[BreachExchange] Cyber threats: 2018 and beyond

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 25 19:00:51 EST 2018


What do consumer credit reporting agency Equifax and ride-hailing company
Uber have in common?

One would imagine that as large enterprises, they would check the boxes for
good cyber-security practices: a healthy security budget, deployment of
leading-edge cyber security technologies, and round-the-clock monitoring by
well-trained cyber professionals.

Yet they were revealed last year to have been successfully hacked.

Equifax was the victim of one of the biggest data breaches in history with
about 145 million consumers' data compromised, including credit card
numbers. Uber revealed it was breached in 2016, losing about 57 million
users' and drivers' information worldwide. To make things worse, it paid
the hacker US$100,000 to delete the stolen data, and to keep the hack quiet.

Last year was a watershed year with an unprecedented number of cyber hacks,
leaks and data breaches. We believe 2018 will be worse, as attackers become
increasingly creative with attack methods and increasingly destructive
payloads that better target system vulnerabilities. Why is this so?


First, the threat landscape will continue to be asymmetrical. Threat actors
have an edge over enterprises that are hard-pressed to staff up internal
cyber security teams.

State-sponsored actors and, increasingly, organised crime groups are well
funded, organised and resourced. They can afford to take their time to do
research on their target, create the right malware and tailor their attacks
to their targets. Even if they were to fail the first time, they can
persist to try again and again at very little marginal cost.

These entities are aided by the breathtaking rate of technological
advancement, but attackers have also begun to acquire an increasingly deep
understanding of human nature. This has manifested itself in more nuanced
attacks that make use of social engineering and behavioural insights.

What we have seen in recent years is the continued evolution of (and
preference for) very complex and precise spear phishing campaigns, unlike
spam or phishing e-mails, which are mass attacks. A spear phishing campaign
targets specific individuals, organisations or businesses to collect
sensitive information. It may take the form of a professional-sounding,
personalised e-mail that uses personal data collected from public posts on
social media sites and blogs to lower the target's guard and entice them to
click on suspicious links or open documents that may be malware-laden.

Another form of personalised attack is the watering-hole attack, which
takes place when hackers ambush their targets at the websites they
frequently visit. The hackers would inject a zero-day exploit - a malicious
code that takes advantage of vulnerabilities that software developers and
cyber security professionals are unaware of, giving them no time, or "zero
days", to prepare - on that website and lie in wait for their target.

When the target appears on the site, the exploit redirects the target to a
different site where the malware is present and infects the organisation's
network. Once that is accomplished, the cyber criminal has access to the
organisation's network and is able to exfiltrate critical data, such as
passwords and permissions, or pivot to attack other devices in the network.

The plain fact is that the adversaries sometimes understand us better than
we do. They are in some ways more motivated to do harm than organisations
are to protect their systems, in part because the rewards for breaching
organisations can be greater than the gains from strengthening security.

Second, an extensive shadow industry is being created around hacking and
data that will make it both easier and more lucrative to engage in such
dark trades.

Hacking has created a shadow economy where data is bought and sold on the
dark Web to organised cyber criminal syndicates. Data is the new oil. It is
what threat actors are after, and what needs the most protection.

This has birthed a booming shadow economy. On top of personal data,
exploits and zero-days are also available for sale. Large botnets are
available for rent, and so are services such as ransomware-as-a-service and
DDoS-as-a-service. DDoS attacks flood a target system with more traffic
than it can handle, bringing it down.

There is a market for exploits (attacks on computer systems made through a
particular vulnerability of the system) and for trading them. A growing
number of actors are trading such exploits, which drives up supply.

An iOS zero-day - an attack mechanism targeting previously unknown
vulnerabilities in Apple mobile operating systems - can cost as much as
US$1.5 million (S$2 million). It is no wonder that technically gifted
programmers see the attraction of providing such services.

In 2018, we will see an increasing number of extortionist attacks around
the world targeting critical infrastructure. Transportation, energy and
medical institutions are choice targets as a service outage can cause
severe public backlash and, therefore, increases the possibility of a

In recent months, the healthcare industry has been the victim of more
attacks. This is because of the value of healthcare data, such as medical
histories, which can be used for many kinds of cyber fraud.

Cyber attacks will cost US hospitals more than US$305 billion over five
years and one in 13 patients will have their data compromised by a hack,
according to industry consultancy Accenture in a 2015 report.

A 2016 study by Brookings showed that, since late 2009, the medical
information of more than 155 million Americans has been exposed without
their permission through about 1,500 breaches.

Healthcare institutions are vulnerable partly because government
regulations forced healthcare operators to adopt electronic health records
and other advances even if they weren't ready to adequately invest in

Would-be smart nations should take care that mass adoption of digital
solutions does not create a security nightmare, giving hackers an endless
attack surface to target.


So how should organisations respond? For swift detection and mitigation of
threats, round-the-clock monitoring of networks, applications and devices,
through an in-house security operations centre or an outsourced service, is
critical. The next generation of security operations centres also needs to
incorporate big data analytics and deep machine learning capabilities to
keep on top of the massive amount of data generated.

Organisations need to be more aggressive in vulnerability assessment and
penetration testing by conducting them more frequently. They might even
consider providing incentives to white hat hackers through bug bounty
programmes (which pay these hackers for discovering flaws).

At the operational level, the overall incident response framework must be
routinely audited and strengthened. The incident response team must be
drilled through specific skills training, table top scenarios, and
full-fledged red team-blue team exercises (blue team being the defenders;
red team the simulated attackers), where they are pitted against a group of
white hat hackers trying to break through their security. External
assistance should be sought if there is a lack of internal skillsets or

Singapore organisations especially need to take the threat of cyber attacks
more seriously. A survey conducted by managed security services provider
Quann and research firm IDC in June last year covered 150 senior IT
professionals from medium to large companies based in Singapore, Hong Kong
and Malaysia.

The results showed that 40 per cent of the respondents do not have incident
response plans for when they are being attacked and 67 per cent do not
practise their incident response plans.

Cyber security requires a comprehensive approach that goes beyond the chief
information security officer or head of information technology. The
executive leadership must not see cyber security as a cost centre and an IT
issue, but as an integral part of corporate risk management.

Senior management and the board must understand the threat landscape and
data protection strategies.

Beyond the board and management, every employee matters. A Cyber Security
Agency of Singapore 2017 survey showed that Singaporeans display risky
behaviour that jeopardises their own and their company's cyber security. It
does not matter how advanced the corporate anti-virus is if employees
indiscriminately download free but potentially malware-laden software from
dubious sources. Every careless employee is an open door for hackers to

With the number and complexity of attacks rising, enterprises need to stay
on top of their cyber security preparedness.

Effective cyber security is not about keeping up with the cyber security
products arms race. Instead, it is about ensuring that seemingly mundane
tasks, such as keeping patches up-to-date, ensuring that security hardware
is maintained and managed well, and ensuring compliance with user policies
and procedures, are performed well by human beings.

Even with the best technology, the human factor plays a critical role in
ensuring enterprises stay cyber secure. Firewalls must be kept up-to-date
but the most important firewall is still the human one.