SafetyDetectives spoke with Vito Alfano, the Digital Forensics Analyst for Group-IB Europe, about some common tactics used by cybercriminals, the worst cyberattacks he’s seen, tips for organizations to protect their data, and more.
Can you talk about your background and what is your current role at Group-IB?
This question makes me feel a bit old as it brings back many memories. I began my career as a system administrator in a small consulting firm back in 2006, with a keen interest in network security. At that time, I was still completing my degree, so I had to carefully plan every single day to juggle my job and university.
Thanks to my innate passion for troubleshooting and a strong desire to learn, coupled with the daily job that I did with amazing experts I worked with, I had the opportunity to delve into the world of cybersecurity in the space, defense, banking sectors, and intergovernmental organizations. We were a one-stop shop for all things that had to do with cybersecurity. I worked on network security, incident response, cyber threat intelligence, cybersecurity awareness activities, and developed tailored countermeasures and solutions for each company to detect, track, and prevent cyber threats.
After a few years of challenging but interesting activities, I was honoured to land a job at Group-IB as a Digital Forensics and Incident Response (DFIR) expert. Essentially, we are the go-to guys when the company suffers a cybersecurity incident. We come and figure out what’s happened, how the attacker got into a network, make sure they don’t have access, and develop recommendations and countermeasures for our customers across all sectors to avoid similar incidents in the future. Some forward-looking clients come and buy a pre-negotiated statement of work known as an incident response retainer.
In addition to DFIR, what are other Group-IB’s services and products?
Since day one, Group-IB has been fighting cybercrime all over the world, in close collaboration with national cyber police forces and international law enforcement agencies like Europol and INTERPOL.
DFIR and cyber investigations are the two services that the company started with in 2003. Over the years of conducting investigations and handling incident repsonse operations, the company has accumulated actionable knowledge about how cybercrime operates. This knowledge, combined with Group-IB’s internal tools has laid the foundation for the company’s comprehensive product ecosystem which now includes Fraud Protection, Threat Intelligence, Managed Extended Detection And Response, Business Email Protection, Attack Surface Management, and Digital Risk Protection.
Within our unit, we have developed a service lifecycle model to provide a tailored solution based on different combinations of activities focused on Digital Forensics, Incident Response, High Tech Crime investigation, Audit, and Cyber Education. This approach allows us to respond to a specific need with different packages that include a range of services or only one, effectively defending companies against all types of cyber threats.
As part of Group-IB service lifecycle, our Digital Forensics and Incident Response team has developed a new model to deliver integrated activities, a “combo,” that involves different teams assessing your perimeter, investigating, identifying the presence of a threat, responding to it, remediating it and helping law enforcement to catch the “bad guys” or training customer’s experts to face threats and how to respond and prevent them.
The best part is always when the Threat Intelligence unit identifies an ongoing attack, DFIR team responds to mitigate the damage, and the Investigation Department, after that, finds the real cybercriminal. All services are connected and complement each other. It’s very impressive!
Our major strength lies in the synergy between different teams. In 2022, we consolidated all company’s products and services into a single Unified Risk Platform. At the heart of the Unified Risk Platform is Group-IB’s Single Data Lake, which contains the industry’s richest body of adversary intelligence. Every product and service in Group-IB’s consolidated security suite is enriched with intelligence from the data lake, enabling them to overcome the attacks targeting an organization and reduce the risk.
What are some common methods used by cybercriminals to break into companies that you are seeing?
In general, initial vectors do not change much. For example, good old phishing continues to be one of the easiest ways for cybercriminals to infiltrate a company in 2023. A significant number of ransomware attacks start with phishing emails. What does change is the sophistication of tools that phishing carries on board, the quality of phishing emails, and the ability of malware to avoid detection.
The cost of doing cybercrime and the entry barrier have lowered. A cybercriminal can buy a pair of credentials for $20 and use them to access the network of one of the biggest tech firms in the world.
At the same time, cybercriminals’ effectiveness is growing rapidly. The structure of a modern ransomware gang is not much different from that of a huge IT company: both have massive R&D units, recruiting capabilities, developers, OSINT departments, incentive programs. The methods are clearly different. But unlike legitimate businesses, ransomware collectives are not bound by legal frameworks and work ethics.
Automation is another major trend enabling cybercriminals to hit more individuals and companies. As our Computer Emergency Team (CERT-GIB) recently found, the number of phishing kits grew by 25% in 2022. Phishing kits allow threat actors to create and manage hundreds of phishing pages at simultaneously.
There are quite a lot of risks to map. And forward-thinking companies keep up with the evolution of the threat landscape by using threat intelligence solutions that allow them to stay up to date with the latest threats and vulnerabilities.
What was the worst attack your team handled, and how did you handle it?
We recently carried out a lengthy investigation related to a critical attack that impacted one of our customers, a public sector company. The investigation required several weeks of analysis and remediation performed across hundreds of different systems.
Everything began while our team was assessing whether any threat actor had previously attempted the company.
Initially, our team identified several indicators of compromise, indicating unknown malicious activity on different systems. The unexpected findings triggered a further investigation to evaluate the impact magnitude and resulting risk level.
Unfortunately, after identifying the compromise, the victim immediately turned off one of the compromised internal servers, which was widely exploited by the threat actor. This caused the inaccessibility of one of the main pivot points, which provoked the threat actor’s behaviour.
