July 20, 2017

U.S. Cybersecurity: Trends, Drivers and Disruptors Part 2

By Lloyd McCoy Jr.
Manager of Market Intelligence
immixGroup, an Arrow company


This four-part series is a summary of a presentation from Lloyd McCoy Jr. as part of Arrow’s 2017 Security Symposium, held May 3-5 at the Omni Fort Worth Hotel in Fort Worth, Texas.

Part 2: The Threat Landscape

In the last part of this series, we took a big picture look at the cybersecurity market. In this part, we’ll look at what’s driving this demand and the threats that are out there, because the nature and extent of a threat figures prominently in procurement decisions customers make toward security. Most threat actors can be grouped into the following major categories.

Financial cyber threat actors

Financial cyber threat actors are highly motivated and have recently made their efforts more targeted than ever before. Previously, they were targeting senior managers; now, they are going after HR clerks and payment authorizers. They are hitting mid-market companies hard, frequently in the areas of payroll and wire fraud, since security there is not as robust as in a larger organization. Their tools are customizable – not just a shotgun approach – and they’re using analytics on their backend to determine targets so they can craft a socially engineered attack. This reflects a reality where the soft underbelly of an organization is its human beings.

They are also taking lessons from nation state attacks. For example, in terms of attack coordination methods, they’re using multiple people in an attack. Another tactic they’re adopting is the way they go about reconnaissance. Once they get on the victim’s machine, they conduct further observation, recording workflow and activity, so that, when the time comes, they have enough information to attack.

Ransomware is the highest profile subset of financial cyber. CryptoLocker is one of the most famous examples. Over 90 percent of ransomware comes through emails and messaging. Attackers are bypassing antivirus, hiding themselves in an installer, and using a lot of smokescreens and encryption. To regain access or control of the data, the user must pay a ransom, typically via bitcoin. The encryption is unbreakable, and simply removing the malware will not solve the problem. The victim is forced to pay for the unique software key that will unlock everything.

A couple of ways the manufacturer and partner community can help are through offering secure backups and a more modern antivirus that, for example, disables macro scripts in files transmitted through email. Also, and perhaps just as importantly, they can guide customers into looking – and then looking again – at their data governance strategy.
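One way to implement the macro check mentioned above, as an added example that is not from the original article or from Arrow: a Python mail filter that opens each attachment and flags Office files carrying a VBA project (OOXML files are zip containers, and a macro project is stored as a vbaProject.bin part). The sample message, attachments and file names are constructed inline for the demo.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Macro-enabled OOXML extensions plus legacy binary formats that can carry VBA.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".doc", ".xls", ".ppt"}

def attachment_has_macros(filename: str, data: bytes) -> bool:
    """True if an attachment is a macro-capable Office file.
    OOXML (zip) files are inspected for a vbaProject.bin part regardless of
    extension; non-zip files are flagged by extension alone (conservative)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in MACRO_EXTENSIONS)

def macro_attachments(raw_message: bytes) -> list:
    """Return the file names of attachments in a raw RFC 822 message that carry macros."""
    msg = email.message_from_bytes(raw_message)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or part.get_content_maintype() == "multipart":
            continue
        if attachment_has_macros(name, part.get_payload(decode=True) or b""):
            flagged.append(name)
    return flagged

def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal zip that mimics a .docx (or .docm when with_macro) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00\x01")  # stand-in for a VBA project
    return buf.getvalue()

def sample_message() -> bytes:
    """Constructed sample: a lure with one clean and one macro-bearing attachment
    (the second is renamed .docx, which an extension-only check would miss)."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"  # constructed address
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="octet-stream", filename="invoice_v2.docx")
    return msg.as_bytes()
```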

Nation state threats

As formidable as ransomware attacks are, nation state threats are probably more so. They are extremely skilled, coordinated and strategic. The most high-profile example of a nation state attack is probably when the Stuxnet cyberattack was used to slow down Iran’s progress towards building an atomic bomb. It demonstrated what you can do against critical infrastructure and physical things.

Cyber espionage is the most common activity we see from nation states, usually because a country wants to advance their own military posture and perhaps weaken our military advantage in a future conflict. Ninety-six percent of cyber espionage originates from China. But, as we saw with the Sony hack, the OPM breach two years ago and, more recently, the 2016 presidential elections here in the U.S., it’s more than military secrets. Nation state attacks can have far reaching political, economic and psychological effects.

Ransomware and nation state actors are two of the most important threat classes, but here are a few others worth noting.


Hacktivists

Hacktivists are your politically motivated cyber criminals of the world. If you’ve seen the show Mr. Robot, you know what we’re dealing with. The true talents of the hacktivists lie with coordinating and communicating amongst their organization, proving more powerful and effective as a collective than as individuals. Think Anonymous and WikiLeaks.

Like other activists, they work to push their political agenda, often pursuing activities that expose perceived wrongdoing, or exacting revenge to raise their profile or make it into mainstream news. Their skill levels vary, typically ranging from complete novice to intermediate, but, occasionally, you’ll see highly skilled professionals. I predict we’ll see a rise in hacktivist-inspired cyberattacks in coming years as it becomes easier to acquire the kit and skills for hacking and because of the upsurge in political strife that we’re seeing around the world.

Organized crime hackers

Organized crime hackers are professional criminals motivated by money – they hack to steal data, computing resources or directly steal money. Organized crime hackers are well-funded and extremely organized, and may have relations with nation state hackers or hacktivists in some opportunistic cases. Ransomware intersects with this category as well.

Terrorist Hackers

Terrorist hackers are the most recent persona to enter the threat landscape. Motivated by politics and religion, these cybercriminals work with high levels of determination and persistence to achieve a political or religious end, often by means of creating fear and chaos. Like hacktivists, they are highly coordinated and strategic, borrowing techniques from other hacker personas.

Insider Threats

Finally, you have your insiders, who can be unwitting. Earlier, I described employees as the soft underbelly of an organization. They are the greatest vulnerability because of poor cyber hygiene and because they’re susceptible to social engineering. It’s tough to defend against that. Malicious insiders on their way out, or a disgruntled employee, are even harder to stop, which is why least-privilege access and encryption are so important.

We’ve taken a big picture look at the cybersecurity market and the threats driving this demand. In the next part of this series, we’ll look at the modernization of cybersecurity and how it’s changing in the face of cloud, IoT, mobility and more.

The Arrow market intelligence team understands what drives the procurement of technology. It uses that knowledge to help suppliers and partners shorten their sales cycles. Please reach out to your Arrow representative and ask about how you can engage with the team.

To listen to a recording of Lloyd’s presentation, click here.