By Douglas Jose Pereira dos Santos and Jonas Walker, Fortinet
The potential attack surface of organizations continues to expand, and the speed and sophistication of cyberattacks continue to make defending the network ever more challenging. With IT teams on constant alert, and much of their time spent putting out fires, it can be difficult for organizations to pause and look at the big picture. To help, we recently sat down digitally with two of FortiGuard Labs' top threat researchers, Douglas Jose Pereira dos Santos and Jonas Walker, who spend their days deeply entrenched in the threat landscape. They took some time to share what some of these attacks mean and how organizations can get out ahead of the constant assault of cyber warfare.
As you look back over your many years of research, what is one thing that comes to mind about the trajectory and history of the cyber threat landscape?
Jonas: The motivation of threat actors has changed dramatically. In the early days, the primary purpose of viruses was mainly research. Later, they were used to disable computers and delete files. In general, hacking was more about fame and prestige than money. However, it is worrying that leveraging emails to distribute malware – a strategy first invented several decades ago – is still very effective these days.
Douglas: Yes. Not only that, but the fact that in 2020 (in comparison with the nineties and the early 2000's) we rely much more on our digital assets, which makes those assets more alluring to attackers. If someone hacked into an email from a company years ago, the worst it could do is destroy or steal the data. That’s because far less of a company's assets were digital. Now, with DX, the stakes are much higher for companies and cybercriminals alike.
What has changed the most about today's threats vs. the threats of ten or even just five years ago?
Jonas: Most of the time, cyberattack goals are about money. Most breaches today are driven by cybercriminals who steal sensitive information to sell on the Dark Web, or encrypt systems and ask for a ransom. As a result, hacking has become much more sophisticated and lethal. For example, more than half of all attacks are managed by cybercrime organizations that are better organized than most companies. They have CEOs, account managers, and dedicated call centers that support the victims in paying ransoms. They approach their work like any business, except that their revenue streams are stolen data and extortion. Their new Cybercrime-as-a-Service ecosystem is one of the biggest reasons why the cybercrime industry grows dramatically and generates more than one trillion dollars in revenue every year.
Douglas: Over time, digital resources are increasingly interconnected. Malicious threat actors are capable of adapting very rapidly to their current surroundings, and are able to quickly penetrate systems which lack proper security implementations. And now, with significant improvements and innovations in computer hardware, software, and artificial intelligence, interconnectivity between systems has increased even further, which leads to a broader attack surface. And threats have become more sophisticated in every way. Now we have the so-called file-less attacks that don't include a payload, per se, and live entirely in memory. This has been a very dramatic paradigm shift, especially for the AV industry.
Social engineering is still a very successful entryway for cybercriminals looking to launch their full threat arsenals. Why is that?
Jonas: Humans are and always will be the weakest link in any corporate IT security system. Even though so many corporations educate their employees using various awareness training, phishing techniques have evolved dramatically in recent years, making them increasingly difficult to detect by the average user. New polymorphic phishing attacks, for example, are highly effective and very difficult to defend against but quite easy for attackers to launch. Even for those cyberattackers without development skills, with the help of a credit card, they can purchase highly sophisticated automated toolkits on the darknet for a modest amount of money. For these attackers, all it takes is one employee to fall for a social engineering attack, and they have one foot in their victim's network from which they can move laterally to their primary target.
The trick is to remove humans out of the equation as much as possible. Organizations need to upgrade the secure email gateways and add Machine Learning (ML) to better detect email-borne threats, and add a tool like CDR (Content Disarm and Reconstruct) to neutralize those threats. ML should also be added to the analysis end of the equation as it is able to consume and correlate far more data than human analysts can process.
Douglas: Yes, and this is true not only for social engineered phishing attacks, but for all attacks: creativity for cyberattacks has no limits, and we know it. It might not be every week, but we do see new ways every other campaign. So on top of the lack of user awareness, new techniques and ways of luring victims are continuously being deployed.
What are some of the biggest game changing threats or threat techniques you can recall as you look back over time?
Jonas: One of the most lethal combinations is a sophisticated attack that targets humans when they are in a state of fear, uncertainty, and doubt. The current COVID-19 pandemic is a great example. The internet enables most people to do their own research, and sophisticated attackers are ahead of the curve. They have anticipated the generic behavior of individuals and prepared their campaigns for the events around us by stuffing the internet, and our in boxes, with disinformation, malicious files, and links to infected web pages. Ironically, we now live in a world where human viruses and cyber viruses cross attack paths. This is extremely effective, generating a lot of money while causing a tremendous amount of physical and monetary damage.
Douglas: Yes, and if we look back further, the more we see researchers doing work on hardware-related vulnerabilities. I believe that it is very likely that we will see more game-changing vulnerabilities like Spectre, Meltdown, BlueBorne, and Broadpwn. Without true visibility and control over everything in their infrastructure, organizations will miss these threats when they breach their networks.