November 2, 2015, saw this years edition of the conference Cyber-Risks Switzerland organised by MELANI. While the last year’s edition presented a lot of interesting and promising ideas, this year brought concepts in draft stage, first reports from the frontline, lessons learnt at law enforcement and a batch of reports in finalised state.
It’s all about the NCS, the Swiss National Cyber Security Strategy (or more correctly “Nationale Strategie zum Schutz der Schweiz vor Cyber-Risiken”) with its areas of measures and the long action plan. Launched in 2012 and initialised in 2013, lots of different government entities are putting things in action, already looking ahead to 2017, when the batch of projects is meant to come to an end – or possibly rather a stopover.
National counselor Edith Graf-Litscher opened the presentations with a politician’s view on the subject matter. She used the term of “Gefühlte Scheinsicherheit” (engl: assumed Pseudo-Safety) and reported the wakeup process that is happening now, also among politicans. She sees the biggest challenge in the protection of critical infrastructures, which can only be controlled with the help of computers. She sees the NCS as a means to strengthen the resilience in the face of cyber attacks and IT blackouts. The core of the resilience has to be the cooperation; cooperation among the operators of critical infrastructures, the economy and the cantons.
She highlighted the creation of the Cyber NDB (Cyber Intelligence Service), a branch of the Swiss Intelligence which will cover cyber issues and cases that fall into the area of the secret service. Furthermore she identified the education and recruitment of young talents as an important factor in the national resilience as another important area.
And finally she looked ahead to 2017, when an effectiveness test will examine all the projects and measures, that have been implemented within the NCS frame.
Stefanie Frey NCS coordinator at ISB/MELANI illustrated that Switzerland pursues an integral approach to cyber security and showed the key cyber actors within the federal administration. The cyber actors are:
- Cyber Security of Critical Infrastructures (-> MELANI ISB and MELANI NDB)
- Law Enforcement (-> KOBIK)
- Cyber Defense (Military)
The NCS is an entirely civilian strategy that excludes war. Cyber defense in case of war is the responsibility of the army, which is a complete separate entity. However, the army takes part in many discussions and there is a close cooperation between the civilian and military entities, but does not contribute nor profit directly from the NCS. There is also close cooperation between the NCS and law enforcement. In a roundup over all the different areas of the NCS, she presented a list of finalised reports or projects, those in draft mode and finally those topics, which need more work – some of them a lot more work. There is still a lot of work to be done in law enforcement, which does not have a strategy at this point of time. (see below for details).
The first two areas in Stefanie Frey’s presentation are covered by the NCS, while the army is a complete separate entity, which takes part in many discussions, but does not contribute nor profit directly from the NCS.
Colonel Gérald Vernez covered the army in the cyber landscape. He is head of cyber defense of the army and thus part of the executive staff of the army. He reported that Cyber defense is now part of the doctrine of the army within its on sphere of operation. Also the protection targets of the army have been defined.
Within the army, there are three main “suppliers” of Cyber Security: (1) the Cyber military Intelligence Service, (2) MilCert and (3) Computer Network Operations. All three professional entities are supported by the militia.
The goal of the cyber defense activities of the army is to stop being reactive, but actually become pro-active. He gave the impression his unit is on good tracks.
Reto Inversini of MELANI talked about situation analysis and threat landscape (Lagebild) and the philosophy behind it. MELANI is not collecting any personal data and they are only collecting data they actually understand. So this is not Big-Data sink, but a collection of key data aimed at immediate analysis (and not archiving for future examination). MELANI is high on sharing and runs on infrastructure independent of the Federal IT and independent of the big Swiss carriers. He would then present three scenarios which are important for MELANI or rather typical situations faced by MELANI staff:
The first was malware on an endsystem of a partner organisation
(an operator of critical infrastructure):
- What family does the malware belong to?
- How many infections are there (within Switzerland)?
- What to do about it?
Then came: attack on critical infrastructure:
- Is this a targeted attack or a non-targetted attack?
- Does it have a technical background?
- What to do about it?
Finally a DDoS attack on a canton
- Is more than one canton affected?
- How long has this been going on?
- What to do about it?
In the latter case they need pcaps. They need to be able to analyse the traffic. Within those pcaps, they will try and find characteristics that identify the attack traffic. This pattern will help building a tailored defense.
All in all, this presentation gave a good insight into the day job of the analysts at MELANI and the problems they fight with.
Now it was the turn of KOBIK, which is concerned with the law enforcement within the NCS strategy. Tobis Bolliger, a.i. Head of KOBIK gave an overview over the status of his two NCS tasks, the “Operational Picture” and the coordination of criminal cases between the Swiss cantons. Here the picture was less bright than with the other presentations seen hitherto.
