Hackers who combine technology with behavioural insights pose a greater threat than ever to cyber security.
What do consumer credit reporting agency Equifax and ride-hailing company Uber have in common?
One would imagine that as large enterprises, they would check the boxes for good cyber-security practices: a healthy security budget, deployment of leading-edge cyber security technologies, and round-the-clock monitoring by well-trained cyber professionals.
Yet they were revealed last year to have been successfully hacked.
Equifax was the victim of one of the biggest data breaches in history with about 145 million consumers' data compromised, including credit card numbers. Uber revealed it was breached in 2016, losing about 57 million users' and drivers' information worldwide. To make things worse, it paid the hacker US$100,000 to delete the stolen data, and to keep the hack quiet.
Last year was a watershed year with an unprecedented number of cyber hacks, leaks and data breaches. We believe 2018 will be worse, as attackers become increasingly creative with attack methods and increasingly destructive payloads that better target system vulnerabilities. Why is this so?
ASYMMETRIC THREAT LANDSCAPE
First, the threat landscape will continue to be asymmetrical. Threat actors have an edge over enterprises that are hard-pressed to staff up internal cyber security teams.
State-sponsored actors and, increasingly, organised crime groups are well funded, organised and resourced. They can afford to take their time to do research on their target, create the right malware and tailor their attacks to their targets. Even if they were to fail the first time, they can persist to try again and again at very little marginal cost.
These entities are aided by the breathtaking rate of technological advancement, but attackers have also begun to acquire an increasingly deep understanding of human nature. This has manifested itself in more nuanced attacks that make use of social engineering and behavioural insights.
What we have seen in recent years is the continued evolution of (and preference for) very complex and precise spear phishing campaigns, as distinct from spam or mass phishing e-mails. A spear phishing campaign targets specific individuals, organisations or businesses to collect sensitive information. It may take the form of a professional-sounding, personalised e-mail that uses personal data collected from public posts on social media sites and blogs to lower the target's guard - to entice them to click on a malicious link or open a malware-laden document.
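The tell-tale signs of such an e-mail - a sender domain that imitates the company's own, a job title in the display name from an outside address, a Reply-To that points elsewhere, a link whose visible text does not match where it actually goes - can be checked mechanically. The following Python script is an added example, not part of the original article or the authors' work. The message it analyses is constructed for illustration; example.com stands in for the defending organisation, 203.0.113.7 is a reserved documentation address, and the .invalid hostname is a reserved placeholder. The lookalike-domain heuristics (digit-for-letter folding and a small edit distance) are assumptions about what a lure looks like, not a complete detection rule.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the defending organisation's own domain

# Constructed sample, not a real lure: it spoofs a named executive from a
# lookalike domain and reuses a detail the target posted publicly.
SAMPLE_EMAIL = """\
From: "Jane Tan (Finance Director)" <jane.tan@examp1e.com>
Reply-To: jane.tan.finance@mail-relay.invalid
To: alex.lim@example.com
Subject: Re: Q4 vendor payment - congrats on the marathon!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Alex, great time at Sunday's marathon! Before you head off, please
approve the vendor payment here:
<a href="http://203.0.113.7/approve">https://payments.example.com/approve</a></p>
</body></html>
"""

# Digit-for-letter substitutions commonly used in lookalike domains (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold lookalike tricks: examp1e -> example, exarnple -> example."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = ORG_DOMAIN) -> bool:
    """True if domain imitates target without being it or one of its subdomains."""
    domain = domain.lower()
    if domain == target or domain.endswith("." + target):
        return False
    folded = normalise(domain)
    # "target in folded" also catches example.com.evil.invalid style nesting
    return folded == target or levenshtein(folded, target) <= 2 or target in folded


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list[str]:
    """Return human-readable spear-phishing indicators found in a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain!r} imitates {ORG_DOMAIN}")
    # Executive impersonation: a job title in the display name, sent from outside.
    if from_domain != ORG_DOMAIN and re.search(
            r"\b(director|ceo|cfo|manager)\b", sender.display_name, re.I):
        findings.append(f"display name {sender.display_name!r} claims a role but sender is external")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != from_domain:
        findings.append(f"Reply-To domain {reply_to.addresses[0].domain!r} differs from From domain")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(text).hostname if text.startswith("http") else None
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows {shown_host!r} but points to {href_host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the sample it reports four indicators; on a plain-text message from jane.tan@example.com with no Reply-To it reports none. Each check is a heuristic, and a real mail gateway would combine them with authentication results (SPF, DKIM, DMARC) and sender reputation rather than act on any one of them alone.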
Another form of personalised attack is the watering-hole attack, in which hackers ambush their targets at websites they are known to visit frequently. The hackers compromise such a site and plant malicious code on it - often a zero-day exploit, one that takes advantage of a vulnerability that software developers and cyber security professionals are not yet aware of, giving them no time, or "zero days", to prepare a fix - and lie in wait for their target. A watering hole does not strictly require a zero-day; an older exploit works just as well against visitors who have not applied the patch.
When the target visits the site, the planted code redirects the target's browser to a second site that hosts the exploit and malware. The malware infects the target's machine and gives the attackers a foothold on the organisation's network. From there they can harvest credentials, exfiltrate critical data, or pivot to attack other devices in the network.
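Because the exploit itself may be unknown, a defender cannot rely on recognising it; what is observable is the traffic pattern - a site many staff visit suddenly referring one of them to a host nobody else has ever contacted, which then serves an executable. The Python script below is an added example of that check over web proxy logs and is not part of the original article or the authors' work. The log lines are constructed for illustration (the .invalid hostnames are reserved placeholders and the addresses are private-range), the log format is assumed, and the thresholds for "popular" and "rare" hosts are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log, not real traffic (assumed format:
# time user src method url status content-type referer).
# Three users read the same industry news site; only carol is steered to a
# host nobody else visits, which then serves her an executable.
SAMPLE_LOG = """\
2018-01-15T09:01:12Z alice 10.0.0.11 GET http://news.industry-daily.invalid/ 200 text/html -
2018-01-15T09:01:13Z alice 10.0.0.11 GET http://news.industry-daily.invalid/js/site.js 200 application/javascript http://news.industry-daily.invalid/
2018-01-15T09:03:40Z bob 10.0.0.12 GET http://news.industry-daily.invalid/ 200 text/html -
2018-01-15T09:10:02Z carol 10.0.0.13 GET http://news.industry-daily.invalid/ 200 text/html -
2018-01-15T09:10:03Z carol 10.0.0.13 GET http://cdn-static-assets.invalid/a.js 200 application/javascript http://news.industry-daily.invalid/
2018-01-15T09:10:04Z carol 10.0.0.13 GET http://cdn-static-assets.invalid/update.exe 200 application/x-msdownload http://cdn-static-assets.invalid/a.js
2018-01-15T09:12:00Z dave 10.0.0.14 GET http://mail.example.com/inbox 200 text/html -
"""

# Content types that indicate a dropped payload rather than page content.
PAYLOAD_TYPES = {"application/x-msdownload", "application/x-dosexec",
                 "application/octet-stream", "application/java-archive"}


@dataclass
class Request:
    ts: datetime
    user: str
    src: str
    method: str
    url: str
    status: int
    ctype: str
    referer: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def ref_host(self) -> str:
        return "" if self.referer == "-" else (urlparse(self.referer).hostname or "")


def parse_log(text: str) -> list[Request]:
    """Parse the whitespace-separated format used by the constructed sample."""
    reqs = []
    for line in text.strip().splitlines():
        ts, user, src, method, url, status, ctype, referer = line.split()
        reqs.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, src, method, url, int(status), ctype, referer))
    return reqs


def detect_watering_hole(reqs, popular_min_users=3, rare_max_users=1,
                         window=timedelta(minutes=5)):
    """Flag requests to rarely-seen hosts that were referred by widely-used ones.

    A compromised watering hole usually fingerprints visitors and only redirects
    the intended targets, so the malicious host shows up for one or two users
    while the referring site is visited by many. If the same client then pulls
    a payload-type response from that host shortly afterwards, record it too.
    """
    users_by_host = defaultdict(set)
    for r in reqs:
        users_by_host[r.host].add(r.user)
    popular = {h for h, u in users_by_host.items() if len(u) >= popular_min_users}
    rare = {h for h, u in users_by_host.items() if len(u) <= rare_max_users}

    alerts = []
    for i, r in enumerate(reqs):
        if r.host not in rare or r.ref_host not in popular:
            continue
        payload = next((f for f in reqs[i + 1:]
                        if f.user == r.user and f.host == r.host
                        and f.ctype in PAYLOAD_TYPES and f.ts - r.ts <= window), None)
        alerts.append({"user": r.user, "via": r.ref_host, "to": r.host,
                       "payload": payload.url if payload else None})
    return alerts


if __name__ == "__main__":
    for alert in detect_watering_hole(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample this raises one alert: carol, referred by the news site to cdn-static-assets.invalid, which served update.exe a second later. In production the popular and rare host sets should be built from weeks of history rather than the same window being inspected, and an allow-list of known content-delivery networks keeps legitimate third-party assets from being flagged.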
The plain fact is that the adversaries sometimes understand us better than we do. They are in some ways more motivated to do harm than organisations are to protect their systems, in part because the rewards for breaching organisations can be greater than the gains from strengthening security.
Second, an extensive shadow industry is being created around hacking and data that will make it both easier and more lucrative to engage in such dark trades.
Hacking has created a shadow economy where data is bought and sold on the dark Web to organised cyber criminal syndicates. Data is the new oil. It is what threat actors are after, and what needs the most protection.
Personal data is not the only commodity. Exploits and zero-days are for sale, large botnets are available for rent, and so are services such as ransomware-as-a-service and DDoS-as-a-service. A DDoS (distributed denial-of-service) attack floods a target system with more traffic than it can handle, bringing it down.
There is a market for exploits - code that attacks a computer system through a specific vulnerability - and the growing number of actors trading them has driven up supply.
An iOS zero-day - an exploit for a previously unknown vulnerability in Apple's mobile operating system - can fetch as much as US$1.5 million (S$2 million). It is no wonder that technically gifted programmers see the attraction of providing such services.
In 2018, we will see an increasing number of extortionist attacks around the world targeting critical infrastructure. Transportation, energy and medical institutions are choice targets as a service outage can cause severe public backlash and, therefore, increases the possibility of a payout.
In recent months, the healthcare industry has suffered a growing number of attacks. This is because of the value of healthcare data - such as medical histories - which can be used for a variety of cyber fraud.
Cyber attacks will cost US hospitals more than US$305 billion over five years and one in 13 patients will have their data compromised by a hack, according to industry consultancy Accenture in a 2015 report.
A 2016 study by Brookings showed that, since late 2009, the medical information of more than 155 million Americans has been exposed without their permission through about 1,500 breaches.
Healthcare institutions are vulnerable partly because government regulations forced healthcare operators to adopt electronic health records and other advances even if they weren't ready to adequately invest in security.
Would-be smart nations should take note, and ensure that mass adoption of digital solutions does not create a security nightmare by giving hackers an endless attack surface to target.
EVOLVE TO STAY AHEAD
So how should organisations respond? For swift detection and mitigation of threats, round-the-clock monitoring of networks, applications and devices, through an in-house security operations centre or an outsourced service, is critical. The next generation of security operations centres also needs to incorporate big data analytics and machine learning to keep on top of the massive amount of data generated.
Organisations need to be more aggressive in vulnerability assessment and penetration testing by conducting them more frequently. They might even consider providing incentives to white hat hackers through bug bounty programmes (which pay these hackers for discovering flaws).
At the operational level, the overall incident response framework must be routinely audited and strengthened. The incident response team must be drilled through specific skills training, tabletop scenarios, and full-fledged red team-blue team exercises (blue team being the defenders; red team the simulated attackers), in which they are pitted against a group of white hat hackers trying to break through their defences. External assistance should be sought if there is a lack of internal skillsets or personnel.
Singapore organisations especially need to take the threat of cyber attacks more seriously. A survey conducted by managed security services provider Quann and research firm IDC in June last year covered 150 senior IT professionals from medium to large companies based in Singapore, Hong Kong and Malaysia.
The results showed that 40 per cent of the respondents do not have incident response plans for when they are being attacked and 67 per cent do not practise their incident response plans.
Cyber security requires a comprehensive approach that goes beyond the chief information security officer or head of information technology. The executive leadership must not see cyber security as a cost centre and an IT issue, but as an integral part of corporate risk management.
Senior management and the board must understand the threat landscape and data protection strategies.
Beyond the board and management, every employee matters. A Cyber Security Agency of Singapore 2017 survey showed that Singaporeans display risky behaviour that jeopardises their own and their company's cyber security. It does not matter how advanced the corporate anti-virus is if employees indiscriminately download free but potentially malware-laden software from dubious sources. Every careless employee is an open door for hackers to exploit.
With the number and complexity of attacks rising, enterprises need to stay on top of their cyber security preparedness.
Effective cyber security is not about keeping up with the cyber security products arms race. Instead, it is about ensuring that seemingly mundane tasks, such as keeping patches up-to-date, ensuring that security hardware is maintained and managed well, and ensuring compliance with user policies and procedures, are performed well by human beings.
Even with the best technology, the human factor plays a critical role in ensuring enterprises stay cyber secure. Firewalls must be kept up-to-date but the most important firewall is still the human one.
•Foo Siang-tse is managing director of Quann, a managed security services provider. Shashi Jayakumar is head of the Centre of Excellence for National Security and Executive Coordinator, Future Issues and Technology at the S. Rajaratnam School of International Studies, Nanyang Technological University.
A version of this article appeared in the print edition of The Straits Times on January 26, 2018, with the headline 'Cyber threats: 2018 and beyond'.