Cybercriminals are constantly creating new attacks to fit new trends, while tweaking existing attacks to avoid detection. They must do this to stay current as experts constantly work to thwart them, and as technologies and the way they are used change. Malware is a continuous threat and large organizations routinely deal with thousands of attacks, using anti-virus software to protect their IT assets.
However, with the rise of social networks, phishing attacks, the practice of tricking a user into willingly providing account logins or other sensitive information, have become more prevalent and protection can no longer be automated. There need be no malware involved, the user is just tricked into providing login details giving criminal free access or into approving payment of, for example, fictional invoices.
This leads to the rise of ransomware. While ransomware has been around for decades, encryption and evasion techniques have become increasingly refined, sometimes at the hand of state actors. For criminals, a lucrative market opened, making it worth the effort to execute a complicated scam. More recently, with the rising price of crypto currency, cryptojacking has become a viable target - Harvesting the processing power of user's equipment to unknowingly generate value for the criminal.
The potential impacts on an organization have become more dire. The emergence of strong data protection and privacy laws magnify the threat, and certainly it is no longer "just an IT issue.” The latest wave is the establishment of a global criminal industry with an estimated total of nearly a half-trillion dollars annually. These criminals operate in gangs, use well-established methods and target anything and everyone with a presence on the web. What we see is a transition from an IT centric, automated way of preventing cybercrime, to broader methods that rely on user education backed by the right tools.
In 2012 there was STUXNET, a "surgical strike," made possible by malware that took advantage of zero-day vulnerabilities in Microsoft operating systems and Siemens control software. The probable target was widely suspected to be uranium enrichment infrastructure in the Iranian nuclear program causing centrifuges to be destroyed as they ran out of control. This was the first likely large scale cyber attack by one nation state on another, and as we will see a portent of things to come.
In recent times, as ways of working change, these criminal elements adapt to the new opportunities. COVID-19 has increased the threat landscape. Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams, fake vaccines, fake certificates and confusion amplified by the spread of fake news. It is an ideal environment for cybercriminals seeking to sell items they claim will prevent or cure COVID-19. The healthcare industry, although never immune, becomes now a juicier target especially for ransomware. With this, the move to remote working puts stress on the organization's defenses because often they were not designed for this environment where, for example, staff can so easily share social and business activities without sufficient separation. It becomes harder for IT to "lock-down" personal equipment in insecure locations.
So no longer can organizations rely heavily on IT and automated methods. Now there are social aspects to consider and education and training of staff becomes the first line of defense. In writing that sentence, one realizes how much more vulnerable we have become, although, fortunately today's generation, brought up on social media, are much more aware of the risks of over-sharing and much more sensitive to phishing attempts.
The recent attack discovered in December 2020 is another milestone. A "back-door", software allowing unrestricted access, introduced into the SolarWinds software device security component is thought to have compromised 18 thousand computers across US Government and private companies. It took months to identify an attack had taken place. It was eventually discovered by an external party through incident management, following investigation of a single aberrant event. A device authenticated on the network that was not registered. How? Because the SolarWinds software had been compromised.
Imagine the Aha! moment when someone realized that the third party software (SolarWinds) that they use was compromised and the realization that it was likely that ALL users of that software was compromised. This was no a small scale opportunistic attack, it was a carefully planned one probably executed by a patient adversary with unlimited resources. Microsoft, also a victim, estimated that it took perhaps 1000 programmers to engineer the sophisticated back-door that was in every recent SolarWinds release.
It is easy here to blame the victims, why did they not prevent the attack? But software development is a complex undertaking and with sufficient resources applied, it is likely that ANY software can be compromised. This was a spying expedition not a money grabbing one so its true extent and effects are still unknown.
This suggests that instead of just trying to prevent attacks there should now also be the presumption that data may already be compromised. Moreover as stronger data privacy laws are emerging companies must assume they are but one data breach away from legal jeopardy. Realizing that attacks cannot be prevented is perhaps a major turning point in the history of cybercrime. It becomes a question of social values, international conventions (norms of acceptable behavior) and geo-diplomacy. If that doesn't frighten you, it should! We have evolved from "fortress IT" to relying on the good behavior of groups, "norms" in a world where, for instance, competition for natural resources is increasing and why would any "holds" be barred? It seems like the war is over and the bad guys have won, all that is left is to negotiate the terms of surrender. We must continue using our anti-virus software and other traditional IT defenses, but they do seem puny in face of today's threats.
So whilst there is no single easy solution to preventing cybercrime, we still contend that incident management is critical as the SolarWinds example clearly demonstrated. Investigation of a simple incident uncovered a horror story the likes of which has not been known before. So it is essential to make it easy for ALL staff to report potential sinister activity or data breaches in a consistent way. Recognize that physical security can also have a data content where, for instance, the theft of an asset may contain vital sensitive information too. Give the organization the opportunity to identify threats early, prepare its defenses and assess its risks before they become too great to manage. This must be supported by suitable education and training. Also the decisions are not just IT ones. In the example above it was the CEO of the company that investigated the event who raised the alarm, not just in their organization, but across the industries affected. Cyber threats potentially involve any and every function in the organization. So again collaboration is paramount and urgency and risk can be assessed by the right experts in a way that is best for the organization and as illustrated in this example, for the community as a whole.