We have yet to experience, understand, and adapt to emerging types of cybersecurity attacks and resulting impacts. Organizations place a heavy focus on the immediate efforts to prevent and when necessary respond to present-day assaults on their environments. It is a marvelous firefight, where resources and attention are focused on the pressing problems at hand. But cyber threats are constantly evolving and while controls and processes are being developed to address today’s threats, the world is largely oblivious to emerging types of attacks. As a result, the public and private sectors are woefully unprepared for future types of incidents, which are far more severe than what we currently see. We must expand our vision from today’s issues to better prepare for imminent cybersecurity challenges.
Protecting against cyber attacks is an incredibly difficult job. Threat agents hold the initiative and decide whom and how to attack. Defenders must predict, prevent, detect, and respond to active, resourceful, and intelligent opponents. Most of the emphasis has been on prevention, detection, and response, which places the focus on immediate problems and cleanup. With the overwhelming number of vulnerabilities and the barrage of attacks, this seems a reasonable allocation of resources. Yet it is not sustainable. With the rapid expansion of attack surfaces, the infusion of resources available to attackers, and the rising complexity of the electronic ecosystem, attackers have ever greater opportunities to succeed. Attackers’ capabilities are outpacing cyber defenses. But there is a glimmer of hope, as the industry is starting to recognize the need to also predict how the enemy will maneuver in the future. EY’s 2014 Global Information Security Survey paints a picture where “Anticipating cyber attacks is the only way to be ahead of cyber criminals.”
Over the years, a number of categories of cyber attacks have emerged. Denial of Service (DoS) attacks, for example, have been around since the beginning. Anyone remember the Ping of Death back in 1997? DoS attacks have evolved over the years, leveraging many different tactics and resources. Nowadays attackers use armies of bots to deliver a Distributed Denial-of-Service (DDoS) attack or to poison network routing services. Regardless of the approach, the same type of impact is experienced. Security tactics and tools have also evolved over the years into fairly robust countermeasures. Organizations willing to invest can largely mitigate the risk of denial-of-service attacks.
But the story does not end there.
New attack categories have emerged, spurring a race to develop the tools and processes necessary to interdict attacker innovation. Akin to Dante’s Inferno, cybersecurity has a number of ever progressing tiers of pain and suffering related to modern computing. Although we witness a stream of attack announcements in the news every day, we have only begun our descent.
Different types of impacts will emerge, necessitating new approaches and controls. The evolution of attacks will continue to spiral downward, growing in scope, each level building upon the previous in a compounding way. In order to prepare, we must first understand the four main archetypes of cyber attacks, where we are in the cycle, and the spectrum of problems we will eventually face.
Evolving Categories of Cybersecurity Attacks
Level 1 - Denial of Service:
- TYPE: An Availability (A) attack, against services, systems, customer access, operations, etc.
- POPULARITY: Still the most popular type of attack, waged against web presence and in some cases against computing infrastructure, to bring down the availability of resources, presence, and engagement
- PURPOSE: Still a popular method for expressing social discord, basic sabotage, and ransom/blackmail schemes
- IMPACT: Results in inconvenience, operational delays, and perhaps embarrassment
- HISTORY: The first category of attack, developed as the Internet was formed. Initially, methods focused on direct web defacement, system corruption, and network interference; they subsequently evolved to use legions of robots (‘bots’) to overload websites with requests. Blackmail started as ‘protection’ schemes targeting sites such as online gambling services, which did not want to be pushed offline. More recently, malware has emerged which encrypts users’ files, which are unlocked only after a ransom is paid. Same result, different trick
- COMPLEXITY: The required entry skill and resource level of attackers is low. No skills are required, as bot herders offer professional tools and services, some with 24x7 customer support, which can be purchased or rented by attackers. For crimeware, more skill is needed, but many tools and services are available as well
- SECURITY: Industry security is competent as the impacts and methods are familiar. Tools, processes, services, products, and protections exist which can be leveraged to protect and recover from the vast majority of these types of attacks
Level 2 - Data Theft and Exposure:
- TYPE: A Confidentiality (C) type of attack, exposing data and information to unauthorized parties. Attackers target sources to obtain personal information, access credentials, acquire private or sensitive data, financial data for fraud, or materials to expose and embarrass others
- POPULARITY: Recently, this has become the most recognizable attack in the news, growing greatly in the past two years, with large corporations and governments reeling from headline-grabbing breaches. More personal attacks, specifically the theft of private pictures, have also captured the attention of the public. Governments, businesses, and social sites are typical victims. Notable incidents include WikiLeaks, Snowden, Target, eBay, Adobe, Home Depot, the celebrity nude-picture harvesting, and JP Morgan Chase
- PURPOSE: Two primary motivations have emerged, financial gain and social awareness
- IMPACT: Attacks result in financial loss (or increased risk thereof) and intense social discussion which may have effects on the governmental, social, and political landscapes
- HISTORY: Confidential data has always been valuable to those who hold it, hence the measures to keep it from the general public. Targeting information about people, accounts, and activity is age old, but with the advent of scalable technology handling ever more information, data breaches are becoming more commonplace and pose a larger impact
- COMPLEXITY: Modest technical skill or access is required to breach a network or database, or to exfiltrate large amounts of data. Discreet services are for hire if you know where to inquire. Much of the stolen user and account data is posted on dark-nets for sale. Other uses include leveraging the information for more targeted attacks and bringing covert activities to light for social discussion
- SECURITY: The security industry is about half-way through the maturity cycle in figuring out a good set of defenses to protect confidential data. But the attackers have had plenty of time to dig in, and we will likely see a continued increase in breaches for the next couple of years. Much more work is to be done, but this is the most visible battleground today, and organizations are committed to getting the risks of this type of attack under reasonable control. Such investment will fuel the development of better security technologies over time
