As 2019 draws to a close, we take a look at how the year has panned out on the cyber front. What have been the main trends witnessed over the last 12 months, and what can we learn from them to prepare for 2020 and beyond?
Ransomware: The ‘Gift’ to Criminals That Keeps On Giving
The main threat in 2019 continued to be ransomware, a relatively simple attack which encrypts information on endpoints and servers and demands a ransom payment in exchange for releasing the hijacked data. A ransomware attack does not attempt to be stealthy; notification of its existence is part of the MO, and aside from locking files, ransomware does not (directly) cause other damage to the infected system. That said, it’s precisely the knock-on denial of service effects arising from crucial data being made unavailable that make the business case to pay or to not pay turn in the criminals favour.
From a technical point of view, this is a threat that should be quite simple to deal with, and reducing the number of organizations that continue to offer criminals an easy pay day while putting their own essential services at risk is something that should be top of the agenda for every CISO in 2020. If there is a proper backup strategy in place, all the organization has to do is erase affected workstations and recover from the most recent pre-infection snapshot or image. Even better, a trusted EDR solution is easily capable of preventing ransomware in the first place and rolling back infected devices in the second.
In practice, however, too many organizations are caught unprepared. Too many businesses have sprawling networks with poor visibility and a wide-range of legacy devices. Too many businesses are using outdated information systems; too many have insufficient awareness of the threat; too many do not backup regularly or update software frequently enough. The practicalities for some organizations are far from trivial and not to be underestimated, but the reality is that no matter how big the challenge, businesses that fail to get their networks in order and implement simple, best practices across their endpoints can expect to be severely affected by ransomware attacks.
Take, for example, the Baltimore Municipality, which experienced a ransomware attack in May 2019. The attack left the city offline for weeks, and the recovery was slow and expensive. The Baltimore Municipality estimates the cost of the financial attack to be $18.2 – the city’s Information Technology Office has spent $4.6 million on recovery efforts since the attack and expects to spend another $5.4 million by the end of the year. Another $8.2 million cost comes from potential lost or delayed revenue, such as money from property taxes, real estate fees and fines.
The 2019 Baltimore attack was the first in a wave of (sometimes coordinated) attacks on U.S. cities and towns throughout the remainder of the year. The most notable attack was against 22 Texas cities and agencies. In addition, the education sector has been hit hardest by criminals. Since the beginning of 2019, there have been hundreds of ransomware attacks against US public schools – more than the total number of all attacks on US entities in 2018. Some school districts have been disabled for months because of such attacks.
Ransomware attacks have more than doubled globally over the past 12 months, with the United States being the target of more than half of the world’s incidents. The situation has become so dire that ransomware is considered a threat to US national security and there are real fears that ransomware attacks could interfere with the upcoming U.S. elections, either through voting machines or voter data being targeted for encryption.
Ransomware Take Away for 2020: take yourself out of the firing line, get proper protection and implement a robust backup and contingency plan. This is not just Security 101, but Security 911. 2019 teaches us that those who fail to make the right, crucial call to get on top of their networks will be caught out.
APTs: Making Nation-State Attacks Great Again
Government-backed, advanced persistent threat actors have been particularly busy this year. The Chinese, Iranians and North Koreans have all been seen engaging in hacking activities during 2019, while the US government has itself made unofficial admissions of cyber attacks against Iranian facilities this year.
Notable attacks seen during 2019 were a widespread attack on the airplane maker Airbus, an attack on a host of financial entities that generated $3 billion in revenue for North Korea, and Iranian attacks on Saudi entities and companies. In addition, it turns out that the Chinese passenger plane C919 unveiled this year is almost entirely copied from a series of American and other manufacturers, suggesting that stolen IP played a big role in its development. The US Secretary of Defense recently said that China is committing the biggest IP theft in human history. Needless to say, most of the information was stolen through cyber measures.
Unlike previous nation-state cyber attacks, these attacks are wide-ranging, affecting a variety of bodies, individuals and companies while striving to reach their final goal. In the process, many more entities that traditionally are not considered the targets of these sophisticated attackers are being hit. These include infrastructure companies and service providers. Undoubtedly, the changing threatscape will also require these entities to invest more in securing their information and infrastructure.
Clues to this could be seen in a new regulation by the US Department of Defense, the CMMC, which will apply to 300,000 sub-contractors this year to the organization’s major arms manufacturers and suppliers, requiring them to deploy appropriate safeguards as a condition for participation in tenders. Never ones to take half measures themselves, the Chinese government has come to the conclusion that it no longer trusts US tech, and has ordered all government and public institutions to remove US hardware and software and be 100% completely domestically-sourced by 2022.
