British Airways, Cathay Pacific, Equifax: the list of companies who have faced a cyberattack is long and growing longer. The Ponemon Institute quantified the costs of these data breaches at a global average of $3.86m per incident in 2018. A discussion on cybersecurity trends for 2019 with Check Point says next year will be another year of hard-hitting cybersecurity attacks and breaches.
Companies such as Check Point, an Israeli multinational provider of software and combined hardware and software products for IT security are looking for new ways to provide that security. Strangely, its global head of threat detection Orli Gan says the solution will not come from them, but from manufacturers, governments, and law enforcement.
The cybersecurity firm predicts every company will be victim to a cyberattack as 2019 approaches. Gan tells Verdict: “You can just choose whatever name you want, any company in the world and they either were, or are, or will be hit by a cyberattack.”
Cybercrime is the fastest growing branch of crime
Orli Gan compares cybercrime in 2019 to popular bank heist film series Ocean’s 11.
“That’s not real - people stealing money off a bank? Cybercrime is a far more lucrative less risky way to make money.”
There are two types of cyberattack, Gan says. “When you look deeper into how cybercrime or attacks are made you can see people in it to make money and people there to make a point, people demonstrating a point through ‘hacktivism’, the modern-day Robin Hoods.”
Cyberattacks by nation-states which Gan describes as “the riskiest, most sophisticated type of attack” are also morally ambiguous.
“You see nation-state attacks, and those are where it’s a little difficult to say, who’s the good guy who’s the bad guy? When they’re successful they have the most to gain. It’s shutting down power plants or taking down the water supply.”
In September 2018, Check Point uncovered an Iranian state-sponsored mobile surveillance operation against its own citizens, dubbed “Domestic Kitten”. It claims the “attack” had been in place since 2016 and used fake, decoy content to entice its target to download mobile apps loaded with spyware. These apps then collect sensitive information about hundreds of targeted Iranian citizens that include Kurdish and Turkish natives and ISIS supporters.
North Korean cyberhackers Lazarus are another group of potentially politically motivated attackers. Verdict reported in September that its worldwide attacks, on Sony and other US and South Korean websites appeared to be funded by the Kim Jong-Un regime.
There were also concerns about election hacking in the US, in particular, hacks from Russia and recently concerns for democracy around the US mid-terms. The UK government announced in October 2018 that Russian military intelligence was behind a string of cyberattacks, but experts said the US and UK should be focused on improving cybersecurity capabilities, rather than making a show of standing up to Russia.
In spite of this warning, the threat of political interference is set to continue into 2019. Ross Rustici, senior director, intelligence services, Cybereason said then, “It is unlikely that Russia will change its operations because, fundamentally, they have been resoundingly successful.”
Cryptomining is taking over from ransomware
On a daily basis, however, cyberattacks are primarily designed to make money for cybercriminals, says Gan. This is taking over from the “very hyped” ransomware that was big in 2017, such as the WannaCry ransomware virus that infected computers in school, hospitals and businesses in 150 countries.
“We see a quite steady decline in 2018 in the use of ransomware, it’s definitely not gone but it’s slightly more targeted these days towards companies that are more likely to pay significant amounts of money for the data they stand to lose,” Gan reports.
On the rise in 2018 and set to continue into 2019 is cryptomining. Malware enables cybercriminals to hijack the victim’s central processing unit (CPU) power to mine cryptocurrency, using as much as 65% of the end user's CPU power.
Check Point says cryptomining malware has been the leading attack type in 2018, with 42% of organisations globally being hit by cryptomining malware from January to September, more than double the 20.5% affected in the second half of 2017.
Gan describes cryptomining as a stealth crime, a “180 degree turn from ransomware” in terms of how it is perceived by organisations. It is more popular than ransomware simply because it is easy to start, hard to trace and earns money for the criminal for a long period of time, says the firm.
“Ransomware is a very immediate problem, as soon as you’re hit your data is gone and you have to deal with it right away, and you sometimes have a ticking clock, that says the price will double or you’ll lose your data forever," he says.
“So it’s a very immediate, very noticeable attack, whereas cryptomining is very different: their goal is to remain under the radar for as long as they can, if no one notices them then no one would even mind them.”
