Here’s an article I wrote the other week for IDG Connect. The situation is rapidly evolving, but most of the commentary is still bang on:
As the world’s IT manufacturing centre and a huge market in its own right, anything that happens in the China can have a significant impact on the tech industry. So the boardrooms of multi-national IT players everywhere will once again be on high alert as the new coronavirus brings factories to a halt in the Middle Kingdom.
As if the persistent threat posed by Donald Trump’s protectionist trade war wasn’t enough to contend with, the newly named Covid-19 is already having a chilling effect on key supply chains and components. It may further accelerate plans for manufacturers to move facilities out of China and could even impact 5G deployments, according to analysts.
Bigger and badder than SARS
First reported to the World Health Organisation (WHO) on December 31, Covid-19 has now claimed over 1,000 victims and infected nearly 43,000, mainly in China. As such, it’s now more deadly than the SARS epidemic of 2002-3, which had a major impact on the Chinese and global economy at the start of the century.
It’s impact on tech is two-fold: in closing down factories in quarantined areas and preventing workers from travelling to facilities; and in subduing the usual sales bonanza in China around the Lunar New Year holidays at the end of January. In many cases, it appears as if workers have been stranded in their home towns, unable to travel back to the regions in which they usually live and work.
The annual Mobile World Congress (MWC) event in Barcelona has even been cancelled after big-name Asian firms pulled out. This is not insignificant, according to Forrester analyst, Alla Valente.
“For the thousands, if not millions of meetings, conversations and deals that would have taken place, this has long-term implications for vendors, suppliers and customers,” she tells me by email.
Huawei also postponed its annual developer conference in Shenzhen this week. Analysts tell me that tech giants including Dell, HP, Apple, Samsung, Qualcomm, Microsoft, Google, Intel, Sony, LG and even Facebooks’ Oculus brand are in the firing line. But some sectors are more exposed than others.
Where is Covid-19 hitting hardest?
Displays: With five large display factories located in the Covid-19 ground zero of Wuhan, it’s perhaps not surprising that this sector is impacted. According to analyst Omdia, utilisation rates at Chinese display fabs will drop by 20-25% in February with total production/output set to fall by 40-50%. Producers are hit by both component and labour shortages thanks to quarantining efforts by the Chinese government.
LCD polarisers and LCD module printed circuit boards (PCBs) are in particularly short supply due to logistics issues, even as most facilities resume production. This could apparently affect 5G smartphone production as well as other products: China reportedly makes around half the world’s supply of TVs, laptops, and PC monitors.
Smartphones: Along with the problems in LCD displays, many of the world’s biggest producers of smartphones including Apple have major production facilities in China. Two major Foxconn facilities used by the iPhone-maker were reportedly given the green light to reopen this week, but only 10% of workers had so far been able to return. Foxconn shares slumped 11% since markets reopened following the New Year break. Analyst Trendforce reportedly cut its forecast for iPhone production in the first quarter of 2020 by around 10% to 41 million handsets.
It’s not just production of smartphones that’s at stake. Although the giant Chinese market was set to rebound in 2020, this now seems unlikely, in the short term at least. IDC expects China’s smartphone shipments to slump more than 30% year-on-year in Q1 2020, and warned of “uncertainty in product launch plans, the supply chain, and distribution channels, in the mid and long term.”
Servers: According to reports from Taiwan, server shipments grew by over 13% in Q4 2019 but are expected to be affected by Covid-19 in the first three months of 2020. Although demand from large datacentres remains strong, the virus outbreak has impacted the upstream supply chain, which will cause shipments to decline 9.8% from the previous quarter, versus a previous estimate of 1.2% growth.
What happens next?
Although some reports from China claim hopefully that the disease appears to be slowing, it took five months before the SARS outbreak was officially recognised by the WHO as contained. As such, it’s still far from certain when travel restrictions will be relaxed by Beijing so that workers can return to production plants. The longer the current situation continues, the bigger the potential impact on supply chains.
