Theresa May wants a new “deep and special” security partnership between the UK and the EU after Brexit, focusing on military, intelligence and counter-terrorism. What about cyber?
Last week, the UK National Cyber Security Centre revealed the charity sector is particularly vulnerable to attacks. The week before, UK think tanks were hacked by groups in China, and the US is leaning on the UK for insight into cyber defence. A cyber arms race is developing, with cyber war on the horizon.
Businesses and the public sector must now push through effective cyber security initiatives to help mitigate this looming threat of cybercriminals, who are effectively open-sourcing their malware codes and creating unique, and largely undetectable threats known as ‘malware cocktails’.
Less is more
SonicWall, a cyber security company, have today released a report, suggesting that less attacks may mean more destruction for organisations. It found that despite ransomware levels falling, with attack dropping from 645 million attacks to 184 million between 2016 and 2017, but the threats posed by the malicious code are more dangerous than ever.
>See also: It’s war: the cyber arms race
“The cyber arms race affects every government, business, organisation and individual. It cannot be won by any one of us,” said SonicWall CEO Bill Conner. “Our latest proprietary data and findings show a series of strategic attacks and countermeasures as the cyber arms race continues to escalate. By sharing actionable intelligence, we collectively improve our business and security postures against today’s most malicious threats and criminals.”
“The risks to business, privacy and related data grow by the day — so much so that cyber security is outranking some of the more traditional business risks and concerns,” said Conner.
Security industry advances
Even with WannaCry, Petya, NotPetya and Bad Rabbit ransomware attacks stealing the headlines, the expectations of more ransomware attacks simply did not materialise as anticipated in 2017. As revealed earlier, the total volume of ransomware attacks has declined.
However, web traffic encrypted by SSL/TLS standards made yet another significant jump in 2017, increasing by 24%. This shift has already given more opportunity for cybercriminals and threat actors to hide malicious payloads in encrypted traffic.
>See also: How AI has created an arms race in the battle against cybercrime
Organisations are beginning to implement security controls, such as deep packet inspection (DPI) of SSL/TLS traffic, to responsibly inspect, detect and mitigate attacks in encrypted traffic.
With most browsers dropping support of Adobe Flash, no critical flash vulnerabilities were discovered in 2017. That, however, hasn’t deterred threat actors from attempting new strategies. Indeed, SonicWall provided protection against Microsoft Edge attacks, which grew 13% in 2017 over 2016.
Law enforcement turns the tide
Key arrests of cybercriminals continued to help disrupt malware supply chains and impact the rise of new would-be hackers and authors. Law enforcement agencies are now taking the initiative and making an impact by arresting and convicting malware authors and disruptors.
Cybercriminals are being more careful with how they conduct business as a result, including dynamic cryptocurrency wallets and using different transaction currencies. Increasing cooperation between national and international law enforcement agencies is strengthening the disruption of global cyber threats.
>See also: Five cyber security trends for 2018
“Stabilising the cyber arms race requires the responsible, transparent and agile collaboration between governments, law enforcement and the private sector,” said the Honorable Michael Chertoff, chairman of the Chertoff Group, and former US Secretary of Homeland Security. “Like we witnessed in 2017, joint efforts deliver a hard-hitting impact to cybercriminals and threat actors. This diligence helps disrupt the development and deployment of advanced exploits and payloads, and also deters future criminals from engaging in malicious activity against well-meaning organisations, governments, businesses and individuals.”
Cybercriminal advances
The total volume of ransomware attacks was down significantly year over year, but the number of ransomware variants created continues an upward trend since 2015. The variant increase, coupled with the associated volume of 184 million attacks, leaves ransomware a prevalent threat. Ransomware variants increased 101.2% in 2017.
SonicWall Capture Labs threat researchers created 2,855 new unique ransomware signatures in 2017, up from the 1,419 published in 2016. And in 2018, ransomware against IoT and mobile devices is expected to increase.
Hackers and cybercriminals continue to encrypt their malware payloads to circumvent traditional security controls. For the first time ever, SonicWall has real-world data that unmasks the volume of malware and other exploits hidden in encrypted traffic.
>See also: The cyber security remedy: prevention is better than a cure
Encryption was leveraged more than previous years, for both legitimate traffic and malicious payload delivery; and SonicWall Capture Labs found, on average, 60 file-based malware propagation attempts per SonicWall firewall each day.
Without SSL decryption capabilities in place, the average organisation will see almost 900 file-based attacks per year hidden by TLS/SSL encryption.
“Industry reports indicate as high as 41% of attack or malicious traffic now leverages encryption for obfuscation, which means that traffic analysis solutions and web transaction solutions such as secure web gateways each must support the ability to decrypt SSL traffic to be effective,” wrote Ruggero Contu and Lawrence Pingree of Gartner.
Malware cocktails
No single exploit in 2017 rose to the level of darknet hacker tools Angler or Neutrino in 2016, but there were plenty of malware writers leveraging one another’s code and mixing them to form new malware, thus putting a strain on signature-only security controls. SonicWall Capture Labs used machine learning technology to examine individual malware artifacts and categorises each as unique or as a malware that already exists.
The battleground emerge in the cyber war
The reported identified chip processors and IoT devices as the emerging battlegrounds in the impending cyber war.
Cybercriminals are pushing new attack techniques into advanced technology spaces, notably chip processors. Memory regions are the next key battleground that organisations will battle over with cybercriminals.
>See also: The good guys are losing the cyber war but is the tide changing?
Modern malware writers implement advanced techniques, including custom encryption, obfuscation and packing, as well as acting benign within sandbox environments, to allow malicious behavior to remain hidden in memory.
Organisations will soon need to implement advanced techniques that can detect and block malware that does not exhibit any malicious behavior and hides its weaponry via custom encryption.
“Sandbox techniques are often ineffective when analysing the most modern malware,” said SonicWall CTO John Gmuender. “Real-time deep memory inspection is very fast and very precise, and can mitigate sophisticated attacks where the malware’s most protected weaponry is exposed for less than 100 nanoseconds.”