Cyber Threat Analysis 30 Jan 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

Most Companies Still Willing To Pay Ransom To Recover Data, Survey Shows

The St. Louis Public Library (SLPL) system has become the latest to recover from a ransomware attack without paying a dime in ransom money, even as a new survey shows that organizations overall continue to be more inclined to pay up than not in a similar situation. Instead of trying to negotiate with the attackers, who wanted $35,000 in ransom, library officials immediately contacted the FBI and began work on restoring service using backup systems.(Dark Reading)

No amount of DFIR work will be as cheap or effective as paying the ransom if you don’t have current backups from which to restore operations. The efficacy of ransomware prevention offerings has yet to be critically assessed, but 20+ years of trying to “prevent” bad things from happening on computers – and coming up short – doesn’t instill confidence. This is only a problem that is going to get worse, but one we can combat with basic blocking and tackling. As with any type of cyber threat, the faster you detect it the faster you can respond and the better your chances of minimizing loss or damage.

Why Hacking Back Rarely Works

In November, the UK announced a formal policy of hacking back against nation state attackers. While it might be a viable government policy, for most enterprises, a cyberattack is a crime, not an act of war. Legal and moral issues aside, when it comes to hacking back, what security professionals should be asking themselves is at the end of the day, will it serve their organization enough to justify the effort and risk? (SC Magazine)

Get your finger off the trigger and stop looking down the barrel of that particular gun. There is a case to be made for a regime that enables qualified and capable enterprises to defend themselves and the national interest. But there is a difference between a ‘well organized militia’ and a bunch of yahoos armed with a suite of attack tools taking aim at last-known IP addresses. No one likes to be a victim, but an ill-conceived and poorly-informed offensive campaign is a recipe for making move victims in the course of your attempting to achieve some sense of vengeance. And to what end? Data stolen is lost forever.

AI isn’t just for the good guys anymore

Last summer at the Black Hat cybersecurity conference, the DARPA Cyber Grand Challenge pitted automated systems against one another, trying to find weaknesses in the others’ code and exploit them. There have been no examples of hackers leveraging artificial intelligence technology or machine learning, but nobody adopts new technologies faster than the sin and hacking industries. (CSO Online)

In the battle against technical threats you have to think asymmetrically. You, as a discrete enterprise, cannot hope to compete with all the dynamic and motivated threat actors out there, who can do what they do much faster and cheaper than you respond. It is important to remember that the motivations behind these attacks are consistent and rooted in human nature. Anger, hate, jealousy; stealing things, breaking things, hurting people; these are motivations humans can recognize and take action to stop. No amount of computing power can make a person click on a link if they’re sufficiently aware of the threat it poses. You need a suite of tools to fight off attacks; don’t forget the most valuable one of all: your people.

Businesses increasing their cybersecurity budgets, but spend it in the wrong places

Businesses are spending more than ever on cybersecurity, but there’s still confusion about what to spend it on. Security spending as a whole is up, says a new report, but the report indicates there is an ongoing disconnect between the security solutions organisations spend money on and the ability of those solutions to protect sensitive data. That disconnect is reflected the 30 percent of respondents who say their organisations are ‘very vulnerable’ or ‘extremely vulnerable’ to attacks on data. (ZDNet)

We spend money on security because its what we have to do, not because we want to. That thinking is what leads us to situations like the one we are in now: buy what everyone else is buying or that “best practices” tell you to and hope for the best. Pen tests? Red teaming? Sure, they will tell you where you came up short, but they never tell you where you succeeded. It is this melding of positive and negative feedback that can serve as the start of developing a methodology to assess cyber security spending ROI.

Explaining cybersecurity threats in a decision-maker context

As cybersecurity professionals, I’m sure you’ve  had this experience:  you find a risk to your organization’s systems, data and reputation, and you want to take action. The decision maker listens to you describe the problem and says, “That is the most important system we have. Build a plan of action and milestone, and we’ll get the authorizing official to accept the risk and keep the system up.” You walk away knowing that nothing has been fixed — that a piece of paper won’t keep your system secure and your agency is now vulnerable to a loss of data and customer trust when the inevitable breach makes the news. (GCN)

As was pointed out last year: you’re not making sense to the people who can make a difference: the check writers. Assessing and accepting risk is par for the course in most commercial concerns, and security should not feel slighted if their recommendations are overruled. Business are in business to make a profit, not secure data. Since you probably cannot provide data that supports an ROI calculation, security is always going to lose out to the course of action that best benefits the bottom line. Every line of business shows up with data to support their arguments: figure out how to do the same and you will start to win some of those profit-loss calculations.

Smartphone Ransomware Is a Looming Threat

Imagine turning on your smartphone to send a text and finding [a ransomware] notice instead. Such a message was found recently by a pair of mobile cybersecurity analysts. The first ransomware attack on a phone occurred in 2013, but until now has been confined to small numbers of victims, primarily in Eastern Europe. Now, the company says, the threat has gained a toehold in the United States.  (Yahoo Finance)

Foreigners get all the cool stuff first. It doesn’t help things that that quality of defensive mechanisms available for mobile platforms are not on par with PCs (modest a bar as that may seem). At least in the early days expect ransomware to spread faster and farther on mobile than it has on desktops. Having said that, the impact of ransomware on mobile users could be less significant given that most if not all data accessible via a mobile tends to be sync’d with a cloud. What data is stored locally (downloaded attachments) are probably still available in email (again, cloud-based). The impact of effectively bricking millions of mobile phones is not trivial, but its also not the same as losing decades worth of business records or personal memories.