InfoSec 2018: Hannigan - not cyberwar, but Russian cyber-conflict underway

News by Tony Morbin

With increasing volume and sophistication of attacks by our usual adversaries, alongside commoditised pricing and IoT, what level of panic should we give our customers?

"We are probably in a cyber-conflict with a lot of people including Russia. It feels like we are already engaged in a cyber-conflict [with Russia] with lots of attacks, but whether you would call it a war...? There is less actual damage," commented Robert Hannigan, former director general of GCHQ, in response to a questioner at his InfoSecurity 2018 keynote today who'd asked, 'Are we in a cyber-war with Russia?'

In his presentation, 'Weaponising the web: Nation-state hacking and what it means for Enterprise cyber-security', Hannigan noted that there are two main issues to contend with: trying to retrofit security onto the internet, and trying not to make the same mistakes as 30 years ago, which would leave us needing to retrofit our future.

Hannigan suggested that despite all the changes, the three attack threats remain the same: lone actors, cyber crime, and nation states - though the nature of the nation state threat had changed the most, to become a problem for everyone, rather than just one for governments to tackle.

Lone actor 

Within the lone actor category, there were those such as the TalkTalk hackers, talented individuals who'd done it to impress their mates. They are a problem, but were more so 10 years ago when there weren't so many other problems - and as individuals they can eventually end up on the side of defenders.

Others, who today don't need to be technically capable, include hacktivists, now using the digital world to pursue their political ambitions in the real world, and the insider threat, such as a disgruntled employee who can now do disproportionate damage to reputation and financially impact real data. Plus there are competitors spying on each other: for example, companies have found themselves continually losing contracts to the same competitor by the same margin.

And there are terrorists, who have aspirations to carry out dramatic attacks but are mostly a long way from having that capability - though with services that can be bought, or via a nation state that could sponsor cyber-terrorism, they remain a threat that has to be kept ahead of.

What's changed is the volume of attacks and the fact that you now don't need to be an expert, as you can buy the tools or the managed service via the dark web.


That led on to cyber-crime, with the criminals described as spotting the opportunity and moving with agility, mimicking the digital economy on the dark web with things like shopping trolleys, customer service and 'you may also like' recommendations to sell illegal services. Hannigan even confirmed, "We know of assassinations arranged by darkweb," though he said it's likely that most 'assassination services' are actually law enforcement. The result is a commodity market in hacking and managed services, e.g. paying for a DDoS attack - it's low cost and easy to do - and this has escalated the problem. Criminal groups are thus solving their lack-of-skills problem.

Some large criminal groups are run by a CEO equivalent who organises the group and pays off law enforcement where they are based, which needs to be somewhere with either no rule of law or a corrupt rule of law - plus good broadband. They can then pull in skills from anywhere in the world as needed. The people they need to run a 'criminal cloud' include, say, bot herders; they can buy infrastructure or take it from others; and they need to introduce specialists and data miners - who can name their price.

Once they have penetrated a network they will sit there and identify what is monetisable - sometimes they are better at that than their victims - and can then blackmail people, sell credit card details or compromising information, or do the actual fraud themselves. Most importantly, they need networks to cash out, which is increasingly difficult to do - previously they used credit cards and money transfers, but now it's mostly bitcoin. And they can use other criminal activity to cash out.

They are also able to change their network, measure success, drop product lines that are not producing the goods and invest elsewhere. So for defenders, it's about hardening defences, not achieving perfection. The criminals are looking for soft, cheap, high-volume targets - not small targets unless they are very lucrative.

"What's changing is the volume, sophistication - the tools available are more impressive than a few years ago. We are seeing whole new areas of fraud appear and we can see the creative discussions going on on the dark web to look at new attacks. Microsoft identified almost one million new pieces of malware per day, mostly for crime."

As we harden our defences, they are going for different targets - high net worth individuals, family operations etc. - as cyber criminals are increasingly scanning for companies with a vulnerability. Companies who thought they were below the radar can now get caught as collateral damage (e.g. WannaCry), plus criminals are increasingly scanning for that complacency and vulnerability.

Nation states

There is also the overlap with crime and nation states. "It's always been there, and online we are seeing the whole spectrum - classic corruption of paying off government officials, to criminals as a proxy of nation states, paid off by them, sitting in the same room in some cases, and we can see cases where people have conducted state activity in the day and crime at night - so a mix of crime and political intent."

