What can we all learn from the cyber threat landscape of 2018?

Every year, as a co-founder and member of the Neustar International Security Council, I attend The Neustar Cyber Summit, this year the summit was held at the OXO Tower in London and there really were some very interesting findings from the summit which I would like to share.

Rodney Joffe, Chairman of NISC, started to discuss where the Internet of Things fits into the equation.

‘The first thing to recognize is that the Internet of Things is a new phrase for something that’s existed for years. The only difference is scale.
Sometime in the late 1970s or early 1980s, some computer science students wired a Coca-Cola vending machine to the Internet. The students wanted to solve the problem of walking down three flights of stairs to the lobby only to discover there weren’t any cold Cokes in the machine.
It was one of the first devices wired to the Internet, and anyone could connect to it and ask for the status of the Cokes. So IoT isn’t really new. It’s probably best defined as all of the devices that can be connected to the Internet that don’t necessarily look like traditional computers. Items like smart power meters, smart lightbulbs and modern home thermostats, all the way to critical medical appliances and devices, jet engines and power turbines.

Because everyone is now focused on the IoT, we’re trying to develop rules around how all people, places and things interconnect. But millions of devices and things that are out there already are not secure, so we have to find ways of securing them and making sure that everything that gets added in the future is secure.
It’s no big deal if the Coke machine is wrong, but what if a nuclear-generating turbine goes down or if all the air-conditioning systems in a city go on at the same time because the smart meters that control the smart homes were compromised?

The other thing to recognize is that the industrial IoT is much larger than the consumer IoT. The breach of Target customer credit cards started when network credentials were stolen from an air-conditioning filtration vendor that had serviced various Target stores. Those credentials were used to hack into Target’s system, then install malware on a large number of the chain’s point-of-sale devices. The end result was brand damage for Target that has reverberations today.

The facts are, in 2016, we saw a number of huge attacks — many that exceeded 1Tbps. In 2017, by contrast, we saw fewer large distributed denial-of-service (DDoS) attacks, possibly because hackers were finding little advantage in taking a company completely offline. Another explanation is that hackers were simply enjoying the success of the previous year’s myriad of extortion and ransomware-oriented attacks, as well as the many DDoS associated data breaches.

So far in 2018, however, the big attacks are back with a vengeance. Earlier this year we saw the largest DDoS attack ever recorded — 1.35Tbps — using a new type of attack called Memcached, which will be discussed later. Then, a 1.7Tbps DDoS attack was recorded. Previous amplification attacks, such as DNSSEC, returned a multiplication factor of 217 times, but Memcached attacks returned amplification records exceeding 51,000 times! In fact, the potential return from Memcached attacks is so large that they do not require the use of botnets, making them a new and dangerous risk vector.

We are hoping that these attacks will go the way of the Simple Service Discovery Protocol (SSDP) amplification attacks, which used the protocol designed to advertise and find plug-and-play devices as a vector. SSDP amplification attacks are easily mitigated with a few simple steps, including blocking inbound UDP port 1900 on the firewall. There are similar steps that organizations can take to mitigate Memcached attacks, including not exposing servers and closing off ports, but until then, Neustar is prepared.

This year we are also seeing different uses for DDoS beyond simple volumetric attacks, including what we call quantum attacks. Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation. These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.
This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

Neustar recently thwarted what is believed to be the first IPv6 attack. This attack presented a new direction that attackers are likely to pursue as more and more companies adopt IPv6 and run dual IPv4/IPv6 stacks. We believe that IPv6 vectors will continue to emerge as organizations around the world move to adopt the new standard.

You can also expect to see more Layer 7 (application layer) attacks, including those targeting DNS services with HTTP and HTTPS requests. These attacks are often designed to target applications in a way that mimics actual requests, which can make them particularly difficult to detect. It is important to note, however, that Layer 7 attacks are typically only part of a multi-vector DDoS attack. The other parts are aimed at the network and overall bandwidth.

DDoS attacks can be found in a multitude of sizes and for any reason imaginable. They can now be used to find vulnerabilities, to locate backdoors for exfiltration, and as a smokescreen-like distraction for other activities. Today’s organized criminals are able to focus on the results that they want and simply buy or rent the malware or botnets they need to get there. Some have gone so far as to comment that criminals are getting more and more like corporations, each with their own specialization.

The simple fact is that if you’re online, you’re susceptible to an attack. Whether you are vulnerable or not is entirely up to you.

The summit and Rodney Joffe’s keynote was incredibly insightful, but where does that leave us today and how can we guard against such threats in our business and personal lives?

A New York Times report reveals another cyberattack using stolen NSA hacking tools, and experts warn computer systems are not prepared for even more widespread attacks likely in the future. Max Everett, the managing director at Fortalice Solutions, joins CBSN to discuss the threat.

