Europol Unclassified - Basic Protection level
A Three-Pronged Approach to Fight Cybercrime
Philipp Amann, Head of Strategy
Europol, EC3
October 2017
@EC3Europol
Topics to Cover
Cybercrime Fighting Model
Europol’s EC3
Examples
Crime-as-a-Service Model
Scenario
Multi-national corporation
2 CEOs, 1 CTO and 2 CFOs
Excellent customer service and support
Uptime and resilience some of the key competitive advantages
Range of high-profit services catering to a global market and audience
Crime-as-a-Service Model
Some Terminology
Visible/Surface Web
Publicly accessible searchable internet
Deep Web
Unindexed by traditional search engines with limited access
(databases, records, etc.)
Dark Web
Environment accessible only through specialised software and providing anonymity
(whistle-blowers, criminals, etc.)
4%
96%
Underground Economy
Operation Avalanche - Nov 2016
5 arrests in 4 countries
37 searches in 7 countries
39 servers seized in 13 countries
221 servers taken offline
64 TLDs
800,000 domains in 26 countries
Victim remediation in 189 countries
Awareness raising and prevention
Operation Avalanche
Delivery platform to launch mass global malware attacks and money mule recruiting campaigns
In business since 2009
Approx. 500 000 infected active devices worldwide per day
Network very resilient to technical takedowns (double fast flux)
Estimated losses hundreds of millions of euros worldwide
Operation Avalanche – Service Model
Service tiers: Do it yourself, Malware as a Service, Botnet as a Service, Distribution as a Service, Crime as a Service
Steps shown for each tier:
Collect and launder money
Distribute malware
Infect target machines
Develop and test malware
Legend: Step managed by criminal / Step managed and provided as a service to criminal
Europol’s Mandate
Headquarters: The Hague, Netherlands
“Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy”
(Europol Regulation)
Cooperation Agreements
28 EU Member States
Operational Agreements: Albania, Australia, Canada, Colombia, Eurojust, Former Yugoslav Republic of Macedonia, Moldova, Montenegro, Iceland, INTERPOL, Liechtenstein, Monaco, Norway, Serbia, Switzerland, Bosnia and Herzegovina, United States of America, Ukraine*
Strategic Agreements: CEPOL, ECB, ECDC, EMCDDA, ENISA, FRONTEX, OHIM, OLAF, Russia, UNODC, World Custom Organisation
Liaison Bureaux Network
Europol Liaison Officers in:
• Interpol IGCI
• Interpol IPSG
• Washington DC
Europol Operational Units
European Counter Terrorism Centre
EU IRU
European Cybercrime Centre
J-CAT
Information Hub
Serious Organised Crime
EMSC
Europol Operational Centre 24/7
Horizontal Operational Support
EC3 – A Three-Pronged Approach
Europol EC3
January 2013
Transnational Payment Fraud Hi-Tech Crimes Child Sexual Exploitation
Cyber Threats and Trends Capacity Building Cybercrime Prevention
Digital Forensics Document Forensics
EUCTF
Evaluation
SOCTA
IOCTA
Operational Actions
Strategic Plans
EU Policy Cycle
EC3 Programme Board
EC3 Advisory Networks
Internet Security
Financial Services
Academic Advisory Network
Cybercrime Prevention Network
Communication Providers
Forensic Expert Forum
Multi-stakeholder Governance Model
Communication Providers
Financial Services
Advisory Groups at a Glance
Internet Security
Joint Cybercrime Action Taskforce (J-CAT)
High-Tech Crimes
Payment Fraud
Online Child Sexual Exploitation
Cross-Crimes Factors Facilitating Cybercrime
24/7 Permanent Taskforce Operating from EC3
Identification of priorities
Investigative opportunities
INVESTIGATION
Chairmanship: Germany
Vice-Chairmanship: US FBI
Attachment Schemes with Law Enforcement and Private Sector
2.0
Threats to Information and Devices
Threats to Communication
Who is Behind?