So far, there is no national strategy against cyber crime in the law enforcement area. This is still the object of discussion. There is no national “Operational Picture” and there is an almost complete focus on the prosecution of pedo-criminals, effectively binding all the ressources. Tobias Bolliger did not really state it expressively, but the fact was obvious: Police and namely KOBIK is so occupied with investigating pedo-criminals, that there is no personel left to hunt other cyber criminals. But they do exist of course: KOBIK has contributed to the assembly of a list of 25 phenomenons of Cyber crime. This list is almost settled and is meant to appear on the KOBIK website in the first quater of 2016.
There is a significant delta between the status quo and the goal defined by the NCS. There are no resources to develop an operational picture, not even in the area of pedo crime. There is a huge dark area where they lack information, namely in the economical cyber crime.
There is a set of nine tasks meant to work towards the said operational picture and the intercantonal case coordination. Among them are:
- Central Information Platform
- Analysis of Cybercrime in Switzerland
- Creation of a working group “Cyber Crime Phenomenons”
- Clarification of responsibilities
Marc Henauer of MELANI/NDB presented the new operational picture of the NDB, the Federal Intelligence Service. Actually, it is more of a radar. The idea was to develop a simple, intuitive and informative visualisation of the cyber threats targeting critical infrastructures and their operators in Switzerland. They resorted to the idea of a radar which brings remote dangers in a ring far away form the center of the radar. The closer the threat is to the center of the radar, the more dangerous it is. Every threat has additional information like the development, the classification by MELANI personnel and for significant threats a fact sheet attached, that describes the threat in more detail and presents a selection of defense methods. This looked quite useful and the radar metaphor makes a lot of sense. Right now, this radar is in beta stage with about 30 threats / issues covered.
The obvious question was if this was going to be available to the public and the response was, that this was developed for the audience of critical infrastructure operators. In a later stage, they will probably release a simplified radar to the wider public.
Gary Mc Ewen presented an overview of the Europol Cyber Crime Center (EC3) established in 2013. The center releases an annual IOCTA report. The focus of this year’s report is law enforcement. Among the findings in the report are the following items:
- Cybercrime is becoming more aggressive.
- It is still stealth, but really offensive in many aspects.
- Remote Access Tools are big (RATs).
- Ransomware is a hot topic.
- DDoS Extertion is very frequent and what they see more and
more is extortion over sensible information, like
sexual photos of people and the threat to release
them to the public.
He also made some interesting remarks on the structure of the cyber crime observed by Europol. Unlike traditional hierarchical organised crime, the cyber criminals are a lot less hierarchical. They source from the left and from the right and their cooperations are so called transactional cooperations. They are becoming more and more specialised, so there is more and more cooperation happening between the specialists. So the level of organising is more complex – and thus a lot harder to prosecute.
Jürgen Fauth, deputy head of the department “Cybercrime / Digital Tracks” at the state office of criminal investigation Baden-Württemberg, Germany, followed with his presentation. Within their department, they have three areas, called “Inspections”. They have over 100 specialists working in (1) investigations, (2) digital forensic and (3) surveillance. The size of his department was very impressive and contrasted strongly with the allocation on the canton level in Switzerland but also with KOBIK which covers a territory similar to Jürgen Fauth’s department.
He would then quote a single case, where a ransomware infection of a citizen lead to an investigation spanning the whole world. They estimate 200 Million devices infected and 10 Million Euros paid by people to recover their files.
The next presentation was performed by public prosecutor Stephan Walder from Zurich. The canton of Zurich has a pioneering role within Switzerland and he highlighted a few features of their setup or the problem at large. They work very closely with the police. This is necessary as the prosecutor plays an important role in the investigation from the very start. In a standard crime, the location of the crime, the tools and sometimes even the attacker is known. With cyber crime, these are unknowns and attribution is very hard. So in order to actually track down the criminals, the police is in need of support by the prosecutor to carry out the investigations.
They implement this specific need in the competence center, where they cover the management of the action, the police investigators and the techies. And unlike standard police action, the victims are often part of the discussion whether or not to deposit a formal complaint. This means it is OK to contact the prosecutor and talk with him about the merits and disadvantages of a prosecution. And he actually invited the audience to get in touch with cases, so the issues could be talked through. He wants more cases taken to the courts and he hopes people will realise their is actually a chance to track the the criminals down.
When talking about crimes seen today, he confirmed Europol’s statement: Criminals are still doing DDoS extortion, but they also gather information online and extort board members of big companies with personal information. Simple example: The location of the riding school of the daughter of a board member being sent to a board member giving him a feeling of exposure, trying to blackmail him. They are also seeing Swiss malware distributors. They are not all residing in shady countries but within Switzerland as well. And they can be tracked down!
