Escalating cyber war demands new approaches
It’s a common adage among cybersecurity defenders that they have to be right 100 per cent of the time while criminals only have to be right once. As the WannaCry ransomware attack (which hit hundreds of thousands of computers with little energy expended by its creators) indicates, the adage has unfortunately become a kind of dark truism.
In today’s cyber battleground, attackers often need only make a modest investment to achieve significant gains; meanwhile, the defending side must invest heavily in order to stave off chaos.
At the same time, cyber crime has gone from being a hobby for fringe players living in their parents’ basements to being big business involving professional players.
“It’s grown into this enormous industry with its own customer service mechanism for helping companies pay ransoms,” said Microsoft Canada Chief Security and Compliance Officer Kevin Magee. “With ecosystems of suppliers of ransomware tools, ransomware-as-a-service, and even affiliate marketing, we’ve moved into uncharted territory. The bar for entry is now extraordinarily low, which is bad for organizations.”
What’s in the News
Magee’s words echo the findings of Microsoft’s new Digital Defense Report, which looks at the rising sophistication of the hacker class. But this sophistication is not some abstract thing. Bad actors have become students of human emotion and behaviour, and are experts at tailoring their tactics to trends and to the emotions flowing through the news cycle.
“You can match headlines to changes in their tactics,” said Magee. “Hackers are playing on people’s hopes and fears. Their goal is to catch people in an emotional state of mind, when they’re most likely to make a bad decision.”
A great example of this, as noted in the report, is in how heavily cyber criminals used the global COVID-19 pandemic to target consumers and wreak havoc on healthcare providers.
The WFH Factor
Magee said that while change is no guarantee hackers will have more paths to success, the rapid shift to work-from-home has had that effect. The answer to why is in the seams.
“People moved away from their usual habits and methods, which gave criminals a huge opportunity on the business email front to take advantage of new seams in business processes.”
Of course, ransomware hasn’t disappeared. In fact, as Magee noted, paying a ransom is becoming normalized. From a business perspective, it’s often perceived as easier to “just pay” than to come up with a remedy so it doesn’t happen again.
But Magee warns that paying a ransom won’t magically make an attacker disappear. “The extortion aspect is shifting. There’s innovation happening even on that front. Criminals are finding new ways all the time to extract financial gain from their victims.”
Supply Chain Risk
As noted in the report, there has of late been a considerable rise in the incidence of supply chain attacks. Since the appearance of COVID-19, there has been much focus on the supply chain, and the security around it.
“We’re seeing small businesses fold, and people work remotely. Our habits have shifted dramatically. Amid so much change, bad actors will take notice and gear their ‘work’ toward it. One of the bigger questions at this point is actually how cybercriminals will leverage the changes yet to come in the supply chain and in rapidly shifting buying patterns.”
One thing Magee is clear on is that cyber criminals don’t take vacations. While this might be discouraging to some made of lesser “stuff,” there are many things business leaders can do to match and even thwart bad actors.
“I’m all for tabletop exercises and the art of the possible,” he said. “Diversity of voices and thought is important. You do well to listen to staff that have little to no security experience. They will bring few biases to the discussion as they’re outside it all. When you use these kinds of people, you can discover threat vectors you would not otherwise have thought of.”
Magee spoke of the importance of building “muscles of resilience.” COVID, he said, has forced companies to move quickly to build real organizational muscle. With this muscle comes confidence. “One thing that comes out of reading our Digital Defense Report is the fact that while there are a lot of attack vectors, it’s not limitless. If you begin to understand who might attack you, you give yourself more than a fighting chance.”
But knowledge must be passed on.
“The ‘new’ cyber war touches and challenges not just IT but everyone at an organization. Naturally security must be top priority at the executive level. Leaders should look at cyber-crime events as legal events, acts of war, and deal with them from that perspective.”
But Magee stresses the critical importance of soliciting diverse viewpoints to better anticipate criminals’ next moves. Having crack security experts on board is great, but in 2020 there is also great wisdom to be gleaned from outsiders.