The cyber-threat to UK business is “significant and growing”, according to a new report from the UK's National Cyber Security Centre (NCSC) and National Crime Agency (NCA).
The report, titled Cyber-Threat to UK Business, details how, in the three months since the NCSC was created, “the UK has been hit by 188 high-level attacks which were serious enough to warrant NCSC involvement, and countless lower level ones.”
This is down to a threat which is “varied and adaptable” and ranges from high volume, opportunistic attacks where technical expertise is bought, not learned, to highly sophisticated and persistent threats involving bespoke malware designed to compromise specific targets.
“The lines between those committing attacks continue to blur,” the report says, with criminal groups imitating states to attack financial institutions and more advanced actors successfully using ‘off the shelf’ malware to launch attacks.
Ciaran Martin, chief executive of the NCSC, said cyber-attacks will continue to evolve, which is why the UK public and private sectors must work together “at pace” to deliver “hard outcomes” and ground-breaking innovation to reduce the cyber-threat to critical services and deter attackers. He added, “We can only properly protect UK cyber-space by working with the rest of government, law enforcement, the Armed Forces, international allies and, crucially, with business and wider society.”
Justin Coker, vice president, EMEA, Skybox Security, told SC Media UK: “Criminal ‘companies’ now operate together, employing similar tactics as legitimate industries: selling packaged tools and platforms to their customers; providing malware-as-a-service; demonstrating innovation, usability and professional excellence; and offering outsourced capabilities with training and technical support.”
The rise of Internet of Things (IoT) devices gives attackers more opportunity. Consumer goods and industrial systems, combined with the ever-increasing commercial footprint online, provide threat actors with more attack vectors than ever before.
“It is assessed that huge numbers of insecure devices can easily be found online,” the report reads. The Shodan search engine reveals more than 41,000 units of one insecure model of DVR are connected to the Internet as of January 2017.
All are vulnerable to being taken over by malware. The problem affects a wide range of manufacturers and products, and the risks of insecure devices were emphasised recently by NCSC Technical Director Dr Ian Levy, who demonstrated how an insecure device, in this case a doll, could be used to interfere with otherwise inaccessible products.
And the problem is growing: insecure connected devices can easily be recruited into a botnet which can then be used to mount DDoS attacks on an overwhelmingly large scale. The attack on internet company Dyn's DNS servers provides some illustration of the harm that IoT botnets can do. “We should expect more such attacks, possibly on an even larger scale, in the future.”
Dr Malcolm Murphy, technology director, Western Europe at Infoblox, told SC: “Many Internet of Things manufacturers may be contributing to this rise by not prioritising security when building their devices; many are being produced with predictable passwords that cannot easily be changed. Too many electronics firms want to make their IoT device as cheap as possible. Security is expensive and paying developers to write secure code might mean a gadget is late to market and costly. Ultimately though, insecure products will lead to greater attacks.”
The past year has seen the largest recorded cyber-heist, the largest DDoS attack and the biggest data breach ever revealed. The attacks on SWIFT via a Bangladesh Bank, the Democratic National Party and Ukrainian energy infrastructure also demonstrated the boldness with which threat actors can operate.
Cyber-crime is becoming more aggressive and confrontational, with an increase in the use of extortion, whether it is through DDoS attacks, ransomware or data extortion. The Crime Survey for England & Wales reports that computer misuse offences and cyber-related fraud are a more prominent threat than more traditional crime types.
To counter mitigation efforts, more ransomware is incorporating locker techniques that prevent the downloading of decryption tools. For example, new variants have been observed that copy and extract the files and then delete the originals. Once the ransom is paid by the victim, the copied files are sent (as seen in attacks targeting MongoDB installations).
As the ransomware market begins to mature, new strains increasingly employ unusual features to attract media attention in a saturated marketplace. The threat of ransomware attack means that businesses should consider further mitigation and preventative solutions to combat it. These include maintaining appropriate backups and defensive systems that automatically sandbox email attachments.
Andy Norton, risk officer EMEA at SentinelOne, told SC: “Clearly the tactic of ransoming things is here to stay, and the footprint of what is available to ransom is only getting bigger too. In fact, a device may not be the limit of this. We see data breach information every day on the dark markets for sale and, instead of making this data available for sale, criminals could ransom the affected company for a smaller sum of money than the GDPR fine, in return for not causing harm to victims of the data breach and making it public knowledge.”
The report highlights three areas for businesses to consider:
Technology. It is possible to defend against all but the most determined and technically capable attackers by investing appropriately in cyber-resilience. However, many companies continue to fall victim to attacks enabled by the exploitation of basic and well known vulnerabilities (such as SQL injections or Local File Inclusions).
People. Cyber-security is a complex socio-technical system, in which people are a crucial component and can be the strongest link. Consideration given to good security design, usability, workflow and balancing information loads (giving the right training and awareness interventions at the right times) can help prevent compromises. An organisation's staff can be one of its most effective defences, yet for many businesses a lack of user-centred security design is leaving them vulnerable.
Processes. The digitisation of processes and business is happening at an unprecedented pace, which can create vulnerabilities that could be exploited. Indeed, digitising a bad manual process often makes attacks scale more effectively. Many businesses, especially smaller ones, may have difficulty in balancing cyber-defence with their available resources, especially if it impacts upon accessibility (both for staff and customers) or profitability. These issues are exacerbated by the size and/or complexity of some businesses themselves.
Donald Toon, director of prosperity at the NCA, wrote in the report that, “Successful law enforcement and industry collaboration doesn't just enhance the UK community's response to the cyber-threat; it underpins it. Together we can make UK cyberspace the safest place to do business globally.”
Toon added: “To fully understand the threat landscape, we need access to industry's threat intelligence. And to take down organised crime groups, we need to work collaboratively with industry partners on attribution and infrastructure mapping.”
The release of the report coincides with CYBERUK, a three-day summit organised by the NCSC at which 2,500 industry experts will discuss how to reduce the cyber-threat and deter would-be attackers. A series of interactive workshops, seminars and discussions will take place in the Liverpool Arena from March 14 to 16.