The growth rate of digital attacks continues to alarm. According to PwC’s Global State of Information Security Survey 2015, the number of reported incidents rose by 48 per cent this year to 42.8 million, the equivalent of 117,339 attacks a day.
Add to those the masses of unreported attacks and you have an awfully messy environment.
Businesses that want to protect themselves adequately need to understand who their enemies are and how they operate.
But the threat landscape has become so chaotic that trying to draw a picture of the myriad adversaries that might want to hack the organisation, and figuring out how they go about their illicit task, is far from simple.
“The term ‘know your enemy’ is a foundation for any formal risk assessment. It is important, but the potential number of malicious actors has expanded due to the ease with which tools and services have become available to anybody with access to a computer and a means to pay,” says Raj Samani, CTO in EMEA for Intel-owned security firm McAfee.
Though determining which ones require special security strategies might prove complex, there are several categories of hackers that use typical techniques.
By tracking the modus operandi of these hacker types, it will be a tad easier to start deploying the right technologies and policies before the bad guys cause havoc. So who are they?
The powers that be
If the last year has made anything apparent, it is that nation states are keen to attack anyone they see as fair game. Whether it is the National Security Agency and GCHQ tapping individuals and businesses on their own shores, or the Chinese army infiltrating foreign organisations and activists’ PCs, government-funded hackers are more active than ever before.
PwC’s survey found respondents who reported a compromise by nation states increased by 86 per cent – and these incidents are also most likely under reported. There was also a 64 per cent increase in security incidents attributed to competitors, some of which may be backed by nation states.
Individuals most likely to suffer are workers in government departments, especially those involved in defence, intelligence services or government agencies that deal in high-tech research, according to Brian Honan, security consultant and founder of Ireland’s first computer emergency response team .
“Also included would be any organisations, be they private or government owned, that operate within the critical network infrastructure arena. Companies that conduct a lot of high-tech research and have valuable intellectual property would also be under threat,” he says.
“Nation-state attackers often target companies in their supply chain to gain access to their ultimate target’s network.
“Other targets may include professional firms such as solicitors or accountancies that provide services to high-tech companies or government agencies and thus have access to sensitive information.”
Any company involved in the manufacture of embedded devices in houses or cars might have to start building in security
It is likely that governments will start to exploit the Internet of Things, which many see as an expansion of the third industrial revolution. The scores of connected devices spreading through homes and civilian areas would certainly make attractive targets for any surveillance agency.
That would mean any company involved in the manufacture of embedded devices in people’s houses or cars might have to start building in security to prevent government hackers snooping on citizens’ lives or causing real-world carnage.
“In the near future, when every man and woman may have 2,000 fixed IP addresses allocated to them, imagine a car manufacturer which has just released a fully cyber-connected car. Every imaginable part has a fixed address and is controlled by a free operating system,” says Amar Singh, CEO and founder of the GiveADay initiative.
“After selling 20 million cars, a major vulnerability, similar to Shellshock, is discovered in the operating system that the car manufacturer has used. This catastrophic vulnerability can cause the engine to die or switch off and bypasses all controls.
“Now imagine an attacker, nation state or otherwise, holding countries and the manufacturer to ransom – ‘meet my demands or I exploit this vulnerability now’.”
Businesses are becoming aware of how widespread are these attacks from government bodies, which can hit any level of infrastructure, be it Wi-Fi networks or phones.
Indeed, when doing scenario-based risk assessments, it might be advisable to use nation-state attackers as the model adversary, given that they will try anything to break down organisations’ digital walls.
Apart from the nation-state attacks, there remains a miminal threat from terrorists. The same PwC survey showed the percentage of incidents attributed to terrorists over the past year stood at 10 per cent, up from eight per cent the year before.
Despite a lack of concrete examples of cyber attacks by extremist groups, businesses evidently believe they have been targeted by them.
The ISIS terror group has been adept at using the internet to spread its aggressive anti-West propaganda. Though no digital attacks have been directly attributed to it, cyber intelligence company IntelCrawler said in July it had recorded a rise in Trojan activities in Iraq, pointing to a digital aspect of that country’s conflict.
Any company involved in critical infrastructure is likely to be keeping a close eye on the potential for destructive attacks. But until a major event caused by a terrorist organisation occurs, there won’t be a high level of concern among private businesses.
