As an industry, security suffers from an inside baseball problem: it generally focuses on technical minutiae and fails to translate them for non-experts. This not only makes security inaccessible to the rest of the population, but also hinders a more holistic perspective on just how quickly the threat landscape is evolving. That strategic perspective is required to ensure both public and private sector organizations are not caught flat-footed by the next compromise. Building on this challenge, we’ll post a series of articles this summer that address the key technology and policy trends impacting security, and highlight some of our research that integrates the threat landscape, machine learning, and user experience.
With that in mind, this post kicks off the series by focusing on the dominant technological trends that are altering the digital and geopolitical landscape, illustrating how they impact commercial enterprises and the public sector, and how their convergence contributes to the escalatory nature of attacks. I recently spoke at the Commonwealth Conference on National Defense and Intelligence to a very tech-centric audience, and the main feedback centered on how useful it was to pull the thread through these key cybersecurity trends and articulate their impact. While it may be a review for insiders, for those who don’t spend their day researching the latest attack, this hopefully provides insight into just how quickly the digital threat landscape is evolving, both overseas and on the home front.
Beyond Inside Baseball
How many times do we read about wake-up calls that are anything but? In the last few months, WannaCry and CrashOverride were both hailed as the latest wake-up calls, but if you talk to anyone outside of security, they were quickly cast aside in the twenty-four hour news cycle or, worse, never even registered on the radar. This is problematic, as together they reflect several of the key technological trends that are dramatically restructuring adversarial capabilities and objectives. A look at a few of the driving trends behind recent wide-scale attacks reveals just how urgent the situation is. To summarize, I’ll discuss the role of bots and automation, innovations in malware (ransomware and wiper malware), and the open source proliferation of advanced cyber weapons, which continues to dramatically alter the threat landscape.
Bots and Automation
WannaCry, which I referenced earlier, is a self-propagating worm that leverages automation, as do most widespread attacks. A few weeks ago, US-CERT revealed that North Korea was behind a DDoS botnet infrastructure that, since 2009, has targeted a range of victims, exfiltrating data and causing disruption. This use of botnet infrastructure is increasingly prevalent, as we saw with the Mirai botnet in late 2016, which leveraged IoT devices to bring down internet services, including major websites. Bots are not just used for DDoS; they also contribute to malvertising, which often includes browser-hijacking malware. Fireball is a recent example of this and has infected between 40 million and 250 million computers (depending on who you ask). These malicious bots - which also include the social bots responsible for amplifying false news and propaganda - comprise roughly 30% of all web traffic. The use of automation doesn’t end with bots and propagating ransomware; it also extends to adversarial machine learning, which is increasingly employed to circumvent security defenses.
Destructive and Demanding Malware
Automation is not the only transformative digital innovation leveraged by adversaries. Once thought of as little more than a nuisance, malware is now extremely impactful, especially in the form of ransomware or wiper malware, leading to financial losses and destruction. Let’s start with ransomware, which was a billion-dollar industry in 2016. While WannaCry is most associated with attacks over a weekend in May, just last week it forced Honda to halt production after the worm shut down computers. With the introduction of new variants, and criminals and nation-states employing ransomware with impunity, that figure is only expected to rise. SamSam ransomware, which has been around for over a year and has successfully demanded ever-higher ransoms, along with today's evolving news of Petya ransomware spreading across Europe, illustrates how attackers continue to push the limits of their financial demands and objectives.
Simultaneously, wiper malware - which can cripple computers and destroy data - continues to wreak havoc in some of the most volatile international relationships. CrashOverride, or Industroyer, is the most recent example, and is customized to disrupt power grids. It has been linked to the 2016 power outage in Kiev, which affected one fifth of the population. This is just the latest example, as Kiev experienced an outage a year earlier, linked to KillDisk, a destructive wiper malware. Ukraine is not the only victim, with numerous instances of wiper malware surfacing across the globe, including: Dark Seoul (attributed to North Korea) destroying over 30,000 South Korean government, financial and media computers; Shamoon 2 (attributed to Iran) targeting 15 Saudi government agencies, petrochemical companies, and IT service providers; and Destover (attributed to North Korea) destroying 75% of Sony’s servers. If this wasn’t enough, a few months ago Stonedrill, malware with a ransomware component, was spotted in the wild. It began in the Middle East and has since spread to Europe. Shortly after, KillDisk was also discovered with a ransomware component.
Open Source Proliferation
These attacker innovations continue to evolve, and in some cases leverage the open source proliferation of nation-state capabilities that has occurred through data dumps or human error. With these readily accessible and powerful cyber weapons, the asymmetry within the cyber domain is only growing, such that those with limited resources can now achieve an even greater impact. For example, the recent WannaCry ransomware infected over 300,000 machines across 150 countries. It deployed an exploit called EternalBlue, which had recently been released in a Shadow Brokers dump. We will likely see more of these, as Shadow Brokers recently announced an exploit-of-the-month subscription model. The Vault 7 dump similarly offers new releases periodically, and together the two dumps reflect the growing accessibility of nation-state digital capabilities within the open source realm.
Recently, a newly discovered attack was found to leverage two Shadow Brokers exploits; it compromises unpatched Microsoft servers and can remain undetected in the kernel. There is also a ransomware component, and worst-case fears for this attack vector foresee destructive malware being inserted through the backdoor to attack critical infrastructure. Finally, it’s not just nation-states whose weapons are dumped into the wild, but also commercial entities, expediting the proliferation of these impactful weapons. For example, BlackTech is an espionage group using dumped Hacking Team tools for document and IP theft. What happens when these same tools are employed by terrorist or other criminal groups, or additional nation-states, who may or may not comprehend the potential externalities of such an attack?
Duck and Cover?
By most accounts, we are not ready to respond to these hybrid attacks that are unleashed at a rapidly expanding rate. The old-school, Cold War mentality of state-on-state targeting is obsolete. Even previous attacks which focused on data theft may soon pale in comparison to the brazen objectives of today’s adversaries. From the attribution of WannaCry to North Korea to revelations of the Mexican government targeting lawyers, journalists and media with spyware, to threats to the energy grid and financial systems, it is well past time for new models, approaches, and policies to address the realities of the modern threat landscape.
Technological innovation is key to improved defenses, but so too is innovation in our policy and strategy. While duck and cover is the path of least resistance, the risks are too great to leave in the hands of Cold War era strategies that are insufficient for today’s technologies and adversaries. So what can be done? With every high-profile breach, there is demand for greater deterrence capabilities and policy changes, but it quickly dissipates within the twenty-four hour news cycle. It is also extremely difficult, with no easy solutions among the menu of options, but that should only serve to elevate the necessity of a modern approach.
In the next post, I’ll discuss some key tenets that should inform such a framework, including the integration of diplomatic and defensive postures, and reimagining the role of the private sector to progress toward a deterrent framework. It will also require international collaboration, which is increasingly difficult, as the latest UN GGE talks demonstrated. Despite these challenges, while the defensive technologies will be key, a path toward better security must also run through a modernized policy framework.