Attributed to: Anthony Perridge, Security Sales Director, Cisco
The Industrialization of Hacking has created a faster, more effective and more efficient sector in the Middle East, one that profits from attacks on IT infrastructure. By monetizing malware with cryptocurrency, these professional, entrepreneurial and resourceful hackers have created cybercriminal business models that share many similarities with legitimate businesses within the region. They have a revenue stream, a budget, market researchers, a global pool of developers, QA analysts and testing, help desk support and even guarantees.
With these tried-and-true business practices they are creating and selling effective cybercrime tools and, in the process, closing the gap between sophisticated and unsophisticated attackers. Now anyone in the Middle East can buy and launch a damaging attack relatively easily. We have seen this most recently in a renewed rise in exploit kits and a proliferation of ransomware, the proceeds of which allow hackers to innovate faster and target victims with a never-ending stream of previously unseen attacks.
Today there are 10 billion connected devices, but that number is expected to grow exponentially, exceeding 50 billion sensors, objects and other connected "things" by the year 2020. The number of global threat alerts is increasing year on year, and the number and type of attack vectors will only continue to grow as we connect the unconnected. This is creating a daunting challenge for those responsible for defending the infrastructure.
According to the Cisco 2015 Mid-year Security Report, operators of crimeware such as ransomware are hiring and funding professional development teams to create new variants and tactics, which help them become more profitable while continuing to avoid detection. Ransomware operations have matured to the point that they are completely automated and carried out through the dark web. To conceal payment transactions from law enforcement, ransoms are paid in cryptocurrencies such as bitcoin. Criminals are turning to the anonymity network Tor and the Invisible Internet Project (I2P) to relay command-and-control communications while evading detection.
So what are we in the Middle East doing about it? If you read up on the topic or attend industry conferences, you will find multiple examples of law enforcement officials and IT security experts coming together to tackle the problem. Sharing information and collaborating, they are focused on zeroing in on the masterminds behind these attacks and bringing them to justice. IT security professionals in the region charged with protecting their organization's digital assets need to take a similar approach, sharing information and collaborating, but in this case across security technologies and threat intelligence feeds, in order to take action.
Most organizations in the Middle East have deployed security technologies across some combination of networks, endpoints, web and email gateways, virtual systems, mobile devices and the cloud. Typically these technologies can't, and don't, interoperate. Relying on a 'silver bullet' to address attacks, for example expecting blacklisting technologies alone to thwart exploit kits, will prove ineffective: these attacks are designed to evade exactly that kind of control. Further, many security teams are stretched so thin that they don't even have the resources to cover the security basics such as patching, configuration management or, in the case of ransomware, good backup policies.
In order to deal with whatever new challenge cybercrime-as-a-service serves up in the Middle East, what's needed is visibility and control everywhere and all the time: across attack vectors and across the full attack continuum. Before an attack, defenders need comprehensive awareness and visibility of what is on the extended network in order to implement policies and controls to defend it. During an attack, the ability to continuously detect malware and block it is critical. After an attack, defenders need retrospective security in order to minimize its impact: identify the point of entry, determine the scope, contain the threat, eliminate the risk of re-infection and remediate the disruption.
This is done by gathering and analysing telemetry data continuously: signatures identify known attacks, but surfacing the indicators of compromise that would otherwise go unnoticed means also looking at what files actually do. Local data needs to be woven together with global intelligence for greater insight into the nature of the attack. Information needs to be shared across the environment and multiple control points to speed detection and response before data files are stolen or encrypted.
A file can often only be identified as malicious after it has already been seen and run. Once you can see what files are doing and can identify them as malicious, even after the fact, retrospective security lets you go back through that record to minimize the impact: identify the point of entry, determine the scope, contain the threat, eliminate the risk of re-infection and remediate.
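The two steps described above, behavioural detection that does not depend on a known signature and a retrospective look-back once a file is later declared malicious, as an added example written for this page. It is not code from the article or from any Cisco product. It assumes a simple endpoint telemetry record format (timestamp, host, process, file hash, path, action) and runs over a small set of constructed events with fictional hosts, paths and shortened hashes.

```python
"""
Added example (not the article's or Cisco's code): behaviour-based detection and
retrospective correlation over constructed endpoint file telemetry.

Each record is (timestamp, host, process, sha256, path, action):
  - process: image name of the process performing the action
  - sha256:  hash of the file at `path` after the action (shortened, fictional);
             None where the file is a user document that is not hashed
  - action:  create | execute | rename
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (fictional hosts, paths and hashes).
TELEMETRY = [
    # host-A: attachment saved by the mail client, unpacked, run, then six
    # documents renamed to .locked within six seconds
    ("2015-09-01T09:00:05", "host-A", "outlook.exe",  "e3b0c4", "C:/Users/u/invoice.zip", "create"),
    ("2015-09-01T09:00:20", "host-A", "explorer.exe", "d0c5f0", "C:/Users/u/invoice.exe", "create"),
    ("2015-09-01T09:00:25", "host-A", "invoice.exe",  "d0c5f0", "C:/Users/u/invoice.exe", "execute"),
    ("2015-09-01T09:00:30", "host-A", "invoice.exe",  None, "C:/Users/u/doc1.docx.locked", "rename"),
    ("2015-09-01T09:00:31", "host-A", "invoice.exe",  None, "C:/Users/u/doc2.docx.locked", "rename"),
    ("2015-09-01T09:00:32", "host-A", "invoice.exe",  None, "C:/Users/u/doc3.docx.locked", "rename"),
    ("2015-09-01T09:00:33", "host-A", "invoice.exe",  None, "C:/Users/u/doc4.docx.locked", "rename"),
    ("2015-09-01T09:00:34", "host-A", "invoice.exe",  None, "C:/Users/u/doc5.docx.locked", "rename"),
    ("2015-09-01T09:00:35", "host-A", "invoice.exe",  None, "C:/Users/u/doc6.docx.locked", "rename"),
    # host-B: the same binary copied over a share five minutes later; only two
    # renames so far, still below the behavioural threshold
    ("2015-09-01T09:05:10", "host-B", "explorer.exe", "d0c5f0", "C:/Users/v/invoice.exe", "create"),
    ("2015-09-01T09:05:15", "host-B", "invoice.exe",  "d0c5f0", "C:/Users/v/invoice.exe", "execute"),
    ("2015-09-01T09:05:20", "host-B", "invoice.exe",  None, "C:/Users/v/a.xlsx.locked", "rename"),
    ("2015-09-01T09:05:21", "host-B", "invoice.exe",  None, "C:/Users/v/b.xlsx.locked", "rename"),
    # host-C: a backup agent also renames six files, but one every two minutes
    ("2015-09-01T09:00:00", "host-C", "backup.exe", None, "D:/bak/f1.bak", "rename"),
    ("2015-09-01T09:02:00", "host-C", "backup.exe", None, "D:/bak/f2.bak", "rename"),
    ("2015-09-01T09:04:00", "host-C", "backup.exe", None, "D:/bak/f3.bak", "rename"),
    ("2015-09-01T09:06:00", "host-C", "backup.exe", None, "D:/bak/f4.bak", "rename"),
    ("2015-09-01T09:08:00", "host-C", "backup.exe", None, "D:/bak/f5.bak", "rename"),
    ("2015-09-01T09:10:00", "host-C", "backup.exe", None, "D:/bak/f6.bak", "rename"),
]


def load_events(records):
    """Turn raw tuples into dicts with parsed timestamps."""
    keys = ("ts", "host", "process", "sha256", "path", "action")
    events = [dict(zip(keys, r)) for r in records]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect_mass_renames(events, window_seconds=60, threshold=5):
    """Behavioural indicator that needs no hash or signature: flag any
    (host, process) that renames at least `threshold` files inside a sliding
    window of `window_seconds`. Returns {(host, process): peak count in a window}."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "rename":
            by_key[(e["host"], e["process"])].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def retrospective_scope(events, bad_sha256):
    """Retrospective step: once a hash is declared malicious after the fact (for
    example by a threat intelligence feed), look back through stored telemetry for
    the first sighting (point of entry) and every host that saw or ran the file
    (scope). Returns None if the hash was never observed."""
    seen = sorted((e for e in events if e["sha256"] == bad_sha256), key=lambda e: e["ts"])
    if not seen:
        return None
    first = seen[0]
    return {
        "point_of_entry": (first["host"], first["ts"].isoformat(), first["path"]),
        "hosts": sorted({e["host"] for e in seen}),
        "executed_on": sorted({e["host"] for e in seen if e["action"] == "execute"}),
    }


if __name__ == "__main__":
    events = load_events(TELEMETRY)
    print("behavioural hits:", detect_mass_renames(events))
    # The behavioural hit on host-A names the process whose image hash is d0c5f0;
    # feeding that hash back finds host-B, which has not yet crossed the threshold.
    print("retrospective scope:", retrospective_scope(events, "d0c5f0"))
```

The point of the backup agent on host-C is that a count alone is not an indicator: it renames as many files as the ransomware on host-A, but spread over ten minutes, so the sliding window keeps it out of the hits. The retrospective query is what turns one detection into scope: host-B only shows two renames, which no threshold would catch, but the same hash was created and executed there, so it belongs in the containment list.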
Cybercrime-as-a-Service is increasing the sophistication and frequency of attacks to the point where they are effectively pervasive. When evaluating your approach to security in light of this increasingly popular attack model, seek out solutions that are equally pervasive, providing visibility and control everywhere and all the time.