December 20, 2019: Philipp Amann's big topic is international cooperation. Together with his team, he is responsible for the analysis and strategic evaluation of current and future threats and trends in the field of cybercrime at Europol. At Command Control he and Heiko Löhr from the BKA will give an overview of the current security situation in Europe. We talked to him beforehand about cyber resilience, the work of Europol, the correct handling of ransomware and much more.
The central theme of Command Control 2020 is cyber resilience.
What do you understand by this approach? And why should companies orient themselves towards it?
Amann: I understand cyber resilience to mean that companies are organizationally prepared for cyber threats and have both the technical and organizational resources, options, processes and tools to respond appropriately to cyber-attacks. In addition to technical measures, these of course also include the continuous training of staff and the creation of an appropriate awareness for the risks within the organization and within the environment in which the company operates – including the supply chain. The human being is still frequently the crucial weak point. For example, we see that complex attack scenarios often start with phishing emails or social engineering which lead individuals to do something they should not do. This often causes existing technical security measures to be effectively bypassed.
To equip themselves companies require the appropriate organizational structures and must be aware of their risk profiles, of where attacks may originate and what counter-measures they can take. Furthermore, they must not treat resilience as a one-off action, but as an ongoing process. This then incorporates measures such as penetration testing and red and blue teams. As police we view ourselves as an important partner in the issue of resilience, not least due to the fact that cyber-attacks generally have a criminal component.
How do Europol, and EC3 in particular, support European companies? Are there special programs, training courses or other activities?
Amann: In addition to numerous activities relating to prevention and raising awareness, I would specifically like to highlight our “No More Ransom” initiative. This initiative is still comparatively unknown, but to date has helped over 200,000 victims – and this is in fact a very conservative number. “No More Ransom” provides companies and private individuals with practical help with currently over 95 freely available tools which can decrypt more than 150 ransomware families.
Another interesting dimension is that we have three consulting groups with partners in the internet security field, the financial sector and the telecommunication sector who meet several times a year to examine intensively those threat themes in cyberspace where there is an acute requirement. This year one of the main topics has been spear phishing which is a big problem particularly in the banking sector. We recently published a joint report on this subject which provides both a clarification and action recommendations for dealing with spear phishing.
You just mentioned ransomware.
How do you advise companies to proceed from a police perspective?
Amann: In principle I can comprehend why some companies in such cases are prepared to give in to the demands. However, from our perspective I must say very clearly: Do not pay! On the one hand because this further fuels the ransomware business model and under certain circumstances also cofinances other types of crime, but also because it is not at all certain whether by making such a payment you will actually recover your data. Ultimately when you make a payment you are relying on the honesty of criminals. Furthermore, when you make a payment you increase the risk of being a repeat target of an attack since the criminals take note of an affected company’s “willingness to pay”. Instead of this I recommend that you contact the authorities. Through the “No More Ransom” initiative we offer practical help and any subsequent information about an attack can help us provide support in specific investigation proceedings.
Europol recently published the INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2019 Report. In this report you examine the issue of cyber threats in “Smart Cities” which is one of the main issues to be covered at Command Control 2020. What relevant findings for police investigative work did you acquire whilst compiling the report?
Amann: In principle the issue of Building Smart Cities must be considered in connection with the Internet of Things. There is a big cybersecurity risk through constantly expanding areas of attack via unsecured, smart and autonomous devices which are connected to the internet. Many of these devices were not, and are not, developed according to the principles of security or privacy by design. Nor is it possible in many cases to update the devices or encrypt the information on them. Here we see a big risk because such unsecured devices are used as an invasion vector for attacks or as part of a botnet, for instance, to start big DDoS attacks or to attack entire ‘smart’ cities via a ransomware attack therefore also paralyzing critical infrastructures. Unfortunately, this is a trend that we are now observing more and more also in Europe.
The report also addresses the fact that criminal prosecution in cyber criminality is becoming more and more difficult, primarily due to the fragmentation in the darknet.
What measures should security officers derive from this?
Amann: Handling the darknet is primarily a risk management issue as companies should be aware of the risks they are exposed to in the darknet. Security officers must specifically look at whether data is offered there which affect their company. These may include personal data of employees such as passwords or other sensitive information that affect the company. Companies also ought to know whether malware or tools on offer in the darknet could have potential impacts on their business model.
At Command Control 2020 you will hold a session with Heiko Löhr (Head of Cyber Security Unit, BKA) entitled “The current cyber threat landscape in Europe”.
Can you give us a small preview into the highlights that visitors to the Summit can look forward to?
Amann: In addition to an overview on the current threat situation our session will examine how authorities, industry, research and other stakeholders should cooperate on this issue. We will also explain the role of EUROPOL. This is because there are issues – specifically around cyber threats – which can only be solved at a European or international level. During the session we will describe a few examples in more detail.
In essence during our session we want to make it clear that we all become more cyber resilient when we cooperate and exchange information. Cybersecurity is a collective responsibility. Therefore, I want to convey to the attendees at Command Control from industry what we do at EUROPOL and why it is worthwhile for companies to work together with authorities like us.