The job of a prosecutor comes with many problems. One problem is the territoriality principle. If he loads data from an international cloud server, he is violating this principle and commits a crime himself. The case is obvious: As a Swiss public prosecutor, his actions are limited to Switzerland. Everything outside the Swiss Jurisdiction necessarily demands a formal call for administrative assistance in the other country. This may take ages (typically up to 18 months in the case of the United States) and ISPs in many countries are not obliged to keep logs from their customers. So in many cases that administrative assistance is futile.
A recurring topic of Stephan Walder’s talk were the periods of safekeeping of the provider meta data: They are too short in his eyes. Namely in partnering countries, but also in Switzerland. So he trusts on the revision of the Telecommunication Surveillance Law (BÜPF) which extends the period.
Afterwards, the circle moved back to Mauro Vignati, head of the new Cyber NDB. His presentation tried to respond to the question how you can identify government backed APT or what are the APT’s characteristics.
- The malware drop is carried out over multiple stages
often three and four levels.
- The malware has the ability to remain active over many years.
So governments are investing a big deal of resources
in these malware families so they can remain stealth,
but are being updated regularly to remain active
across hardware and software updates.
- The malwares contain a high number of 0-day exploits.
0-days are expensive and the number of
them used typically point to a government willing to
invest a high amount of money / resources.
- There is a massive use of plugins. They have seen government
backed malwares with over 100 different plugins.
To do this, there is a need for a huge amount of
development and so far, only governments are
willing to pay this.
This presentation was followed by a hacking demonstration by Marco di Filippo of Koramis. Koramis is a German SCADA company and Marco di Filippo demonstrated the ease of exploitation of these devices. Often plugged in on the internet without any access control, they give access to a wide set of controls and steering processes: Traffic lights, water canalisation valves, pool heating, sun shades, anything.
Investigation is easy. Being exposed on the internet, google and shodan will index the services and a simple search will reveal possible targets within Switzerland. The third source of information are reference documentations by producers and integrators of the said SCADA systems. It is surprising what he was able to dig up in the said reference documentations: hardware and software releases, ip addresses, phone numbers etc.
Finally, he presented his project honeytrain, where they built a complete public traffic system with real SCADA setup, mediaserver etc. in order to attract hackers. The only thing missing were the real trains. In their setup, they used model trains. Within six weeks they attracted millions of port scans (no surprise there) and eight real attacks with human interactions. The results of the research can be viewed under https://www.sophos-events.com/honeytrain.
The conference was now approaching the end – and your author started to feel a bit dizzy with all the information received. Next was Kurt Lanz from Economie Suisse, who talked about Cyber Security from en economical standpoint. Economiesuisse represents over 100K Swiss companies with 2 Million employees. His presentation was strong on statistics, self-assessments of the said companies and issues faced by those companies.
The main fears of the Companies when it comes to Cyber Security are (1) business interruptions, (2) customer data loss, (3) loss of reputation (4) intellectual property. One might have to add, that not all of the 100K companies have IP to lose. But those who do have, are likely to have that high on their list. But the stats are an average of course.
Kurt Lanz described the cyberspace or rather the internet as a space that has to be used as common property (German: Digitale Allmende). All the stakeholders have to cooperate to keep it clean and it can’t be clean until our neighbours clean up their piece. This “Digitale Allmende” is a Swiss concept that resembles the idea of a “good internet citizen” in the area of security. The use of this metaphor is a strong statement from Economie Suisse and calls for a cooperation of the public and the private sector. He quoted namely Swiss Cyber Experts as a viable model; a Company where your author has the honor to serve as vice-president.
The final presentation of the day was held by Werner Meier, head of security at electricity utility Alpiq. Werner Meier also serves as head of Energy at the Federal Office for National Economic Supply. He talked about a special form of public private partnership in the energy sector where various tasks of the NCS have been completed. Namely the gas provisioning and the oil industry. The more delicate case of the electrical power is still working on its report and batch of measures – but faces a much more complicated problem. It is obvious that electrical grid involves far more IT than the system of tubes provisioning gas to Swiss households.
When asked about government regulations in the area of cyber security and namely electrical utilities he made it quite clear that the industry has heard the call and that measures are being taken. According to Werner Meier, there is no need at all for any additional regulation in the Cyber Security area in his industry.
With this, the conference came to an end and the word was given to Peter Fischer, Federal delegate of the IT Steering Unit and thus supervising MELANI. Peter Fischer would round up the various talks and thanked everybody for coming. He stated that gatherings like this have a unique value for Switzerland and the NCS. It’s an event for sharing information, but also for networking. Obviously, cooperation only works when you know each other and talk face to face from time to time.
All in all it was a highly informative day. The presentations have all been stuffed with content. All the presenters proved that they are experts in their field and willing to share a big deal of information. Coffee breaks and the lunch were humming with talking and discussions and I went home with a very big amount of information and food for thought. Mission accomplished MELANI.
Christian Folini Follow @ChrFolini Tweet