Level 3 - Monitor and Manipulate:
- TYPE: An Integrity (I) attack, seeking to gain sufficient access not only to copy information but also to tamper with data and transactions for the attacker’s benefit. In most cases this requires long-term internal access and a deep understanding of the target’s processes
- POPULARITY: This is the next great category of attacks, which has yet to materialize or, at the very least, to make the news in sufficient quantity. There is great value in being on the inside, watching who does what and how things operate, and then selectively altering data and operations. This is not a quick, one-time hit-and-run attack; rather, it is a strategic maneuver against an adversary which can benefit the attacker in a number of ways over time. We are seeing top-echelon players such as nation states, organized criminals, and advanced threat groups mount complex campaigns to gain a persistent capability within target organizations
- PURPOSE: When you become an ‘insider’ to a network, you can increase trust, conduct surveillance, and manipulate communications and transactions. This might be employed as part of economic espionage, fraudulent tampering with financial transactions, undermining military defense structures, feeding misinformation to intelligence agencies, or causing a massive and cascading critical infrastructure outage. Think of what spies can do in traditional cloak-and-dagger situations; this is pretty much the same. Regardless of scale, this is using the target’s electronic infrastructure against itself
- IMPACT: Potentially catastrophic on the long-term geopolitical front, but likely to remain rare and quiet in the short term. Attacks against financial institutions will be severe, but this type of attack takes time, patience, and resources to pull off, so the frequency will likely be sparse
- HISTORY: Only hints have been seen by the public, limited to some cyberwarfare activities between feuding nations, advanced monitoring of social tools, and government-sponsored surveillance and manipulation of communication infrastructures. The future of this category is largely unwritten
- COMPLEXITY: Attackers must be technically savvy and, in most cases, well-funded. The mindset is also different from the other categories. Threat agents must have patience, enduring commitment, durable resources, an understanding of how the target works, the vision to connect access with long-term goals, and the expertise to remain stealthy over time
- SECURITY: Off-the-shelf technology is nowhere close to being able to address this threat. Most organizations are not even looking for this type of attack, as its appearance is largely passive. At best, a lucky detection might lead to eventual eviction, but a dedicated attacker would likely be able to return after making adjustments. The best defense is still paranoid people, well-funded to explore custom solutions, who have the right mindset (likely those who played such games before the Internet)
Level 4 - Own and Obliterate:
- TYPE: The triple threat of a Confidentiality, Integrity, and Availability (C/I/A) attack determined to destroy an organization or capability with no reasonable chance of recovery. The goal is obliteration and permanent cessation
- POPULARITY: Not seen yet. It is reasonable to suspect that well-funded programs in dark places are working on offensive cyberwarfare capabilities. If such technology or tools ever become available to cybercriminals, they will be used for extortion and ransom on a global scale never before seen
- PURPOSE: Cyber is the fifth domain of warfare. Being able to destroy one’s opponent without any ability to recover is checkmate in the cyber world
- IMPACT: Total. The intent is clear. Destroy all critical technology, undermine relationships and morale, deplete financial resources, sabotage services, and render all capability to recover or rebuild to a viable state null and void. Burnt to the ground, ashes. “Abandon all hope…”, you get the idea
- HISTORY: To be written, as this type of attack has not yet been seen unleashed. Before cyber, the salting of fields and scorched-earth policies in war attempted the same result
- COMPLEXITY: Ultimate. Modern compute systems are designed for resilience, redundancy, and recovery. Realistically, such attacks on highly dynamic, heterogeneous compute environments are difficult to orchestrate with any confidence. Mature organizations have multiple communication paths, data backups, disaster recovery processes, business continuity planning, and knowledgeable people supporting the technology. To succeed at this type of attack, all of these must be known, poisoned, undermined, or made irrelevant. Administrative power and oversight are required. The normal security controls must be bypassed, and a destruction plan must take into account architecture, business operations, partnerships, social structures, legal agreements, and a myriad of other complexities. Impossibly difficult, until someone actually figures it out. Such attacks are custom and require regular updating to remain current
- SECURITY: There is no holistic security for such a class of attack. Cybersecurity is a piecemeal affair focused on reasonable, likely, and relevant events. This is beyond. It will be the endgame for some.
Today we are under attack and the threats are increasing. We have successfully survived the first level, the Denial-of-Service category of attacks, which are now commonplace; security competency has reached a sufficient level to manage the ongoing risks. We are now in the struggle with the next level of attacks, Data Theft and Exposure, witnessing tremendous leakage of identity, private and confidential data, transactions, communications, and financial accounts. The industry has yet to reach maturity in addressing these threats and managing the risks.
As we descend to lower levels, the challenges get tougher, legacy problems still remain and compound, and overall solutions become more complex. Mitigation controls differ greatly and previous tools have little relevance to new categories of attack. New security instruments must be developed and integrated. Today’s pain and inconvenience will seem tepid compared to emerging categories.
Will we collectively be ready as Monitor and Manipulate attacks emerge? I wager we will not, as time is short and we are on the cusp of entering this realm. But this is a learning game.
The world of security has a chance to improve, get smarter, predict and anticipate future threats, and prepare for the inevitable. Defensive capabilities must accelerate to keep pace with attacker innovation. Security must get smarter, take the initiative, and drive stronger technology which is more resistant to compromise. People must also upgrade, behaving in more secure ways and better understanding risks.
I for one have hope, but the window of opportunity is shrinking. When we reach the bottom and see organizations destroyed, it will open a Pandora’s box with cascading effects across technology and society. Nobody wants to look back and wonder why we did not see this coming and act.
IT Peer Network: My Previous Posts