Last year saw continued growth in the number and sophistication of cyber attacks, with many high-profile breaches making the news. But do we really know the extent of these attacks? Has social media contributed to the growing number of attacks? What problems arise out of this threat landscape? And what are the incentives for the attackers?
To help answer some of these questions, I contacted Alon Arvatz, co-founder & CPO of IntSights, to ask him a handful of questions about the threat landscape in 2017, today, and beyond. By way of background, IntSights provides advance warning and customized insights concerning potential cyber attacks, including recommended steps to avoid or withstand the attacks.
What makes 2017 such a bad year for cyber attacks?
This year we have witnessed a few of the most devastating cyber attacks in recent history. The leakage of CIA tools by Shadow Brokers led to the WannaCry ransomware attack, which hit hundreds of organizations and hundreds of thousands of computers, and cost millions of dollars in damage. This malware even compromised the life of civilians as it attacked critical hospital systems. Other attacks such as Petya/NotPetya also hit hard on businesses and civilians alike.
Personal data leakage became a major issue in 2017, as organizations like Equifax, Yahoo, Uber, and even government organizations were breached. The impact of these attacks cannot be underestimated, as they can lead to identity theft and scams years from the time of the exposure. Businesses that try to cover up and do not disclose the full extent of the theft are making it even harder for the public to know who was compromised and to what extent.
This past year, we also saw the commodification of cyber-crime and cyber attacks. Ransomware, botnets, credit card data stealers, and other types of malware became so widespread that even a novice with minimal computer knowledge can purchase tools and data that can launch devastating attacks. In 2017, it was easier than ever to launch a successful cyber attack, even without extensive prior knowledge.
Where do most attacks originate?
Last year a lot of the attacks came from nation-state sponsored attack groups. North Korea, China, and Russia all have hacker groups (directly sponsored, or just loosely tied) that are well-trained, well-funded, and cannot be touched by law enforcement agencies. This fact makes it very hard to fight them, allowing them to continue their attacks constantly.
What kind of organizations are most prone to attacks?
According to our data for 2017, the financial sector is most prone to attacks, as it holds the best opportunities for quick and lucrative money making. Following closely are telecom companies and software/IT/computer services companies, as they have wide exposure to Internet-facing services, making them an easy target. The governmental and utilities sectors are also prone to attacks.
What organizations are most vulnerable to attacks?
Big, legacy organizations are slower to react and have a bigger attack surface, as they may have many endpoints to manage and protect. This makes it extremely hard to respond to all the alerts and the ever-changing threat landscape.
Small organizations are less exposed, but they also have less money to invest in security measures and protection. Thus, they are the most vulnerable, yet less targeted.
How has malware changed over the past few years?
Malware has evolved from simple script kiddies that utilize simple attacks to break into their neighbor's Wi-Fi, to full blown nation-state tools that utilize zero-day and unknown exploits. The commodification of malware-as-a-service led to a price-based malware business structure. Low paying customers get second-hand hacks and malware that are already known. High paying customers can get new, custom written malware from expert hackers for specific purposes and attacks. Attack groups also keep generating new and unfamiliar malware.
How do social media attacks affect the enterprise?
Social networks are the new town square, and social media outlets such as Twitter, Facebook, Instagram, etc., are the face of each company and organization. Attacks on social media outlets can have multiple motivations, including disrupting company service or defacing a company for its deeds, as in some "hacktivism" campaigns from groups like Anonymous. These attacks can also serve a much more sinister purpose, facilitating social engineering attacks by impersonating someone else, or even revenue making, as in the hack of John McAfee's Twitter account that encouraged people to buy a certain cryptocurrency in the hope that it would drive the value of the currency up and profit the attackers.
In addition, organizations suffer from impersonation on social media. Many attackers take advantage of social media to open fake profiles, impersonating the organization in order to lure customers and employees. This can lead to brand damage, or even a phishing attack that would lead to a breach.
What are the motivations for attacks?
Most of the 2017 attacks were intended to steal money -- directly by ransomware, banking trojans, credit-card data theft or crypto-miners.
Another kind of motivation comes from attack groups, who also use malware to steal money and fund their operations, but also target other nations in espionage efforts and critical infrastructure attacks, inflicting damage on that nation's enemies. However, most of those types of attacks are not published, and we can only assume that those attacks that do get published are just the tip of the iceberg of the real underground war between nation-states in cyberspace.
Hacktivist groups are also known threat actors, as they attack targets on ideological grounds and try to publish national, individual, or corporate behaviors and actions that are not in line with their ideology.
It is worth mentioning that sometimes the motivations are mixed, and sometimes different groups disguise their operations as other groups in order to confuse and mask their true intention.
What steps can enterprises take to reduce their vulnerability to attacks?
First, keep your systems patched and up to date. Closing down known vulnerabilities should deter most of the attacks. Most organizations struggle to keep their systems up to date. Patching in time could mean the difference between a functioning business and a catastrophe.
Second, institute multiple layers of security. Just a firewall and a traditional anti-virus are not enough these days. No single security system or product can catch all types of threats. SIEM, NAC, IDS/IPS, and WAF systems are all combined systems that supplement each other, but still do not supply a bulletproof solution to every attack, as most of them are reactive instead of proactive. However, without them, an organization will be even more exposed to attacks.
Third, be aware of your organization's exposure cross-section; understand what your organization looks like in the eyes of the attacker.
Threat intelligence can help you think like the attacker, all while providing you with real-world tailored intelligence on how your organization is perceived by threat actors, and identifying the most prevalent threats that threaten your organization and others in the same sector. You need live intelligence from current attacks and threats, so you can be ready for what's coming – before it hits you.