Omdia claims, for example, that while currently global semiconductor supply appears unaffected, this could change if the public health situation worsens. Meanwhile, IDC analysts warned in an emailed note: “Since a large amount of the surface mount technology (SMT) and PCB manufacturing factories for both consumer goods and datacentre products are produced in China, and even in Wuhan in some cases, much of the supply chain is at the mercy of the government closure of critical infrastructure.”
For Forrester’s Valente, Covid-19 has the potential to disrupt not just 5G rollouts but the wider global economy.
“It will delay product launches – if they’re lucky. With so many supply chains adopting the Just-In-Time approach to inventory and manufacturing, some launches may need to be cancelled outright,” she argues.
“As the pandemic impacts more supply chains, what happened when products, parts, resources run out? Will all the business depending on them experience disruption? The long-term impact is greater than the economy of China or the region. We’re living in an interconnected business economy, and Covid-19 could impact the global economy.”
The future: diversify
In the meantime, the best thing organisations can do to mitigate the risks posed by the next Covid-19 is to revise and update business impact analyses (BIAs), according to Forrester. This should include four main steps:
- Classify business processes according to criticality
- Improve supply chain resilience by diversifying with multiple suppliers and geographies
- Identify which customers should receive priority treatment
- Provide extra resources and enhance automation to take the strain off your reduced workforce
The analyst warned that climate change will make pandemics like this more common in the future. As the tech industry picks up the pieces once Covid-19 has blown over, the lasting impact may be an acceleration of a trend already begun thanks to the US trade war. Namely, moving tech production out of China.
If there’s one cybersecurity story that dominated the headlines more than any other in 2019, it was the surge in high-profile ransomware attacks on the US public sector. Municipalities all over the country were caught out, leading to major disruption of local schools, emergency services, courts and other public services. It was a reminder, if any were needed, of the absolutely critical role IT systems now play in society.
But what can IT security chiefs learn from the travails of the past year to improve resilience as we head into a new decade? I spoke to several experts recently for an upcoming Infosecurity Magazine feature.
Drowning in ransomware
According to estimates from Emisoft, 103 municipalities and 759 healthcare providers, along with 1,224 schools, may have been impacted by ransomware as of December 2019. These include major cities such as Baltimore and New Orleans, as well as countless other smaller local authorities like Pensacola and Riviera Beach.
Why are these organisations suffering in such great numbers? According to the experts I spoke to, it’s a combination of under-investment in cybersecurity, and the propensity of some high-profile targets to pay-up — encouraging copycat attacks.
“Public sector bodies have been very heavily targeted by ransomware lately. This trend has likely been helped by some public sector entities paying substantial sums to ransomware criminals,” said SANS Institute dean of research, Johannes Ullrich. “Access to information is also very important to public sector entities to conduct business, and under-investment in business recovery plans has led to a lack of backups or other fallback mechanisms.”
According to Scott Styles, data orchestration and resiliency lead at Raytheon Intelligence, Information and Services, current security systems are struggling to keep pace with evolving threat techniques.
“Ransomware is designed to avoid detection and exploit the social nature of the network by hiding in files or hyperlinks that businesses need for day-to-day operations. In addition, ransomware only has to be executed once to be successful and it must be detected as well as removed quickly before it can lock or overwrite files. This is unlike other malware that may need to remain in a system for a significant amount of time, or evade detection within a vulnerable system, allowing more time for detection and removal,” he told me.
“While the time-sensitive value of data and services within these organisations makes them prime targets, the main challenges are not much different than other sectors. Vulnerabilities are numerous, people make mistakes and the threat evolves quickly, creating a perfect storm.”
Weathering the storm
The good news is that a defence-in-depth approach utilising key best practice controls can make a big difference, he added. These include AV, up-to-date patching and configuration management, regular backups, and employee security awareness training.
“They should also consider a multi-dimensional approach that integrates hardware, software, network, and behavioural monitoring into a zero-trust resilient solution,” explained Styles. “These solutions typically have the ability to remain operational even if the threat has defeated perimeter defences or is an insider threat.”
