can truly do what you want with your money. Once your money is sent, there is no going back.
How do criminals obtain crypto assets?
Cyber attacks have dominated headlines over the last year. In 2021 we saw ransomware hackers being paid $11 million by JBS, $4.4 million by Colonial Pipeline and multiple groups selling data on the dark web. There is one thing in common with these attacks: cyber criminals wanted the funds in cryptocurrency.
Like all criminal activity, there are multiple pathways of entry, including ransomware, data exfiltration and crypto mining/jacking, and these methods show no sign of slowing down. By 2025 experts predict that cybercrime will be costing the world more than $10.5 trillion annually. No organisation or individual should assume they are too insignificant; all should ensure they are taking the right precautions.
The US Government has started taking notice of crypto assets (referred to as virtual currencies) being used for criminal activity and is now acting upon it. The Financial Crimes Enforcement Network (U.S. Treasury Dept.) recently listed “cybercrime, including relevant cybersecurity and virtual currency considerations” as a national priority. This means security teams should expect those involved in criminal investigations and forensics to want details and a systematic means to track related threat data to support criminal cases. Threat intelligence systems of record, tools and analysis methodologies should support crypto assets fully so those details can be stored and managed like all other cyber threat intelligence.
Bringing crypto assets centre stage
The reality is that crypto assets have always been in the shadows. They play a background role as a note or an attribute but not a full-fledged supported object or entity.
Crypto Threat Intelligence provided by blockchain companies can be used by banking and financial institutions’ regulatory bodies to monitor, investigate, and prevent financial crimes such as ransomware, bitcoin mules and extortion. However, most security and threat intelligence platforms have limited understanding and capabilities in supporting this and are unable to provide crypto asset address details and related risk, wallet owners, their locations, transaction history and transaction risk.
The data sets that characterise typical threat actor behaviour, activity, and weaponry certainly carry over from traditional cyber threat intelligence, where analysts are interested in cryptographic keys, file hashes, URLs, malware, IP addresses, hosts, and domains. But we need to accommodate some of these new threat indicators in our system of record.
A Diamond Model for Diamond Hands
The threat actor uses capabilities (malware) to perform an attack and leverages infrastructure to host (malware) or operate, causing pain to the victim. Indicators to watch out for include malware file hashes and the URLs or IP addresses where the malware may be hosted or where command and control may be performed from.
Adopting an analysis-based approach, such as the Diamond Model for Intrusion Analysis, can help analysts piece together the most critical elements of an intrusion and uncover holes in infrastructure or exploitation tactics. It also helps capture trends of what actors do in hopes of prevention in the future.
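The two points above, treating crypto asset addresses as first-class indicators in the system of record and organising an intrusion along the Diamond Model's four vertices, can be combined in a small intake routine. The following is an added example, not code from the original article or from any product it mentions; the event fields, indicator type names and the `DiamondEvent` class are assumptions, the sample actor, victim, hash and C2 address are constructed, and the wallet address used in the test is the public Bitcoin genesis-block coinbase address, chosen only because it is a well-known syntactically valid sample.

```python
import hashlib
from dataclasses import dataclass, field

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def valid_base58check(addr: str) -> bool:
    """Return True if addr decodes to 25 bytes whose trailing 4-byte
    double-SHA-256 checksum matches (version byte + 20-byte hash + checksum).
    Legacy 1.../3... addresses only; bech32 bc1... addresses are not handled."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class DiamondEvent:
    """One intrusion event laid out on the Diamond Model's four vertices
    (hypothetical record shape for a threat-intel system of record)."""
    adversary: str
    capability: dict  # e.g. {"sha256": "<malware hash>"}
    infrastructure: dict  # e.g. {"c2": "<ip>", "wallet": "<crypto address>"}
    victim: str
    indicators: list = field(default_factory=list)


def record_event(event: DiamondEvent) -> DiamondEvent:
    """Promote capability and infrastructure items to typed indicators.
    A malformed wallet address is rejected up front so that bad data never
    reaches the system of record alongside the hashes and IP addresses."""
    for kind, value in event.infrastructure.items():
        if kind == "wallet":
            if not valid_base58check(value):
                raise ValueError(f"malformed crypto asset address: {value}")
            event.indicators.append({"type": "crypto-addr", "value": value})
        else:
            event.indicators.append({"type": kind, "value": value})
    for algo, digest in event.capability.items():
        event.indicators.append({"type": f"file:{algo}", "value": digest})
    return event
```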
By analysing the risks and threats of crypto assets, we will be able to explore how they can transition into mainstream use and become globally accepted currency. The concept of traditional fiat currency has evolved greatly in our lifetime – from cash to plastic, to contactless. It is now time to allow crypto assets to do the same.