Cryptocurrency Monero is effectively untraceable
The top three most common malwares seen in 2018 were cryptominers mining the Monero currency, says Check Point. Monero is preferred over Bitcoin because unlike the more well-known cryptocurrency, Monero is effectively untraceable and can use typical computer hardware very effectively for mining, while Bitcoin requires custom-made and optimised chips.
Monero has always-on privacy features that cloak its transactions, so if someone sends you Monero, you cannot tell who sent it and if you send Monero the recipient will not know who it was from unless you tell them.
Bitcoin is not truly anonymous, so people can search for and trace every Bitcoin block, transaction and address.
How do cryptominers get control of the CPUs?
Gan explains how the cyberattackers take control of the CPUs:
“The infiltration into somebody’s infrastructure is not that different from any other malware, they have a very well-defined set of technology through which they enter an organisation.
“Often it would start with some sort of social engineering, a phishing email or website that you’re attracted to and continuously evolve it to enter someone’s network with malware. Getting exploitation and the delivery method hasn’t really changed much, we’re still the same silly human beings. It’s easy to fool us.”
Phishing will continue in 2019
Getting hold of private information such as usernames, passwords and credit card details by targeted phishing emails is only set to continue into 2019.
Phishing is one of the most common online fraud tactics developed over the past decade. In the third quarter of 2018, RSA detected 38,196 total fraud attacks worldwide and phishing scams were the most prolific.
Despite an awareness of the risk of phishing, many individuals still fall for fraudulent attempts to gain information. This kind of attack is particularly prevalent at this time of year, and there is expected to be a steep rise in the volume of phishing, with criminals looking to commit fraud during Black Friday on 23 November 2018 and Cyber Monday on 26 November 2018.
Without malware attachments, phishing emails can often slip through a company’s cyber defences. According to the FBI, this is costing businesses $12.5 per year in losses. In its Quarterly Threat Report, cybersecurity company Agari found that 54% of advanced email attacks use a brand’s name to deceive. They use names like Microsoft, Amazon and Bank of America to gain the user's trust.
Cyberhackers can also use other methods to get hold of private data, by buying blueprints, searching social media and stealing garbage.
AI attacks and predictive security
BlackBerry, another IT security firm has announced it is buying cybersecurity giant Cylance, a key player in the emerging field of AI-based cybersecurity. Cylance combines AI, machine learning and algorithmic science in predictive software that is able to prevent both known and unknown threats.
But as the Financial Times reported, "AI is not a 'silver bullet' against cyberattacks". Artificial intelligence can also be used against the organisations and individuals it tries to protect. It can be used to teach machines to attack computer networks on their own, and this approach is only set to evolve in the coming year.
How can organisations protect themselves?
For companies looking to protect themselves, there no single approach that guarantees success.
“There is no single silver bullet," Gan agrees.
"You have to understand the complexity of the problem, you have to address the different angles in different capacities, and you always have to have multiple advisories and engines that combined can give you that accuracy that you require from a product that you’re actually going to use.”
The accuracy of the security solution is very important, however.
“Accuracy is number one in order to be practical because when you’re not, the reality is that people in the organisation will start getting angry – ‘I needed that email but it was blocked by your security system.’”
Can we win the war against cybercrime?
Check Point is sceptical that there is a true solution to cybersecurity threats.
“Can we win [the war against cybercrime]? Not in the way it’s being done today," Gan says.
"Technology moves really fast and normally not with any regard to security.”
She tells Verdict the solution is not going to come from Check Point, or security software firms. Her idea is for a three-strand defence that involves manufacturers, government regulation and law enforcement.
She says we must regulate manufacturers of electronic devices to prevent them from using the most basic operator and instead use ones that comply with security requirements. “
That has to come from government and it has to come from regulation. The industry will not volunteer to do that.”
Gan’s third strand is law enforcement. Companies are attacked 30 or 40 times an hour, but no one is being hunted or punished for it.
“There has to be a little more retaliation, there has to be a little more fear,” Gan insists.
At the moment, Gan’s thinking is shown by the continued rise of cybercrime, set to carry on into 2019. She argues that “cybercrime is a far more lucrative, less risky way to make money,” than a simple Hatton Gardens heist. It is also an effective way to make a point across country and company lines.