For Kevin Lancaster, general manager of security solutions at Kaseya, one of the biggest threats to US public sector bodies is their use of legacy systems. This makes prompt patching more challenging, but also more important than ever.
“The US Department of Homeland Security (DHS) recently issued a new Binding Operational Directive (BOD 19-02) instructing government organisations to patch critical vulnerabilities within 15 days, and high severity vulnerabilities within 30 days,” he told me.
“Patching on time helps reduce the attack surface and ensures vulnerabilities are mitigated quickly. Automating patch management is moving a step ahead. With tight budgets and limited manpower, government agencies can make sure that patches are not missed across the entire network with an automated patch management solution.”
Local governments must get proactive, by developing and testing incident response and business continuity/disaster recovery plans — if necessary, in concert with third-party providers. However, city staff are also a vital asset in helping to mitigate the threat, Lancaster added.
“For government organisations to be fully prepared to tackle cyber threats, IT directors should have a long-term vision which includes up-skilling their employees in areas of cybersecurity,” he concluded. “With budget constraints always at the forefront of concerns, it might not be feasible to routinely train every member of the team. Instead, areas to focus can be prioritised and worked upon to implement effective up-skilling.”
When we talk about ethics in cybersecurity, it’s largely a matter of where researchers should draw the line so that their behaviour doesn’t start to resemble the black hats their tracking. But there are also serious choices to be made by the security vendors they work for in terms of who ultimately gets to use their products. After all, in the wrong hands, legitimate tools could make the world a darker place, and expose vendors to potential fines and reputational damage.
I spoke to some experts about this for an upcoming Infosecurity Magazine article.
Complexity is everywhere
Discussions around ethics and cybersecurity came to a head recently when WhatsApp launched legal proceedings against a well-known Israeli ‘cyber intelligence’ firm, NSO Group, alleging it had helped to develop and deploy malware that was subsequently used to spy on civilians in the Middle East and elsewhere.
Firms like these notoriously operate in a grey area, claiming they only sell their wares for legitimate law enforcement and intelligence uses. Yet what about the much larger market of ‘regular’ cybersecurity vendors? What controls have they, or should they have, in place to limit who gets hold of their kit? After all, deep packet inspection tools could be subverted by despotic regimes to monitor legitimate internet traffic, and IP address filtering to enforce rigorous state censorship, for example.
Trade association techUK has developed a lengthy guidance document for organisations not sure of where their legal obligations stand, and how to comply. But even then, programme manager, Dan Paterson, told me that it can be difficult for especially smaller vendors to conduct due diligence effectively, particularly in the tricky area of dual-use technologies.
No cause for concern?
Even if they can’t, there may be no cause for concern, according to Privacy International’s state surveillance program lead, Edin Omanovic. He told me that, in fact, current UK export rules rely too much on “non-binding and unenforced risk assessments”, which makes it easy for unscrupulous vendors to sell to hostile nations.
It’s a point echoed by Luta Security CEO, Katy Moussouris, who is helping the US government negotiate the global control regime known as the Wassenaar Arrangement. She suggested when I spoke to her that export controls in tech aren’t even really there to restrict the flow of goods outwards, but merely to give domestic governments a better understanding of what its companies are producing.
If that’s true, then what’s the harm? Well, there are still major risk calculations that organisations must undertake — and it’s not just about selling to authoritarian regimes, according to Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec).
“As with any other aspect of security, vendors need to consider risk when choosing their customers. Selling to the wrong customer might mean that a vendor has no way to support its product or resolve contractual disputes, resulting in wasted resources. It might mean that the vendor loses its unique IP, and ultimately its market position,” she explained to me.
“It might mean that the vendor loses the trust of many customers, if a new line of business opens those customers up to new threats. Even if there is no direct risk to the vendor itself, dealing with customers seen as unethical can still damage a business’s reputation. The vendor may still feel that going ahead with a sale is the right decision, but it needs to have weighed the risks beforehand.”
