With the increasing use of big data and analytics in cyber-security products, systems are stronger and more effective than ever – yet the number of attacks grow each year. And those attacks are more spectacular – and devastating – than ever. 2017 alone saw major, widespread attacks such as WannaCry and NotPetya, based on the leaked NSA software, which gave hackers seeming “super powers” to raid and invade networks. And the victims of those attacks have been some of the largest companies in North America, including Verizon, Bell Canada, Cloudfare, and many others.
It's no coincidence that 2017 was also the year of ransomware. Attacks featuring that form of malware were up 250 percent in just the first quarter of last year over the last quarter of 2016. Where once hackers used exploit kits and browser vulnerabilities to invade networks, directly hitting databases, user accounts, or any other source of information they could utilise, they have now returned to the tried and true methods based on user-interaction and the general nonchalant manner in which many individuals handle cyber-security – such as using social engineering and phishing to attack systems and invade networks, by embedding malware-laced macros into attachments.
1. (Continued) Rise of Ransomware
That this path is as lucrative for hackers – perhaps even more so – than the exploit kit way of doing things is borne out by the statistics. Recent studies say that 91 percent of cyber-attacks and resulting data breaches in 2016 began with a spear-phishing email. A separate study by Freidrich-Alexander University shows that even with companies hammering into employees the dangers of clicking on suspicious links and attachments, and with full knowledge of the risks involved, as many as 56 percent of e-mail recipients and some 40 percent of Facebook users still clicked on those rogue items – many of which nowadays contain ransomware, which the FBI calls a multi-billion dollar industry. One reason for that is because hackers have become very sophisticated at determining the “price point” at which victims will pay up; An IBM study showed that a whopping 70 percent of ransomware victims paid the ransom demand in order to free up their data.
As we've seen several times in 2017, lateral movement can create quite a chaos. Ransomworms, a combination of a ransomware with self-replicating worm capabilities, have emerged in 2017 and paved the way for a world-wide spread, encrypting machines all over the world. We estimate that these will also increase in 2018, as ransomworms contain the best of two worlds: the encryption engine (money maker) of a ransomware and the wide-spread capabilities (money multiplier) of a traditional worm.
2. More sophisticated ‘old-fashioned' attacks, too
Clearly, ransomware is a trend that will continue to grow in 2018. But don't rule “old-fashioned” data breaches out, either; there were plenty of those in 2017, with the Equifax breach probably the best known of them. And then there was the retroactive revelation that it wasn't one billion Yahoo accounts that were breached in 2013, but three billion – a number that, if approached on a one-for-one basis, would constitute a whopping 40 percent of the world's population, and nearly 100 percent of those worldwide who have Internet access.
In these “traditional” attacks, hackers continue to target any data source that could net them profit - databases of user information like credit cards or social security numbers. Here, too, phishing attacks are an essential weapon in the hacker's quiver; an initial beachhead on the computer or device of an employee gives hackers the opportunity to laterally move through systems, looking for a weakness that will allow them to get to the data treasure they seek or installed on a bigger number of machines for Ransom creating a much bigger effect than a single wipe of a specific computer.
Many users are aware of the dangers of phishing messages, but as defences have become more sophisticated - and awareness among employees of the dangers of email has grown - attacks have moved beyond traditional phishing tactics. For example, researchers in China recently discovered an exploit based on remote code execution that allows hackers to attach malware to a GIF image (CVE-2017-2416). The image can be sent by email, in the guise of what might appear to be a perfectly legitimate image, perhaps even one stolen from a user's computer and then doctored and sent back and will allow hackers to install ransomware or other malicious elements.
3. Proliferation of zero-day exploits
More recently, security firms revealed the existence of two more remote code execution vulnerabilities, CVE-2017-0199 and CVE-2017-8759, both zero-day attacks that were being attached to images – and distributed via phishing attacks. There's no question that utilising zero-day exploits such as these will grow in the coming year, as it gives the hackers an advantage over the traditional protection solutions.
4. The ‘endless loop' remains intact
Bad players have proven, time after time, that they are more than capable of producing sophisticated malware that will fly past security solutions. As the security industry adapts, in means of detecting the newly formed threats and block it, malware authors will find ways to bypass the block and carry on. Thus, an “endless loop” - where cyber-defenders are always playing catch-up with hackers, who always seem to have a new trick, like a new zero-day attack (hardly a day goes by without a new one) up their sleeve.
This endless loop can come to an end in two ways: either one side will stop, or one side will evolve – and it's quite clear that from the hacker's perspective, there is no need to do anything different, so successful have their recent campaigns been. Meanwhile, the security industry is relying on principles from 20 years ago, when detection and blocking were at the top of our technology. Since then, there have been major technology leaps forward which can be used for security purposes as well, leading the security industry away from detection, a time consuming and know-it-to-block-it process, to prevention, a seamless process which creates no latency. If the traditional methods to stop hackers haven't been working - and they haven't - it's time to try something new.
5. To break hacking, break with ‘tradition'
That change, we believe, will include a change in emphasis from detection to prevention. Companies have for years relied on the detection/response model – utilising technologies like anti-virus, sandboxes, and even EDR (Endpoint Detection and Response) – to protect themselves. And they have invested large amounts in that protection. The bottom line, though, is that hackers still manage to get past even what are touted as the most effective defences. With a prevention approach, hackers are not given an opportunity to even deliver their malware, which is “arrested” before it can even get to the victim.
A good example of this is Web isolation, where web content is rendered in an isolated environment and checked for malfeasance before being passed onto the endpoint. Gartner sees the system as a superior way to keep threats out, commenting that while “formation security architects can't stop attacks, they can contain damage by isolating end-user internet browsing sessions from enterprise endpoints and networks.”
A system tailor-made for phishing scheme-based malware is CDR - Content Disarm and Reconstruction – which checks files before they are passed onto an endpoint. The files are dissected, with each component examined for and vetted for proper form and safety. The files are then reconstructed and passed onto the system, keeping all functionality intact. Eschewing detection – which can only take place when a threat is on the system – we move to prevention, which keeps the threat away in the first place, just the solution IT departments will be looking for as hackers ratchet up their game yet again with new and more sophisticated attacks.
Contributed by Itay Glick, CEO of Votiro
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.