
Hands-On Cybersecurity with Blockchain

By : Rajneesh Gupta

Overview of this book

Blockchain technology is being welcomed as one of the most revolutionary and impactful innovations of today. Blockchain technology was first identified in the world’s most popular digital currency, Bitcoin, but has now changed the outlook of several organizations and empowered them to use it even for storage and transfer of value. This book will start by introducing you to the common cyberthreat landscape and common attacks such as malware, phishing, insider threats, and DDoS. The next set of chapters will help you to understand the workings of Blockchain technology, Ethereum and Hyperledger architecture and how they fit into the cybersecurity ecosystem. These chapters will also help you to write your first distributed application on Ethereum Blockchain and the Hyperledger Fabric framework. Later, you will learn about the security triad and its adaptation with Blockchain. The last set of chapters will take you through the core concepts of cybersecurity, such as DDoS protection, PKI-based identity, 2FA, and DNS security. You will learn how Blockchain plays a crucial role in transforming cybersecurity solutions. Toward the end of the book, you will also encounter some real-world deployment examples of Blockchain in security cases, and also understand the short-term challenges and future of cybersecurity with Blockchain.

Current threat landscape


In the new era of cyberspace, technology transformation has been a core factor for continuous security innovation and operations. The world of connected vehicles, IoT, mobility, and the cloud opens up new focal points for cybercrime, targeted attacks, and industrial espionage. Once an attacker finds a vulnerability and determines how to access an application, they have everything they need to build an exploit for it, so it is critical to develop strong vulnerability management. Remember, the effectiveness of vulnerability management depends on the organization's ability to keep up with emerging security threats and models.

Security systems won't make an impact if employees are lured into clicking on a malicious link sent to them over email. Social engineering has proven to be an effective way to get inside a target network, and security teams face endless challenges in identifying malicious entry. Back in the old days, before Facebook and LinkedIn, if you needed to find information on an organization, you weren't going to get a lot of it on the internet; the rise of social networking sites has made social engineering attacks far easier to perform.

Ransomware

Ransomware is malware that encrypts the information on a victim's computer and demands payment before access is restored. It is one of the most trending and highest-return types of crimeware. It has attracted an enormous amount of media coverage in the past two years, mainly because of WannaCry, NotPetya, and Locky. WannaCry spread rapidly across a large number of systems worldwide in May 2017. It hit several high-profile organizations, including the UK's National Health Service, Spanish telephone giant Telefonica, French automobile leader Renault, leading US logistics company FedEx, Japanese firm Hitachi, and many more.

Ransomware authors host their malware as a service on the dark web, which allows any buyer to create and modify the malware.

The dark web is a part of the internet that can't be reached through a search engine; it requires a special anonymity browser called Tor. In other words, the dark web carries unindexed data that is not available to search engines. The Tor browser routes the user's traffic through a series of proxy servers, which makes the user's identity unidentifiable and untraceable. Dark websites look similar to ordinary websites, but there are some differences in the naming structure. Dark websites don't have a top-level domain (TLD) such as .com, .net, or .co; instead, their addresses end in .onion.

The monetization of hacking 

As per the cybersecurity business report, ransomware damage costs are predicted to hit 11.5 billion by 2019. There are several driving factors behind the growth of ransomware operations globally. To earn money faster, cybercriminals have stopped writing malware themselves and started leveraging Ransomware-as-a-Service (RaaS), which is available on dark web marketplaces.

These marketplaces don't just reduce the effort for expert criminals; they also allow non-technical criminals, or script kiddies, to conduct ransomware operations.

The attacker produces a ransomware program with a preconfigured timer that ensures the destruction of data if the ransom is not paid before the specified time. Attackers also share a payment procedure, which is mostly through a Bitcoin wallet, since a cryptocurrency wallet provides anonymity.

WannaCry

The WannaCry attacks were the biggest ransomware attacks and occurred in May 2017. WannaCry made use of a vulnerability in the Windows OS that was first identified by the NSA and then made public by the Shadow Brokers group. It was designed to exploit a vulnerability in Windows SMBv1 and SMBv2 so that it could move laterally within networks. By May 24, 2017, more than 200,000 computer systems had been infected in 150 countries.

NotPetya

NotPetya is another flavor of ransomware attack, launched in June 2017. The NotPetya ransomware resembles the Petya virus in several ways: it encrypts files and shows a screen requesting Bitcoin to restore them. The original infection method was a backdoor planted in M.E.Doc (accounting software from a leading Ukrainian vendor). After compromising a system through the M.E.Doc software, NotPetya used tools such as EternalBlue and EternalRomance to spread across the network. It also took advantage of a tool called Mimikatz to harvest administrator credentials from the compromised machine.

SimpleLocker

SimpleLocker was the first ransomware attack that did not affect computer systems but instead affected mobile phones. The OS the attackers chose was Android, and the origin of this ransomware was traced to Eastern Europe. The Trojan targeted SD cards slotted into tablets and handsets, automatically crawling the entire card for certain file types and then demanding cash to decrypt the data. The virus entered devices through the Google Play Store. Once installed, it scanned the affected device for various file types and encrypted them using the Advanced Encryption Standard (AES), changing the file extensions to .enc. It also collected other information from the device, such as the IMEI number, device model, and manufacturer, and sent this to a C2 server. With the latest versions of this virus, attackers can even access the device camera and display a picture of the victim to scare them into paying the ransom. This threat is still lurking out there.
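The extension change described above (SimpleLocker renaming encrypted files to .enc) is one of the few observable signals a defender gets while the encryption is still in progress. The following is an added example, not code from the book: it replays a constructed stream of file-system events and flags any process that writes or renames a burst of files with a known ransomware extension inside a short window. The event format, process names, window size and threshold are assumptions made for this example.

```python
"""Heuristic detection of ransomware-style mass file encryption.

Added example, not code from the book: it replays a constructed stream of
file-system events and flags any process that creates or renames many files
with a known ransomware extension (SimpleLocker's .enc, as the text
describes) inside a short time window. The event format, process names,
window and threshold are assumptions for this example.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple
import posixpath

# Extensions appended by the families under discussion; .enc is SimpleLocker's.
RANSOM_EXTENSIONS = {".enc"}
WINDOW_SECONDS = 10   # look-back window (assumed)
THRESHOLD = 5         # ransom-extension events inside the window (assumed)

# Constructed event log: "<epoch seconds> <pid> <process> <op> <path>"
SAMPLE_EVENTS = """\
1000 412 gallery WRITE /sdcard/DCIM/IMG_001.jpg
1002 205 backup WRITE /sdcard/backup/notes.txt.enc
1010 733 locker RENAME /sdcard/DCIM/IMG_001.jpg.enc
1011 733 locker RENAME /sdcard/DCIM/IMG_002.jpg.enc
1011 733 locker RENAME /sdcard/Documents/cv.pdf.enc
1012 733 locker RENAME /sdcard/Documents/tax.docx.enc
1013 733 locker RENAME /sdcard/Music/track01.mp3.enc
1014 733 locker RENAME /sdcard/Music/track02.mp3.enc
1020 900 sync WRITE /sdcard/sync/a.enc
1050 900 sync WRITE /sdcard/sync/b.enc
1080 900 sync WRITE /sdcard/sync/c.enc
"""


class Alert(NamedTuple):
    pid: int
    process: str
    count: int
    first_ts: int
    last_ts: int


def parse_event(line: str):
    ts, pid, proc, op, path = line.split(maxsplit=4)
    return int(ts), int(pid), proc, op, path


def has_ransom_extension(path: str) -> bool:
    return posixpath.splitext(path)[1].lower() in RANSOM_EXTENSIONS


def detect_mass_encryption(lines, window=WINDOW_SECONDS, threshold=THRESHOLD) -> List[Alert]:
    """Sliding-window count of ransom-extension writes per process.

    One alert is raised per process the first time its count inside the
    window reaches the threshold; benign one-off .enc writes stay below it.
    """
    recent: Dict[int, Deque[int]] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, proc, op, path = parse_event(line)
        if op not in ("CREATE", "RENAME", "WRITE") or not has_ransom_extension(path):
            continue
        window_events = recent[pid]
        window_events.append(ts)
        # Drop events that have fallen out of the look-back window.
        while window_events and ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append(Alert(pid, proc, len(window_events), window_events[0], ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS.splitlines()):
        print(f"pid {alert.pid} ({alert.process}): {alert.count} files given a ransom "
              f"extension between t={alert.first_ts} and t={alert.last_ts}")
```

On the constructed sample, only the `locker` process trips the threshold; the single `.enc` write by `backup` and the slow trickle from `sync` do not. An extension match is only one indicator: families that keep original extensions need other signals, such as a sudden rise in the entropy of rewritten files or modification of planted canary files.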

TeslaCrypt

Within a year of CryptoLocker, a new threat came into existence: TeslaCrypt. At first, many believed it to be a variant of CryptoLocker, but it was later given its own name, TeslaCrypt. This ransomware targeted a different set of people: hardcore gamers. TeslaCrypt targeted the ancillary files associated with video games: saved games, maps, game-related downloadable content, and so on. What made this ransomware unique was that its creators constantly improved the impact of the Trojan and fixed its weaknesses while the campaign was still ongoing.

CryptoLocker

CryptoLocker was grand-scale ransomware, believed to have first appeared on the internet on September 5, 2013, propagated through email attachments and over the Gameover Zeus botnet. It affected systems running Microsoft Windows, spread through malicious email attachments, and encrypted certain types of files stored on the user's local and network drives using RSA encryption. CryptoLocker was taken down in late May 2014 through Operation Tovar, which took down the Gameover Zeus botnet. It was reported that CryptoLocker successfully extorted more than $3 million from victims.

PC Cyborg

In 1989, a Trojan named PC Cyborg was discovered. It hid folders and then encrypted the names of the files on the C drive. The victim then had to pay $189 to the PC Cyborg Corporation, which was registered at a Panama post office.

Distributed denial-of-service (DDoS) attacks

A DDoS attack is a malicious attempt to disrupt the legitimate traffic of a server by overwhelming it with a flood of random traffic. DDoS differs from DoS in its distributed nature: the target is attacked from several independent networks of compromised systems. These compromised computer systems are called bots, and a botnet is a group of such bots under the control of the same malicious actor.

DDoS attacks have become a frequent hazard, as they are commonly used for revenge, extortion, activism, and even cyberwar. In October 2016, leading ISP Dyn's DNS was bombarded by a wave of DNS queries from millions of bots. The attack was executed by the Mirai botnet, which was composed of over 100,000 IoT devices.
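The distributed nature described above is what makes a DDoS harder to spot than a single-source DoS: no individual bot needs to be loud. The following is an added example, not code from the book: it replays constructed DNS query log lines and reports both sources whose own query rate is excessive and seconds in which the aggregate rate is excessive even though every source stays quiet. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions for this example.

```python
"""Rate-based detection of a DNS query flood.

Added example, not code from the book: it replays constructed DNS query log
lines and reports (a) sources whose own query rate exceeds a per-source
limit, the simple DoS case, and (b) seconds in which the aggregate rate
exceeds a limit although no single source is loud, which is what a
distributed flood from many bots looks like. Log format, addresses
(RFC 5737 documentation ranges) and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

PER_SOURCE_LIMIT = 50    # queries per second from one address (assumed)
AGGREGATE_LIMIT = 200    # queries per second across all addresses (assumed)


def build_sample_log() -> List[str]:
    """Constructed traffic: "<epoch seconds> <source ip> <qname> <qtype>"."""
    lines = []
    # t=1000: background load only, 20 clients with one query each
    for i in range(20):
        lines.append(f"1000 192.0.2.{i + 1} www.example.com A")
    # t=1001: the same background plus one host hammering the resolver
    for i in range(20):
        lines.append(f"1001 192.0.2.{i + 1} www.example.com A")
    lines.extend("1001 203.0.113.7 www.example.com A" for _ in range(80))
    # t=1002: background plus 60 bots sending 5 queries each; every bot
    # stays under the per-source limit, only the total gives it away
    for i in range(20):
        lines.append(f"1002 192.0.2.{i + 1} www.example.com A")
    for bot in range(60):
        lines.extend(f"1002 198.51.100.{bot + 1} api.example.com AAAA" for _ in range(5))
    return lines


def bucket_queries(lines) -> Dict[int, Counter]:
    """Group queries into one-second buckets: {second: Counter(src -> n)}."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, _qname, _qtype = line.split()
        buckets[int(ts)][src] += 1
    return buckets


def detect_flood(lines, per_source_limit=PER_SOURCE_LIMIT, aggregate_limit=AGGREGATE_LIMIT):
    """Return (noisy_sources, distributed_seconds).

    noisy_sources maps an address to its peak per-second query count when it
    exceeded per_source_limit. distributed_seconds lists (second, total,
    distinct_sources) for buckets over aggregate_limit in which no single
    source exceeded the per-source limit.
    """
    noisy_sources: Dict[str, int] = {}
    distributed_seconds: List[Tuple[int, int, int]] = []
    for ts, counts in sorted(bucket_queries(lines).items()):
        total = sum(counts.values())
        loudest = max(counts.values())
        for src, n in counts.items():
            if n > per_source_limit:
                noisy_sources[src] = max(noisy_sources.get(src, 0), n)
        if total > aggregate_limit and loudest <= per_source_limit:
            distributed_seconds.append((ts, total, len(counts)))
    return noisy_sources, distributed_seconds


if __name__ == "__main__":
    noisy, distributed = detect_flood(build_sample_log())
    for src, peak in noisy.items():
        print(f"single-source flood: {src} peaked at {peak} qps")
    for ts, total, sources in distributed:
        print(f"distributed flood at t={ts}: {total} qps from {sources} sources")
```

On the constructed traffic, the second at t=1001 is caught by the per-source rule alone, while t=1002 is only caught by the aggregate rule: 80 distinct sources, none above the limit, together exceed the baseline. A per-IP rate limiter would block the first case and miss the second, which is why upstream scrubbing and anycast capacity, rather than per-client limits, are the usual answer to botnet floods.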

From script kiddies to geopolitics

There are numerous theories about the attack launched on October 26, 2016 on Dyn's DNS infrastructure. One of the most sensitive and highest-impact DDoS attacks ever noted was this attack against Dyn, a US-based DNS service provider, which caused several major websites, including Twitter, Reddit, GitHub, Amazon, Netflix, PayPal, and many more, to become inaccessible to a large part of the country. There are numerous theories and claims as to who could be behind it. Security researchers pointed the finger of blame at script kiddies; however, the hacker group Jester claimed that the Russian government was behind the attacks. Jester also defaced the Russian foreign ministry's website in response to the Democratic National Committee (DNC) hack.

It didn't stop there; there have been other high-profile damages recently as well. The political crisis in Qatar led to a DDoS attack on Al Jazeera's website, and France's presidential election was disrupted by attacks on the Le Figaro and Le Monde websites.

Ease of launching a DDoS attack

DDoS attacks can be launched for as little as $10 an hour, $200, or $600-$1200 for an entire week. Several attackers on the dark web offer DDoS-for-hire services that make launching a DDoS attack easy.

Someone looking to bombard their target with a burst of heavy traffic is charged for every second of botnet use rather than an hourly fee.

Top targeted countries

Attackers can compromise computers and turn them into bots. These bots are used to conduct reconnaissance, crawl web pages, and even launch DDoS attacks. It is important to understand that countries with a larger number of compromised systems should be aware of their global risk index. The following is a diagram of the global DDoS threat landscape in Q2 2017 by a leading DDoS protection provider called Incapsula:

33% of businesses around the world were affected by DDoS attacks in 2017 alone, double the proportion affected in 2016.

Insider threats

Any form of threat can originate from inside an organization, and it is not limited to employees with malicious intent; it can also come from contractors, former employees, board members, stockholders, or third-party entities.

Some more ways to define insider threats

CERT's Common Sense Guide to Mitigating Insider Threats defines an insider as a current or former employee, contractor, or business partner who meets the following criteria:

  • Has or had authorized access to an organization's network, system, or data
  • Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems

Insider threat profile

Before this can be described, it is important to understand the need for it. This need was identified by the US Department of Defense (DoD) in 2000, which is also when research by the CERT division was initiated. For an insight into the insider threat profile and its corresponding behavior, see https://ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf.

A malicious threat that comes from within an organization, such as from employees, former employees, partners, or associates, does not need to come from outside to affect the organization's systems. This kind of attack is more menacing than other malware because it comes from people who have access to the main systems and the knowledge to bypass security in a seemingly legitimate manner. Insider threats exist everywhere. If someone says that they are not prone to an insider threat, they may not actually know what one is and how damaging it can be for an organization. A so-called insider may try to access confidential files for personal gain, which can be anything from selling information to competitors to stealing it for their own use. The attrition rate in any organization is considerable: people leave and join companies every year or two. This serves as a motivation for employees to keep certain information to themselves, as they think they have the right to hold on to it simply because they worked on it for a considerable amount of time. Not even the US government is free from insider threats. A report published in 2012 stated that most insider threats actually take place during an employee's working hours. Although technology has made it easier to identify where a breach or attack started, in many cases there was no evidence and the culprits were never identified.

Data breaches

In 2017, a study by the Ponemon Institute called the Cost of Cyber Crime Study showed that the average cost of a data breach is currently $3.62 million globally, which is actually a 10% decline from 2016.

Data breaches may involve the leaking of sensitive corporate documents, technical blueprints, intellectual property, trade secrets, or even emails. Breaches have always been massive in number and have an even bigger impact on businesses. Sophisticated attackers are capable of weaponizing malware highly tailored to the target, and they are also managing to deliver it silently.

As per Mandiant's M-Trends 2017 report, most victim organizations were notified about the breach by people other than their own staff: more than 53% of breaches were discovered by an external source. Organizations should have a proactive breach management plan to detect a breach before being notified by an outsider. The earlier it is detected, the more money the organization saves. The Ponemon Institute also suggested that organizations should aim to identify a breach within 100 days. The average cost of detecting a breach within this time is $5.99 million, but for those who don't have the tools to detect it in time, the average cost rose to $8.70 million. There are several ways data breaches happen; the following are some of the most common:

  • Malicious attacks: Adversaries can launch malware or malware-less attacks, leveraging application vulnerabilities to exfiltrate sensitive information.
  • Weak security systems: Attackers have become more advanced and persistent. They can use stolen credentials to look like legitimate users on the network and so bypass existing security systems such as firewalls, intrusion prevention systems (IPS), and endpoint security.
  • Human error: As per the Verizon Data Breach Investigations Report 2017, 88% of data breaches involve human error. Human error is something that all organizations have to deal with.

Notable recent data breaches

Some of the most notable recent data breaches are as follows:

  • Equifax in September 2017: Equifax, one of the three largest credit agencies in the US, suffered a breach that affected 143 million consumers. An unknown threat group compromised Equifax's online services by exploiting the Apache Struts vulnerability CVE-2017-5638. Due to the sensitivity of the stolen data, including Social Security Numbers (SSNs) and driver's license numbers, this was one of the worst breaches of all time.
  • Verizon in July 2017: Around 14 million Verizon subscribers may have been affected by the data breach. The compromised server was managed by the Israel-based NICE Systems.
  • Edmodo on May 31, 2017: More than 78 million users had their information stolen from the education platform Edmodo. This became public when a hacker known as nclay was found selling 77 million Edmodo accounts on the dark web for $1,000.
  • Verifone on March 7, 2017: Verifone, the leading maker of point-of-sale (POS) credit card terminals used in the US, discovered a massive data breach of its internal network. Sources indicate that there is evidence that a Russian hacking group was involved in the breach.
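The Struts flaw behind the Equifax breach, CVE-2017-5638, was reached through a crafted Content-Type header, which makes it a good illustration of how a boundary control can refuse a whole class of requests without knowing the specific payload. The following is an added example, not code from the book or from the Struts project: it validates Content-Type values against the RFC 7231 media-type grammar and separately rejects values carrying expression-language openers, then runs that check over a constructed request log. The log format, request paths and the placeholder payload strings are constructed for this example.

```python
"""Strict Content-Type validation as a defence against header-borne injection.

Added example, not code from the book: CVE-2017-5638 (the Apache Struts flaw
cited for the Equifax breach) was triggered through a crafted Content-Type
header, so a reverse proxy or WAF that only admits values matching the
RFC 7231 media-type grammar, and refuses values carrying expression markers,
blocks that class of request before it reaches the application. The log
format, request paths and placeholder payload strings are constructed.
"""
import re
from typing import List, Tuple

# RFC 7230 token and quoted-string grammar (obs-fold omitted).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QDTEXT = r"[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]"
QUOTED_PAIR = r"\\[\t \x21-\x7e\x80-\xff]"
QUOTED_STRING = rf'"(?:{QDTEXT}|{QUOTED_PAIR})*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
CONTENT_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{PARAMETER})*[ \t]*$")

# Expression-language openers that never belong in a media type. They are
# checked separately because a quoted parameter value is grammatically free
# to contain them, so the grammar check alone would let them through.
EXPRESSION_MARKERS = ("%{", "${")

# Constructed request log: "<ts> <src> <method> <path> Content-Type: <value>"
SAMPLE_REQUESTS = [
    "1000 192.0.2.10 POST /upload Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "1001 192.0.2.11 POST /api/v1/items Content-Type: application/json",
    '1002 192.0.2.12 POST /comment Content-Type: text/plain; charset="utf-8"',
    "1003 203.0.113.9 POST /upload Content-Type: %{OGNL_EXPRESSION_PLACEHOLDER}.multipart/form-data",
    '1004 203.0.113.9 POST /upload Content-Type: multipart/form-data; boundary="${EXPRESSION_PLACEHOLDER}"',
    "1005 192.0.2.13 POST /upload Content-Type: multipart/form-data; boundary=a b",
]


def classify_content_type(value: str) -> str:
    """Return "expression", "malformed" or "ok" for one header value."""
    if any(marker in value for marker in EXPRESSION_MARKERS):
        return "expression"
    if not CONTENT_TYPE_RE.match(value):
        return "malformed"
    return "ok"


def scan_requests(lines) -> List[Tuple[str, str, str]]:
    """Return (source, verdict, header value) for each logged request."""
    results = []
    for line in lines:
        prefix, _, header_value = line.partition("Content-Type: ")
        src = prefix.split()[1]
        results.append((src, classify_content_type(header_value), header_value))
    return results


if __name__ == "__main__":
    for src, verdict, value in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:10s} {src:15s} {value}")
```

The two rules are deliberately separate: the fourth sample fails the grammar outright, but the fifth is a well-formed quoted boundary and would pass a purely syntactic check, which is why the marker rule runs first. Rejecting at the proxy does not replace patching Struts; it buys time and produces a log entry per attempt that the breach timeline discussed above shows most organizations never had.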

Impact of data breaches

The consequences for businesses that lose their customers' or partners' information, or any other confidential data, are severe and growing. The Ponemon Institute, an independent security research company, surveyed data breach victim organizations to find out the impact of data breaches:

  • Financial loss: Around 113 listed companies that experienced a data breach had their stock price drop an average of 5%, which resulted in a loss of their customer base
  • Brand reputation loss: 61% of CMOs believe that the biggest cost of a data breach is the loss of a brand's value
  • Customer trust loss: Consumers trust financial institutes, healthcare providers, and even government departments, to preserve their personal information and privacy

To get an insight into each impact, take a look at the following Ponemon Institute report from 2017: https://www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf.

Advanced persistent threat (APT)

An APT uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term:

  • Advanced: It is an advanced attack because it is made up of a broad spectrum of infection vectors and malware technologies that are available to the attacker, which are blended together to result in the successful compromise of a system.
  • Persistent: It is persistent because the threat of being compromised is always there.
  • Threat: This is not a typical, run-of-the-mill system compromise. This attack poses a real threat to the target, not only because it is backed by highly organized, well-funded, and motivated criminal elements, but also because if the attack is successful, it can have dire consequences for the target way beyond a normal system cleanup.

With technological advancements, new ways have arisen to stalk corporate entities and businesses, in the form of APTs. An APT can be described as an attack on an organization's network that allows unauthorized people to remain in the network for a long period of time without being detected.

What makes APTs so different?

APTs differ from regular cybercriminal activity in the selection of the target, the goal, and the human factors involved:

  • Targets: They are chosen based on financial, political, geopolitical, surveillance, and security intelligence interests to gain high-value information
  • Goal: The goal of an APT is not to simply get in and get out, but to gain prolonged access to the network's resources and keep themselves undetected by security administrators
  • Human factors: This is a critical element for the entire APT operation, since the operation can occur through spear phishing or even insider threats

For more information on data exfiltration, follow the link at http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/how_do_threat_actors_steal_your_data.pdf.