As with most things cybersecurity, therefore, it all boils down to risk management. And with CSR increasingly important in what is a crowded marketplace, ensuring you’re seen to be acting ethically is vitally important, even if export controls aren’t.
Last week, the world’s oldest travel agent, Thomas Cook, collapsed, leaving around 150,000 holidaymakers stranded. But the demise of one of the UK high street’s best-known brands didn’t just end up costing the government, which had to foot the bill for repatriation. It resulted in another opportunistic phishing campaign of the sort that often follow major news events.
In this case, reports soon emerged of consumers targeted with phone calls and emails purporting to come from ‘refund agents’ who just needed their bank/card details in order to reimburse them for their holiday. I spoke to some security experts to find out how far brands are exposed to such campaigns, and what they can do about it. The consensus is that communication with customers is key.
“Organisations and users are at their weakest, post-incident, when it comes to fraud. As we’ve seen time and time again, hackers almost immediately distribute phishing attempts to try and capitalise on an incident,” Proofpoint cybersecurity strategist, Adenike Cosgrove, told me by email. “The repercussions are huge: it will affect customers as well as financial institutions dealing with the aftermath, as their contact centres are inundated with calls from concerned consumers.”
The primary impact of such scams is on customer confidence and trust in the brands they do business with, according to Gemma Moore, director at security consultancy Cyberis. However, they’re almost impossible to stop, she told me.
“What brands can do is manage their customer communications closely and ensure that their customers are well-briefed about how the brand will communicate with them and under what circumstances,” Moore continued.
“Brands can work to educate their customers to treat communications with a sceptical eye. Many banks, for example, regularly remind their customers that they will never contact them asking for sensitive information like card details by email or telephone. Ultimately, vigilance is the best defence for people who are targeted in this way and brands can help this by maintaining clarity.”
Banks add confusion
So, organisations need not only to have a clear communications strategy but also to remind customers what this is, so that any phishing attempts that deviate from the norm will be easier to spot. With the Thomas Cook incident, however, UK banks added to the confusion by texting their customers with messages containing links and phone numbers to call. Some recipients understandably believed these to also be phishing attempts, especially as some claimed not to have even bought a holiday with Thomas Cook recently.
Once again, transparency and consistency is key to keeping customers safe.
“How the banks communicate is key. There is an argument that they should not use text messages as SMS phishing is rife and would potentially confuse consumers,” said Cosgrove.
Brands must not only try to mitigate the impact of attacks on consumers, of course, but also attempts to phish their employees, which could lead to serious data breaches, ransomware infection or other threats. At the same time, and backed by a global cybercrime economy built on stolen data and dark web sites, cyber-criminals are constantly evolving their tools and tactics to trick both employees and consumers.
One technique gaining in popularity is “angler” phishing, where fraudsters set up Twitter accounts masquerading as brands’ customer service operations. They monitor complaints from customers and then jump in to hijack the conversation, often requesting additional personal info and financial details from the victim.
“Another key trend we are seeing is an increase in domain fraud, where criminals leverage domains to target a known brand or company by sending phishing campaigns that look like genuine communication,” Cosgrove explained.
“Recent research shows that 96% of organisations found ‘lookalike’ domains posing as their brand, with registrations of fraudulent domains growing by 11% last year.”
This is where brand and domain monitoring services could come in handy, although as with any cyber-threat, defence-in-depth is recommended. Phishing campaigns are relatively easy to launch and have a decent success rate, so don’t expect any major change in tactics anytime soon. Ultimately all organisations can do is educate their customers about the dangers, create clear, careful communications policies, and closely monitor abuse of their brands and domains online.
The Domain Name System (DNS) is one of the least understood but most crucial parts of any IT environment. Although it’s operated via a global network of servers under the control of ISPs, non-profits, registries and others, attacks can strike to the heart of any organisation. DDoS, phishing, malware downloads, C&C communications and even data exfiltration can all take place via DNS channels.
