Adapting to the Ever-changing Threat Landscape
By Brian Hussey, Global Director of SpiderLabs Incident Response & Readiness, Trustwave
Every security professional remembers the day they realized their job is not simply applying patches or plugging in a new security technology, but instead is a daily battle of wits with resilient, creative and adaptable adversaries. My moment happened before joining Trustwave, when I was still working with the FBI.
Part of my role at the FBI was to travel around the world and teach cyber investigation techniques to our law enforcement partners. I was traveling to a poverty-stricken area in Kiev, Ukraine, where I was fortunate enough to work with a group of intelligent and dedicated cyber police. These individuals were extremely committed to their job, and limitations such as working on Windows 98 laptops and using only free, open source tools did not seem to concern them.
One day after training, the Kiev team invited me out for drinks. On the way to the bar, they offered to take me to “Cybercrime Alley.” I had no idea what they were referring to, but I was intrigued and agreed to go. The team proceeded to drive by some of the most lavish high-rise apartments I have ever seen, with Ferraris and Lamborghinis frequenting the street. This juxtaposition of worlds was astonishing, and Kiev’s law enforcement team explained that this was where the local cybercriminals live.
The 2015 Trustwave Global Security Report cited a 1,425 percent return on investment for cybercriminals who use ransomware. In the Ukraine and in other places around the world, cybercriminals live a life of luxury; further discussion with the Ukrainian team revealed that many of the top Soviet-era universities were still churning out highly intelligent technical experts. These experts faced a clear choice between poverty and luxury, making the draw to cybercrime an understandable, albeit odious, temptation.
After seeing these two extremely different social classes, the constant churn of technical experts, and the general difficulties in prosecuting international cybercrime, I realized with clarity that this problem is never going away. It will be constantly driven by a sophisticated group of expert cybercriminals who know how to adapt their attack paradigms to meet their goals.
The Carbanak Group is an excellent example of this. Throughout 2013 and 2014, the group gained fame by hacking banking institutions across the world and stealing an estimated $1 billion. This highly profitable string of attacks began to dry up when security researchers discovered and spread word of their modus operandi. Carbanak quickly pivoted into credit card breaches using standard phishing techniques and RAM scraping malware, easily monetizing credit card data on hundreds of online carder forums.
When the standard phishing techniques were no longer effective, the Carbanak Group switched to leveraging vendors as third-party entry points into their victims’ networks. Recent high-profile attacks prove this to be a very effective method, as third-party vendors are rarely forced to maintain the same security standards that are kept internally. The Carbanak Group’s most recent pivot occurred in 2016, when they infected the support portal for the largest vendor of POS systems in the world, estimated to have put over 1 million POS servers at risk.
What does the Carbanak Group example mean? Carbanak is a microcosm of a much larger threat landscape. There are hundreds of criminal collectives (both state-sponsored and strictly criminal) working against us, and we must be able to prepare for threats that can change on a daily basis and not settle for a “one size fits all” approach.
My goal is to encourage you and your team to be just as agile as your adversaries. We must move quickly to deploy the newest threat intelligence across our networks, actively conduct penetration testing to identify and remediate vulnerabilities, and have an incident response plan and team in place for when the attacks do come.
This is why security conferences are so important to our industry. Spending time listening to experts, talking with leading managed security services providers (MSSPs), and identifying new startups that could change the landscape is invaluable for your own security strategy.
While organizations are increasingly turning to MSSPs to solve their security woes, I encourage you to create a hybrid model that optimizes internal security operations with managed services. Focus on forming a partnership that combines the best of external expertise and technology with internal knowledge of your industry and your network. Finally, always be looking for new ways to protect and defend. The day we rest on our laurels, overconfident in our security approach, is the day the attackers bypass our defenses.