"The internet, instead of being a social platform, is a battlefield".
It was with those words that Avi Shavit, the Strategic Adviser Cyber Security at the Israeli Innovation Authority, which is part of that government's Ministry of Economy, kicked off his talk during the Technology in Government Cyber Security congress, held in Canberra. Shavit's experience as a member of a task force appointed by the Israeli Prime Minister to suggest the Israeli roadmap in cyber warfare and as a Strategic Advisor in Cyber Security for the Israeli Innovation Authority means he has a direct view of the current threat landscape and what's coming next.
To bring that point home, he showed the audience an excerpt of a recent security briefing he had received and highlighted a breach reported to him that occurred in an Australian airport. While it might not have made the news here, it crossed his path and gave the audience some pause.
Shavit began his look at today's cybersecurity issues by noting the difficulty of testing systems. The volume, velocity, variety and value of the data businesses have to manage mean existing processes for testing are no longer adequate. Added to that technical challenge is the growing global cyber-skill shortage, which Shavit said is forecast to reach 3.5 million workers in the next three years according to Cybersecurity Ventures, and recent data from Gartner showing a third of businesses don't have a single cybersecurity expert in the business.
That backdrop created a canvas against which a number of major threat vectors are being used by malicious actors.
Cryptojacking is an increasingly popular tool for criminals. By fooling users into installing cryptocurrency mining software, thieves aren't stealing data but CPU cycles and energy to carry out the complex calculations required for mining cryptocurrencies. As always, the principle of following the money applies when looking for what motivates a large number of online criminals.
Ransomware continues to be a major issue, said Shavit.
Another emerging cybercrime area, and one that combines the desire of criminals to make money with the insecurities of many people, is "sextortion". Many people are aware that threat actors have been able to exploit vulnerabilities that give them access to webcams and microphones. With the increased ubiquity of and access to pornography, criminals have combined these to create a new form of ransomware. The criminals send an extortion note via email telling the receiver that they have been captured via their webcam viewing pornography or performing a sexual act. The criminals threaten to send the incriminating footage to the intended victim's family unless they are paid a ransom in untraceable cryptocurrency.
Sitting behind these threats lies email. Shavit told the packed room that no filter can deal with the threat of phishing as 15 million new phishing sites are created each month. Calling it the "most successful kind of attack", phishing will continue to be a major weapon in the cybercriminal's arsenal.
Internal threats are a significant and sometimes understated issue, said Shavit. The actions of internal personnel, either accidental or intentional, can lead directly to the loss of data or expose a vulnerability to threat actors that might have been otherwise mitigated. Data from several independent security reports suggests internally-initiated attacks are one of the most significant threat vectors.
In the immediate future, Shavit said we can expect more of the same but said NFC (near field communication) provides threat actors with a new way to compromise systems. We're seeing NFC chips installed in everything from the most sophisticated smartphones through to single-function smartcards, and the companies deploying these chips have varying degrees of expertise in securing them. As a result, we'll see NFC-borne attacks become more significant.
While the vulnerabilities in off-the-shelf software receive a lot of attention, in-house developed systems have slipped past the attention of many people. Attackers already understand that the payoff in a targeted attack is potentially much greater than in an indiscriminate scatter-gun approach. As a result, they will look at how a company can be breached through self-developed applications. The impact of this can be significant if the in-house software is created by a managed service or SaaS (software as a service) provider. This was something seen in a recently reported attack against a South Korean service provider (https://www.cso.com.au/article/642122/auscert-2018-finding-monster-by-its-shadow/).
"Under the radar" attacks will also increase, said Shavit. These are strikes made by criminals where their actions occur so slowly and stealthily that they are not logged or flagged as significant in SIEM (security information and event management) systems. These will require different detection tools and skills.
Combatting threats new and old
Shavit said many of the attacks of today were executed by established criminal organisations with talented attackers who look for the weakest link. They have access to a vibrant marketplace of tools and techniques that allows them to mix and match malware in order to build a successful attack method. That level of sophistication among threat actors means we can't possibly block every single threat. Shavit said this means we need to prioritise which threats we will block.
This means behavioural analysis will become increasingly important, so unusual activity can be detected rather than looking for specific malware.
There also needs to be a shift away from protecting systems, he said. The focus needs to be on data.
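The gap between "under the radar" activity and behavioural detection can be shown over a handful of events. The following is an added illustration, not material from Shavit's talk: the event layout (timestamp, source, account), the addresses, and both thresholds are constructed assumptions. It runs a typical short-window burst rule and a long-horizon behavioural rule over the same failed-login events.

```python
from collections import defaultdict, deque

def burst_rule(events, window=300, threshold=10):
    """Volume rule: flag a source with >= threshold failures within `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, _account in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

def slow_rule(events, horizon=48 * 3600, min_accounts=20):
    """Behavioural rule: flag a source that touches many distinct accounts
    over a long horizon, however slowly the failures arrive."""
    if not events:
        return set()
    end = max(ts for ts, _, _ in events)
    accounts = defaultdict(set)
    for ts, src, account in events:
        if end - ts <= horizon:
            accounts[src].add(account)
    return {s for s, seen in accounts.items() if len(seen) >= min_accounts}

def sample_events():
    """Constructed failed-login events: (unix_seconds, source_ip, account)."""
    events = []
    # Noisy source: 12 failures in under two minutes against one account.
    events += [(1000 + 10 * i, "192.0.2.5", "alice") for i in range(12)]
    # Slow source: one failure every 40 minutes, a different account each time.
    events += [(2400 * i, "192.0.2.9", f"user{i:02d}") for i in range(60)]
    # Ordinary user: three mistyped passwords spread across a day.
    events += [(20000 * i + 500, "192.0.2.7", "bob") for i in range(3)]
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("burst rule flags:", burst_rule(ev))
    print("slow rule flags: ", slow_rule(ev))
```

The burst rule only sees the noisy source, while the slow source never has more than one failure inside any five-minute window and is caught only by the rule that looks at behaviour over the long horizon.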
In closing, Shavit said this will lead to the development of trustworthy systems that do what's needed to protect data despite the actions and behaviour of users.