Because it’s always on and running in the background, converting domain names to IP addresses so users can surf the web, it’s a great conduit for attackers. But that also makes it a useful place to gain advanced insight and control. I spoke to a range of industry experts on the key challenges and opportunities facing firms.
A new favourite
DNS attacks are becoming increasingly popular with nation state hackers. Sea Turtle and DNSpionage campaigns over the past couple of years have targeted Middle Eastern governments and military organisations. They typically compromise key DNS servers, and change the queries stored in them to enable man-in-the-middle phishing attacks designed to secretly steal important passwords. Part of the problem, according to Nominet’s head of IT security, Cath Goulding, is that the protocol is decades old.
“DNS was designed nearly 50 years ago. The people who created it could not possibly imagine the threats that we face today,” she tells me via email. “The advanced malware that we see could not be conceived 50 years ago, so DNS was not designed to defend against it. Humans simply can’t manually monitor the amount of data that passes through it, so we must rely on algorithms and machine learning to keep us safe.”
Gary Cox, technology director for Western Europe at Infoblox, adds that DNS is increasingly being targeted by hackers as other avenues are blocked.
“DNS has become more and more popular as a result of other security gaps being filled – by things like next-gen firewalls, IDS/IPS systems, highly capable endpoint protection going well beyond just basic Anti-Virus,” he explains to me. “New attack vectors are continually explored and exploited, and the latest twist from a DNS perspective is that DNS over HTTPS (DoH) is now being used to circumvent DNS security controls.”
According to DNS pioneer and Farsight Security CEO, Paul Vixie, services like DoH “are well intentioned but policy-ignorant, and many threats to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service.”
Another example of a DNS bypass attack which has garnered an increasing number of headlines over the past year is DNS rebinding. In this attack, hackers first get victims to click on malicious links or online adverts, with rebinding techniques enabling them to bypass the network firewall and use the victim’s browser as a proxy to target any devices on this network. It’s predicted that this type of attack could become increasingly popular in compromising IoT endpoints.
What can we do?
So how can IT security leaders hope to mitigate the risk of a DNS-based attack? After all, with the DNS servers themselves usually out of their control, there’s a limit as to what they can do, right? Well, yes and no. Goulding argues that by using analytics services that search DNS traffic, organisations can turn the ubiquity of DNS to their advantage, using it as an early warning system to spot and block attacks before they’ve had a chance to impact the organisation.
“Utilising a DNS monitoring tool is the first step to mitigating the DNS risk,” she explains. “And while not every firm can afford high-level DNS protection, taking steps to ensure staff education is crucial, too. For many workers, they might not be clear what is and what isn’t a malicious link or malicious add. Ensuring staff have the tools they need to work out what might be malicious and what not be malicious will ensure company safety.”
ISACA board director, Asaf Weisberg, adds that DNSSEC should be rolled across the industry “to strengthen authentication in DNS, by using a DNS Zone’s private key to digitally sign the DNS data, and allowing the resolver to confirm the validity of the DNS data through a corresponding public key that is being retrieved as part of the DNS query.”
However, efforts thus far have been poor. It’s claimed that less than 20% of DNS stakeholders have adopted the specifications – a figure ICANN wants improving urgently. Without this kind of cross-industry response, DNS could remain a security blind spot for organisations for many years to come.
The news coming out of the latest G20 summit in Japan has been largely focused, just as Donald Trump likes it, on his trade war with China. But has the self-styled Dealmaker-in-Chief made a tactical error by appearing to relax punitive rules imposed on one of the Middle Kingdom’s leading tech firms, Huawei?
While the details are still to be hammered out, the announcement would appear to be good news for US tech firms, in the short term at least. But it will only serve to buy Chinese firms more time as the country accelerates towards tech self-sufficiency, while failing to resolve the question of who builds America’s 5G networks.
