Channel: Symantec Connect - Blog Entries

Threats at every turn – time to hit back


The ‘evolving threat landscape’ is constantly referenced, but just what is that landscape, and what does it mean for organisations intent on keeping themselves safe from attack? In essence, the threats come from a number of directions but, broadly speaking, can be categorised as ‘Cybercrime’, ‘Sabotage’, ‘Subversion’ and ‘Espionage’. It is a murky world, and one whose dangers need to be understood and recognised if the right steps are to be taken to ensure effective protection.

Just to get some idea of the scale of what has been happening, Symantec’s own security intelligence indicates that, in the world of cybercrime alone, more than 1,400 financial institutions in 88 countries have been regularly attacked with ‘financial Trojans’ since 2013, and infections have tripled over that period. The USA, Japan, the UK and Germany have been the hardest hit.

As the threat landscape evolves and matures, cybercrime gangs that once favoured fake antivirus (FakeAV) scams have moved into ransomware with a vengeance, with a 500% increase in infections in 2013 alone. Users are told they have been caught accessing illegal content and that a fine must be paid to unlock the computer. If the user enters the payment PIN, it is sent to the attacker’s command-and-control server. Of course, the computer is rarely unlocked after payment.

An evolution of ransomware is Cryptolocker, in which cybercriminals hold the data itself to ransom. Files on the infected computer are strongly encrypted and payment is demanded for their decryption, which is not possible without the private key held by the attacker.

Cybercrime infrastructure has also become more robust and resistant to takedown attempts, with a greater move towards a peer-to-peer (P2P) botnet architecture. A traditional botnet, in which every bot connects to attacker-controlled command-and-control (C&C) servers:

  • Has a single point of failure
  • Has only one or a few C&C servers
  • Is vulnerable to takedown and sinkholing.

A peer-to-peer botnet:

  • Has no single point of failure
  • Has every peer acting as a C&C server
  • Is difficult to take down or sinkhole.

It is no great surprise, then, that cybercriminals are increasingly moving to P2P: the absence of a centralised C&C infrastructure makes the botnet far more resilient.

However, the cybercriminals are not having it all their own way. Let me give you one example of where Symantec hit back, neutralising half a million ZeroAccess bots. ZeroAccess uses a highly resilient, decentralised P2P architecture in which every botnet member acts as a C&C server, which should make sinkholing almost impossible. Symantec’s answer was to create sinkholes that behaved like ordinary peers and to insert the sinkhole addresses into bots’ peer lists. Because bots constantly exchange peer lists with one another, those entries propagated through the botnet until, eventually, the affected bots held nothing but sinkhole addresses and were detached from the botnet. This made a serious dent in the ZeroAccess infrastructure.
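The peer-list poisoning described above, as an added example that is not Symantec’s code and not the ZeroAccess protocol: a toy simulation in which ordinary peers answer list requests with their own peer list, while sinkhole peers introduce themselves to bots and answer every request with a list containing only sinkhole addresses. The list capacity of 16, the 16 sinkhole addresses, the one-request-per-bot-per-round behaviour and the ‘most recently seen entries win’ merge rule are all simplifying assumptions; the botnet itself is constructed inline.

```python
"""Toy model of P2P botnet sinkholing by peer-list poisoning (added example)."""
import random
from dataclasses import dataclass, field

K = 16                                              # peer-list capacity per bot (assumed)
SINKHOLES = [f"sink-{i:02d}" for i in range(16)]    # assumed: at least K addresses, so a list can be filled
SINKHOLE_SET = frozenset(SINKHOLES)


@dataclass
class Bot:
    addr: str
    peers: dict = field(default_factory=dict)       # peer address -> round it was last seen

    def merge(self, learned: dict) -> None:
        """Absorb an (address -> last-seen round) map and keep the K freshest entries.

        Newer sightings replace older ones; ties are broken by address so the run
        is deterministic. A sinkhole's answers always carry the current round, so
        they outrank every genuine entry the bot already holds.
        """
        for addr, seen in learned.items():
            if addr != self.addr and seen >= self.peers.get(addr, -1):
                self.peers[addr] = seen
        freshest = sorted(self.peers.items(), key=lambda kv: (-kv[1], kv[0]))[:K]
        self.peers = dict(freshest)

    def detached(self) -> bool:
        """True once every entry in the peer list is a sinkhole."""
        return bool(self.peers) and all(a in SINKHOLE_SET for a in self.peers)


def build_botnet(n_bots: int, rng: random.Random) -> dict:
    """Constructed sample botnet: each bot starts with K random genuine peers."""
    addrs = [f"bot-{i:03d}" for i in range(n_bots)]
    bots = {}
    for a in addrs:
        others = [o for o in addrs if o != a]
        bots[a] = Bot(a, {o: 0 for o in rng.sample(others, K)})
    return bots


def answer(bots: dict, addr: str, now: int) -> dict:
    """What `addr` returns when asked for its peer list."""
    if addr in SINKHOLE_SET:
        return {s: now for s in SINKHOLES}          # sinkhole: only sinkholes, all fresh
    return dict(bots[addr].peers)                   # genuine peer: its real list


def simulate(n_bots: int = 100, rounds: int = 400, poison: bool = True, seed: int = 1):
    """Run the botnet; return (bots, number of detached bots after each round)."""
    rng = random.Random(seed)
    bots = build_botnet(n_bots, rng)
    addrs = list(bots)
    detached_per_round = []
    for now in range(1, rounds + 1):
        if poison:
            # Each sinkhole introduces itself to one random bot, which records the
            # new peer the way it would record any peer that contacted it.
            for s in SINKHOLES:
                bots[rng.choice(addrs)].merge({s: now})
        for bot in bots.values():
            # Every bot asks one random peer for its list and merges the reply;
            # the responder itself is marked as seen right now.
            peer = rng.choice(list(bot.peers))
            learned = answer(bots, peer, now)
            learned[peer] = now
            bot.merge(learned)
        detached_per_round.append(sum(b.detached() for b in bots.values()))
    return bots, detached_per_round


def detached_fraction(bots: dict) -> float:
    """Share of bots whose peer list now contains only sinkhole addresses."""
    return sum(b.detached() for b in bots.values()) / len(bots)


if __name__ == "__main__":
    bots, history = simulate()
    for rnd in (1, 10, 50, 100, 400):
        print(f"round {rnd:3d}: {history[rnd - 1]:3d} of {len(bots)} bots detached")
    print(f"final: {detached_fraction(bots):.0%} of bots hold only sinkhole addresses")
```

Two properties of the model carry the argument. A bot that contacts a sinkhole receives a full list of sinkhole addresses stamped with the current round, which outranks everything it holds, so its genuine peers are evicted in a single exchange; and a bot that holds only sinkhole addresses can never learn a genuine address again, so the detached count never decreases. Running the simulation without poisoning (`simulate(poison=False)`) leaves every bot attached, which is the control case.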

Similarly, close collaboration between law enforcement and the security industry, under the code name ‘Operation Tovar’, saw the takedown of the GameOver Zeus botnet and Cryptolocker. However, these infections are showing signs of increasing again, so the need for ongoing counteraction is paramount.

Ultimately, whether we are dealing with subversion through hacktivism; distributed denial-of-service (DDoS) attacks, which are rapidly on the increase, with attack size growing 216% across Q1 and Q2 of 2014; sabotage; or cyber-espionage, such as the Turla campaign, which has systematically targeted the governments and embassies of former Eastern Bloc countries, the message is clear: we are only ever safe for as long as we are not an active target. In other words, never imagine that a determined attacker will not come after you just because you have not yet been a victim, or will not come after you again, time and again.

It has become something of a cliché of late that finding yourself under attack or infected is not a matter of if, but when. Like all clichés, of course, it is also true. The more you accept that reality, the more likely it is you will take every possible step to be ready for such an attack in the future.

The good news is that Symantec can provide the expert advice and solutions to help organisations along that path. They don’t have to do this on their own.

