The word ‘hacker’ has been tarnished by people who do not have our best interests at heart but are instead motivated by money: attackers who steal our assets and hold organisations such as banks and hospitals to ransom.
Last year two German hospitals were held to ransom, forcing staff back into the last century by restricting them to pen and paper. In an age of such digital advancement and connectivity, the results of such attacks can be catastrophic. Traditional cyber defence methods have failed, so what can the industry offer to combat these adversaries?
In a panel discussion held between some of the most experienced cybersecurity specialists at the IT-SA security conference in Nuremberg, Germany, major questions were raised about malware’s prevalence and what can be done to tackle persistent threats, particularly ransomware.
The discussion was chaired by Uwe Scholz, an industry expert based in Germany, with leading cybersecurity industry figures from Menlo Security, Cylance, iT-CUBE SYSTEMS and Infinigate.
Opening the discussion, Mr. Scholz outlined the current security landscape: ‘threats are continuously changing, the industry is trying to keep up, but it looks like the race is still on and we’re behind it.’ Leif Dehio, Business Development Manager at Infinigate, agreed that ‘the landscape is evolving. Threats are getting more and more complex. The motivation to actually attack networks has also changed a lot – from a hacktivism point of view to a financial one.’
Connectivity has compounded the problem, according to Alexander Bünning, Regional Manager DACH for Menlo Security: ‘It’s a business – we are more and more connected with every device we are using and, as long as the attacker can make money, you will be under threat.’
Furthermore, the evolution of technology and business means that ‘we almost by necessity have to increase our attack surface area,’ said Anton Grashion, Senior Director of Product Marketing EMEA at Cylance. He continued, ‘it’s a never-ending cycle.’ We will always be creating opportunities for attackers ‘because we can’t stop doing new things and different things in order to compete in our markets.’
Illustrating this, Janus Cybercrime Solutions is a platform that facilitates ransomware distribution and is open to anyone in exchange for a cut of the attackers’ profits. Its creators announced in July 2016 that the well-known Petya and Mischa Trojans could now be operated on a Ransomware-as-a-Service (RaaS) basis, further confirming the financial motivation of those distributing them and widening participation to even more cybercriminals.
Succinctly summarising this, Andreas Mertz, Founder and CEO of iT-CUBE, referred to ransomware as ‘modern robbery, nothing else.’ He continued, ‘the point is you can run this business because the risk of getting prosecuted is extremely low… that is the reason they are so successful.’
The Security Apocalypse – is it a question of resource or a question of technology?
Mr. Mertz explained that ‘we have a kind of security apocalypse now. The problem is that the technical team who is running a company’s security are often just an appendix of the IT department… This team never gets the budget and the skills, and everything that is needed to really be able to respond to threats.’
The problem comes down to both resources and technology, specifically with regard to communication within organisations. As Mr. Dehio said, security teams ‘don’t interact and the Chief Information Security Officer needs resources to bring all the information from all these different sources together to get a complete picture.’ How can this be resolved? According to Mr. Dehio, ‘one crucial aspect is automation in the future.’
Alongside fluid communication, the way in which new technologies are implemented is essential. According to Mr. Mertz, ‘the question is how to orchestrate technology within your process landscape… it’s not just purchasing a certain device – you have to orchestrate the whole thing and follow a governance which takes care of the maximum level of security you want to reach.’
In addition to this, time is a major factor. How does this compare between attackers and security officers? As Dr. Grashion pointed out, on the one hand, as a security professional, ‘you can’t create time so you slice time, you share time between things’. ‘On the other side you’ve got guys who are trying to get in. They’ve only got one thing to do and they’ve got all the time in the world to do it.’ In agreement with Mr. Dehio, Dr. Grashion then went on to say: ‘We have to do something – either through automation or a combination of automation and more intelligence.’
This paints a vivid picture. Mr. Mertz said of CryptoWall’s profits: ‘I guess it was $80 million last year.’ If the risk of prosecution is so low and the fruits of labour so high, it is no wonder attackers can take their time in creating more evolved strains of malware to advance their agendas.
Does ransomware require a targeted approach to be successful?
Security threats seem to come in waves. The latest wave is ransomware: although the core tactic is nothing new, the method of attack continues to change. Ransomware seems to be not only a technical challenge but also one that requires social engineering on the part of the attacker. Is this true? Are cybercriminals informing themselves about organisations and specifically targeting those where they see larger financial gain?
‘If you think about ransom, we always talk about targeted attacks, but ransomware I think has a broader approach,’ said Mr. Bünning. He added that it is ‘very easy to be successful because you can do it via quantity, not quality.’ Dr. Grashion was in agreement: ‘I think it’s a shoot, hit and hope, and what you’re hoping for is that one person in the organisation has no time to check – to be really sceptical, like we all are as security professionals.’
Mr. Mertz argued that distribution is more targeted these days: ‘they’re going for more specific industries. They are looking for certain sectors, like the healthcare industry, which is extremely vulnerable because they have a lacking financial background… if that ransomware gets in, it does not differentiate between a computer or a life-critical system which supports life in the operating room… that adds a completely new dimension to the topic.’
This kind of approach can have a serious effect on an organisation. Dr. Grashion replied, ‘even if an attack doesn’t damage a critical piece of the infrastructure, just by locking staff out of their day-to-day system – what they need to do to see patients – I certainly know from the UK’s perspective that would be crippling.’ Proof of this level of disruption can be seen in the recent cyberattack on a hospital in Lincolnshire, UK. A virus infecting the hospital’s network led to a major incident, causing all planned operations, outpatient appointments and diagnostic procedures to be cancelled for 48 hours.
Can today’s security solutions solve the problem of limited time and money?
The fact that malware is now so easy to create and distribute poses one of the biggest issues for cybersecurity companies today. Attackers are not the stereotypical, and somewhat romanticised, computer experts intent on stealing state secrets. Mr. Dehio highlighted that ‘almost anyone can do it who is able to run a computer – you can actually design your own ransomware.’ Traditional signature-based security solutions cannot stand up to these threats: ‘You create a new file, it has a new checksum and a signature-based solution will not recognise this as being malware so we need another solution which is more intelligent, predictive, which can actually – before the application is being run – decide is this potential malware or not?’
One way today’s solutions are trying to move ahead of these anonymous bad actors is prevention. According to Mr. Dehio, ‘we need a solution which is more intelligent, which is predictive.’ This approach was also supported by Mr. Mertz: ‘prevent as much as you can because if you don’t, and you have to deal with the consequences, it costs significant time and money.’
Over the past 20 years more and more things have been added on to ‘enhance’ security. Dr. Grashion further emphasised the need to prevent attacks from happening in the first place: ‘we’ve added behavioural analysis, we’ve added heuristics, we’ve added sandboxing, we’ve even added EDR. All of those technologies, however, are post-execution.’ Cylance is one company employing a new approach: ‘Through AI and machine-learning, they developed a solution which you can deploy on your endpoint, and which pre-execution will determine whether an executable file is going to be malware or whether the file is good and we can let it go.’
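To make concrete the point Mr. Dehio and Dr. Grashion both make, here is an added example (not code from any vendor on the panel): an exact-hash signature lookup misses a file after a single byte changes, while a crude pre-execution static check still flags it. The byte n-gram similarity check stands in for the predictive models the panel describes, and the sample files are constructed, harmless byte strings.

```python
"""Exact-hash signatures versus a static, pre-execution similarity check.
Added illustration of the panel's point; not any vendor's code.
All samples are constructed, harmless byte strings."""
import hashlib

# Constructed stand-in for a known-bad executable; any bytes would do here.
KNOWN_BAD = (b"MZ\x90\x00" + b"\x00" * 60
             + b"This program cannot be run in DOS mode."
             + b"\x00" * 64 + b"ransomware payload stub (constructed sample)")

# Signature database: exact SHA-256 hashes of samples already seen.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_match(data: bytes) -> bool:
    """Traditional signature check: exact hash lookup only."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES

def ngrams(data: bytes, n: int = 4) -> set:
    """Set of byte n-grams: a crude static feature of a file's content."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of two files' n-gram sets, from 0.0 to 1.0."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0

def feature_match(data: bytes, threshold: float = 0.8) -> bool:
    """Pre-execution check: flag a file that shares most of its content
    with a known-bad sample even though its exact hash is new."""
    return similarity(data, KNOWN_BAD) >= threshold

def make_variant(data: bytes) -> bytes:
    """Stand-in for 'creating a new file': flip one byte in the padding."""
    return data[:10] + bytes([data[10] ^ 0xFF]) + data[11:]

def demo() -> dict:
    """Run both checks on the original and on its one-byte variant."""
    variant = make_variant(KNOWN_BAD)
    return {
        "original_signature": signature_match(KNOWN_BAD),  # True
        "variant_signature": signature_match(variant),     # False: new hash
        "variant_features": feature_match(variant),        # True: still similar
        "variant_similarity": round(similarity(variant, KNOWN_BAD), 3),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```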
Time and money are limited resources in comparison with the abundance of malware strains being developed by adversaries across the globe. Fuelling this problem is, as Mr. Bünning described, the ‘vicious circle’ where ‘you get alerts and it’s quite hard really to determine is it good or is it bad and is it critical or is it not critical. Then of course you need to have people, you need to have threat intel, but this is where you start making assumptions.’ What if you did not need to make this determination at all, but could assume that everything is risky? That is what Menlo do with their Isolation platform: ‘we put a surrogate browser between the user and the internet and try to keep active content away from the endpoint entirely.’
What would you recommend to a CISO today to help tackle the problem?
It is well known that cyber-threat awareness levels vary dramatically from individual to individual and organisation to organisation. According to a recent report by the Ponemon Institute, 78% of IT employees surveyed in the US and Europe were extremely concerned about ransomware attacks, and yet 38% of them do not monitor any employee file and email activity, which are prime attack vectors.
Mr. Bünning’s advice is to ‘take security seriously. That’s the key.’ This sentiment is echoed by Dr. Grashion, who offered: ‘Don’t assume that you’re covered just because you think you are… you want to be absolutely certain that the models that you put in to protect yourself actually do cover the risk that you’re willing to take.’
The investment must match the risk. As Mr. Dehio said, ‘it’s a question of how much is security worth for you and your company? How much are you willing to invest?’ It is clear that security solutions are stepping up to the plate. However, that alone does not produce a clear winner in the jockeying for position between security solutions and malware. Attackers are diverse, anonymous and numerous, and even if the last were not true, it only took one 18-year-old to accidentally detonate a DDoS attack on Arizona’s 911 system in October of this year.
The underlying message is urgent: the effect that malicious actors and their malware can have, and are having, on organisations large and small, on individuals and even on government infrastructure is clear. The shift in the driving force behind this activity, from hacktivism to profiteering, has already happened. If we do not want to keep falling victim to cyberattack, we must shift our thinking up a gear, embrace proactivity and take the advantage back from today’s bad actors.
By Alan Zeichick