Cybersecurity expert warns the world is not ready.

We can all agree over the course of 2018, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic trojans, ransomware and spam bots were transformed.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers.
Powered by military-grade code allegedly leaked from the NSA, threats such as WannaCry and GoldenEye wrought havoc throughout, shutting down businesses and causing unprecedented operating losses.

The effectiveness of these threats has been compounded by novel lateral movement vectors that augment zero-day exploits such as EternalBlue and EternalRomance, allowing malware to ‘hop’ from one network to another, from organisation to organisation. These targeted attacks are reshaping corporate and government digital security, whilst simultaneously causing fallout in the consumer space.

Ransomware specifically aimed at companies has also become far more prevalent. Since the re-emergence this March of Troldesh, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers.

Certain strains of ransomware such as Troldesh and GlobeImposter come equipped with lateral movement tools (such as Mimikatz), allowing malware to infect an organisation and log clean-up mechanisms to cover their tracks.

Following a surge of market interest around cryptocurrencies that has continued through 2018 and into 2019, miners have diversified and proliferated. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allowing cybercriminals to infect computers in organisations and increase mining efforts.

Based on threat developments in 2018, organisations should essentially prepare for more sophisticated iterations of malware based on the same theme in 2019.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers. Lateral movement will become standard in most malware samples, either via password-grabbing utilities like Mimikatz, or by exploiting wormable vulnerabilities. In addition, the number of malicious attachments in SPAM emails will increase, particularly those written in scripting languages such as PERL or Python.

“All the world’s a stage/ And all the men and women merely players”; Shakespeare’s famous line makes us consider each person an ‘actor’ in their own right, with their own individual role to play. And when looking across the cyber threat landscape, this rings especially true – each actor has their own motivations and distinct part to play.
When the proverbial hits the fan, it’s typical for the victim – a business or government entity – to focus on the indicators of compromise (IoC) rather than what led to the attack in the first place.

Looking at IoCs is an essential part of a cyber defence strategy and can help victims identify who is targeting them. But it’s a reactive approach, which doesn’t help once your organisation has been breached.

This rear-facing view is also reflected in the cyber sensationalist news narrative. The media tend to focus on the number of attacks – a vanity metric – but rarely on its complexity, length, or who was behind it, and what their motivations were for attacking the organisation in the first place.

IoCs tend to change very quickly, the actor behind does not, nor their objectives and tactics, techniques and procedures (TTPs). For example, US-CERT’s release of the Grizzly Steppe malicious Russian activity was complex in that many of the IoCs that were provided were false positives or TOR exit nodes, making it difficult for companies to make sense of them and ingest.

As such, it’s vital that organisations look to understand the actor – their motive, opportunity and means – and not merely read into the IoCs if they are to protect themselves from potential attack.

Threat intelligence highlights IoCs around an attack, such as that the actor was using cheap outsourced labour to perpetuate the attack, was using a particular hosting platform, or shared infrastructure.

IP addresses and domain names change very quickly, but the adversary’s motive does not. Knowing this is the first step towards changing an organisations’ security stance to mitigate the threat, identifying the indicators of attack (IoAs) rather than just the IoCs. Without intelligence, this would be impossible.

The type of malicious actor organisations must deal with will differ. Some may be state-sponsored, for example, carrying out cyber espionage on behalf of a nation. Others may be hacktivists, looking to incite political change, or cyber criminals looking to make a profit.
Understanding the bigger picture beyond the impact of the attack itself is critical if the good guys are going to triumph over the bad. Intelligence plays a key role in getting to the core of that bad apple.

STIX, the standardised language to represent structured information about cyber threats, helps to store and share information on actors and TTPs. It has become the de facto standard for information sharing in cyber threat intelligence as it facilitates automation and human assisted analysis.

Finally, it’s worth remembering that intelligence is not a silver bullet. It’s a part of a wider puzzle that enterprises need to put together in order to give themselves the best chance of defence against a cyber attack.

Security needs to be seen as an architecture, embedded in the foundation of an organisation. Hygiene factors such as ongoing patch management and end-user training also need to be considered.

The human element behind an attack is often forgotten. However, analysts can create a ‘big picture’ of the lifecycle and ecosystem of hackers by adding in the more specific details.

Enterprises and governments are under a constant barrage of cyber attacks. With the threat landscape evolving and attacks becoming ever-more sophisticated, having time to stop and think about the actor behind the malicious intent may seem like a luxury.
However, businesses need to start looking at cyberattacks from the adversary’s perspective to understand what is most attractive to an attacker. Without this understanding, the problem will persist and the next newspaper headline will feature their name.

In summary, the question is not whether you will be attacked. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Comey once said:
“We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy. “

Share your thoughts with us