Why hackers may always remain a step ahead
Mumbai: It was only a month ago that WannaCry, the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom, created havoc across the world including some companies in India.
Security firms had, then, cautioned that this was not the last case of ransomware that we were seeing. It’s hardly a surprise, then, that another malware has caught us off guard and is holding us to ransom again.
Call it by any name—GoldenEye, Petrwrap or Petyawrap, or even ‘NotPetya’ as Kaspersky Labs wants to call it because “it is not a variant of Petya ransomware as publicly reported, but the new ransomware that has not been seen before”—this newly-detected ransomware is more deadly than WannaCry and is already creating panic among companies across the world including India.
Most crypto-ransomware families target and encrypt files on the victim’s hard drives. This means victims can’t access those files, but they can still use the operating system. Petya, security firm F-Secure points out, “takes it to the next level by encrypting portions of the hard drive itself that make it so you are unable to access anything on the drive, including Windows”.
This Petya variant has already affected operations at one of the three terminals at Jawaharlal Nehru Port Trust (JNPT) run by AP Moller-Maersk in Mumbai and the government is expected to react by the end of day.
Ransomware is a type of malware that prevents or limits users from accessing their systems, either by locking the screen or by locking the users’ files unless a ransom is paid. And in this case, the Petya variant’s demand is very specific: a ransom of the equivalent of $300 worth of bitcoins.
While the extent of the cyberattack is yet to be ascertained, as the story is still unfolding, cyberattacks typically take a huge toll on companies and governments.
According to an October 2016 report by the Ponemon Institute, the average cost of a cyber attack on a company is $9.5 million. The largest cost impact from cyber crime is information loss (an average of 39%) followed by business disruption at 36%, the Ponemon report noted. Cybersecurity Ventures predicts global annual cybercrime costs will double from $3 trillion in 2015 to $6 trillion by 2021.
Why do hackers always get the better of us?
The question, of course, is why, despite the myriad security solutions currently in use to thwart attacks, malicious actors continue to exploit weaknesses and gaps.
It appears, from various studies by security firms, that hackers are much better organised than companies and governments, because of which they will continue to stay ahead in the race for quite some time to come.
“Cybercriminals have the advantage,” acknowledges a 27 February report titled ‘Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity’ by the US-based Center for Strategic and International Studies (CSIS) and security firm McAfee LLC, owned by TPG (51%) and Intel (49%).
Vulnerabilities are exploited by criminals within 30 days of disclosure, meaning that as these vulnerabilities are disclosed publicly, the criminal underground quickly adopts them into new attacks, according to the CSIS-McAfee report. One advantage that cybercriminals have over defenders “is due to technology—we now all know that the internet was never designed to be secure”, notes the report. The other reason is policy: there are countries that tolerate, shelter, and maybe even encourage cybercrime. Hence, the report recommends that companies and governments will “need to rethink how they measure, reward and incentivize defense”.
Black Hats are better organised
Consider the role of ‘black hats’, a term for hackers. They are part of an underground ecosystem that channels tools, expertise, and infrastructure into criminal operations that extract billions of dollars of profit from data theft, extortion, and fraud. This ecosystem is largely comprised of commoditized markets of specialized freelancers with different skills and expertise, the McAfee report notes.
The black hat community draws from a large talent pool and relies on a freelance model to produce highly specialized products and exploits for specific attack purposes. This market is also more efficient and fluid, being able to adapt quickly and with more ease based on an attacker’s motives.
The top tier of the black market, the report reveals, comprises almost exclusively elite technical specialists selling highly coveted zero-day vulnerabilities (previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available), intermediaries who specialize in high-dollar-value exploits that serve as brokers between buyers and sellers, and governments that buy tools in the white or grey market for everything from domestic surveillance to cyber espionage.
The lower tier, dominated by criminals and the networks that support them, is made up primarily of products like financial information and counterfeit goods, as well as “exploit-as-a-service” and spamming services, as opposed to sophisticated tools and exploit kits, which are primarily in the upper tiers, the report notes.
While upper-tier actors commit espionage, steal intellectual property (IP), and launch destructive attacks, the lower-tier criminals are driven primarily by money.
The McAfee report also suggests that the perception that cyber-breaches do not directly lead to loss of revenue or profit may be giving companies a false sense of security.
Moreover, the report points to a disconnect between strategy and implementation, which is partly due to the fact that those who determine the strategy (executives) and those who implement the strategy (operators) are not measuring effectiveness and outcomes using the same set of metrics.
Operators, the report notes, typically look at metrics such as breach numbers, penetration testing, vulnerability scans, and cost-of-recovery analysis to measure their organization’s cybersecurity effectiveness. Executives, on the other hand, are more likely to rely on general performance and cost-centric metrics to gauge their cybersecurity strategy effectiveness.
Importantly, the report notes that cybersecurity professionals lack “adequate incentives”. Besides, even as companies value interactions with the government as a source of information, the McAfee report reveals that in many cases, the government sector was reactive and least likely to report having a fully implemented cybersecurity strategy or provide incentives to cybersecurity professionals.
In contrast, the “black hats” have clearly designed incentives created by market forces, “not by organizational fiat”. The market economy of the criminal hacker ecosystem facilitates innovation and rapid adaptation, and channels resources efficiently to the lowest cost and most profitable criminal enterprises. This open and decentralized criminal market creates strong incentives for criminals to strive to be the best, attracting the largest customer base and commanding premium prices.
‘White Hats’ may provide an answer
The report notes that many old school black hats have moved into the legitimate cybersecurity industry with “access to six-figure salaries at legitimate companies, no fear of arrest, and the opportunity to spend their time figuring out how to hack the most complex and “cool” systems”. For instance, some of the most sophisticated Russian cybercriminals are also plucked from Russia’s advanced math and computer science programs and trained by the intelligence services.
Defenders, the report notes, can learn from the black hat community. “Security-as-a-service” can offer greater flexibility to counter the “crime-as-a-service” model of the criminal market, leveraging market forces to foster competition and strengthen incentives for defenders.
Despite the best efforts of cyber and information security professionals, cyber criminals can fly under the radar for long periods of time, making it difficult to detect them and prevent them from penetrating our systems, says a 19 July, 2016, report by Secure 360, an annual conference organised by the US-based Upper Midwest Security Alliance (UMSA).
For instance, the Leave-no-trace malware is one way cyber criminals are able to avoid exposure and remain undetected on company networks for months at a time. Moreover, full and convincing user identities can be stitched together for mere dollars, meaning that fraudsters can create pitch-perfect social engineering attacks, notes the Secure360 report. One of the biggest issues security professionals face is that there are not enough trained and experienced IT enterprise security personnel.
Moreover, a lack of clear definition around security policies and integration between security layers and solutions allows criminals to fly under the radar, the report notes.
Cyber criminals love static systems and processes because they make it easier for them to study their subjects, learn the ins and outs, and figure out exactly how they can compromise your data. If you want to make it difficult for sophisticated cyber attackers, create a culture that thrives on change, the Secure360 report suggests.
Most common specialties/professions in the hacker ecosystem
■ Programmers—who develop malware.
■ Web designers—who create malicious sites.
■ Tech experts—who maintain the criminal infrastructure (servers, databases).
■ Hackers—who exploit system vulnerabilities and break into computer networks.
■ Fraudsters—the classic con artists who devise social engineering schemes (phishing, spam).
■ Intermediaries—in general, these are criminals who collect data stolen from users, advertise it to other cybercriminals, sell, or exchange it for money or other illegal actions.
Source: McAfee ‘Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity’