In a couple of weeks, security experts from around the world will be converging on the Moscone Center in San Francisco for the annual RSA Conference. I’ve been a few times and it’s quite overwhelming, with the entire city filled with infosec companies. Accompanying the event, every major analyst firm and security vendor releases their annual security report, telling us what they’ve learned over the last year. This year, there’s one new thing that’s hitting the headlines.
Cybersecurity threat matrices typically focus on four major types of attackers – organised crime, nation states, insiders and hacktivists. The tools they use have changed, but their motivations have stayed the same.
Cybercrime where the goal is to steal or extort money remains the most significant issue, regardless of the reports you look at. But a new tool has emerged in the toolbox of cybercrime.
We’re now seeing cryptojacking increase. This is where the bad guys introduce a piece of malware, via the usual routes such as phishing or drive-by downloads, that takes over your computer’s processor to mine cryptocurrencies. This can affect both traditional computers and smartphones.
On ransomware, Telstra said in their report that 76% of Aussie businesses were affected by ransomware in 2017, with 47% of those paying the ransom.
Malwarebytes said in their report that spyware, which remains an issue, is now adding cryptojacking to its repertoire: TrickBot, a malware family that now includes cryptocurrency-mining code, is increasing in popularity as it gives the bad guys multiple revenue possibilities.
Interestingly, we’re also seeing cryptojacking come from insiders. There have been many cases of staff adding cryptocurrency-mining software to corporate servers, which results in the installation of potentially dangerous software and increased costs as the servers consume more energy.
But, for corporate IT departments, the primary threat vectors remain focused on money with ransomware and executive email fraud still significant issues.
Executive email fraud, or business email compromise, is where a specific person in the company with financial authority is duped into transferring funds to an unauthorised third party. This is a sophisticated, social-engineering-led attack that can involve compromising a trusted third party, such as a vendor, to deliver the emails requesting payment.
End-users are the key to most security threats. Threat actors seek either to compromise an end-user device through the injection of malware or to steal user credentials. So, it’s not surprising to see mobile device attacks also increasing, with Symantec finding that mobile malware variants went up by 54%.
After following the cybersecurity scene for several years, what’s clear is that the motivations of attackers are largely unchanged. But threat actors are getting better at crafting social engineering attacks, and the tools they use enable them to automate those attacks.
This allows them to scale their attacks in a way that was unimaginable just a few years ago.
That means our defensive tactics need to adapt. While protect, detect and respond remains the cornerstone of most cybersecurity strategies, the focus needs to shift to detect and respond. The traditional focus on protection alone is no longer enough.
Most of the senior security execs I speak to now operate on the assumption that breaches will occur and the devices they connect to their networks are untrusted. So, while preventing attacks remains an important function, they continuously monitor their networks to detect anomalous activity so they can respond quickly.
They also have response plans for different types of incidents and, importantly, they practise those plans regularly so that if an incident occurs, all the parties involved in the response are familiar with their roles and able to adapt during a real incident.