Although the U.S. Congress must have designated literally thousands of commemorative days, weeks and months, I’m a bit partial to this month’s designation, National Cybersecurity Awareness month, now in its 15th year. Although I tend to think quite a bit on this topic during the other 11 months as well, it does make me pause to reflect on how cybersecurity awareness has evolved over this time period, and contrast that with the evolution of cybersecurity effectiveness.
In terms of general awareness, I’d say the ongoing battle against cybercrime, once relegated to implausible Matthew Broderick movies, is today a mainstream topic and has woven its way globally into our everyday culture—as the subject of an upcoming new television series, at packed-house scam prevention seminars, and even as a subject for placard-waving flash mobs. My barber is eager for tips on web and email security.
How Effective Is Security Today?
In terms of effectiveness, it would appear the security industry has a long way to go. I’ve just read a recent benchmarking study by Osterman Research, which documents an increasing rate of attacks, an increasing rate of breaches, and rising concern among IT managers from one year to the next. The survey says that the incidence of reported security failures during the prior 12 months is up, with 70 percent of organizations having suffered one or more successful attacks, compared to 68 percent in 2017. While the top source of infections was “other” malware like viruses and worms, I was struck by the fact that 44 percent say they suffered a successful phishing attack—an average of 11.7 times over the year. Almost half of IT and security managers indicated that the number of phishing and spear phishing emails getting through their current security and reaching end users was up substantially from a year ago.
Threat Industry Keeps Innovating and Lowering Barriers
Last month’s news of the 14-year prison sentence for the operator of a VirusTotal-like multi-engine scanning service, that allowed hackers to QA their product’s performance against numerous security engines, was as welcome and laudable as it is rare, due to the obvious challenges in investigating and prosecuting what are invariably transnational crimes. This particular QA service was representative of a threat-as-a-service economy making threat campaigns and distribution a point-and-click affair, effectively multiplying the number of cybercriminals at work.
I discussed in my last blog how a good part of malware and phishing campaign authors have “professionalized” and are working for highly structured criminal enterprises, which continue to incessantly test and evolve their methods. Among the new ransomware families we’ve analyzed in detail recently, the ‘Termite’ ransomware was built from three other ransomware families—Gibon, NinjaLoc, and XiaoBa—and the Ryuk ransomware revealed several interesting ideas. Its attacks are highly targeted and tailored to each organization; it searches for and kills an impressively large list of processes belonging to antivirus programs, backup systems and databases; and after encrypting the files, it destroys the encryption key and removes shadow copies and backup files. One can also see the authors market-testing different non-technical aspects: Ryuk uses two different ransom notes, one longer and more detailed than the other, with varied ransom amounts. A search for payments matching one of the demand variations shows a single payment of 50 Bitcoin, around $325,000, which was then split across multiple Bitcoin wallets in order to (in theory) complicate tracing, with other payments ranging from 15-35 Bitcoin.
Phishing attack services proliferating
On the phishing front, the threat business ecosystem keeps lowering barriers to entry and providing turnkey attack services. We’ve been analyzing a rash of new phishing kits appearing in the market that are cheap to buy or subscribe to, easy to deploy, and are layering in detection evasion techniques, like block lists for security companies’ crawlers. With phishing kits selling for as little as $50 on the dark web—which in one actual example for that price includes a hosted website, one link directly to the website for a period of a month, and three extra links for backup if one was taken down or blocked—it’s no wonder that attack volumes are up and more organizations are being affected.
If I have one wish for ‘Cybersecurity Awareness Month,’ it’s that we all need to be aware of the need for innovative responses on the part of the security industry, to counter a threat industry which is innovating both technical and business models at a rapid pace.