With the support of the cyber threat intelligence team, we started to track every single action accomplished by the threat actor. Then we compared each resulting evidence with any already known attack that occurred in the past in other entities to build a valid identification of the attacker.
At the same time, we started to deploy Group-IB’s MXDR solution to be able to identify which system was already compromised and how the threat actor was moving inside the infrastructure. Meanwhile, we were collecting some indicators of compromise, which have been used to build tailored remediation.
The investigation allowed us to identify the presence of two different state-sponsored threat actors that successfully gained hidden access within the customer’s perimeter and silently acted to exfiltrate sensitive information.
The entire activity, considering the investigation, remediation, and provision of our solutions, required almost a month and required our teams to be in total sync to ensure the best response.
Fraud and scams are becoming increasingly common. What are the most common and damaging schemes that you observe?
Phishing, and scams in general, remain the most common threat not only for individual users but also for brands that they impersonate. According to our findings, in 2021, 57% of all digital crimes were scams.
Quite recently, Group-IB’s Cyber Investigation team in Amsterdam uncovered a massive investment scam ring operating in French-speaking Europe. Codenamed CryptosLabs by Group-IB, the scam operation is a well-organized and profitable illicit business. Group-IB’s investigators say the gang could have earned as much as €480 million since its launch by impersonating over 40 prominent financial and crypto firms. Under the guise of legitimate brands, victims are shown fake investment platforms with made-up graphs that offer to multiply their investments.
In many cases, fraudsters establish money mule accounts to facilitate the transactions, making it crucial to detect and block such accounts. Advanced Fraud Protection solutions can identify money mule accounts not only by looking at transactional data, but also analyzing and correlating behavioral parameters within user sessions. In case a legitimate account has been taken over by fraudsters for money mule or other malicious purposes, to recognize fraudulent patterns, such solutions can build a median behavior model based on keyboard typing patterns, key pressure, as well as device parameters, including type of OS, time zone, use of VPN services, antidetect browsers, connection from a previously unknown device etc. This comprehensive approach allows banks to detect and safeguard against fraudsters’ activities, including money mule accounts, and investigate fraud instances.
How can organizations protect themselves, and what tools should they use?
This is a simple question, but unfortunately, the answer is complex and involves many variables. To be clear, there is not only one way to protect your organization, and it surely does not rely solely on tools. Most of all, it depends on people, well-defined processes, and a well-built, planned, and executed cybersecurity awareness program. Building a multi-layered approach to security, that includes technical and non-technical measures, could allow you to develop a “security in depth model”; the aim is to involve every part of your organization in ensuring a continuous improvement cycle related to security and considering your weaknesses.
What I mean is technically named threat modeling, which involves building a structured process that aims to identify security requirements and vulnerabilities, quantify threats and vulnerability criticalities that can affect your organization, and prioritize remediation methods.
Each organization should develop a tailored model for its own needs, taking a comprehensive approach to security, after properly training its staff with a tailored security awareness program. This can leverage a range of security tools to protect its assets against evolving threats, such as business email protection, managed detection and response, threat intelligence, attack surface management, etc.
How do you see the cyber threat landscape and cybersecurity evolving in the next 3 – 5 years?
Indeed, It is not easy at all to build a predictive model related to cyber-attacks or related to the techniques, tactics, and tools that an attacker will use.
We have repeatedly asked ourselves this question, especially after observing how quickly the landscape of attacks has evolved in recent times, and so far, we have not found a completely comprehensive and exhaustive answer.
Surely, some fundamental elements related to the economics, social and geopolitical context, and individual needs must be taken into consideration. These elements in the coming years will certainly undergo significant changes and evolutions, and almost certainly, these changes will be translated into opportunities and intentions that every attacker will consider. The same attackers will surely evolve and exponentially improve their capabilities, also improving their attack tools, perhaps by using artificial intelligence, machine learning, and automation to carry out attacks more efficiently and evade detection.
And it is precisely the use of artificial intelligence, with all its flaws, that will certainly make a difference in the evolution of cyber-attacks. As already happened with technologies that have taken hold in the last twenty years, becoming almost an extension of our body at the expense of our intellectual faculties that have slowly dwindled, even the use of artificial intelligence could become a sort of Trojan horse that could give countless opportunities to a criminal.
Considering this last element, one could hypothesize that even the landscape of ransomware attacks could be influenced and increase the number and amount of money that could be extorted.
Maybe, the demand for skilled cybersecurity professionals will continue to outstrip supply, leading to a shortage of talent in the industry. This could drive up salaries and make it more difficult for organizations to find and retain qualified cybersecurity staff.
Certainly, even considering the unfortunate bellicose climate we are witnessing today and the increasing number of nations investing in the creation of a cyber warfare army, we will see enormous investments in the military field, particularly in the creation and preparation of groups of experts in offensive and defensive operations, as well as in the development of technological solutions that could allow the battlefield to be transferred to cyberspace.
Overall, the next 3-5 years are likely to see a continued evolution of the cyber threat landscape, with attackers becoming more advanced and organizations and nations adopting new technologies and strategies to protect themselves. Considering these aspects, every year, Group-IB releases its traditional Hi-Tech Crime Trends report that explores the key changes in the threat landscape trends and forecasts for the upcoming year. I can state that most of the events and trends predicted by Group-IB researchers over all these years turned out to be accurate.