State-Sponsored/ Condoned or Competitors
(Cyber)Criminals and Organised Crime Groups
Insiders
Hacktivists
Types of Threats
IOCTA 2017 – Key Trends
Common Challenges in Combatting Cybercrime
MLA process
Cross-border communication and the exchange of information
Public-private cooperation
Internet of Things
Differences in legislation
Online investigations
Darknets
Cloud-based storage
Data retention
Virtual currencies
Encryption
CGN issues
LEA training
Loss of data
Loss of location
Legal framework
Public-private partnerships
International cooperation
Evolving threat landscape and the expertise gap
Cybercrime Fighting Model
Law Enforcement
Private Sector
Internet Governance
Institutional Partners
Academia
Law Enforcement
Key Partners
Cybercrime Fighting Model
Profit per Attack
Volume of Attackers
Volume of Victims
Prevention
Investigation
Law Enforcement Focus
Skill Ceiling
Coordinated LE Response to Criminality
01 Cyber Patrol Action Week (June 2017)
02 Operations GraveSac (Hansa) and Bayonet (AlphaBay) (June-July 2017)
03 Operation Titanic (Elysium) (July 2017)
[Chart: AlphaBay listings by category: Fraud, Drugs & Chemicals, Guides and Tutorials, Counterfeit Items, Digital Products, Jewels & Gold, Weapons, Carded Items, Services, Other Listings, Software & Malware, Security & Hosting]
200,000 users & 40,000 vendors
350,000 illicit commodities
Transactions worth USD 1 billion
Hansa Users and Surge of New Members after AlphaBay Takedown
Before: less than 1,000 vendors per day
After: more than 8,000
650 SIENAs/37 countries on daily drug shipments from Hansa in June-July
AlphaBay Takedown
over 87,000 members worldwide
14 suspects arrested (incl. operator of platform)
12 of them suspected of hands-on abuse
Operation Bayonet & GraveSac
Takedown of the largest criminal Dark Web markets: AlphaBay & Hansa
Platforms offered significant amounts of illicit goods and services
3 admins arrested
Strategic assessment of impact to inform future operations (alternatives)
Innovative LEA strategy: covert control of Hansa for a month to gather intel
Global Airline Action Days (June 2017)
E-Commerce Action Week (Oct 2016)
2nd International action on e-commerce fraud
76 arrests
100 searches
20,000 illegal online transactions
E-merchants, payment industry and logistics companies
Europol coordinating AT, BE, BG, CO, HR, DK, EE, FI, FR, GR, IE, IT, HU, LV, NL, PL, PT, RO, SK, ES, SE, UK, CA, USA, IS, GE
European Money Mule Action (March & Nov 16)
Actions involving EC3, Eurojust, 16 countries, EBF, 106 banks
1,280 mules identified
259 arrested
95% transactions related to cybercrime
Awareness Raising
@EC3Europol
More than 11,000 followers
Active Users 4,000+
Online sub-communities 55+
Mobile Malware Prevention Campaign
EC3’s Trace an Object Campaign
To identify the origin of different objects, part of CSEM
Tips can be submitted anonymously
20 objects were uploaded on the dedicated webpage
More than 10,000 tips in a few days
Inspired by victims previously identified based on objects
“SayNo” to Online Child Sexual Coercion and Extortion
Videos in all EU languages
Two different scenarios
International awareness raising campaign
Links to reporting mechanisms
Advice for victims
Prevention advice
Public report on the phenomenon, key trends and response measures
Key findings from the report:
Higher likelihood of female victims in content-motivated cases
Predominantly male victims in profit-driven cases
Demand for other children to be included as well in the CSEM
No More Ransom Initiative
109 Partners
Website available in 28 languages
54 free decryption tools
>28 000 devices successfully decrypted
The 2017 SC Magazine Editor’s Choice Award
EC3’s Cybercrime Training Courses
Training Course on Combating the Sexual Exploitation of Children on the Internet
Training Course on Open Source IT Forensics
Training Course on Payment Card Fraud Forensics
Internet Governance
ICANN - PSWG
• DNS Abuse Mitigation
• Privacy and Proxy Services
• Reform of WHOIS – Next Generation RDS
RIPE NCC
• Improving the accuracy of the RIPE Database to improve traceability of IP addresses
CGN
• Expert network
• Engagement with industry
• Engagement with policy-makers
Main Takeaway Points
Evolving threat landscape and various challenges
Europol and EC3 – the EU’s ‘Uber’ of law enforcement
Cybercrime at scale requires a networked or ‘multi-pronged’ response
Industrialization of Cybercrime – Crime-as-a-Service model
Thank you
Follow us: @EC3Europol