The happy hacktivist
An increase in nation state spying won’t just bring about an escalation in tensions between countries and factions, it will also inspire aggression from digital activists. Anonymous might not be attracting the same level attention as it once did, and the Syrian Electronic Army may have retreated into more clandestine activities, but the threat from hacktivists remains strong.
When there’s a protest to be had, as there was in Brazil during the World Cup, there will more than likely be a digital element to the demonstrations. As a sign of its continuing importance, Anonymous knocked out scores of websites belonging to sponsors and organisers of the epic soccer competition this summer.
“[Hacktivists] will remain on the threat radar and over the coming years could become a bigger menace than criminal gangs,” says Singh.
“They are often highly passionate and determined to vent their views. This tends to make them a more serious threat than the opportunist attacker.
“Couple that with a thriving underground economy selling tools and attack services at affordable prices and the oncoming mass adoption of hyper-connected devices and you have a perfect recipe for anyone wanting to vent their voice in cyberspace.”
Indeed, a similar confluence of forces led to the initial surge in hacktivism around 2010, when the likes of LOIC made it simple for those who felt disenfranchised, disenchanted or disappointed in their government to launch denial-of-service attacks as a form of protest. Though movements come and go, the hacker tools they help spawn remain accessible to future activists.
As retail firms have learned the hard way, financially motivated criminals are getting rather adept at poking holes in businesses’ defences, sneaking in and pilfering people’s credit card data.
Point-of-sale attacks have been steady in terms of growth, but as the attacks on Target, Home Depot and many others have shown, they are highly effective.
Standard social engineering techniques, especially phishing, continue to work wonders too, especially when combined with cross-site scripting to force victims to cough up session cookies or other valuable data.
And with a buzzing underground economy, where victims’ financial data is traded at an alarming rate, businesses that handle such information will forever be fighting off hackers hungry to make easy money.
“With easy access to knowledge of hacking techniques, an abundance of targets ripe with valuable data that can be sold anonymously through the black market, vulnerabilities that can be easily weaponised and companies still failing to protect their infrastructures sufficiently, it is no surprise that we’ve seen a shift from hacktivists and cyber vandals towards financially motivated activities,” says Gavin Millard, technical director EMEA at network security company Tenable.
“The democratisation of white-collar crime is causing a paradigm shift in the approach criminals take to extracting money from businesses and the public. Why would a criminal mug one person for their wallet, gaining access to a few card details, when they could easily buy credit card details online and duplicate many at a lower risk?”
Threat from within
And let’s not forget employees are always going to be a problem, whether they mean to or not. This was made all too apparent to supermarket chain Morrisons earlier this year when a member of staff leaked the payroll data of 100,000 employees.
“Insiders will always be an issue. However, they can be divided into those who divulge information or perform an unauthorised action due to a subconscious action, such as social engineering, and those who perform a conscious action, such as bribery,” says Samani.
The problem extends to contractors. PwC found the percentage of incidents attributed to service providers, consultants and contractors increased to 18 per cent in 2014.
“Companies need to ensure they are regularly reviewing their business activities and who they conduct business with to see if that affects the type of adversaries they may attract,” says Honan.
“For example, a new contract with a company that deals with sensitive government information could result in your company becoming a target for nation-state attackers, or developing a new online service may attract criminals.”
Who pulls the strings?
Though pigeonholing attackers can help focus strategies, this will become harder. As hackers for hire become increasingly useful for people with all kinds of malicious motivations and tools become ever more available, worrying about what kind of adversary is after your digital goods might not be as worthwhile as it was.
“We have seen the emergence of cybercrime economies that support the as-a-service culture,” says Samani.
“So while it would have been easy in the past to say this malicious actor is classed as, for example, a cyber criminal, they are now offering these services to customers whose ultimate motivations may differ. The malicious actor categories are not as black and white as before.”
In many cases it might be better simply to focus first on more pressing issues. “Organisations have to accept that regardless of who the threat actor is, with the right motivation, resources, skill and time almost any infrastructure can be breached,” says Millard.
“Knowing who the attackers are gives insight into the response required to defend against them but unfortunately many organisations aren’t ready to defend against anything but low-motivation, low-skill attacks.”
Technologies can assist in determining the behaviour of attackers. Companies such as CrowdStrike and Juniper Networks have created and bought technologies that use honeypots and bait data to allow IT to track hackers as they start their reconnaissance missions. When they fall for the trap and steal tagged data, they can be tracked around the web.
The enemy is out there. It is just a matter of deciding how to find it and then stop it from launching successful attacks, but it is no easy task. ®