A good day for Huawei
Trump’s announcement over the weekend came after he and Chinese President Xi Jinping met at the meeting of world leaders in Osaka. The two agreed to resume trade talks, halting the imminent imposition of tariffs on a further $300bn of Chinese imports to America as well as relaxing rules preventing US firms from selling components to Huawei. The latter agreement effectively reverses a decision made last month to stick Huawei and 70 subsidiaries on an “entity list”, although even this had been subject to a subsequent 90-day delay. That decision was touted as one made on national security concerns about the Shenzhen-based network equipment and smartphone manufacturer, although Beijing officials have claimed it was more aimed at constraining the global rise of China’s tech giants.
National Economic Council chairman Larry Kudlow subsequently clarified that these US national security concerns “are still paramount”, and that the new agreement did not amount to a “general amnesty”. Instead, it will only “grant some additional licenses where there is a general availability” of the parts needed by Huawei. These include key processors and software produced by US firms. Huawei was hit for six by the US Commerce Department order in May, which imperilled the supply of key smartphone kit from Qualcomm as well as Intel server and laptop chips, Xilinx and Broadcom networking kit and even Google Android support.
Kicking the 5G can
US technology firms will certainly be happy with the G20 decision. Losing one of their biggest Asia clients – one of the world’s top three smartphone producers – would have been a major financial blow. But it does nothing to address the other key China initiative taken by the Trump administration in late May: declaring a national emergency preventing the supply of IT services and equipment from firms (like Huawei and ZTE) considered under the direction of foreign adversaries.
There is therefore still a huge question mark over how the US competes with China more broadly when the only viable supplier of 5G networks at present is Huawei. Its kit is said to be cheaper and as much as a year more advanced than rivals like Nokia and Ericsson. Washington’s decision to block on national security grounds threatens to stall progress in IoT and smart cities, autonomous vehicles and other sectors which are waiting for 5G to accelerate to the next level of development. More important still, there may be significant military advances being held up by these 5G delays.
Former Pentagon official and visiting fellow at The Heritage Foundation, Steve Bucci, is optimistic that homegrown solutions can be found.
“Trump’s comments do not lift these [5G] restrictions, which is spot on. We cannot lift them safely,” he told me by email. “The answer is to challenge US companies to pick up the baton. They can do it technologically, and just need a little assurance their investments will not be in vain. Additionally, it would probably give our allies and friends a few more options.”
An uncertain future
Yet given the hundreds of billions Huawei and China have spent in gaining an advantage in 5G, it’s unlikely at present that US firms can catch up. That could mean long-term decline for its telecoms sector and missing out on a huge economic dividend.
“The leader of 5G stands to gain hundreds of billions of dollars in revenue over the next decade, with widespread job creation across the wireless technology sector,” a Pentagon report warned in April. “The country that owns 5G will own many innovations and set the standards for the rest of the world. That country is currently not likely to be the United States.”
In the meantime, the Trump administration’s initial decision to put Huawei on a trade blacklist will only have strengthened Xi Jinping’s arguments at home that China is still too reliant on the US for key technology components.
Roslyn Layton, co-creator of ChinaTechThreat.com, member of the Trump Transition Team for FCC, argued via email that “Huawei is in a death spiral”.
“If Huawei doesn’t have access to the essential patents from Qualcomm, Huawei is out of business. Huawei can’t make 5G equipment without these patents,” she added.
This may be true. But you can be sure that it and more generally the Chinese state will be working hard to become self-sufficient in these components. Deals like the G20 one simply buy them more time. The long-term picture for US tech suppliers with major markets in China and the many thousands of businesses waiting for 5G networks is far from rosy.
Credential stuffing has been around for years. But the signs are that 2019 might well be a stand out year, as the black hats start to monetise the huge volumes of breached identity data flooding the dark web. While historically many firms’ response has been to blame customers for poor log-in security, this approach is not going to wash going forward. To protect the brand and bottom line, they need to be more proactive.
I spoke to some experts for an upcoming Infosecurity Magazine feature to better assess the scale of the challenge, and what can be done to tackle it.