Hannigan suggested that one good thing in identifying nation state activity online is that nation states "...behave online as they do in the real world. North Korea is trying to steal money in the physical world so why wouldn't they do it online - WannaCry, SWIFT attacks - are not crazy, rational acts, but part of seeking money."

Iran was described as engaging in calibrated attacks, e.g. DDoS on banks, BBC Persian services and universities - for effect. It was suggested that if the nuclear deal collapses, we should expect cyber-attacks to increase, as they are a capable state and there is connected criminal activity.

At the higher end of sophistication comes Russia. "It's not new for us, we've seen [Russian hacking] activity from the 90s, when there was not much to attack, just government and military. Russia has now put a lot of people and money in all three agencies, but the biggest change is in its intent." Hannigan suggested they "could be intel gathering for a reason we don't understand. If you become not worried about being found out and want to be disruptive - that change is the concern."

The US or UK finding Russian penetration of utility infrastructure is not new; it's a capability they always had, but the change in their decision to weaponise internet use, such as switching off domestic power in Ukraine, makes it more of a concern. Utility attacks, on energy and telcos, are a rational espionage decision, and a lot of the details of US attacks show traditional approaches such as spear-phishing and watering holes. What is different is the level of sophistication, which allows it to evade most tools, such as infiltrating a trusted vendor account in a really clever way for its spear-phishing mails, and using social media so its messages are not crude. And the watering holes are not fake websites; they are infecting actual sites you would use in your sector.

Second, there is the subversion of infrastructure and the IT supply chain - as seen in a Cisco advisory showing they can tamper with traffic and destroy credentials. "It's a worrying place to find things, particularly installed by a hostile state on the backbone of the internet, but it's less clear why they have targeted domestic routers," said Hannigan, while noting Russia is quite keen on live testing, including in Syria, where it stopped a French TV station, an incident flagged as an Islamic caliphate attack that was actually testing and false flagging by Russia.

Nation states are getting more sophisticated, but also more brazen and less worried about getting caught and named. "If they feel that they don't have a stake in the digital systems, why not? And there is always a level of deniability, even if it is attributable. But the likelihood is that a miscalculation will see someone killed - it's just a matter of time. ...[And if there were US] patients dying it puts pressure on governments to do something decisive." And there is the risk of unintended collateral damage, as seen with NotPetya.

What should we do?

We need to keep worrying about the old problems which are not going away - DDoS, ransomware. And new things are being amplified, as the IoT delivers a massive expansion of the attack surface that is not being corrected by the market, as the cameras still work, are low cost and have little or no security built in. Hannigan suggested that eventually government regulation is likely to be needed to fix this, but that for now companies need to look at what is connected to their networks.

Unsurprisingly, it was suggested that cloud security will be an area of huge concern to everyone. "For most users, cloud security is better than your own security, but there are caveats." NCSC has published 14 questions to ask your provider and it was suggested companies do ask these questions.

It was also suggested that, as useful as AI and machine learning may be when used for defence, "It may be better for attack than defence, finding vulnerabilities - and we believe some criminal gangs are using it for that purpose."

Regarding the level of panic we should give our customers, Hannigan reiterated that state threats have become a threat for all of us, but that it still holds true that 80 to 90 percent of attacks can be prevented by doing the right thing, in particular:

Keep software up to date

Avoid poor network configuration

Avoid poor credential management

Other questions from the floor included the likelihood of arms-selling countries selling cyber-weapons. In most cases, it's more about countries helping allies rather than selling weapons, said Hannigan, but North Korea was described as selling arms to anyone, thus it could be the first place to start - though it was not perceived as having much to sell. On information sharing and GDPR, the ICO was quoted as having said that a failure to report [breaches] is an invite to be fined, but that it's easier to say you will share information than to do it.

Law enforcement was described as struggling and not having the specialist personnel they need, "and it will be a while before they do." On the idea of people needing security clearance to work in CNI, it was noted that some already do and more are likely to need clearance in the future, such as the SOC team in infrastructure companies. Energy companies were also singled out as being particularly poor at knowing their own attack surface due to the complexity of their systems, including legacy due to M&A.

As for what one tells the board, it was essentially a case of them wanting to know what information they needed, and what metrics should be used to evaluate risk - and to know where spending money might make a difference.
There was a lot of referencing NCSC as a source of advice, and it was described as an experiment in changing the model from that [of GCHQ] of being behind a wall - perhaps hinting that other secret agencies may also become more open going forward.
