By Jon Loew
Great authors don’t reveal too much of the villains, monsters, or evil entities in their work. They learned long ago that the audience is almost always disappointed when they try. As CEO of a cybersecurity vendor with products and services defending government, corporate, and consumer computers all over the world, my colleagues and I are frequently asked ‘what were last year’s scariest cyber attacks?’ This question is almost as difficult to answer as judging the funniest comedian. Many of our peers put out good opinions. All of them are flawed, including our own. That said, if you’re reading this, you’ve undoubtedly seen cyber attack headlines. Which ones should be regarded as the scariest? None of them. This isn’t fiction, and the truth of our cyber reality is far scarier than you know. Seriously, the term ‘ignorance is bliss’ has never been truer than in the context of cybersecurity. You may be happier not reading further.
Let’s look at three of the most reported cyberattacks of 2017. The first two are closely related. They were ransomware attacks named WannaCry and NotPetya, infecting hundreds of thousands of computers worldwide. These are the computers that were hacked via an unpatched kernel-level component in older Windows machines. Yet the attack cycle was actually quite crude. More clever post-exploit tactics would have been even harder to block or detect. NotPetya exploited the same vulnerability as WannaCry but didn’t limit its spreading mechanism to just that exploit. Instead, it used lateral movement tactics to steal high-privilege credentials and gain a foothold on otherwise non-vulnerable machines. This made NotPetya more dangerous than WannaCry. But even so, both had another characteristic in common: they outed themselves yet collected little ransom.
Equifax is the third big headline hack. The adversaries made off with personally identifiable information for millions of people. Such information can be used to conduct identity theft and fraud. Over six months later, where are the reports of dramatically increased identity theft and fraud? Pundits and writers alike wrote of this potential. I too worried. But something else concerned me even more: what if there was no great spike in fraud? If none, that might suggest that little of that data was truly new to the dark web. And if this were so, then the data had already been acquired from the thousands of smaller reported attacks and the countless others that never made the news. Did you see that headline? I didn’t. Similarly, a Japanese airline was hacked in flight, and it went almost completely unreported. Allegedly, the flight was hacked and the hackers actually gained control of the aircraft, adjusting the altitude from a remote location. This was a small instance that didn’t lead to a big trend, which, like the smaller reported attacks, flew under the radar – no pun intended.
Now, from online data breach databases, you’ll find a number of organizations with two or more breaches in the same year. Consider also a single statistic from the “2017 Cost of Cyber Crime Study” by Ponemon, sponsored by Accenture: each surveyed organization reported an average of 2.5 successful attacks per week. That equates to 130 ‘successful attacks’ per year. Some industries are required to report data breaches that meet certain criteria. Not every endpoint compromise is a data breach. But consider the likelihood that they are greatly under-reported. People solve great problems when faced with irrefutable facts. Otherwise, great problems fester.
I’m speculating that the vast majority of these ‘successful attacks’ concern an end-user’s endpoint. If it’s just a laptop, no disclosure. But how does one know only that laptop was impacted? Did you know that most endpoint protection software products are incapable of blocking the kind of pass-the-hash/pass-the-ticket attacks that enable the adversary to spread to the rest of the enterprise? Their interim goal is to compromise what is called a Domain Admin account. In a Windows environment, that generally means the adversary can eventually do and get anything. Did you know that good penetration testing firms seldom fail to gain Domain Admin with their clients? The adversaries’ tools are getting better and easier every year, such that mediocre cyber criminals can gain Domain Admin within hours or minutes while leaving less and less behind that might be detected or examined via forensics. The average breach discovery time is measured in weeks or months. One never absolutely knows the full extent of a breach. This contributes to more under-reporting.
Most CISOs suspect that over half of their cyber defense costs are downstream from the compromised endpoint. Most endpoints are protected by ineffective tools, and they have been for years. This has led to a ‘detect and react’ posture. The enterprise maintains layers and layers of tools and personnel to detect, contain, and restore all affected systems sometime after the adversary has ‘successfully attacked’. Labor costs keep increasing, yet the breaches continue.
The enterprise-wide cost is difficult to quantify because of the differences in how organizations categorize their spending on tools and personnel. You may know that the increased credit card and banking fees you have been paying as consumers are manifestations of these cyber costs. But every enterprise is affected. It is a massive tax on the economy. Yet, this tax pales in comparison to the value of the stolen intellectual property and proprietary information. The impact is fewer jobs and less economic growth.
Everyone pays for cyber crime, yet nobody knows their share. So, the breaches continue.
The scariest attacks of 2017 don’t have a name. They are not featured in the headlines. They are the unreported and the under-reported. The cyber criminals are not undefeatable, supernatural, evil entities. I’ve seen good people with the right tools and practices defeat them. There were practical solutions that would have defeated every cyber attack headlined in 2017.
What scares me most from 2017 are the acceptance of the status quo as good enough, the inertia obstructing meaningful change, the acceptance of breaches as inevitable, and the lack of precisely quantified costs. These keep good people from making good choices.
About Jon Loew
Aside from his duties as Board Director of AppGuard, LLC, Jon serves as CEO of KeepTree, Inc. In that capacity, Jon has overseen the development of the web and mobile applications of the KeepTree platform and established partnerships with the National Basketball Association, Sony Corporation, World Wrestling Entertainment, and various parts of the U.S. Military. Jon has also recruited top executives from the United States and Japan to serve as full-time executives, Advisory Board Members, and Board Directors.