In part two of his 5 Cyber-predictions for 2018, Sysnet’s Juliusz Idzik continues in examining cyber threats that could impact organisations in a major way in 2018. If you missed the first part of this article or want a recap, then you can read it by clicking here.
4. Phishing methods and techniques
Phishing and broadly speaking social engineering has a history of successful compromise, this is due to that nearly every security mechanism involves a human factor. This human aspect can be unpredictable and can never be “hardened” enough to sustain sophisticated attack attempts. Despite ongoing education and user awareness, phishing and social engineering will continue to grow in 2018, especially since more business operations and sensitive data are being moved to the cloud.
A successful phishing email such as a password recovery sent to a user’s email address is usually the easiest way to gain unauthorised access to an organisation’s resources. Many studies were published in 2017 that illustrated the danger of phishing emails, yet most organisations still continue to use email addresses as the main and common denominator on which access management to sensitive data is based. Once an attacker is able to obtain partial access to mailbox there are almost no obstacles in unlocking the entry to private and restricted resources.
At Sysnet Cyber Risk we have examined the most widely used techniques in recent months by threat actors, for example; phishing kits, keyloggers and credential leaks and we believe that social engineering will continue to flourish in 2018 and beyond. One of the most worrying aspects of phishing is the rise of projects like “Lets Encrypt” which on one hand enables automated and free creation of SSL certificates to secure traffic over public networks for small and medium sized organisations (SME). On the other hand it offers easy, fast and free tools to hide the true identity of adversary actors that can imitate a target’s trusted sources, contacts or business links. Since SSL certificates were invented to provide identity confirmation and offer confidentiality by encrypting web traffic, it is hard to distinguish between legitimate and spoofed sources of communication. Almost all browser vendors are forced to trust “Lets Encrypt” as a public Certificate Authority (which is backed among others by Google Inc.), in order not to cut down millions of authentic and valid SMEs that use the service of unrestricted SSL/TLS encryption.
The most disturbing aspect of social engineering apart from phishing kits is the re-use of login credentials exposed in third-party breaches. The re-use of the same password between different systems, identity providers, or even within the same access management modules presents very easy and an effortless way of getting access to protected structures. Large scale data breaches that were admitted publicly in recent years have for example provided an important source of information for malicious actors and can sometimes “open the door” without a single active action from their side. Sites like breachalarm.com, leakbase.pw can provide enough information to compromised individual email accounts from the most popular identity providers. The most efficient way to limit this exposure to phishing and the re-use of previous passwords is to employ “strong” multifactor authentication that consists of more than one factor from three base ones (knowledge, inheritance, possession), supplemented by secondary attributes: context, patterns, etc.
5. Threat outlook: organised crime used by Advanced persistent threat (APT) actors
Rising political tension globally has a direct connection to the scale and complexity of cyber warfare’s operations launched by leading world powers. There is also a very close relationship between leading state actors and organised crime. At Sysnet Cyber Risk we continuously monitor blackhat markets as well as the underground web and we can observe spikes of activity in most mediums, trade marketplaces, and private forums. Sysnet Cyber Risk believes that 2018 will almost certainly bring new tools, inventions and even wider usage by crime organisations to launch and conduct long-term, sophisticated campaigns described as Advanced Persistent Threats (APT). Organised crime flourishes in the global ecosystem and one of the most important technological factors contributing to their success is the presence of the dark web. There is evidence of a large number of online exchange markets that offer illegal products and services which fall outside of national police force or court jurisdictions.
Political and business affiliations that facilitate the efficiency of organised crime have been a significant contributing factor to the establishment of criminal organisations. For example, the rise of Crime-as-a-Service contributed significantly to unauthorised access to sensitive financial information but also enabled sharing of sophisticated tools & methods that are offered to “newbies”. A kind of next evolution of script-kiddies, where beginners without technical knowledge have access to advanced techniques which were reserved previously only to state-sponsored agents. On the other hand, we have witnessed technically advanced attacks, for example performed by the Carbanak Gang or FIN campaigns, that can be classified as “advanced cybercrime”. An important factor and one of the remedies is a clear association of typical organised crime with recent trends in cybercrime. With time and detailed analysis, it is feasible to find linkage between results of cyber-campaigns and victims with their long-establish adversaries.
The private sector however cannot be expected to face advanced and sophisticated attackers on their own and we have seen recently the shift towards global cyber programmes. For example; the reauthorisation of Section 702, a powerful NSA surveillance programme (FISA Amendments Reauthorisation Act of 2017), or the recent announcement from NATO alliance to start the “cyber warfare principles” as to actively confront the actions of state-sponsored hackers from hostile countries.
Lastly, there has been a surge in the price of bitcoin currency which is the main denominator of all ransomware attacks and in which the ransom is requested to be paid. Considering that general awareness around Windows based ransomware attacks and their effective countermeasures have been enhanced in 2017, there are solid grounds to believe that in the coming months criminals will move their extortion attempts towards mobile devices and especially Android based handsets. According to Gartner, more than 80% of smartphones worldwide are powered by Google’s mobile operating system and most of them do not run the most up-to-date version of the OS. Apple users tend to update their devices with the most frequent patches and upgrade to latest version of software. It must be assumed therefore that Android users will be the prime target for criminals in 2018. This is evident of the increasing number of “Android Ransomware Kits” that are available on the dark web and the increasing unit price which on average is 20 times higher than equivalent for a Windows machine, according to Carbon Black researches.
Summary: Increase your cyber maturity
At Sysnet Cyber Risk, we believe that the best defence is the constant improvement of your security and maturing your overall cyber-posture. Following best industry practises and tailoring them to specific conditions of each organisation can limit the risk of data breach, by deterring threat actors and stopping their offensive operations as early as possible. We can review your solutions and make recommendations to limit the risk and overall cyber-exposure to an acceptable level. No system or mechanism is 100% secure, but choosing your security vendor carefully can make it too difficult for attackers and as a result encourage them to look for lower hanging fruit.
The presence of the dark web, increasing political tension around the world and existence of un-regulated digital currencies gives valid reasons to believe that organised criminal activities will continue to grow next year. We will most certainly see new and more widespread forms of ransomware attacks than in 2017. Criminals will most probably find more innovative ways to demand payments from businesses and the general users. Possibly in the form of encrypting mobile devices, threatening to release stolen personal data, or disabling online services via DDoS attacks originated from IoT (Internet of things) botnets.
The main principles of securing your IT environments, like timely patching, reviewing of user privileges or threat management, changes very rarely, doing so is our best recommendation for 2018. As always, the devil is in the detail, and the newest technology trends combined with specialised expertise and long-term experience can save a lot of effort and financial resources in the long run.
Regardless of the Information Security developments or investment projects, some form of data breach must be assumed by every organisation. Sysnet Cyber Risk believes in the old saying “By failing to prepare, you are preparing to fail ”. It is therefore better to be prepared for the unexpected rather than expect nothing to happen.