Since the turn of the century the evolving state of Cyberwarfare and Cybercrime; technologies, capabilities, and resources, has grown by leaps and bounds. The concepts of advanced threats, sponsored nation-state organizations, and highly motivated criminal organizations are relatively new, but the use of the internet and the cyber domain as a means of attack has been well established for at least the past fifteen to even thirty years.
Most notably, with the surge of access to the internet in the 1990s, and the abundance of cyber commerce, the rise of cybercrime took to the scene and sought new methods to exploit targets. General Denial of Service Attacks became a common method of ransoming money from the websites that were denied their ability to access the internet and identify thefts trended upward. During this time cybercrime became the breeding ground for new and advanced malicious payloads to be created, tested, and deployed with great ease.
In the early years of the turn of the century, we saw the beginnings of what was to become the precedent for more advanced, and rapid spreading, cyber-attacks.
Worm viruses such as Sasser and SQL Slammer made their way across cyberspace. These viruses spread through the internet targeting unpatched vulnerabilities in systems such as IIS and SQL servers. Advanced forms of these worms, became more weaponized over time with the intent to not only spread rapidly, but also call home and receive commands from their owners, effectively creating the first forms of C2 bot-nets used for widely dispersed, and hard to mitigate Distributed Denial of Service attacks.
By 2007 intelligent forms of highly targeted malicious payloads were discovered.
Stuxnet, Duqu, and FLAME. Each of them deployed with specific goals, either to destroy critical systems of nation-states or used for the exfiltration of sensitive information from targets. While never attributed to any one nation-state, the advanced nature of these programs indicated that those that crafted them had significant expertise and resources available to them that could only be attributed to organizations sponsored by nation-states or highly funded criminal organizations.
Since the release of these the virus variants, the weaponization of the internet, grew by leaps and bounds. Swarms of advanced malicious payloads modeled after Stuxnet, and similar attacks, became widely used by individuals with criminal intent.
Now anyone with basic knowledge of how these tools were created could put them to use for whatever their objectives may be.
With that came the rise of Ransomware; viruses that encrypt critical data and lock out users from it until some form of ransom is paid via nearly untraceable cryptocurrency transactions. Advanced campaigns such as Cridex and Dridex show that highly motivated criminal organizations can create targeted campaigns aimed at stealing specific information from a user, in their case, sensitive banking information.
So now what?
While it may seem all doom and gloom, the sky is falling, there is no silver lining, things are just progressing continually down a worse path; there are some good things to note, at least in my opinion, resulting from all the unsavory activity out there:
Each day more and more people and companies are becoming security-centric. Many of these attack campaigns rely on user input, user interaction, and take advantage of a general lack of fundamental understanding of how the internet, computers, and information, works.
I’ve often held the opinion that while high profile breaches are unfortunate, they at least offer a chance to figure out what failed, and what can be improved. Lending credence to the fact that just as the tools, tactics, and procedures of criminal organizations and sponsored nation-state groups are evolving, so is our ability to protect, detect, respond, and recover from their attacks.
Being forward thinking as to how we address this topic in the face of evolving adversaries and threat actors is crucial. Organizations must be willing to admit that the way we do things today may not be the way we do things tomorrow.
Cybersecurity and Information Assurance is an evolving process, that is still in its infancy. The best way to be forward thinking in regards to our processes and procedures is to be well educated and open minded to working with others, so that as a community, we can objectively determine if what we are doing, is effective. With that in mind, there are some good practices that we know work well today and are expected to continue to be good practices for some time.
“Real knowledge is to know the extent of one’s ignorance”
Educating yourself is the first step to mitigating the threat of cyber-crime.
This idea is most important when it comes to home and personal use. More and more attackers target the weakest link in the chain, and it has been proven time and time again that people themselves can be that weak link. Social engineering and phishing campaigns are still a primary method of malware distribution, both Ransomware or variants like Dridex. It is best to be mindful of messages you receive, especially unsolicited messages, via e-mail.
Use good judgment when opening messages from people that you don’t know. Even if you receive a message that looks like it is from a service you belong too; banking, social network, financial, be mindful. If you receive messages instructing you to visit their site and view new documents or update your settings, it’s better to go directly to the site instead of clicking on links within the e-mail. Learn to view the actual sending address within your preferred mailing application. It’s easy to set a sender name as “Joe’s Bank” but if you check the actual address it may be firstname.lastname@example.org.
Learn to install and use fundamental security tools such as Anti-Virus Systems, host-based firewalls, anti-malware systems. You don’t always have to dip into your budget for these, sometimes you can get free full versions of commercial off the shelf software from your ISP, check in their online portals for information there regarding what benefits they may offer for these tools.