At its heart, credential stuffing is a pretty straightforward attack. Take large volumes of username/password data from dark web troves, many of which are now arranged in easy-to-use “combo lists”, and feed them into bot-powered automated programmes designed to try and unlock other accounts. Because users share passwords across multiple sites, the hackers will usually succeed: which is bad for consumers and possibly enterprises, if those accounts are corporate ones.
“I’ve seen password reuse on corporate accounts many times and it’s a standard operation to check our password leak database during the reconnaissance phase in every red team engagement,” SANS Institute certified instructor, Matthias Fuchs, explained to me. “Still, many organisations allow outside access to some corporate services like webmail. If they don’t use MFA there, the accounts are at equal risk as on private platforms. After all it’s just another website to try the creds on.”
Experts were agreed that credential stuffing will only grow as we head through the year.
“The sheer volume of credential stuffing attacks since the start of 2019 is alarming. The success of recent attacks against consumer services — TurboTax and Dunkin’ Donuts, to name a couple — is just continuing proof that protecting data instead of protecting identities and people is a failing security model,” Ping Identity CCIO, Richard Bird, told me.
“Unfortunately, organisations are not taking even the most basic steps necessary to thwart these types of attacks, so it’s likely that they will continue to proliferate. Companies must come to the table with better security solutions for their customers. Leveraging available technologies like MFA, device fingerprinting and artificial intelligence to detect anomalous behaviours are just a few steps that can be taken to protect customers and their data.”
Shape Security director of engineering, Jarrod Overson, claimed that credential stuffing would increase “at the rate that bandwidth and hardware allows.”
“Credential stuffing, like all attacks, involves a cost/value justification for the attacker and, right now, it costs virtually nothing to execute an attack that can take over thousands to millions of accounts,” he told me. “Without automated defences in place then an attacker’s best interest is to execute an attack as rapidly as possible to get results before the company recognises and puts in countermeasures. Even with protections in place, Shape recorded its biggest attack ever in January with nearly three billion attacks against one customer in one week against one user flow (the login).”
The bad news is that the black hats continue to evolve their tactics.
“Attackers are getting more creative in how they use personal information to either reset accounts, gain trust or establish online access to accounts. I think one big issue is that attackers are getting smarter in how they use the information and how they monetise stolen information,” SANS dean of research, Johannes Ullrich, told me.
“In the past, there used to be some obvious ways to monetise stolen information, like credit card theft. But the value of this information has been steadily decreasing because first of all, there is already more information out there then can be used, and entities like banks are getting better at blocking access. But attackers are slowly discovering the social component of this. They are now better able to identify trust relationships and to use leaked data to authenticate and take advantage of these trust relationships.”
Overson and his team are seeing the same patterns as cyber-criminals look to ape human behaviour in new ways.
“These advanced attacks involve the exploitation of mobile applications, browser extensions, or third-party scripts to drive the behaviour of an application even after a user has logged in,” he said. “We’re calling the trend towards attacks that simulate human behaviour ‘Imitation Attacks’ — this is an umbrella term that encompasses all illegitimate transactions made seemingly on behalf of a real user. This includes advanced phishing attacks, credential stuffing, password spraying, and other attacks that exploit the inherent functionality of an application.”
The big question for CISOs is how to stop it. Credential stuffing could lead to compromise of enterprise accounts, enabling multi-staged info-stealing raids or BEC attacks. It could also have a devastating knock-on effect on customer confidence and brand loyalty if consumer accounts are hijacked en masse.
For Overson, the answer is rapid response, but countermeasures which should also be removed when the attack subsides. He also recommends a “variable” response, which will make it harder for hackers to predict what defensive tactics the white hats are going to use next.
“There is no silver bullet against automated attackers, because the actors behind the attacks are human adversaries who will always attempt to retool around defences. The paths attackers are taking are the same paths that our users are taking and too much security-related friction in critical user experience flows leads to loss of revenue and business,” he warned.
“Mitigation requires fast-moving collaboration across teams along with security vendors to roll out targeted countermeasures for specific attackers while leaving average users unaffected. As attackers start to retool with more artificial intelligence and machine learning then rapid, limited, variable feedback becomes even more important.”