Is your business being held to ransom?
In today's hyperconnected world, the real question isn't if a security breach will happen but when. And breaches mean loss of money, time and customers, on top of outages. At Cisco alone, we block 19.7 billion threats a day. But as cyber incidents such as WannaCry and Nyetya show, the impact of attacks is becoming much more destructive.
Many of the security trends that we explore in Cisco's latest cybersecurity report examine how attackers are innovating ransomware and Distributed Denial of Service (DDoS) campaigns.
New attacks emerging
As the threats posed by hackers constantly evolve, attacker behaviour is shifting to malware and ransomware that seeks to destroy a network or hold its owners to ransom. We have seen two new types of attack emerging - ransom denial of service (RDoS) and destruction of service (DeOS).
Attackers are looking to completely disable an organisation's network and hold the company to ransom for bitcoins or to just simply destroy the system. Their toolbox to achieve such devastation has grown with the rise of the Internet of Things (IoT) and connected devices providing new entry points. The cloud is also providing a new platform for attackers to look for security gaps. Another weak spot is outsourcing - as the number of external vendors increases, so too does an organisation's attack surface.
A global survey carried out by Cisco partner Radware shows that last year, nearly half of all companies suffered at least one cyber ransom incident. And worryingly, 17 per cent of these were RDoS attacks.
Asia suffered more cyber ransom incidents (39 per cent) than North America (35 per cent), showing what a huge challenge this is for the region.
Ransomware originally started as a problem for unsuspecting consumers, but now businesses are increasingly being targeted by threat actors. Organisations, big and small, promise a much bigger payday for attackers than a private individual, especially if they get the ransomware distributed across a company's entire network.
What we have seen from previous attacks is that they can be extremely harmful and have a long-term effect on an organisation when its entire network has been compromised.
Business email spam more lucrative
While ransomware attacks tend to hog the headlines, it is in fact business email compromise (BEC) that costs organisations more money. BEC fraud is far more lucrative than ransomware and is often underestimated by business owners. Between October 2013 and December 2016, BEC raked in US$5.3 billion for fraudsters, compared to about US$1 billion last year for ransomware attacks. This profitable type of scam relies on social engineering - exploiting people rather than machines.
A basic BEC campaign will involve an email (often spoofed to look like it has come from a co-worker) targeted at financial employees who are allowed to send money via transfers. Attackers do their homework and study an organisation's hierarchy and its employees using the internet and social media. Once armed with enough information, they piece together the likely chain of command.
The attacker will then send an email that appears to come from the CEO or other high-ranking executive asking the receiver to urgently wire money to a "business associate" or to pay a vendor. The bank account belonging to the cyber criminals is typically foreign-based.
BEC scams are aimed at big targets - two high-profile tech companies have been victims of BEC attacks and wire fraud. These were blue-chip tech companies that most people expect to have advanced levels of cybersecurity. But BEC messages don't contain malware or suspect links, so they can usually bypass all but the most sophisticated threat defence tools. Organisations with an online presence, from tech giants through to those with just a handful of employees, are all potential targets. Because BEC fraud is a low-cost, high-return type of cybercrime, we expect it to grow as a threat.
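Because a BEC message carries no malware or link, the signals a defender has left are the ones described above: an executive's name on an external address, a reply path that leads somewhere else, and urgent payment instructions. The script below is an added illustration of how a mail gateway or SOC could triage for those signals; it is not Cisco's or Radware's code. The internal domain, the list of protected executive names and both sample messages are assumptions constructed for the example.

```python
"""Heuristic triage of inbound mail for business email compromise (BEC) traits.

Added example, not part of the original article. Assumes the organisation's
domain is example.com and that "Jane Doe" is an executive whose name attackers
would spoof; both sample messages below are constructed for this illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # assumption: the organisation's own domain
PROTECTED_NAMES = {"jane doe"}        # assumption: executives worth protecting

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank account|invoice|vendor)\b", re.I)


def _domain(addr):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Score one RFC 822 message; two or more matching traits mark it suspicious."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"

    reasons = []
    # Display name of a protected executive paired with an external sender domain
    if from_name.strip().lower() in PROTECTED_NAMES and _domain(from_addr) != INTERNAL_DOMAIN:
        reasons.append("protected executive name on an external sender address")
    # Replies are steered to a mailbox the attacker controls
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    # The receiving gateway already recorded an SPF or DMARC failure
    if "spf=fail" in auth or "dmarc=fail" in auth:
        reasons.append("SPF or DMARC failure reported by the receiving gateway")
    # Classic BEC lure: urgency plus a payment or transfer request
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent language combined with payment instructions")

    return {"score": len(reasons), "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample resembling the CEO-fraud pattern described in the article.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@lookalike.invalid>
Reply-To: ceo.office@freemail.invalid
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=lookalike.invalid; dmarc=fail header.from=lookalike.invalid

Please wire 48,500 USD to the vendor's bank account today. I am in a meeting, handle this immediately.
"""

# Constructed benign message from the same executive's real mailbox.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Can we move the budget review to Thursday? No action needed before then.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(sample)
        print(label, result["score"], result["suspicious"], result["reasons"])
```

A real deployment would pull the executive list from the directory, weight the traits rather than count them, and route hits to a manual call-back check with the finance team; the point of the heuristic is that none of these traits require a malicious attachment or URL to be present.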
Malicious email and spam
At the same time, cybercriminals are also diverting attention back to malicious email to deliver ransomware and other malware quickly and cost-effectively. They're also getting creative with their methods to evade detection. For example, Cisco threat researchers observed growth in spam containing macro-laden malicious documents, including Word documents, Excel files, and PDFs, that can defeat many sandboxing technologies by requiring user interaction to infect systems and deliver payloads.
Spam-sending botnets are also thriving and adding to the deluge of global spam campaigns. Our cybersecurity report shows monitored activity from a botnet called Necurs. The botnet owners relied heavily on low-cost, low-quality spam campaigns, suggesting that these less resource-intensive efforts successfully generated revenue.
With a rise in the different types of attacks and in the level of sophistication, spotting threats quickly is becoming increasingly important. Cisco measures the window of time between a compromise and the detection of a threat, calling it "time to detection" or TTD. From November 2016 to May 2017, we dramatically reduced our time to detection from just over 39 hours to about 3.5 hours on average. With faster detection times, attackers are now under more pressure to evolve their threats to evade detection and devise new techniques. But defenders cannot afford to stand still and watch as attacks become more sinister and destructive.
Responding to security threats requires time, talent and money - resources that most security professionals would agree are in seemingly short supply. Therefore, effective security requires automation and the need is urgent. Automation can help organisations understand the threats they may not have time to study. It helps security teams maximise precious resources, and reduce the time spent on detection, investigation and remediation - so they have more time to manage previously uninvestigated threats. At Cisco, we build our security solutions to be open, so products integrate into a compelling architecture. We embed automated services so that customers don't have to manage every alert or incident individually. This creates a force multiplier effect, removing the burden from teams drowning in alerts while simultaneously expediting detection and response.
In the face of increasing attacks, cybersecurity needs to be made a top priority and organisations need to invest in automated tools to help their security teams stay on top of alerts, gain visibility into their dynamic networks, as well as detect and respond swiftly to threats.
- The author is Cisco's Managing Director, Security, Asia Pacific & Japan.