Cybercrime is the stuff of nightmares for any organization. The volume and complexity of cyberattacks have soared in recent years. The problem is recognized even at European level, where it has resulted in new privacy legislation and an investment of € 450 million to promote research and development into new security technologies.
But what does this mean? What are the threats we face and why is this so lucrative? Why do security suppliers find it so difficult to stop these threats and what can we do to prevent them?
By Roël Bouman, Solution Advisor Security
Reading time: 4 minutes
What is the digital threat?
In recent years, our ICT landscape has changed rapidly. Almost all our data is now digital and much of it has moved from on-premises systems to the cloud. This has created a massive trade in stolen digital data. With the arrival of pseudonymous means of payment such as Bitcoin and illegal marketplaces on the dark net, the cyber crime industry has expanded enormously. By the author's estimate, more money is now involved in this industry than in the international drugs trade. Besides false passports and trade secrets, you can even hire hit men and buy weapons there. There are three main ways in which money is earned:
1. Data Theft: theft of sensitive data
The most common way in which hackers earn money is by stealing data. A well-known example was the Sony Pictures hack in 2014, after which unreleased films were available online before they appeared in the cinema. In such cases, access is first obtained to a network, after which files are exfiltrated. This access can be obtained in various ways. One is social engineering, whereby hackers profile a target individual via social media, derive the user name (often initial.surname or firstname.surname) and then only have to guess, phish or crack the password to get full access to the network.
There are also various forms of malware that are planted in a network. After a successful phishing mail, a drive-by download from a compromised website, or the exploitation of a vulnerability in the network, malicious software (malware) is installed and controlled remotely. It then exfiltrates valuable data from the network, which is subsequently sold. Hackers now even offer HaaS (Hacking as a Service), hiring themselves out to steal data on behalf of a client.
2. Ransomware: ransoming sensitive data
Ransomware is a form of malware whereby the hacker is not concerned with stealing data but with encrypting data that is valuable to an individual or company. At the moment, ransomware is the biggest concern in the security sector, and a case of ransomware is reported to the National Cyber Security Centre (NCSC) roughly every ten days. When a system becomes infected with ransomware (usually via a malicious link or attachment), the program starts encrypting files. After a while, the ransomware displays a message stating that payment is required to decrypt the data or have it restored. Payment has to be made in Bitcoin so that the hacker receives the money with little risk of being traced. That is the revenue model of the hacker in question.
3. DDoS attack: making data inaccessible
A Distributed Denial-of-Service (DDoS) attack is a form of HaaS: it is not initiated by the hacker but ordered by a client. During a DDoS attack, the hacker uses a large number of previously compromised computers (a botnet) to flood a target with traffic. That might be a computer, a network or a website. Because the target does not have sufficient capacity to handle this simultaneous traffic, it goes offline. A recent example of this was internet provider Ziggo, whose network went down several times after DDoS attacks in 2015. Anyone can order a DDoS attack and shut down a competitor's website, for example. There are even examples of school children who shut down their own school's system so that they don't have to sit exams.
Why are these threats so difficult to stop?
Threats are constantly evolving and becoming increasingly complex. Three changes are behind this.
1. Hackers are professionals
Hackers no longer operate alone from a bedroom. As the trade in digital data has grown, so has the professionalism of the hackers. They are more organized, and in some countries they are even tolerated as a business or organization, as long as they do not target their own country.
This creates a situation in which hackers provide services such as writing customized malware that targets a specific victim chosen by a client. They even sell SLAs with it to guarantee that the client achieves his goal.
As professionalism has grown, so has the complexity of cyber crime. Hackers know the vulnerabilities in a network and can write malware that exploits a single, specific vulnerability in order to steal data.
2. Polymorphic engines
Hackers have found a smart way to circumvent signature-based scanning, where a file is quickly checked against a database of known signatures (typically hashes or byte patterns of previously seen malware). Whereas hackers used to spend a lot of time on a single piece of malware, for which a signature could then be written relatively quickly, they are now able to reproduce the same malware thousands of times. They do this using polymorphic engines, which give each copy a slightly different byte pattern, and therefore a different signature, while the behaviour stays the same. As a result, the volume of new malware has soared to nearly 1 million new malware samples every day. This makes it very difficult for signature-based antivirus software to stay up-to-date.
However, we find that these threats come from a very limited number of malware families. The malware can therefore be traced back to only about twenty distinct processes, that is, to a small set of recognizable behaviours. There are solutions which, supplementary to a signature-based scanner, know and can identify these behaviours. This is also called behaviour-based scanning. When a process starts, its behaviour is checked and, if necessary, the process is blocked. This might be an executable that is started from the trash folder and tries to connect to the Internet, or an executable that starts encrypting files. Because the check is made on the workstation itself, the workstation is also better protected outside the corporate network.
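To make the difference between the two approaches concrete, here is an added illustration; it is not code from the original article or from any vendor product. A toy signature scanner is defeated by a trivial polymorphic re-encoding of the same payload, while a behaviour rule still flags the two patterns named above: an executable launched from a trash or temp folder that opens a network connection, and a process that rewrites many files with near-random (encrypted) content. The sample bytes, file paths and telemetry records are constructed for the example, and the thresholds and the list of suspicious launch directories are assumptions, not a product's settings.

```python
import hashlib
import math
import random
from dataclasses import dataclass

# Constructed stand-in for a malicious file: arbitrary bytes, not a real sample.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"stand-in payload: encrypt documents, phone home" + b"\x00" * 8


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: hashes of samples the vendor has already analysed.
SIGNATURE_DB = {file_hash(ORIGINAL_SAMPLE)}


def signature_scan(data: bytes) -> bool:
    """Signature-based check: True only if this exact file is already known."""
    return file_hash(data) in SIGNATURE_DB


def polymorphic_variant(sample: bytes, seed: int) -> bytes:
    """Toy polymorphic engine: XOR-encode the body with a per-copy key and prepend
    the key. Each copy gets a new hash, yet decodes to the same payload at run time.
    Real engines go further and also rewrite the decoder stub itself."""
    key = (seed % 255) + 1  # 1..255, never 0 (XOR with 0 would leave the body unchanged)
    return bytes([key]) + bytes(b ^ key for b in sample)


def decode_variant(variant: bytes) -> bytes:
    """What the variant does on execution: recover the original payload."""
    key, body = variant[0], variant[1:]
    return bytes(b ^ key for b in body)


# --- Behaviour-based side: judge what a process does, not how its bytes look ---

@dataclass
class ProcessActivity:
    """Constructed endpoint telemetry for one process."""
    image_path: str                 # where the executable was launched from
    opened_network_connection: bool
    writes: list                    # (path, bytes written) per file touched


# Launch locations that a legitimate program rarely runs from (assumed list).
SUSPICIOUS_LAUNCH_DIRS = ("/tmp/", "/.Trash/", "\\Temp\\", "$Recycle.Bin\\")


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the written bytes; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def behaviour_verdict(activity: ProcessActivity,
                      mass_write_threshold: int = 20,
                      entropy_threshold: float = 7.5):
    """Return ("block", reasons) or ("allow", []) based on the process's behaviour.
    Thresholds are assumptions for the example, not a product's settings."""
    reasons = []
    from_junk_dir = any(d in activity.image_path for d in SUSPICIOUS_LAUNCH_DIRS)
    if from_junk_dir and activity.opened_network_connection:
        reasons.append("executable launched from a temp/trash folder opened a network connection")
    scrambled = [p for p, data in activity.writes
                 if entropy_bits_per_byte(data) >= entropy_threshold]
    if len(scrambled) >= mass_write_threshold:
        reasons.append(f"{len(scrambled)} files rewritten with near-random content (encryption-like)")
    return ("block" if reasons else "allow"), reasons


def simulate_ransomware_run(seed: int = 1) -> ProcessActivity:
    """Constructed telemetry: a binary in the trash folder overwrites 30 documents
    with random bytes, the way encryption looks to the file system."""
    rng = random.Random(seed)
    writes = [(f"/home/user/docs/report{i}.docx.locked", rng.randbytes(1024))
              for i in range(30)]
    return ProcessActivity("/home/user/.Trash/update.exe", True, writes)


def simulate_benign_editor() -> ProcessActivity:
    """Constructed telemetry: an office program saves one plain-text document."""
    prose = ("Quarterly report draft, section one. " * 40).encode()
    return ProcessActivity("/usr/bin/libreoffice", True, [("/home/user/docs/report1.docx", prose)])


if __name__ == "__main__":
    variants = [polymorphic_variant(ORIGINAL_SAMPLE, s) for s in range(5)]
    print("original caught by signature:", signature_scan(ORIGINAL_SAMPLE))
    print("variants caught by signature:", [signature_scan(v) for v in variants])
    print("variants still decode to payload:", all(decode_variant(v) == ORIGINAL_SAMPLE for v in variants))
    print("ransomware run:", behaviour_verdict(simulate_ransomware_run()))
    print("benign editor:", behaviour_verdict(simulate_benign_editor()))
```

Two things are worth noting. First, a one-byte change in the encoding key is enough to give every copy a fresh hash, so a hash database can never catch up on its own. Second, the behaviour rule fires on the ransomware run for two independent reasons (launch location plus network, and mass high-entropy writes) but not on the office program, even though that program also talks to the network; that combination of signals, rather than any single one, is what keeps false positives down in practice.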
3. Smart malware
Hackers are finding increasingly smart ways to avoid detection inside a network. Besides polymorphic engines, there are also polymorphic viruses, which change their own code each time they replicate, so that every copy on the network carries a different signature. This makes it very difficult for a system administrator to find and remove such a virus completely.
Here too, a possible solution is behaviour-based scanning as an addition to endpoint security, or sandbox technology, whereby a file is executed in a virtual environment to reveal its actual behaviour before it reaches the user. Hackers have already responded to sandbox technology by developing sandbox-aware malware. This malware circumvents many sandbox products by recognizing that it is running in a virtual sandbox (for example by checking for virtualization artefacts or for the absence of user activity) and then temporarily not behaving like malware.
How do you arm yourself against these threats?
In the light of the current threats, traditional security methods are no longer sufficient. After the layered-security approach, whereby a different security vendor was chosen for each security layer, we are seeing a new trend whereby suppliers connect the different security layers in a network. By sharing information between a vendor's own products and third-party solutions, a synchronized approach is emerging. In addition, a new generation of security solutions has arrived which, besides signature-based scanning, also looks at the behaviour of unknown files via behaviour-based scanning.
My colleagues and I advise our clients on a daily basis about security solutions. Besides endpoint, web, email security and firewalls, we look at:
- Synchronized security: By means of a security policy in which the different layers communicate with each other, a piece of malware is identified and removed sooner. By sharing information, it is much easier to track the route that the malware took into the network and which other systems or users have received the same file. Thus an incident is resolved faster and I am able to take action to close the route taken.
- Behaviour-based protection: Signature-based scanning alone is no longer sufficient to stop malware. By supplementing this method with behaviour-based scanning, there is a much greater chance of stopping undesired programs. Manufacturers are responding by supplementing endpoint security with products which identify and block the characteristic actions of malware, and thus of ransomware, as soon as they start.
This form of protection is independent of location and also works if an endpoint is outside the corporate network or has no Internet connection. In addition, as I described earlier, there are sandbox technologies which reveal the actual behaviour of malware by opening the file in a virtual environment. If you choose sandbox technology, it is important to choose a solution that is also able to identify sandbox-aware malware.
- Strong authentication: This is important to limit the damage of social engineering. A user name and password alone should not be enough to obtain free access to the entire network. You should therefore consider adding a second factor (multi-factor authentication) on top of the password.
- DDoS mitigation: This makes it possible to absorb or filter a DDoS attack, but this form of protection is not relevant to every organization. That depends on the business model. Is your organization largely dependent on a webshop or other online service? Then a DDoS mitigation service offers great added value for you.
- Vulnerability management: In order to be aware of weaknesses in a network, you must have an inventory of all the connected systems. Are all the systems up-to-date, and are there no other vulnerabilities in the network? This can be tested by pentesters, who can be hired on a one-off basis or periodically, or with dedicated vulnerability scanning software.
Don’t be a victim
Don’t want to be a victim of cyber crime? Then it is important to keep up with the constant changes in the market. With our knowledge of trends in the security market and our independent advice on the different software solutions, we will be happy to help you with your security strategy and its implementation. Please contact me or one of my colleagues.