Using swarm intelligence against hackers

The criminal threat on the net is growing. Surrender is not an option. On the contrary: the more organisations recognise the risks, invest in security and coordinate their responses, the better their chances of achieving enduring protection.

Text: Robert Wildi, first published in the NZZ supplement of 7.11.2019, Image: Adobe Stock, 17 January 2020, 9 min.

The downsides of rapid digital advances are well known: criminals are also hard at it, shamelessly exploiting the latest technology and playing the keyboard of disruptive possibilities with as much virtuosity as the cleverest programmers from leading technology companies. The result? An exponential race to see who can bend and break the most. Ever newer interlocks for increasingly efficient IT systems on the one hand; on the other, a continuous quest for the tiniest gaps through which systems can be infiltrated.

It is no use minimising the harm: "The risks are growing all the time," says Marco Wyrsch who, as Security Officer at Swisscom Business Customers, is the man in charge of combating cybercrime at the ICT provider. Internet criminals' current preferred means of attack are malware and targeted ransomware trojans. The methods they use vary: recent years have seen hackers repeatedly use ransomware to paralyse organisations' entire computer systems. Attacks like this can result in production losses that quickly run into the millions. "Organisations often have to contend with blackmail: they're forced to pay big sums in order to regain control over their data."

From protection to prevention

Alongside visible attacks, hackers are increasingly sneaking into the virtual nerve centres of organisations and even state apparatuses. Unnoticed, they introduce their malicious software into the victims' systems, sometimes managing to access important data for months or even years. The theft of intellectual property mainly occurs in the realm of industrial espionage and can result in the thieves applying for patents for the innovations they have stolen. "While prevention provides effective safeguards against the malevolent encryption of data and accompanying blackmail, technological hardware is needed to detect data theft," says Wyrsch.

"Many companies feel powerless in the face of attacks and blackmail."

Marco Wyrsch, Swisscom

Wyrsch does not see the rapid development of digital technologies as the only driver behind the growing threat of such attacks in future. "We have to bear in mind that cybercrime is one of the most attractive and most lucrative criminal markets there is, because the perpetrators not only operate under cover of concealment but can even scale their shady dealings at will."

To counter the threat effectively, the business world needs to rethink quickly, he says. "Today, many companies feel helplessly exposed to attacks and blackmail attempts, and are mainly concerned with the question of whether they should set aside financial provisions for a loss event or take out expensive insurance policies." For Wyrsch, this attitude falls short. Technological progress is so rapid, he says, that inadequately protected companies become victims not just once but again and again. "The only remedy is a radical change of strategy, from protection to active prevention by means of targeted investments."

Healthy mix needed

Although organisations talk about taking the requisite steps, all too often too little is still being done, observes Cyrill Peter, Head of Enterprise Security Services at Swisscom Business Customers: more often than not, the lack of (or unbudgeted) funds – a particular problem for SMEs – means that the idea that organisations should develop and maintain their own digital high-security approach is neither realistic nor affordable. According to Peter, a viable alternative is targeted outsourcing to an external partner with the requisite know-how and capacities.

"Our aim is to achieve a steep learning curve in the race between 'good' and 'evil'."

Cyrill Peter, Swisscom

Swisscom's round-the-clock Security Operations Centre in Zurich's Binz district offers business customers a range of cybercrime prevention services. "We're currently experiencing increased demand for detection-related services, i.e. the detection of attacks that have already occurred," observes Marco Wyrsch. Swisscom's experts recommend a healthy mix of prevention, detection and response measures: "This combination has long been the basis in healthcare; digital security needs to do the same thing, and quickly."

Swisscom experts Marco Wyrsch (right) and Cyrill Peter at the ICT provider's Security Operations Centre. (Image: Michele Limina)

Organisations need to redouble their efforts, especially as the hacker scene is not asleep: "Our aim is to achieve a steep learning curve with our customers in this non-stop race between 'good' and 'evil'," says Cyrill Peter. Swisscom's approach in this regard makes use of a kind of swarm intelligence, whereby every single security experience of the current cohort of 1000-plus business customers is gathered together and immediately made available to all the others. "This know-how boosts significantly the learning ability of our systems and security analysts, something that ultimately benefits each individual customer."

WEF: cyber risks are urgent

The two Swisscom experts believe that if businesses manage to sensitise themselves to the issue of cybercrime and organise themselves as fast-learning "security communities", the battle against the digital underworld can be won in the long term. "The fact that every application has hacker-friendly vulnerabilities remains a problem going forward," says Wyrsch. He thinks the coming years will see companies, especially in the manufacturing sector, continue to suffer losses running into the millions: "At some point, though, the level of suffering is likely to be so high that huge investment will be made in online security."

Accordingly, more and more industries will regard protection against digital threats as a decisive competitive advantage. The World Economic Forum (WEF) recognised this urgency and put cyber risk at the top of its agenda at the beginning of the year. It is a logical consequence that telecoms and technology groups such as Swisscom are increasingly focusing their services and infrastructures on the prevention and detection of cybercrime. Demand is expected to increase exponentially in the near future. "We're ready to go 24/7," says Marco Wyrsch.

The commonest cyber risks

The Federal Reporting and Analysis Centre for Information Assurance (MELANI) identifies a large number of cyber threats to which companies are exposed:
