By the time we sang “Auld Lang Syne” in 2015 we had experienced a year of unparalleled cybercrime. In this article I’ll look at the current cyber security landscape to see whether there has been any improvement in the year to date, or whether we are likely to see continued cyber attacks at the levels seen in the breaches of the Office of Personnel Management (22 million records stolen) and Ashley Madison (37 million records lost). As mid-year approaches, we can glance back at the last 5 months and perhaps use this to predict where we will be by the end of 2016, hopefully in a better place.
I am about to make a statement which is slightly at odds with the prevailing view of cyber security to date: I believe that cybercriminals may have become more predictable. This predictability comes from their reuse of strategies that have already succeeded, an expected pattern of behavior: “if it works, why fix it”. Cybercrime is a business; it makes money, lots of money. If you hit on a successful business model, you use it. Cybercriminals seem to have found a very successful model in ransomware and they are milking this technique in 2016 for all they can get. Phishing too continues to make the grade as a first-class hacking tool, heavily used in its more targeted form, spear phishing.
Ransomware: In 2016, so far, we have seen ransomware become the cybercriminal weapon of choice. McAfee, in its 2016 Threat Predictions report, predicted ransomware would be a major threat in 2016, and so far it has been proven right. In the last 5 months new ransomware families, such as ‘Locky’, have appeared and caused mayhem. Locky was the ransomware behind the recent attack on the Kentucky-based Methodist Hospital, and you can see from Ransomware Tracker that Locky has been the main type of ransomware used this year.
Perhaps proof of the movement to a ransomware-based malware model can be seen in two major modifications to its use case:
1. The changing profile of ransomware to include mobile infection. An example of this in action is the update of a previously very successful Android-based Trojan known as Android.SmsSpy.88. This malware was previously used to steal credentials by spying on SMS texts and calls. It has now morphed into a type of mobile ransomware, which locks your phone and requests payment to unlock it.
2. The addition to the hacker's toolset of ‘Malware as a Service’, which makes it easy for even novice hackers to run ransomware as a money-making service.
Phishing and email-borne malware: Ransomware and other malware need a mode of transmission, and phishing is as popular with the cybercriminal this year as it was in 2015. Kaspersky Labs, who keep a watch on cybersecurity trends, have seen an increase in emails containing malicious attachments in the first quarter of 2016.
Business email compromise (BEC) attacks, a variant of spear phishing, are also increasing this year. Specific business users, usually financial executives and HR, are targeted with phishing emails that appear to come from high-ranking executives in the company and ask the recipient (often a company accountant) to urgently transfer money to a bank account owned by the cybercriminal. The FBI’s Internet Crime Complaint Center 2015 report placed BEC among its ‘hot topics’, with losses due to BEC attacks of over $263 million last year.
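The traits described above (an executive's name on an address the company does not own, a reply path that diverts the conversation elsewhere, and an urgent request to move money) can be scored at the mail gateway before the message reaches the accountant. The following Python is an added example, not code from the original article; the company domain, executive list and both sample messages are constructed for the demonstration.

```python
"""Heuristic scoring of a business email compromise (BEC) lure.

Added example, not part of the original article. The company domain,
executive roster and sample messages below are constructed.
"""
import email
import re
from email.utils import parseaddr
from typing import List, Tuple

# Assumed company data: the domain the gateway protects and the executives
# whose display names a BEC lure typically borrows.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Language typical of a wire-fraud request: urgency combined with payment.
URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|invoice|bank account)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_bec(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a raw RFC 5322 message; one point per trait."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons: List[str] = []

    # 1. A known executive's display name on a non-company address.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        reasons.append(f"executive display name '{name}' on external address {addr}")

    # 2. Sender domain is one or two characters away from the real one.
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {from_dom}")

    # 3. Reply-To sends the accountant's answer to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain")

    # 4. Urgent payment language in subject or body (single-part bodies only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY_RE.search(text) and PAYMENT_RE.search(text):
        reasons.append("urgent payment language")

    return len(reasons), reasons


# Constructed sample: a lure in the shape the article describes.
LURE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.ceo@mail-relay.example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer

Please transfer the invoice amount today. I am in a meeting, keep this confidential.
"""

# Constructed sample: a routine internal message from the real executive.
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q2 board deck

Attached is the draft deck for Thursday's review.
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("legit", LEGIT)):
        score, why = score_bec(sample)
        print(label, score, why)
```

A score of two or more is a reasonable quarantine threshold in this toy; the look-alike check deliberately ignores exact matches so that mail from the real domain is never penalised, and a production gateway would also verify SPF/DKIM alignment rather than rely on display-name heuristics alone.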
Again, cybercriminals know when they are onto a good thing and will continue to use phishing as a means to get into your systems. However, they will also morph into new ways of using social engineering to extract your login credentials. We’ve recently seen phishing become SMiShing: a mobile text message carries a link to a spoofed site that, once clicked, harvests your login credentials.
DDoS: In the first quarter of 2016 the USA was one of the three most-targeted countries for DDoS attacks, China and South Korea being the other two. Many of the attacks are politically motivated, such as the one against Donald Trump’s website carried out by the group ‘New World Hackers’ earlier this year. But it isn’t just political motivation driving DDoS attacks. They are also used as a distraction: while security personnel have their eye on mitigating the DDoS, hackers use the opportunity to insert malware. One of the most recent victims is the American Registry for Internet Numbers (ARIN), which suffered a DDoS attack on May 26.
The Insider Threat: Insider threats are as much a social issue as a security one and we can only expect these types of threats to remain consistent throughout 2016. The U.S. Department of Homeland Security is even predicting an increase in cyber security breaches caused by insiders with political motivation, targeted against critical infrastructure and utilities. Privilege misuse is one of the mainstays of the insider threat; the 2016 Data Breach Investigations Report (DBIR) ranks it as the second most common incident type.
In a nutshell, everyone is being targeted: individuals, independents, SMBs, not-for-profits, right up to the largest corporates; if money, data and credentials are there for the taking, you will be a target. Cybercriminals have settled into their international role as chief rogues and are expected to cost global business a staggering $2.1 trillion by 2019, 4X the 2015 costs, according to Juniper Research. Juniper also stated that 60% of all data breaches in 2015 occurred in North America. Cybercrime has become the next big industry sector, tax-free, admittedly.
In terms of who will be next on the cybercriminals’ ‘to do’ list, we should expect ransomware to up its game in terms of target reach. Until recently, the sums exchanged were relatively small, the bitcoin equivalent of a few hundred dollars. The recent attack at the Hollywood Presbyterian Hospital in LA resulted in $17,000 being extorted. However, this is likely the tip of the iceberg, and larger enterprises will start to feel the force of ransomware. Larger organizations will be asked for ransoms much higher than what we have been used to so far. I’m watching for the million-dollar ransom to hit the news.
As for which sectors are in the cybercriminals’ sights, IBM’s X-Force recently stated that healthcare was the most targeted of all industries. However, any industry that holds personally identifiable information (PII) is at high risk. We can expect sectors such as retail to continue to be hit, following on from the success of the Target Corp. breach. This is especially the case if the extended and complex supply chain used by retail is not risk managed: the perfect storm of phishing and poor authentication makes poorly managed partner ecosystems easy prey. To back this claim up, the NTT Group 2016 Global Threat Intelligence Report found that the retail industry had 2.7X as many attacks as financial clients did in 2015.
As cyber security becomes big business in its own right and the cybercriminal becomes the cybercrime entrepreneur, we can expect the second half of 2016 to bring even more of the same issues we have seen over the last few months. Ransomware, spyware and Advanced Persistent Threats are already brewing and ready to siphon off money and data. The way forward is to be knowledgeable about the problem. If we prepare ourselves and put in place strategies to identify, detect and respond to cyber security threats, not just in our own organization but with anyone we do business with, then by the end of 2016 we may well have put a dent in the cybercriminals’ armor.