2018: THE YEAR IN CYBER THREATS

ALTHOUGH LACKING IN THE HEADLINE-GRABBING CYBER ATTACKS OF 2017, THIS YEAR HAS BEEN NO LESS IMPACTFUL

Network Middle East - FRONT PAGE

‘WannaCry’ and ‘NotPetya’ of 2017 gave way to ‘Leafminer’ and ‘Cambridge Analytica’ in 2018. The latter made fewer headlines but were just as deadly to their victims. Simply put, cybercriminals picked up from where they left off the year before. Symantec’s recent Internet Security Threat Report revealed as much. Symantec researchers unmasked several region-focused attack groups, including Leafminer, Gallmaker and Chafer. Chafer is an Iran-based targeted attack group, attacking organisations in the Middle East and beyond, and deploying several new tools. The group staged a number of ambitious new attacks last year, including the compromise of a major telecoms services provider in the region. There is also evidence that it attempted to attack a major international travel reservations firm, says Gordon Love, vice president, EMEA Emerging Region, Symantec.

The attack group Leafminer has targeted a broad list of government organisations and business verticals in various regions of the Middle East since at least early 2017. The group tends to adopt publicly available techniques and tools for its attacks and experiments with published proof-of-concept exploits. Gallmaker, on the other hand, eschews custom malware and uses Living off the Land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign. The group takes a number of steps to gain access to a victim’s device and then deploys several different attack tools, and we saw it attempt to infiltrate targets in the Middle East.

This year had an underlying privacy preservation and data protection theme. Privacy concerns were pushed into the limelight following several key moments in 2018 that had a global impact. Cambridge Analytica’s use of private customer data provided by Facebook will likely be remembered as the event that thrust privacy and data protection into the public consciousness. Facebook was fined for “serious breaches of data protection law” and a “failure to sufficiently protect the privacy of its users.”

Indeed, in a 2018 survey of Forcepoint customers, “Concerns over privacy” ranked as the top security issue, notes Mahmoud-Samy Ibrahim, area vice president at Forcepoint, EMEA Emerging Markets.

When it comes to malware, although ransomware attacks during 2018 were fewer in number, they have been more targeted, says Dimitris Raekos, general manager at ESET Middle East. “We have recorded a lot of attacks, especially on government and healthcare sectors, mainly via RDP brute force attacks or via social engineering,” he adds.
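The RDP brute-force pattern Raekos describes is one a defender can surface directly from the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, and, worse, a successful logon (4624) from that same source while the burst is still live. The detector below is an added example, not from the article or from ESET; it assumes the events have been exported as one JSON object per line with the field names shown, and the sample records are constructed.

```python
"""Flag RDP brute-force bursts in exported Windows Security log records.

Added example, not from the article or any vendor. Assumes one JSON object
per line with fields ts, event_id, logon_type, user, src; sample data is
constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log values: 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP / Terminal Services).
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed sample: one external source sprays several accounts and then
# gets in; one internal user mistypes a password once; one non-RDP failure.
SAMPLE_LOG = """
{"ts":"2018-11-03T02:14:05","event_id":4625,"logon_type":10,"user":"Administrator","src":"203.0.113.7"}
{"ts":"2018-11-03T02:14:06","event_id":4625,"logon_type":10,"user":"Administrator","src":"203.0.113.7"}
{"ts":"2018-11-03T02:14:08","event_id":4625,"logon_type":10,"user":"admin","src":"203.0.113.7"}
{"ts":"2018-11-03T02:14:09","event_id":4625,"logon_type":10,"user":"backup","src":"203.0.113.7"}
{"ts":"2018-11-03T02:14:11","event_id":4625,"logon_type":10,"user":"Administrator","src":"203.0.113.7"}
{"ts":"2018-11-03T02:14:40","event_id":4624,"logon_type":10,"user":"backup","src":"203.0.113.7"}
{"ts":"2018-11-03T08:01:00","event_id":4625,"logon_type":10,"user":"jsmith","src":"10.0.0.12"}
{"ts":"2018-11-03T08:01:20","event_id":4624,"logon_type":10,"user":"jsmith","src":"10.0.0.12"}
{"ts":"2018-11-03T08:05:00","event_id":4625,"logon_type":2,"user":"svc","src":"10.0.0.40"}
"""


def parse_events(text):
    """Parse the JSON-lines export and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold RDP failures inside the
    sliding window, plus a higher-severity alert when such a source then
    logs on successfully while its burst is still inside the window."""
    alerts = []
    failures = defaultdict(deque)    # src -> timestamps of recent 4625 events
    users_tried = defaultdict(set)   # src -> distinct accounts attempted
    in_burst = set()                 # sources already alerted for the current burst

    for ev in parse_events(log_text):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                 # only RDP logons are of interest here
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()         # slide the window forward
        if not recent:               # burst has expired: reset per-source state
            in_burst.discard(src)
            users_tried[src].clear()

        if ev["event_id"] == FAILED_LOGON:
            recent.append(ts)
            users_tried[src].add(ev["user"])
            if len(recent) >= threshold and src not in in_burst:
                in_burst.add(src)    # alert once per burst, not per failure
                alerts.append({
                    "kind": "bruteforce", "src": src,
                    "first_seen": recent[0].isoformat(), "last_seen": ts.isoformat(),
                    "failures": len(recent), "accounts": sorted(users_tried[src]),
                })
        elif ev["event_id"] == SUCCESS_LOGON and src in in_burst:
            alerts.append({          # likely credential compromise: escalate
                "kind": "success_after_bruteforce", "src": src,
                "user": ev["user"], "ts": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs; the "success after burst" alert is the one worth paging on, because by then the question is no longer whether the source is hostile but which account it now holds. Non-RDP failures (logon type 2 in the sample) are deliberately ignored so that interactive console typos do not inflate the count.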

There was a dramatic increase in the volume, sophistication, and severity of security events within the Middle East in 2018—even beyond the overall explosion in global attacks, says Amit Roy, executive vice president and regional head for EMEA at Paladion. Apart from the much talked about data leaks and phishing attacks, there were targeted attacks on government organisations and insurance companies in Qatar, sophisticated attacks in Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt and Afghanistan from ‘Leafminer’, and a new threat actor group called ‘DarkHydrus’ targeting Middle East governments.

“There’s one reason for this: organisations in the Middle East face many more politically-motivated attacks than organisations anywhere else,” Roy observes.

It is not all doom and gloom. Cybersecurity vendors made remarkable progress in halting attackers that have menaced businesses for years.

Take UEFI rootkits, for instance: a set of extremely dangerous tools for implementing cyberattacks, hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. No UEFI rootkit had ever been detected in the wild, until ESET researchers discovered a campaign by the Russian Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.

The discovery of the first in-the-wild UEFI rootkit is notable for two reasons, says Raekos. “First, it shows that UEFI rootkits are a real threat and not merely an attractive conference topic. And second, it serves as a heads-up, especially to all those who might be in the crosshairs of the Sednit group,” he adds.

Recent research found that the average organisation in the Middle East has a dwell time of up to 2.5 months. This is just not fast enough when compared to other regions, Roy observes. “But we are seeing organisations embrace near-real-time detection and response services like AI-driven Managed Detection and Response (MDR) to keep up with attackers,” he adds.

From a data protection standpoint, the European Union’s mid-2018 implementation of the General Data Protection Regulation (GDPR) will likely prove to be just a precursor to various security and privacy initiatives in countries outside the European Union.

While we’re almost certain to see an uptick in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful, warns Love.

“For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others,” he adds.


AI AND ML

Automation and machine learning were a major underlying theme for security solutions launched and updated this year. Forcepoint launched its Risk-adaptive Protection (RAP) solution called Dynamic Data Protection. Built to address the barrage of complex and sophisticated threats facing organisations, Forcepoint’s RAP continuously assesses risk and automatically provides proportional enforcement that can be dialled up or down. This capability is enabled through human-centric behaviour analytics that understands interactions with data across users, machines and accounts. “Intelligent context speeds decision-making and security controls specific to changing risk in enterprise networks. With the industry’s first automated enforcement capability that dynamically adapts, security analysts are now freed to focus on high-value activities and eliminate the backlog of alerts from traditional security tools,” says Ibrahim.

ESET’s latest endpoint protection version now includes ESET Dynamic Threat Defence, an off-premise cloud-based sandbox powered by three machine learning engines and human expertise. The Dynamic Threat Defence not only provides rapid analysis of zero-day and ransomware threats before they reach the network, but it is also less costly, as it doesn’t require any additional hardware or software agent, and it works just as well for roaming users, says Raekos.
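The idea behind risk-adaptive enforcement is simple to state and worth seeing in code: behaviour signals raise a per-user risk score, the score decays as the behaviour stops, and the control applied to that user is a function of the current score rather than a fixed policy. The sketch below is an added illustration of that pattern and is not Forcepoint’s code; the signal names, weights, half-life and enforcement tiers are all assumptions chosen for the example.

```python
"""Risk-adaptive enforcement sketch: decaying risk score -> proportional control.

Added illustration, not Forcepoint's code. Signal weights, decay half-life
and tier thresholds are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Assumed weights for signals a behaviour-analytics layer might emit per user.
SIGNAL_WEIGHTS = {
    "off_hours_login": 15,
    "new_device": 20,
    "bulk_download": 35,
    "usb_copy": 30,
    "dlp_block": 40,
}

# Risk halves every 12 hours of quiet, so enforcement dials back down on its own.
HALF_LIFE = timedelta(hours=12)

# Enforcement tiers from least to most restrictive; a score of at least the
# threshold selects the tier (assumed values).
TIERS = [
    (0, "monitor"),
    (40, "log_file_activity"),
    (70, "block_usb_and_uploads"),
    (90, "block_all_data_egress"),
]


def decayed(score, elapsed):
    """Exponential decay of a score over the elapsed timedelta."""
    return score * 0.5 ** (elapsed / HALF_LIFE)


def tier_for(score):
    """Map a risk score to the most restrictive tier whose threshold it meets."""
    level = TIERS[0][1]
    for threshold, name in TIERS:
        if score >= threshold:
            level = name
    return level


class RiskProfile:
    """Per-user risk state: a capped score plus the time it was last updated."""

    def __init__(self, user):
        self.user = user
        self.score = 0.0
        self.last = None

    def observe(self, signal, ts):
        """Decay the existing score to `ts`, add the signal's weight, cap at 100."""
        if self.last is not None:
            self.score = decayed(self.score, ts - self.last)
        self.score = min(100.0, self.score + SIGNAL_WEIGHTS[signal])
        self.last = ts
        return self.score

    def current_score(self, now):
        """Score as of `now`, without recording an event."""
        if self.last is None:
            return 0.0
        return decayed(self.score, now - self.last)

    def enforcement(self, now):
        """The control a policy enforcement point should apply right now."""
        return tier_for(self.current_score(now))


def walk_scenario():
    """Constructed sequence: a user escalates over 15 minutes, then goes quiet."""
    t0 = datetime(2018, 11, 5, 22, 0)
    p = RiskProfile("jdoe")
    trace = []
    for signal, offset in [("new_device", 0), ("bulk_download", 10), ("usb_copy", 15)]:
        ts = t0 + timedelta(minutes=offset)
        p.observe(signal, ts)
        trace.append((signal, round(p.score, 1), p.enforcement(ts)))
    # Two days later the score has decayed through four half-lives.
    later = t0 + timedelta(hours=48, minutes=15)
    trace.append(("quiet_48h", round(p.current_score(later), 1), p.enforcement(later)))
    return trace


if __name__ == "__main__":
    for step in walk_scenario():
        print(step)
```

The decay is what makes the enforcement "dial down" without an analyst clearing anything, and the cap keeps a noisy user from accumulating an unbounded score. In a real deployment the enforcement point (DLP agent, proxy, IAM) would query `enforcement()` on each data interaction rather than on a schedule.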

Paladion launched its AI-driven Managed Detection & Response (MDR) service this year. The service integrates proprietary AI and machine learning into every stage of cyber defence.

“Now, our clients can finally process—in real time—the hundreds of terabytes of organisational data and global threat intelligence produced by both digital infrastructures and modern cybercriminals—dramatically increasing their security posture’s speed and efficiency,” Roy says.

Symantec, on the other hand, launched Advanced Threat Protection (ATP) 3.1 with Targeted Attack Analytics. The company’s Targeted Attack Analytics (TAA) technology enables ATP customers to leverage advanced machine learning to automate the discovery of targeted attacks – the most dangerous intrusions in corporate networks, says Love.

“The TAA technology implements machine learning to analyse a broad range of data, including system and network telemetry from Symantec’s global customer base, which forms one of the largest threat data lakes in the world. Symantec’s cloud-based approach to this technology also enables the frequent re-training and updating of analytics to adapt to new attack methods without the need for product updates,” Love of Symantec explains.

Advancing technology is a double-edged sword though. Even as AI-based solutions helpfully automate manual tasks and enhance decision making and other human activities, they also emerge as promising attack targets, as many AI systems are home to massive amounts of data, Love observes.

In addition, researchers have grown increasingly concerned about the susceptibility of these systems to malicious input that can corrupt their logic and affect their operations. The fragility of some AI technologies will become a growing concern in 2019, Love warns.

Attackers won’t just target AI systems, they will enlist AI techniques themselves to supercharge their own criminal activities. “Automated systems powered by AI could probe networks and systems searching for undiscovered vulnerabilities, including “ghost” code such as old Excel macros and other software remnants that exist on many computers and can be exploited for some attacks.

“AI could also be used to make phishing and other social engineering attacks even more sophisticated by creating extremely realistic video and audio or well-crafted emails designed to fool targeted individuals,” Love says.

Cloud will continue to open up massive security vulnerabilities, while also enabling cybersecurity firms to offer cost-effective comprehensive security services, says Roy. AI, on the other hand, will supercharge both cyber attacks and cyber defences – especially in detection and response. And while blockchain’s impact on cyberattack and cyberdefence remains too early to accurately predict, it is doubtful it will be the security saviour some are touting it to be. “There’s no magic bullet to security, only constant evolution,” Roy asserts.

Attribution will become more difficult to prove due to sophisticated subversion techniques, and new attack methodologies will cripple organisations that are unprepared for the ever-changing cyber landscape, says Forcepoint’s Ibrahim.

“Attackers will continue to use ML and available AI tools to spotlight security gaps and steal valuable data. Artificial attackers are formidable opponents, and we will see the arms race around AI and machine learning continue to build,” Ibrahim adds.

That said, the AI security story does have a bright side. Threat identification systems already use machine learning techniques to identify entirely new threats. And it isn’t just attackers that can use AI systems to probe for open vulnerabilities. Defenders can use AI to better harden their environments against attacks, Love observes. For example, AI-powered systems could launch a series of simulated attacks on an enterprise network over time in the hope that an attack iteration will stumble across a vulnerability that can be closed before it’s discovered by attackers.

Closer to home, AI and other technologies are also likely to start helping individuals better protect their own digital security and privacy. AI could be embedded into mobile phones to help warn users if certain actions are risky. For example, when you set up a new email account, your phone might automatically warn you to set up two-factor authentication. “Over time, such security-based AI could also help people better understand the trade-offs involved when they give up personal information in exchange for the use of an application or other ancillary benefits,” Love says.

THE YEAR AHEAD

Though it is hard to predict what black hats have planned for 2019, we can expect more targeted cyber attacks in the private sector, along with sophisticated cyber warfare targeting organisations with critical infrastructure and important data, says Raekos.

“Without a doubt, there will be many more data breaches despite the newly applied regulations like GDPR. On top of these, the constant increase of internet of things devices, both on company networks and in homes, along with the vulnerabilities that do exist in most of them, will spark the interest of attackers,” he adds.

SMEs are also increasingly in the crosshairs of sophisticated attackers. In the past, advanced attacks took substantial effort to orchestrate, which made enterprises the only targets worth investing in attempting to breach, Roy of Paladion observes. However, automation has reduced the effort required to deploy sophisticated attacks, and enterprises have invested heavily in their internal defence, making them much harder targets, he adds.

In 2019, attackers will break into industrial IoT devices by attacking the underlying cloud infrastructure. This is much more desirable for an attacker since it represents a much bigger payday once access is obtained to the underlying systems of these multi-tenanted, multi-customer environments, warns Ibrahim.

“There are three issues at play here: the increasing network connectivity to edge computing; the difficulty in securing these devices as more compute moves out to the edge, as it does in remote facilities and IoT devices; and the exponential number of devices connecting to the cloud for updates and maintenance,” he adds.

Trust will be a common theme for 2019. For all the damage cyber-attacks are capable of—the undermining of physical systems, digital disruption, and the loss of valuable data and intellectual property (IP)—nothing is more detrimental to society than the cost of severed trust, says Forcepoint’s Ibrahim. “Trust is the difference between innovation and IP loss, between an organisation’s long-term success or failure,” he adds.

2018 was a precursor to how technology can be used for and against defence. The coming year will be a true war of wits as both threat actors and security teams battle for the control of corporate assets.