APT Take Away for 2020: expect more of the same. As nations vie for strategic advantage in cyberspace, it looks increasingly like the battle will extend to securing and homogenizing the supply chain by the big players, with the smaller players likely having to pick their side.
IoT: Yet Even More ‘Stranger Things’ on Your Network
As the number of Internet of Things (IoT) devices invading enterprise networks continues its inexorable growth, both nation-state actors and criminal enterprises have this year naturally taken an interest in exploiting IoT devices.
Earlier this year, APT actor Fancy Bear, aka Strontium, attacked printers, video decoders and IP/VOIP phones to gain wider access to corporate networks. Meanwhile, copy-cat Mirai botnets continued to exploit unpatched devices susceptible to Eternalblue throughout 2019, with one security vendor reporting that virtually all attacks seen on their honeypots were automated scripts designed to attack at scale.
Increasing attention to the security of internet-connected appliances is, therefore, a necessity for every organization. It’s becoming ever-more difficult to avoid such things appearing on your network as manufacturers continue to add internet and ‘cloud’ capability to the most mundane of devices.
IoT Take Away for 2020: network visibility is going to be crucial. You cannot defend what you cannot see, and every blindspot is a potential soft access point into your wider network.
Breaches and Leaks: All Your Data Are Belong to Us!
Many of the “cyberattacks” we hear about are not attacks at all, but data breaches that are a result of malicious or negligent actions that expose sensitive information to the wider world. Digital data leakage has always existed, but as the amounts of data are growing exponentially and organizations are moving to cloud-based systems, data breaches are becoming more frequent and more severe.
Data breaches on frightening scales – like an entire nation – are the price of organizations becoming dependent on the cloud for storing information while at the same time lacking the knowledge, skill or will to implement secure cloud best practices.
For example, many organizations store their entire customer database on cloud services such as Amazon AWS or Microsoft Azure. These are robust platforms when used properly, but it’s also easy for clients to misconfigure firewalls, leave open permissions, use weak or recycled passwords or fail to secure other credentials.
Such basic failures have led to millions of sensitive records being exposed this year: medical records, financial information, personal information and more. As is so often the case, the technology is not at fault here. The challenge today is to develop the skills of the DevOps who operate these cloud environments to be aware of the dangers and to act intelligently.
As an example of what can happen when organizations fail this challenge, see the Canadian Bank of Nova Scotia developers who retained parts of the source code as well as passwords and credentials for sensitive systems on the open source storage system Github.
Breaches Take Away for 2020: do the right thing. There’s no shortage of best practices information on how to prevent and deal with data breaches, but research has shown that even some of the top consulting firms fail to take their own advice. Don’t be one of them.
Disinformation: Fake It Till You Make It, Politics’ New Normal
This year, we experienced a rise in a trend that affects our lives more deeply than just “cyber-hacking” – the increasing involvement of cyber attacks in politics. From Israel’s Prime Ministerial candidate’s mobile phone that was allegedly hacked by Iranians, through to Israeli offensive cyber companies whose products serve various regimes around the world for spying on political parties, to campaigns with political motivations by countries such as Russia and North Korea, and even ransomware campaigns featuring images of President Trump (or Hillary Clinton).
There is an understanding in the industry, as well as in the behavior of democratic states, that there will no longer be any “cyber-less” elections. The UK election in December 2019 has already witnessed several cyber incidents: DDoS attacks on one of the major parties, disinformation strategies by the other, and Russian-backed entities allegedly leaking information related to key election issues have all been seen.
With Deep Fakes and disinformation campaigns now being treated as genuine electoral tactics, there is even greater need to increase general awareness among the public about this threat to democracy as we move toward the US 2020 election season.
Disinformation Take Away for 2020: security mechanisms around influential political figures and political party apparatus must be tightened and more effort is needed to secure voting processes from tampering. On top of that, we all need to treat the 24/7 news cycle, designed to maximize instant likes, retweets and to hit that “gone viral” sweetspot, with a healthy degree of skepticism.
2019 was a clear continuation of the years that preceded it, but more intense — more attacks, more data breaches and greater damage throughout the world. Will 2020 bring any relief or will the threats keep escalating? The problems we’ve seen in 2019 aren’t going to “magic” themselves away, but nor are we helpless. The big takeaway from 2019 is that organizations and companies, governments and individuals must invest more in information security, education and prevention. Cybercrime is a solvable problem that no one needs to be a victim of.
But for those that continue to ignore the reality and refuse to accept the challenges of doing business in the modern, connected world, then 2020 will likely be bleaker than its predecessor, and not the other way around.