5 Network Security Takeaways from the 2019 Threatscape Report

by Bricata on October 1, 2019

Cybersecurity has long been a game of cat and mouse and that’s the context for the 2019 Threatscape Report. The threat intelligence team at Accenture iDefense developed the report by examining available information for the first six months of the year and identified “five factors that are influencing the cyberthreat landscape.”

In summary, those five factors boil down to:

threats emerging from the combination of disinformation and technology evolution;
an evolution in cybercrime organization and methods;
mixed motives create new risks in ransomware;
supply chain risks; and
side-channel vulnerabilities in infrastructure.

The report is very thorough – running more than 100 pages – and we reviewed it for the findings most related to network security and surfaced these takeaways.

1) Disinformation and technology evolution.

The report likens disinformation to hacking. Where cyber-attacks are enabled by network speeds and global connectivity, those same resources can be used to spread disinformation and “hack” hearts and minds.

The authors list several techniques for spreading disinformation including:

Sponsorships Available

Information operations enabled by “the openness and speed of communications in cyberspace, sometimes drawing on cyberthreat operations such as hacking, distributed denial-of-service (DDoS) and defacements, are considered a particular threat”;

Creating inauthentic social profiles to gain trust or conduct surveillance;

The increased network speeds of 5G is expected to bring “local processing of data by so-called edge servers and base stations” with local control that risks becoming a target to “tamper or spread disinformation to 5G users”;

Forging “deepfakes” by using AI to create authentic-looking images and videos “could be used for anything from discrediting or blackmailing a political opponent, rival company or extortion target.” These tools could also be used “during target reconnaissance on social networks or social engineering campaigns.”

The report details many case studies. One example in financial services stood out to us because we have customers in that vertical:

“The financial services industry – and, more specifically, high-frequency trading algorithms, which rely upon fast, text-driven sources of information – are likely to be targeted by large-scale disinformation efforts in the future.”

The report anticipates adversaries will continue to develop new tactics, techniques and procedures (TTPs) as new technologies provide new capabilities.

2) The evolution in cybercrime organization and methods.

Traditionally, cybercrime has been motivated by financial gain. That shows no sign of slowing, even as other forms of cybercrime evolve “to reduce risks of detection and disruptions.” The report breaks this evolution into four categories it labels, “conventional cybercrime operations, localized cybercrime, targeted attacks and “hack ‘n’ hustle.’”

Conventional cybercrime operations. High profile law enforcement activities have caused cybercrime groups to “shift their operating model from one of open partnerships on underground forums to one of close-knit syndicates.”

Localized cybercrime. Local “underground economies” are emerging target “domestic populations due to familiarity with their own societies, cultures and environments.”

Targeted attacks. These are “big game hunting” attacks that are financially motivated. Targeted attacks are carried out using “commodity ‘crimeware’ available for download or purchase from underground forums and marketplaces and frequently uses legitimate penetration testing tools.”

Hack ‘n’ hustle. This a new threat where adversaries gain illicit access to a network and then sell access “to deliver ransomware rather than carrying out advanced intrusions.” The authors identify two known groups suspected of selling access to networks in this fashion since the beginning of 2019. Analysts are moderately confident at least one of these groups relies on compromise Remote Desktop Protocol (RDP) connections for this purpose.

3) Mixed motives create new risks in ransomware.

Ransomware has traditionally required human interaction for delivery – clicking on a malicious link in a spam email for example. However, the sale of network access opens up a new method of delivery:

“…threat actors appear to be planting ransomware directly on networks by purchasing from underground communities Remote Desktop Protocol (RDP) access to compromised servers obtained through vulnerability exploitation and RDP brute forcing.”

Complicating this new vector for ransomware attacks is a shift in motivation:

“Some threat actors use ransomware for destructive purposes, in addition to, or instead of, financial ones.”

And later added the motivations are blending:

“While the motives behind such an attack may appear to be financial, targeted ransomware attacks may at times serve hybrid motives, whether financial, ideological, or political.”

The report makes several recommendations for mitigating the risk of ransomware attacks that include basics such as keeping anti-virus software updated, patching system vulnerabilities and backing up data. You may also find these five fundamentals for mitigating the risk of laterally spreading malware helpful.

4) Supply chain risks and M&A.

The supply chain presents adversaries with the opportunity to target smaller organizations – with “less-robust” cybersecurity preparation – that are connected to larger organizations both virtually and physically through portals, networks and relationships:

“Cyberthreat actors have identified supply chains as an effective means to infiltrate victim organizations. Even in industries like aerospace and defense in which most companies have adopted mature security hygiene practices or in which the regulatory landscape has forced such adoption, supply chains still present risks.”

The report identifies supply chain risks to cloud hosting, accounting providers, IoT devices and also poses risks to financial transactions like mergers and acquisitions (M&A):

“M&As present unique challenges related to politically motivated cyberthreat campaigns and cybercrime because one of the entities in an M&A could run the risk of inheriting current and future vulnerabilities and risks associated with the other party. If one of the entities is unknowingly a victim of a previous compromise, once merged, the adversary could potentially inherit a new victim as well.”

In a separate but related point about cybersecurity and M&A – we recently published a case study demonstrating how we helped a large healthcare provider securely connect to the networks of newly-acquired medical practices. The case study is freely available for download without registration.

5) The cloud prompts side-channel vulnerabilities.

The cloud offers well-documented benefits and businesses have increasingly moved to the cloud. Yet the cloud migration has prompted researchers, and perhaps provoked adversaries, to search for and discover side-channel vulnerabilities in the cloud infrastructure:

“The side-channel vulnerabilities affect most modern microprocessors, servers and workstations alike. However, the largest risk occurs in one major class of services – cloud computing.”

Multi-tenant public cloud services are desirable targets because a successful side-channel exploitation provides access to other hosts on a shared server. The report says there are steps organizations can take to mitigate the risk, but the right approach will vary.

Further, side-channel vulnerabilities are changing the traditional boundaries of how and where services providers and their customers assume risk. That reinforces findings we observed in the 2019 Cloud Threat Report published earlier this year by Oracle and KPMG.

The report concludes by underscoring the notion that cybersecurity is a continuous process and not an event. What is defending the enterprise today, may not work tomorrow, as adversaries will continue to evolve and develop novel ways to defeat defenses. To that end, security risks are best viewed as business challenges just as businesses view “the disruptive forces that are changing their industries.”

The full report is freely available for download without registration on the Accenture website.

If you enjoyed this post, you might also like:
What the Top 25% of Cybersecurity Pros do Differently in Strategy, Risk and Communication