What might the most damaging attacks of the future look like? The answer to the question may lie somewhere between the known patterns that attackers have established over the years, and signs that we are starting to see today.
A look back
It started with the sun and the moon.
Solar Sunrise was discovered in February 1998 as part of a detected compromise of a US military computer at Andrews Air Force Base in Maryland. The intrusion was found to have reached many other military installations in the US as well. Initially the Computer Emergency Response Team believed that the attacks came from universities in the US and Israel, but it eventually determined that these were only being used as pivot points and that the attackers were elsewhere.
The culprit? Two teenage boys in California who were being mentored by Ehud Tenenbaum, an experienced hacker. Tenenbaum was sentenced to eight years in prison.
Just a month after Solar Sunrise, Moonlight Maze was carried out against US cyber infrastructure. The attack, detected a year later, had a footprint spanning government systems, universities and research laboratories. The goal appeared to be exfiltration of data from unprotected computer systems.
Authorities suspected the Russian government, although responsibility was never conclusively established. Two key lessons were learned from this episode:
1. Strong encryption could have saved the day: had it been in place, the stolen data would have been useless to the attackers.
2. Attribution of an attack to a single actor can be difficult.
The Code Red worm came in 2001. In a very short period, this worm infected 350,000 web servers – a high number at that time. The worm took advantage of vulnerabilities in Microsoft's Internet Information Services software. From day 1 to day 19, infected systems scanned the network to spread the worm further. From day 20 to day 27, these infected systems launched denial-of-service attacks against the Internet-facing services of government agencies.
Nine years later, a more aggressive worm surfaced – the Stuxnet worm. It targeted Siemens industrial control software and ultimately destroyed Iran's uranium-enrichment capability. It caused the centrifuges to accelerate and decelerate rapidly, at speeds they were not built to sustain, until they failed.
The worm reached the facility physically – not through the Internet. This was social engineering at work: an unsuspecting employee carried the worm into the Iranian facility on a USB drive. It was the first time a cybersecurity attack crossed over into the physical world to cause real and significant damage.
The Stuxnet worm destroyed a military target, a feat on par with a conventional bombing attack. It was determined that this level of engineering could only have been carried out by nation state actors.
Finally, in December 2015, hackers massively disrupted the Ukrainian power supply by deploying a trojan that allowed them to take command of the utilities' industrial control systems. The attack resulted in widespread blackouts in Ukraine.
This was the first known example of cyberwarfare against civilian infrastructure.
Not your usual malware
From these examples we know that advanced persistent threats (APTs) differ from typical malware in five ways:
1. They use advanced technical tools that are not available to the public. This includes sophisticated zero-day vulnerabilities that require significant resources to discover.
2. They exploit social engineering. Humans are said to be the weakest link in cybersecurity. APTs use humans to embed technical tools, as shown in the Stuxnet worm example.
3. They have clearly-defined objectives. They know what they want to achieve and how they can achieve it.
4. They have solid funding. APTs are supported by nation states, which can pay talented cybersecurity experts to lend their expertise.
5. They have a high level of organization. APTs are resource intensive and highly disciplined.
Successful attacks in the future will likely take advantage of the Internet and manipulate the people inside the target organization or facility. No actor is better placed than a nation state to combine these two vectors in an attack on critical infrastructure.
Nation states have access to the hardware and software needed to test attack tools. They can afford to hire skilled researchers capable of reverse engineering. They have intelligence apparatuses to target the right technology and the right people, and a high degree of organization to put together multiple attacks using both physical and logical access to systems.
Why the Internet? Vulnerable information systems on the public Internet are the ideal initial modes of entry.
And why people? More and more, advanced social engineering techniques give attackers access to organizations' internal networks. Carefully crafted emails to selected employees aim to get those employees to launch the malware unknowingly.
Moreover, it appears that attackers of the future will continue to use the same methods and patterns, but at an exponentially faster pace through the help of artificial intelligence.
They will be able to attack information systems at high speed and act immediately on the information returned by vulnerability scanners and network scanners. Humans simply cannot do this – at least not at this rate. It is machines that will be running these attacks.
As a result, defenders will also have to rely on machine learning to counter and prevent these attacks. This is where analytics comes in.
Soon we will see AI analytics integrated into everything – endpoint solutions, for example. Over the next five years, SIEM software will shift toward providing an AI analytics component rather than relying on rule sets and basic machine learning.
The challenge for us CISOs is how to elevate this conversation to business leaders and show them that these are business risks rather than just cybersecurity problems. This is best done by presenting evidence of how cybersecurity breaches have affected other organizations and what could have been done to prevent them.
From a training perspective, cybersecurity professionals should focus on educating the user population about phishing attacks, and on conducting testing that is in no way punitive.
Elevating, teaching and testing – these three are components of a strong cybersecurity program.