The next threat is going to hurt
It is that time for yearly threat landscape overviews in the cybercrime world. Vendors, law enforcement and others share a bleak view on what’s going on out there. Europol mentions “Ransomware is eclipsing other cybercrime as the biggest threat” in September 2017. The FBI has some modest stats surrounding ransomware but still mentions ransomware as the second biggest “hot topic”.
It is true that ransomware hit the mainstream over the last year. Geopolitical tensions, and the attacks and hacktivism that accompany them, are just as relevant. In 2017 we have seen the “weaponization” of ransomware, with the goal (whether intended or not) being destruction rather than making money.
When I hold presentations on the threat landscape, I often show an “impact” slide. On it we can see the evolution of threats: whereas 10 years ago small amounts of our money would be stolen infrequently, today we are likely to be hit with fraud and ransomware, our companies with espionage, fraud and extortion, and geopolitical tensions affect our companies and even our democratic values. It is truly a different era, and threat modelling has become exponentially more difficult.
The next big thing
People always ask me: what will be the next big thing?
Diana Selck, our resident criminologist, sees two angles to this question. From the victim’s perspective, IoT will likely play a great role in cybercrime in the very near future, especially as we become more and more accessible. We produce health data, such as pulse curves and sleeping routines. We register our personally identifiable information (PII) with platforms and web applications, as well as with the devices surrounding us, opening “digital doors” to our homes through SmartHomes, SmartTVs and SmartToys. Cybercrime will become more personal and thus affect the average user as much as (if not more than) cyber-attacks against businesses, via espionage, financial gain and data loss. These types of attacks will not go away, and the new attacks will become an extra opportunity to harm us both personally and professionally. For example, misusing IoT devices to remotely record images, audio and video could be leveraged for extortion and for misinformation.
Another point to consider is the criminological theories on why some people turn to crime and others don’t. The most fitting ones are social theories: routine activity theory focuses on opportunity and motivation as well as the absence of sanctions. Rüdiger’s “broken web” theory originated from the broken window theory. In a nutshell, the broken window theory describes the likelihood or sustainability of crime when a physical area shows signs of disorder, such as a broken window. The same applies to cyberspace: the absence of sanctions, motivated offenders and a profitable outcome are incentives for cyber criminals.
When considering the “what’s next” approach, it is interesting that the resulting threat might become physical. Tools for infecting systems with malware, which has become increasingly easy, are readily available online. The risk that ransomware attacks will be executed by an individual rather than an organised group increases as well. The question is, do they have the criminal mindset and willingness to commit a crime? Or will they only threaten their victims: to drive internet-connected cars into a wall, to close all windows automatically and turn on the gas, or to record and track your movements in your private sphere?
With criminology theory in mind, let’s do some tea leaf reading and extrapolate from what we see. Bear in mind that, historically, extrapolation has seldom worked well, so we are aggregating some other trends as well.
Trend 1: ransomware converges with extortion
Ransomware, strange as it might sound, doesn’t scale particularly well. Specifically, an individual might pay 0.1 BTC to recover his photos, but a company will not pay 100 BTC to recover 1000 endpoints. Corporations require a different approach, which criminals handle in a more bespoke manner, just as organised fraudsters evolved from retail banks to corporate banks, and then to targeting enterprise bookkeepers and CFOs. In our Cyber Defense Centers we have seen hackers compromising CRM systems and changing invoice templates to include their mule bank accounts. The same will happen with ransomware too.
In healthcare, particularly in the US, where there are big budgets involved, criminals steal patient files and threaten to publish them. This extortion variant is much more compatible with enterprises: with some bespoke effort, criminals can have a big impact.
Ransomware, of course, is just one type of extortion. In recent months, ransomware has evolved to play on the psyche of the victim, putting more pressure on them to pay. It will evolve into bespoke extortion campaigns which involve hacking.
Trend 2: IoT attack surfaces
You can’t throw a rock into a security conference without hitting an IoT presentation. For good reason: one can imagine unprecedented threats as stories surface about pacemaker firmware updates, car hacking and so on. This week researchers found vulnerabilities in WPA2, which protects pretty much all home wifi networks, and the majority of wifi router vendors have not produced timely security updates. This shows us how vulnerable we become with IoT.
However, personal IoT devices like pacemakers, watches, medical devices, and TVs with cameras and microphones all neatly fit into the trend of criminals increasing pressure on victims. When extorting money, they will bargain not only with our security, but with our safety too. And safety, in general, is something we are all willing to pay more for.
Combining these two trends, bespoke extortion campaigns using IoT might become the ultimate challenge in the future.
How’s the industry going to respond?
As always, products alone do not solve these problems. You need people, processes and technology. That said, every now and then there is a breakthrough that allows us to build new processes. Big Data made advanced analytics and threat hunting possible. So, what does the industry need to do in order to respond to a new era of cyber safety threats?
- Before 2006, there was mischief, like Conficker, Back Orifice and the ILOVEYOU worm. A nuisance at most; the industry responded with AV. It did all the work for us at little operational effort. We just needed to install AV, and that was cyber security for us.
- Organised cybercrime changed that, attacking retail banks, then commercial banks, then everyone with ransomware. A select few experienced espionage and data theft. The industry responded with big data type solutions: SIEM, monitoring and detection became popular.
- Criminals saw big data as big profit, and they started collecting big victim data too. Based on that data, they could tailor off-the-shelf attacks and engage in bespoke campaigns too. The industry saw this as a problem, and started to collect and correlate more behaviour, network and endpoint data. This much data requires a process that pre-selects relevant workloads for analysts, often based on machine learning. In case you’re wondering: you are here. This is where we are today.
- What will happen next: as we are firmly entering the machine learning phase, we will be OK for one or two years. Will criminals build attack systems on machine learning too, or is there another way, closer to their appetite? Many vendors say the future is at the endpoint, while others revert to proven technologies like network packet monitoring. We track new technology and put it to the test, but we have yet to find a better method for many IoT devices than investing in secure design, architecture and development.
Our prediction is that the next attack will impact safety, with criminals ransoming pacemakers, cars, elevators, and hotel rooms, as well as investing effort in bespoke extortion attacks on enterprises. The next iteration of attacks will merge business models like ransomware with IoT attack vectors and extortion.
Criminals have surprised us in the past, and only the future will reveal whether there is truth in this. Taking IoT and extortion into account during InfoSec fire drills might not be a bad plan, though.