Strategic Management of Cybercrime
Making Crime Pay
A/Prof Paul A. Watters
Research Director ICSL
Overview

Use business planning activities to interpret current cybercrime tactics within a strategic context
Understand the key drivers for management in cybercrime organisations
Predict how new threats to cybercrime might change or curtail future organisational planning

Business Planning

Cybercrime organisations are like any other business
What cash return is sought by their investors?
ROI
What are the (non-cash) critical success factors?
Risk management – threat of arrest, seizure of capital

Business Planning

How do we know they operate like a business?

Business Analysis Steps

1. What do we do?
2. To whom do we do it?
3. How do we do it?
4. How can we beat or avoid competition?

What do we do?

Goal is to maximise revenue through fraud
Identify most vulnerable targets
  - The unemployed or desperate
Identify schemes which maximise return but minimise risk
  - Low or nil cost to operate, minimal risk of detection or arrest
Scheme proceeds laundered through legitimate businesses
  - Cheque cashing fraud, mules

To whom do we do it?

Identify asset-rich countries with sophisticated banking systems
Must have easy means to “cash out”
Attack launched from countries with no extradition treaty with target
Local “protection” from government, police, legitimate business as cover etc
Individual loss < minimum thresholds for investigation (no loss aggregation)

How do we do it?
Example: Implied Obligation?
How do we do it?
How can we beat or avoid competition?

Principle of specialisation
Strategic HR
Hiring the best talent
Partnerships
Writing kits or running attacks?
Diversified industrial – very 1970’s
Strategic outsourcing where it makes sense
Trade organisations
Sharing knowledge, intelligence and expertise freely

Strategy from tactical data?

Key challenge to measure the threat landscape
Mapping of campaigns to identifiable groups
Estimate of potential impact
  - Quantitative – dollars lost
  - Qualitative – harm to reputation, confidence in banking

Phishing Campaigns

[Chart: Australian Data, Volume]

Optimised threat management

Can we use data mining to optimise response to threats?
Best allocation of resources to different types of threat
  - Existing kits = takedowns, resource management
  - New kits = forensic investigation, focused intelligence discovery/updates

An Example: New Threats

[Chart: Frequency by day of week (M T W T F S S)]

An Example: New Threats

[Chart: Volume of new attacks against Time, with exponential smoothing (a=0.2)]

No Simple Answers

Only 5% of variation in new case volume over time accounted for by linear model!

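
An added example, not taken from the original slides: exponential smoothing with a = 0.2 and the R^2 of a straight-line fit, the two techniques named on the "An Example: New Threats" and "No Simple Answers" slides, run on a constructed two-week series. The data and all function names are assumptions made for illustration.

```python
# Constructed sample (not data from the slides): new attack campaigns seen per
# day over two weeks, Monday to Sunday, with quieter weekends.
DAILY_NEW_ATTACKS = [42, 55, 61, 48, 70, 12, 9, 45, 58, 52, 66, 49, 15, 11]


def exp_smooth(series, alpha=0.2):
    """Simple exponential smoothing: s[0] = x[0], s[t] = a*x[t] + (1-a)*s[t-1]."""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    smoothed = [float(series[0])]
    for x in series[1:]:
        smoothed.append(alpha * x + (1 - alpha) * smoothed[-1])
    return smoothed


def linear_r2(series):
    """Share of variance explained by a least-squares straight line over time."""
    n = len(series)
    t_mean = (n - 1) / 2
    x_mean = sum(series) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    syy = sum((x - x_mean) ** 2 for x in series)
    sxy = sum((t - t_mean) * (x - x_mean) for t, x in enumerate(series))
    if sxx == 0 or syy == 0:  # one point or a flat series: nothing to explain
        return 0.0
    return sxy ** 2 / (sxx * syy)


def one_step_mae(series, alpha=0.2):
    """Mean absolute error when yesterday's smoothed level forecasts today."""
    smoothed = exp_smooth(series, alpha)
    # Pair each observation x[t] with the previous smoothed value s[t-1].
    errors = [abs(x - s) for x, s in zip(series[1:], smoothed)]
    return sum(errors) / len(errors)


if __name__ == "__main__":
    print("smoothed:", [round(s, 1) for s in exp_smooth(DAILY_NEW_ATTACKS)])
    print("linear R^2:", round(linear_r2(DAILY_NEW_ATTACKS), 3))
    print("one-step MAE:", round(one_step_mae(DAILY_NEW_ATTACKS), 1))
```

On this constructed series the straight line explains about a tenth of the variance and the smoothed forecast is off by roughly 19 campaigns a day, so neither technique alone gives a usable staffing forecast.
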
Profiling – Know Your Enemy
Summary

Cybercriminals operate as businesses
Analysing cybercrime data helps us interpret the threat landscape
Understanding of current activity levels
Prediction of future types of activity
Reveals the drivers and business planning choices undertaken by criminal groups
Simple techniques only achieve so much
More sophisticated algorithms needed to improve predictability