For corporate settings, regular security awareness training sessions, and helpful reminders delivered via e-mail, posters in areas with heavy foot traffic, and other awareness methods are great tools to enable your end users to think smarter when using information systems within your corporate boundaries. Creating intelligent sensors by means of educating your workforce is a great way to reduce risk.
In addition to awareness training, outsourcing a company to test your employee’s resiliency to phishing and social engineering is a sound practice. Many organizations can help you facilitate social engineering tests to measure the effectiveness of your awareness initiatives.
It’s cold outside; wear more layers…
Taking a layered approach to how you approach securing your identity online is easier than ever. Methods for how users authenticate, identify, and access sensitive information systems have evolved.
The right identity in the wrong hands is always a worst-case scenario, but with the rise of social engineering attacks, and evidence that nearly 50% of users who receive a spear phishing e-mail will click on a link in the first hour, identities within an organization, and at home, will remain a top priority target for attackers.
In order to safeguard an organization, and its users, adoption of multi-factor authentication should be, and is, starting to be implemented in a number of ways.
It was only a few years ago that a multi-factor approach to authentication was reserved for highly classified and most sensitive information systems. Most of these implementations were manual processes and utilized additional hard-tokens that users would need to carry with them. Today, there are many methods to use multi-factor authentication, such as one-time-passwords (OTP), hard or soft tokens, or combinations of OTP’s and other pattern based recognition systems, such as how a user types a sentence or says a phrase.
As time moves on these multi-factor forms of authentication will grow to become more accessible and should be expected to be a standardized approach to further protecting individual identities within a system. If you are an organization offering services to customers it is becoming vital to building in 2FA / MFA solutions to further protect your end-users.
What does this mean for the everyday user?
Check your online banking platforms to start, see if they have a method of utilizing multi-factor authentication for various login portals or types of transactions. Several of these utilize your phone as a method of authentication. Even if you do fall victim to some malicious actor who has stolen banking information, they won’t be able to do anything with it if your bank requires additional authentication to authorize a transfer. Especially if the means of authentication is a response from you directly, delivered through your smartphone.
There are a lot of banking services that have already started down this path but don’t limit yourself to just there. Think about the online platforms that you use the most, that contain the most sensitive information about you, and see about enabling these features within their system (whenever available). Also, multi-factor authentication can be a great detection tool as well, serving as a nice alert when someone might be masquerading as you.
Be that for others for those who can’t….
There always seems to be a large focus on cybercrime and what it means for the everyday individual and corporations, because—let’s face it—they do take on the brunt of the attack activity. However, those activities are not the only ones that are classified as cybercrime. There is an unfortunate fact that there are other elements of cybercrime that do more harm than simple financial losses (most of which are insured anyways).
Human-trafficking and the exchange of child abuse images are still very persistent forms of cybercrime in today’s modern era.
Through the misuse of legitimate anonymizing platforms and nearly untraceable digital currency, there is still a market for these types of things. It is heartbreaking, and I still have hope that a final solution can be found to reduce, or eliminate these practices.
Until that time, we have a duty to be aware of what to do if we come across evidence that someone we know is participating in these acts. You might be that “tech bro” that the neighbor asks to help them with their computer, you might be the genius behind the table, geek working on a squad, you might be the helpdesk technician who was asked to work on someone’s laptop because it started “acting funny.” In any of those scenarios you might be the one person that can do for others what they can’t do for themselves. I don’t need to spell it out for you. Common sense tends to indicate, if those files seem suspicious, then they probably are.
As far as security practice at a company level, we have a duty to ensure that our information systems are not being manipulated or used to store, transmit, or otherwise participate in the distribution of these types of images and content.
There are numerous tools available that can significantly reduce the chance of this happening. Appropriate ingress / egress proxies, SSL decryption, and deep-packet inspection technologies, data assessments to gain insight into what sort of files are within your environment, where they exist, who created them, how long have they been there. These are just a few and are sort of the tip of the iceberg. It’s up to you to find the right combination of tools, technologies, processes and procedures to help reduce the impact of this unfortunate reality we live in.
It takes a village….
So that was pretty heavy, I know, sorry about it, but I hope you understand the importance of calling it out. As we move forward into the future we will continue to face new challenges and hopefully overcome them with grace. I touched on an important concept earlier, which is that as far as where we have come from, where we are now, and where we are going, we are still very much so in the infancy of it all.
Less than fifty years ago, our lives and the world we lived in was very different, and I am limited by the boundaries of my imagination, as I cannot truly fathom where we will be in another fifty years. I do believe that as technology progresses, how we secure and protect the tasks we do in our day to day lives is going to continue to be more “mainstream” as it will become an essential component of survival. Just like how we learned to ride a bike and drive a car, cook for ourselves, become social creatures, and seek education; we will continue to learn how to navigate the pitfalls of using the gift of technology safely and securely.
Through community efforts, information sharing, social networks, we will help each other live safer lives in the digital village of the future.