[BreachExchange] The evolving threat landscape: nation state, third party attacks and cyber vandalism

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 17 10:55:10 EST 2018


Connected devices and flexible working practices may be beneficial to
employees, but they have caused the boundaries of organisations to ebb and
flow more than ever before. This, combined with increasingly complex
partner ecosystems, means the days are over where a firewall alone was
sufficient protection to halt those with malicious intent.

In the modern business landscape, the use of third party suppliers is
prolific. In fact, a recent survey from Thomson Reuters entitled ‘Third
Party Risk: Exposing the Gaps’ found that 70 per cent of organisations have
become more flexible and competitive because of third party relationships.
With this in mind, plus the fact other businesses now have responsibility
for your privacy, it’s no longer enough for businesses to understand just
their own security set up. Every organisation within a company’s supply
chain needs to be equally aware of, and shored up against, the risks posed
by the evolving threat landscape.

Getting to know your third parties

With regulations such as General Data Protection Regulation (GDPR), Open
Banking and the Second Payment Services Directive (PSD2) on the horizon,
it’s critical for organisations to know and understand their entire
ecosystem. By undertaking overarching audits on a regular basis and turning
this into a mandated process, businesses can do just that. It also presents
them with an opportunity to foster good threat intelligence sharing regimes
and protect the whole supply chain from attackers.

This kind of attack is illustrated by incidents in recent years involving
banks. For example, thieves managed to steal $250,000 from Bangladesh’s
Sonali Bank in 2013, along with more than $12 million from Ecuador’s Banco
del Austro in 2015, using the banks’ access to the SWIFT network to send
fraudulent messages and transfer money. It was also reported by Vietnam’s
Tien Phong Bank in May 2017 that it foiled a similar attempt by attackers
to steal money from the bank.

For businesses in this situation, ensuring there isn’t a weak link in the
chain can be the difference between being hit with an attack or crippling
fine, or not. At a time when cyberattacks are big news and hitting the
headlines on almost a daily basis, working closely with third parties in
the supply chain on cyber strategy is the best way to ensure business
survival and avoid failure.

The psychology of a hacker

While attacks on third parties aren’t new, they are becoming more prolific.
This evolution in the threat landscape is also being identified elsewhere
in the industry, with one key example being the significant rise in cyber
vandalism which has become apparent in recent years. On the plus side,
however, there is now much more data available to businesses allowing them
to identify changes in attackers’ approaches and protect themselves before
they become an issue.

Using cyber vandalism as an example, it’s often difficult to see what
reward comes from this form of attack. The attackers may be students looking
to show off their cyber talents, researchers inventing new methods of
infecting a system, or even developers who are creating more professional
and serious viruses – this is often true of the state-sponsored attacks
too. Despite this, whoever the attacker, it’s quite safe to say that it’s
very rare to be able to identify a motive for cybercrime like this.

The WannaCry malware, specifically the usage of the Destova wiper
component, also raises some interesting points when it comes to the
psychology and the tasking of nation state hackers. Released in early 2017,
the malware had one of the largest attack vectors to date, with upwards of
400,000 computers infected across 150 countries. Wiper software is a
bizarre addition to the WannaCry mix, given the ransomware itself is already
encrypting files in the hope that the organisation will pay up. Not only
that, but it’s the same wiper software used by Lazarus. So does this
indicate a close connection with the group, or is it a deliberate and
obvious addition to point towards Lazarus as the perpetrators? Perhaps it
is the lack of direction from a nation state (meaning hackers simply use
whatever tools are at their disposal), but it’s more than possible this
ambiguity is deliberate. Despite this, however, the recent confirmation from
the US and UK governments that it is “highly likely” WannaCry was caused by
Lazarus is just one example of how governments are becoming more cautious
about getting attribution in cybercrime right – it is now just as important
to get attribution of financially motivated capabilities right as it would
be for espionage.

Looking at the Petya attack as another example, the motives of the
attackers behind it are still a mystery. It was unleashed in networks just two
months after the WannaCry breach in July 2017, and the United Nations’ top
cybercrime official claimed that, while the attack was incredibly advanced
and sophisticated, their strategy suggested money was not the motive. This
makes attribution very difficult, as without a clear motive behind an
attack – in this case, the use of highly unsophisticated attack vectors
could challenge the nation state attribution assertion – it’s almost
impossible to identify a pattern in behaviour and prevent future attacks.

Taking immediate action

Enterprises at all stages of the supply chain are under a constant barrage
of cyberattacks. With the threat landscape evolving in these various ways
and attacks becoming ever-more sophisticated, having time to stop and think
about the actor behind the malicious intent may seem like a luxury.
However, businesses need to start looking at cyberattacks from the
adversary’s perspective to understand what is most attractive to an
attacker. Is it more lucrative for them to attack the smaller businesses in
the chain in a bid to reach the larger organisations, or will they go
straight for the jugular and the top of the chain?

Without this understanding, problems will persist and organisations will
fall further behind new developments as the threat landscape continues to
evolve. Corporations need to act now if they are to ensure their
cybersecurity strategies are keeping up with the attackers. Only then can
they prevent the next newspaper headline from featuring their name – or the
name of one of the organisations within their networks.