A year in cybersecurity: the view from industry

9 September 2019 (Last Updated September 3rd, 2019 17:03)

After hearing the NCSC’s insights into trends in cybersecurity over the past year, we asked cybersecurity experts for their observations on how cybersecurity threats are evolving.


ITC Secure: it’s back to the future

Over the past 12 months or so we have seen the privatisation of nation-state capability in two separate ways.

Firstly, the release into the criminal sector of, albeit now relatively old, nation-state tools. Shadow Brokers is the best example, releasing onto the internet tools which have their antecedents in the US National Security Agency. These are capable and are being seen in criminal activity: WannaCry and other well-known examples.

Secondly, certain nation states are outsourcing their offensive cyber capability; Russia, Fancy Bears and Olympic doping [WADA hacked emails], for example. The GRU attack on the chemical weapons facility in the Netherlands is another example. Also, the recent GandCrab ransomware is slowly being linked – tangentially but increasingly strongly – with a nation state which is assessed to be hostile to the West. In other words, it looks like an outsourced nation-state attack capability.

The other observation is ‘back to the future’: we are seeing an increasing number of attacks targeting endpoints. As companies begin to build security strategies which deliver strength in depth, so attackers are being forced to the edge. This is entirely logical, but it does mean that endpoint protection, both endpoint detection and response and more generic controls, which was fashionable once, is now increasingly important.

Malcolm Taylor, head of cybersecurity at ITC Secure

Airbus: start with your neighbours

Although this and other UN initiatives could take years to come to fruition, the balance of risks vs rewards is steadily tipping towards a system of rules for at least some nations, especially if this had geopolitical advantages mirrored in other economic and military ties.

A formal cybersecurity treaty of this kind would rest as much on its political and symbolic capital as its technical detail.

States need to advocate the need for cyber cooperation instead of cyber warfare. Indeed, states have an obligation to work towards such a treaty to make this happen and to prevent harmful cyberattacks. 2019 could be the year for such an agreement for neighbouring countries.

Ray Walsh, digital privacy expert at ProPrivacy

LogRhythm: watch your third parties

A key security issue organisations are increasingly facing is not only ensuring their own network is secure, but also the networks of suppliers and third parties that plug into it. Cybercriminals are invariably after one thing – data. The richest and most lucrative stores of data are found in the largest organisations. Naturally, due to the complexities of running a multinational organisation, these businesses have the broadest and most complex supply chains. From third-party suppliers to white label clients, each connection with another business is a potential point of weakness, and it’s something cybercriminals are increasingly willing to exploit. The Best Buy, Sears, Kmart and Delta breaches of last year were engineered through vulnerabilities within a third-party chat app, for instance.

As supply chain attacks become increasingly commonplace, it’s almost inevitable that a breach will occur. It’s a tough pill to swallow, but businesses need to recognise this and therefore ensure they have the capability to rapidly detect and respond to threats in order to mitigate any damage.

Focusing on mean time to detect and mean time to respond as key security metrics is a good first step. That is, detecting a threat – whether it comes from a compromise on its own or a partner’s network – and subsequently shutting it down early in the cyberattack lifecycle. To achieve this, technologies like security information and event management or user and entity behaviour analytics, coupled with security orchestration, automation and response, should be key components of any firm’s security suite.

Ross Brewer, VP & MD EMEA at LogRhythm
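One way to compute the two metrics the passage names, mean time to detect and mean time to respond, broken down by whether the compromise began on the firm’s own network or a partner’s, is shown below. This is an added example, not LogRhythm’s code; the incident records are constructed, and open incidents are kept out of the MTTR average so they cannot shrink it.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). Each holds when the attacker
# first gained access, when the SOC detected it and when it was contained.
# 'origin' is "own" or "partner"; 'contained' is None for incidents still open.
INCIDENTS = [
    {"id": "INC-1", "origin": "own",     "compromised": "2019-03-01T08:00",
     "detected": "2019-03-01T10:30", "contained": "2019-03-01T12:00"},
    {"id": "INC-2", "origin": "partner", "compromised": "2019-04-10T22:00",
     "detected": "2019-04-13T09:00", "contained": "2019-04-13T15:00"},
    {"id": "INC-3", "origin": "partner", "compromised": "2019-05-02T01:00",
     "detected": "2019-05-02T07:00", "contained": None},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def hours(start, end):
    """Elapsed hours between two ISO-style timestamps."""
    return (_ts(end) - _ts(start)).total_seconds() / 3600


def metrics(incidents, origin=None):
    """Return (MTTD, MTTR) in hours for incidents of the given origin (or all).

    MTTD averages compromise -> detection over every matching incident.
    MTTR averages detection -> containment only over contained incidents,
    so an incident that is still open does not silently lower the figure.
    A value is None when there is nothing to average.
    """
    subset = [i for i in incidents if origin is None or i["origin"] == origin]
    ttd = [hours(i["compromised"], i["detected"]) for i in subset]
    ttr = [hours(i["detected"], i["contained"]) for i in subset if i["contained"]]
    return (mean(ttd) if ttd else None, mean(ttr) if ttr else None)


def open_incidents(incidents):
    """IDs of incidents detected but not yet contained (excluded from MTTR)."""
    return [i["id"] for i in incidents if i["contained"] is None]


if __name__ == "__main__":
    for label in (None, "own", "partner"):
        mttd, mttr = metrics(INCIDENTS, label)
        print(f"{label or 'all':8} MTTD={mttd} h  MTTR={mttr} h")
    print("still open:", open_incidents(INCIDENTS))
```

Splitting the figures by origin makes a slow-to-detect partner-side compromise visible on its own rather than averaged away against quick detections on the home network.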

KnowBe4: ransomware is growing

After a slight dip a year ago to focus on crypto mining, we’ve seen ransomware surge to prominence again over the course of the year. Not only has it been more frequent, but the payment demands have pushed the upper ceiling higher and higher, with notable attacks on schools, city councils, and even power stations.

Business email compromise (BEC) or CEO fraud has also risen steadily. Reported BEC incidents were 500 a month in 2016 compared to over 1,100 a month in 2018, while thefts have nearly tripled from $110m a month in 2016 to $301m a month.

These would indicate cybercriminals are actively looking to exploit companies for monetary gain. Other common attack trends from both criminals and state-sponsored attackers have included malicious file distribution to gain backdoor access to companies.

Javvad Malik, security awareness advocate at KnowBe4

NanoLock Security: supply chain risks

In an increasingly connected world, the new trend is attacks on hardware, IoT and edge devices within the supply chain, and these attacks can come from bad actors with both state and criminal intent. From the moment a computable device is born in the fabrication laboratory (fab), it is automatically prone to being logically compromised with malicious firmware. Once the device is released from the fab and delivered to the client, it’s further exposed to situations in which it may undergo unauthorised logical modification. This puts the device’s functionality at risk and also opens the door to unplanned activity that could create a security breach. A breach in the supply chain can lead to a variety of attacks, ranging from ransomware to malicious manipulation of stored code. To secure homes, businesses and smart cities moving forward, there must be a new solution to protecting connected devices from the production line to their end-of-life.

Eran Fine, CEO at NanoLock Security

Radware: state-sponsored cyber espionage

Enterprises need to understand that 22 countries around the world are currently suspected of state-sponsored programmes for governmental cyberattacks. And lest you believe that these are all focused on stealing nuclear codes, half of all targets for these attacks are private enterprises, not governmental agencies. World governments are actively investing in building and operating cyber espionage teams both to protect their national interests and to collect intellectual property for their domestic industries. With this information, they are acquiring expertise, malicious botnets and cyberattack tools to further advance their craft.

Enterprises in developed nations around the world need to understand the high stakes and the need for increased protection. If a company competes based on its intellectual property in a global marketplace, then it may be a mark for government cyberattacks.

Mike O’Malley, VP of carrier services at Radware

Defendza: retail and supply chain threats

Ransomware, supply chain attacks and formjacking attacks [inserting malicious code into the website of an e-commerce provider] on retailers have been most prominent during 2018. Most likely attributions have been towards crime groups rather than nation states in this case. Nation-state actors are more likely known for targeting critical infrastructure, human rights activists and other non-commercial areas. The Magecart attack [capturing customers’ payment details] has been one of the notable types of attack, particularly targeting the retail sector. The recent rise of online retailers in the retail and e-commerce markets has attracted the interest of cyber criminals.

Another is supply chain attacks. Multiple attack vectors exist at times against a single target, and this all depends upon the resources and time at hand for threat actors. Threat actors linked with nation-state actors and organised crime groups spend a large amount of time on the very first phase of hacking, known as ‘open-source information gathering’, where lots and lots of data is gathered and analysed about the target. This includes information about a business, its hierarchy, investments, infrastructure footprint, assets, people and processes, vendors, partners and investors in use. Therefore, supply chain attacks are a real threat these days, where a weakness in any of the vendors exposed could act as a stepping stone for threat actors to reach their intended target.

Harman Singh, co-founder at Defendza