The democratisation of threats

Issue 7 2022 Information Security

Cybersecurity breaches captured numerous headlines in 2021, with several high-visibility incidents (for example, the Log4Shell exploit) focusing the public’s imagination on emerging threats such as ransomware, and government policy quickly spinning up in response. Notably, we’ve seen a ‘democratisation’ of such threats due to the appearance of a ransomware economy and a continued blurring of the lines between state actors and eCrime organisations – which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same.

Ransomware hits Main Street

Ransomware overtook personal data breaches as the threat that dominated cybersecurity news around the world in 2021. The US Treasury’s Financial Crimes Enforcement Network (FinCEN) reported in June 2021 that the total value reflected in ransomware-related suspicious activity reports (SAR) during just the first six months of that year had reached $590 million, exceeding the $416 million reported for all of 2020.

We are now seeing ransomware gangs applying lean start-up principles to their operations. They begin with skeleton teams making scattergun, speculative attacks and crudely requesting their rewards in cryptocurrency. Following one or two successful attacks, these teams treat the ransoms paid as seed capital, using it to grow their operations and invest in better software, talent and exploits.

At the elite end, ransomware teams run processes that include detailed research to identify targets, advanced communications, media relations to stoke fear and increase the likelihood of a payout occurring, and even IT desks and ticketing systems to allow their clients/victims to get their data back and operations running again. Many attackers now track CVEs to find gaps for exploitation that have remained undetected by organisations that fail to take a proactive approach to their security.

One of the terrifying consequences of the increase in the scale and impact of attacks is that it brings critical national infrastructure and healthcare facilities more into play as targets. In 2021, the Colonial Pipeline attack shut down gasoline supply to half the east coast of the US for several days, pushing prices above $4 per gallon and costing tens of millions of dollars on top of the ransom paid. Research shows that death rates increase when hospitals suffer ransomware attacks, and the tragic case of an infant death in 2019 may have been the first life lost that can be directly traced to ransomware.

Given the economics of ransomware, this problem will not disappear soon: director of the NSA and head of US Cyber Command, General Paul Nakasone, predicts persistent ransomware threats ‘every single day’ for the next five years.

In advance, the Dutch government signalled that it would be countering ransomware with offensive operations, and the head of the UK’s National Cybersecurity Centre said that responding to ransomware would include integrating and deploying a range of tools, including economic measures and military capabilities.

This gradual legitimisation of offensive deterrence follows the ‘release the hounds’ doctrine first proposed by Bugcrowd in 2014 and popularised by Patrick Gray on the Risky Business podcast.

Attack surfaces and supply chains exposed

While security teams have spent countless hours addressing the ‘new normal’ of hybrid work environments (such as the use of home Wi-Fi with cheap hardware configured to default settings), few have budgeted for it in advance. This means that many remote workers have a lightly defended entry point into the corporate network. Advanced attackers are now using these entry points to gain a foothold.

The overall effect is a massive expansion of IT footprints and associated attack surface. Research by the Enterprise Strategy Group found in 2019 that the average organisation’s attack surface was 40% “unknown”. And that was before short-term workarounds to enable working from home that became permanent, and the decision by many organisations to adopt remote working policies.

2021 was also a record year for mergers and acquisitions (M&As). Given that M&A activity is a principal driver of shadow IT and forgotten assets, this will accelerate the trend of vulnerable attack surfaces being exploited by malicious actors.

Acquisition activity and entropy, over time, lead to a reliance on legacy software that is often poorly maintained and more likely to contain vulnerabilities. These can be especially dangerous when there are unmaintained OS components in the mix, as these can enable lateral movement to access high-value assets. Trends associated with the pandemic have accelerated the risks associated with unknown and vulnerable assets, a trend that was already observed before the pandemic began.

Supply chains have increased in size and complexity, and with them the attack surfaces that each organisation needs to secure. For example, data from BlueVoyant [1] shows that companies with over 1000 employees share data with more than 1000 third parties on average, and this number is sure to grow. The risk is even higher for vulnerabilities that touch numerous interdependencies, such as the Log4J vulnerability.

The demand for securing these expanding attack surfaces has created a thriving industry for scanners and automated tools. However, automation is hardly a silver bullet. Attackers have access to those same tools and can supplement them with domain knowledge, creativity and intuition, and they are also skilled in working through OODA loops (observe–orient–decide–act) quickly during the lag times associated with scanners.

Only an approach that turns that weakness into a strength – by adopting the same tools, techniques and mindset as attackers to uncover vulnerabilities before they do – leads to success.

Use of n-days by APTs

Whereas, in the past, advanced persistent threats (APTs) were defined by state-of-the-art tactics and clandestine operations, this approach is shifting. Diplomatic norms around hacking have weakened to the point where nation-state attackers are less concerned with stealth than they were in the past.

Because APT behaviour is determined by the incentives of free markets, they are figuratively willing to put down their sniper rifles and pick up shotguns on occasion. Lower-level targets are now on APTs’ radars, and they are willing to use ‘n-days’ (simple exploits of known vulnerabilities) and less sophisticated attacks to crack them. The convergence of tactics between APTs and cybercriminals coincides with an increased willingness from state actors to engage in malicious activity for economic gain or camouflage. For example, CrowdStrike has found that Iranian cyber operations were engaging in eCrime to complicate attempts at attribution, while Teiss [2] reported that the main source of revenue for the North Korean state is cybercrime.

Researchers on the Bugcrowd platform have responded by focusing their efforts on commercially available off-the-shelf products, which are being targeted more frequently when n-days drive attacker behaviour.
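The two defender-side problems the report keeps returning to, assets the organisation does not know it owns and known assets still running versions with public fixes (the n-day exposure), can be checked with the same small piece of tooling. The example below is added here and is not code from the report or from Bugcrowd; every hostname, product name, version number, advisory identifier and date in it is constructed for illustration. It reconciles an externally observed host list against an inventory to find untracked assets, then compares inventory versions against advisory version ranges numerically rather than lexically (the usual bug in home-grown patch trackers), and reports how many days each fix has been publicly available.

```python
"""Defender-side exposure check: unknown assets plus n-day version matching.

Added example, not from the Priority One Report. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.17.1' into (2, 17, 1) so comparisons are numeric, not lexical.

    A non-numeric suffix such as '-rc1' is dropped; that is a simplification
    good enough for dotted release numbers, which is what this example compares.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifiers, not real CVE numbers
    product: str
    introduced: str    # first affected version (inclusive)
    fixed_in: str      # first fixed version (exclusive upper bound)
    published: date    # date the fix became public

    def affects(self, product: str, version: str) -> bool:
        if product != self.product:
            return False
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed_in)


@dataclass(frozen=True)
class Exposure:
    host: str
    product: str
    version: str
    advisory_id: str
    days_exposed: int  # days since the fix was published, i.e. the n in n-day


def normalise_host(host: str) -> str:
    """Case and trailing-dot differences are not different assets."""
    return host.strip().rstrip(".").lower()


def unknown_assets(observed, inventory) -> list[str]:
    """Hosts seen from the outside that the inventory does not track.

    Nothing downstream (patching, scanning) can act on an asset it does not know about.
    """
    known = {normalise_host(h) for h in inventory}
    return sorted({normalise_host(h) for h in observed} - known)


def exposed_assets(inventory, advisories, today: date) -> list[Exposure]:
    """Inventory entries inside an advisory's affected range, oldest fix first."""
    found = []
    for host, (product, version) in inventory.items():
        for adv in advisories:
            if adv.affects(product, version):
                found.append(Exposure(normalise_host(host), product, version,
                                      adv.advisory_id, (today - adv.published).days))
    return sorted(found, key=lambda e: -e.days_exposed)


# Constructed inventory: host -> (product, version). The 'acquired-example.com'
# entries stand in for assets inherited through an acquisition.
INVENTORY = {
    "www.example.com": ("acme-logging", "2.14.1"),
    "api.example.com": ("acme-logging", "2.17.1"),
    "vpn.example.com": ("acme-vpn", "8.2.0"),
    "legacy.acquired-example.com": ("acme-vpn", "7.9.3"),
}

# Constructed list of hosts observed externally (the kind of data an attack surface
# scan, DNS or TLS certificate records would yield). Two are not in the inventory.
OBSERVED = ["www.example.com", "api.example.com", "vpn.example.com",
            "legacy.acquired-example.com", "dev.acquired-example.com", "Mail.Example.com."]

# Constructed advisories with placeholder identifiers and dates.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "acme-logging", "2.0.0", "2.17.1", date(2021, 12, 28)),
    Advisory("ADV-PLACEHOLDER-2", "acme-vpn", "7.0.0", "8.1.0", date(2021, 6, 1)),
]

DEFAULT_TODAY = date(2022, 1, 31)  # fixed so the report is reproducible


def report(today: date = DEFAULT_TODAY) -> dict:
    """Summary a security team can hand to the patching and asset owners."""
    return {
        "unknown": unknown_assets(OBSERVED, INVENTORY),
        "exposed": [(e.host, e.product, e.version, e.advisory_id, e.days_exposed)
                    for e in exposed_assets(INVENTORY, ADVISORIES, today)],
    }


if __name__ == "__main__":
    for key, rows in report().items():
        print(key)
        for row in rows:
            print("  ", row)
```

The point of `parse_version` is that `"2.9.0" > "2.17.1"` is true as a string comparison, so a tracker that compares raw version strings will quietly mark an affected 2.9.0 install as fixed; the numeric tuple gets it right. The `days_exposed` column is the number a defender should watch, because it is the window the report describes APTs and criminals exploiting with n-days.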

From penetration testing, to crowdsourced, to multi-sourced

Penetration testing is the oldest outsourced service in security, with traditional penetration testing dating back to the 1990s in its current form. Arguably, penetration testing extends even further back to the UK government’s ‘tiger teams’ of the 60s and 70s, formed to identify and exploit vulnerabilities in computer programs. This evolved into ‘adversarial simulation,’ which became incorporated into the PCI-DSS standard in 2006.

Penetration testing has evolved more over the past three years than over the previous 20, as ownership on the client side has moved from the governance, risk and compliance teams to the security team.

The change in ownership shifted the focus from meeting strictly regulatory goals to also finding vulnerabilities that go beyond the checklist. All this turmoil has caused industry leaders to consider penetration testing from first principles, and to reassess the definition of a penetration test in a world where vulnerabilities can constantly be uncovered by remote hackers.

The traditional model of paying a small team of penetration testers for set-piece projects has evolved, with Bugcrowd now offering a modern ‘Pen Testing as a Service’ solution that integrates the crowd into pen test workflows to replace or complement traditional, compliance-focused testing.

This new approach has broadened the range of models available, enabled rapid launch times, and provided much more flexibility for customers with pen testing needs. Buyers can now consider their needs around compliance, budget, deadlines and physical security, and implement the right pen testing models accordingly.

This article was extracted from The Priority One Report 2022 from Bugcrowd. The full report is available at https://www.bugcrowd.com/resources/report/priority-one-report/ (or via the short link: www.securitysa.com/*bug2)

[1] https://www.bluevoyant.com/resources/managing-cyber-risk-across-the-extended-vendor-ecosystem (or via the short link: www.securitysa.com/*blue1)

[2] https://www.teiss.co.uk/news/cyber-crime-is-now-the-north-korean-regimes-biggest-source-of-income-9016 (or via the short link: www.securitysa.com/*teiss1)
