Every year, cybercriminals develop more sophisticated methods. Now, they are even adding machine learning to the mix. At the same time, the attack surface available to them is growing – thanks to 5G, which will connect billions of IoT devices, and give every enterprise the ability to run its own private network…
2020 was a chaotic and confusing year for the world. But not everyone suffered. Manufacturers of hand sanitiser prospered. Video conferencing providers did extremely well.
And then there were the cyber criminals.
The pandemic re-arranged the world in ways that suited them perfectly. The rise of remote working pushed enterprises – and their staff – to rely more heavily on complex cloud-based IT systems.
Organisations struggled to master this new infrastructure. Indeed, according to The 2021 Thales Global Data Threat Report, 46 percent of security professionals said their infrastructure was not prepared to handle pandemic-induced risks.
Regrettably, this offered criminals many opportunities to refine their techniques and strike at historically vulnerable people and businesses.
And strike they did.
According to the 2021 SonicWall Cyber Threat Report, criminal activity soared. It noted the following alarming statistics:
• Ransomware attacks up 62%
• 109.9 million detected instances of Ryuk ransomware, which encrypts essential files and demands a large ransom for the key
• 268,362 ‘never-before-seen’ malware variants
• 56.9 million IoT malware attempts (66% up on 2019)
One key reason for the rise in activity is the sophistication of the methods available to cybercriminals.
Automated tools reduce the attackers’ problem of scale. Today’s hackers are trying to hit as many targets as they can, while at the same time reducing risks to themselves. Automated systems can do this far more efficiently than humans.
Philippe Monot, Director of Marketing for Cybersecurity Services at Thales, uses a home invasion analogy to explain the situation.
“An enterprise is like a castle with thousands of doors and windows,” he says. “Attackers want to find the single door or window that’s unlocked. It’s not so easy to do this manually. But with automated tools they can systematically test them all.”
Regrettably, the price of these sophisticated tools is tumbling – putting this powerful technology within the reach of more and more criminal gangs.
Attackers can buy off-the-shelf cloud-based products on the dark web. They don’t even need to be IT-proficient to use them. According to McAfee, cybercrime has become so ‘professional’ that some hackers even provide 24/7 technical support for customers who do not have a strong computing background.
Their ‘customer-friendly’ services even extend to business models. Criminals can access payment options including revenue share and pay-as-you-go – which are bringing more and more participants into cybercrime.
Bill Conner, President and CEO of SonicWall, concludes: “Technology is moving at an unprecedented rate. Threats that were once thought to be two or three years away are now a reality, with do-it-yourself, cloud-based tools creating an army of cybercriminals armed with the same devastating force and impact of a nation-state.”
To make things worse, criminals are now building tools that themselves use AI. These tools will increase the number of attacks while also making them stealthier: AI-assisted malware can enter a system without being detected and then subtly alter it from the inside, rather than simply stealing from it.
William Dixon, head of operations, Centre for Cybersecurity for the World Economic Forum, outlined the threat in a 2019 blog. He said: "The future of cybersecurity will be driven by a new class of subtle and stealthy attackers. Their aim is not to steal data, but rather to manipulate or change it."
Artificial intelligence: both a threat and a defence
As cybercrime becomes more sophisticated and harder to detect, enterprises need to adapt their defences accordingly.
In the new environment, it's no longer sufficient to deploy rules-based detection systems that look for well-known attack patterns. Instead, defence systems also need to detect previously unknown threats – and do so fast.
For this reason, security experts are now investing heavily in their own AI-based tech. The systems are based on two algorithmic approaches.
The first is “supervised”. Here, the system is trained on labelled examples of known attacks and of normal activity, and then classifies events in vast streams of mixed-type data (endpoint telemetry, network data, OT logging) as benign or suspicious. It is trying to find examples of co-ordinated unauthorised access, malicious actions and so on.
Supervised models also take into account the vertical sector of the enterprise and the type of IT assets it runs, since the same behaviour can be routine in one environment and suspicious in another. In so doing, they recognise known behaviours and use this knowledge to identify future attacks of the same kind. The trade-off is that a supervised model only flags what resembles the examples it was trained on.
A good example of an AI-based detection system is Thales Cybels Analytics. The company says the solution can reduce the time taken to detect advanced persistent threats from three months to just a few days.
Cybels Analytics also presents its results via an easy-to-use graphical interface. This is important, as it lets users run their own searches, spot anomalies at a glance and save time at the investigation stage.
Philippe Monot says this approach is already working well for many organisations. “The system can scale to collect hundreds of thousands or even millions of events per second and analyse them in real time to find abnormal behaviours,” he says. “But it can also scale down to monitor specific and sensible perimeters and provide good detection, analysis and response in those situations.”
Other attacks are harder to detect, insider threats for example. When an authorised user behaves unpredictably (intentionally or not), the anomalies tend to be much more subtle.
This calls for an "unsupervised" approach to threat detection. Here there are no labelled examples to learn from: the AI has to study ‘messy’ raw data over a longer period, build a baseline of normal behaviour and group together the events that deviate from it.
But the system cannot assign meaning to these automatically defined groups. An unusual cluster might be data exfiltration, a misconfigured backup job or simply a new project. Only analysts can make that call, leveraging Threat Intelligence databases. For this reason, an AI-based decision should not be acted on unless it can be justified in a way that a human operator can understand.
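The paragraphs above contrast supervised detection, which needs labelled examples, with the unsupervised approach used for subtle insider activity. The following is an added example written for this page, not Thales code and not a description of how Cybels Analytics works. It assumes a constructed log of per-user actions (the log lines, the three features and the 3.5 threshold are all assumptions made for the illustration), builds one feature vector per user and day, scores each against the whole population with a robust (median/MAD) z-score so that no labels are needed, and reports per-feature scores for anything it flags. It deliberately stops there: the output says which features are unusual, not what the behaviour means, which is the analyst's job.

```python
"""Unsupervised behavioural anomaly detection over constructed log lines.

Added example for this article; not Thales code and not a description of
Cybels Analytics internals. The log lines, the feature set and the outlier
threshold are assumptions made for the illustration.
"""
from collections import defaultdict
from statistics import mean, median

# Constructed sample log, one event per line:
# "<ISO timestamp> <user> <action> <host> <bytes_out>"
SAMPLE_LOG = """\
2021-03-01T08:55Z alice login srv-01 0
2021-03-01T09:10Z alice read srv-01 1200
2021-03-02T09:02Z alice login srv-01 0
2021-03-02T09:20Z alice read srv-01 600
2021-03-02T11:40Z alice read srv-01 300
2021-03-01T08:30Z bob login srv-02 0
2021-03-01T10:15Z bob read srv-02 1100
2021-03-02T08:45Z bob login srv-02 0
2021-03-02T09:30Z bob read srv-02 500
2021-03-02T14:05Z bob read srv-03 300
2021-03-01T09:00Z carol login srv-04 0
2021-03-01T09:40Z carol read srv-04 1000
2021-03-02T22:10Z carol login srv-04 0
2021-03-02T22:15Z carol read srv-04 120000
2021-03-02T22:20Z carol read srv-05 90000
2021-03-02T22:25Z carol read srv-06 110000
2021-03-02T22:31Z carol read srv-07 80000
2021-03-02T22:40Z carol read srv-08 60000
2021-03-02T22:52Z carol read srv-04 20000
"""

# Modified z-score (Iglewicz and Hoaglin): |0.6745 * (x - median) / MAD| above
# 3.5 is conventionally treated as an outlier. Assumed threshold for the demo.
THRESHOLD = 3.5
FEATURES = ("events", "hosts", "bytes_out")


def parse(log_text):
    """Yield (day, user, host, bytes_out) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, host, nbytes = line.split()
        yield ts[:10], user, host, int(nbytes)


def daily_features(log_text):
    """Aggregate raw events into one feature vector per (user, day)."""
    buckets = defaultdict(lambda: {"events": 0, "hosts": set(), "bytes_out": 0})
    for day, user, host, nbytes in parse(log_text):
        b = buckets[(user, day)]
        b["events"] += 1
        b["hosts"].add(host)
        b["bytes_out"] += nbytes
    return {k: {"events": v["events"], "hosts": len(v["hosts"]),
                "bytes_out": v["bytes_out"]} for k, v in buckets.items()}


def modified_z(values):
    """Robust z-scores: median and MAD are not dragged around by the very
    outliers we are looking for. When MAD is 0 (common for small integer
    features) fall back to the mean absolute deviation with its own
    consistency constant (1/1.2533)."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    mad = median(devs)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = mean(devs)
    if mean_ad == 0:
        return [0.0] * len(values)
    return [0.7979 * (v - med) / mean_ad for v in values]


def detect_anomalies(log_text, threshold=THRESHOLD):
    """Return [(user, day, {feature: score}), ...] for (user, day) buckets far
    from the population. Scores are kept per feature so an analyst can see
    why something was flagged; the code assigns no meaning to the cluster."""
    feats = daily_features(log_text)
    keys = list(feats)
    scores = {k: {} for k in keys}
    for name in FEATURES:
        for k, z in zip(keys, modified_z([feats[k][name] for k in keys])):
            scores[k][name] = round(z, 2)
    flagged = []
    for k in keys:
        reasons = {n: z for n, z in scores[k].items() if abs(z) > threshold}
        if reasons:
            flagged.append((k[0], k[1], reasons))
    return flagged


if __name__ == "__main__":
    for user, day, reasons in detect_anomalies(SAMPLE_LOG):
        print(f"{day} {user}: outlier on {reasons} -> hand to an analyst")
```

Only carol's second day is reported, on all three features: seven events instead of two or three, five hosts instead of one, and roughly 480 KB out instead of around 1 KB. Whether that is exfiltration or a legitimate late-night migration is exactly the question the tool cannot answer, and the per-feature scores are what makes the flag explainable to the operator who has to.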
Perhaps the most pernicious threat from AI-based crime comes from social engineering. Here, cybercriminals use AI systems not to launch a coordinated attack on an entire network, but to deceive an individual.
It’s already happening. In March 2019, the CEO of a UK-based energy firm took a call from his German boss, who instructed him to send $243,000 to a Hungarian supplier. It was urgent. Do it within an hour, he was told. He sent the money.
But the caller was not his boss. It was a cybercriminal using AI-based voice-altering software to imitate the boss's voice and German accent. This was believed to be the first voice-spoofing attack of its kind in Europe.
It worked because the cybersecurity tools of the time were set up to detect known malware or unusual patterns of activity in corporate data. None of them could spot a spoofed voice on a phone call. The countermeasure here is procedural rather than technical: an urgent payment instruction received by phone should be confirmed through a separate, already-known channel before any money moves, however convincing the voice.
The story once again illustrates the cat-and-mouse nature of technology and cybercrime. Law enforcement and tech firms know they are in a constant race to stay ahead of the cybercriminals.
They accept that every tool they develop to detect and repel attacks can also be turned against them.
Could 5G make cybercrime worse?
For all the excitement around 5G, security experts know it has the potential to usher in a wave of entirely new threats.
Why is this? Because 'standalone' 5G is an entirely new type of network, built on virtualised infrastructure: the 5G Core replaces what were (mostly) physical network elements with software functions.
In previous cellular generations, the core ran on proprietary hardware and software. This provided a level of protection, not least because few outsiders could study it. Indeed, mobile networks largely avoided the data theft that has hit the traditional computer industry.
The move to a virtual 5G core could change that. It uses standard IT building blocks (commodity servers, virtualisation and containers, and web protocols such as HTTP/2 between core functions) that attackers already know well. This could make it much easier for malicious users to break in.
Indeed, in a recent survey conducted by Telecoms.com, when respondents were asked what their main concern was about 5G security, more than 40 percent said the use of unsecured network technologies concerned them most.
To compound this threat, the targets might well be ‘private’ 5G networks run by enterprises.
Why? Because the vast capacity of 5G lets mobile network operators (MNOs) partition the network into multiple isolated virtual networks that run end to end over the same physical infrastructure. This is called ‘network slicing’. MNOs can allocate slices to enterprises, so that these organisations can run their own mini-networks customised to their needs.
Yet many of these enterprises will lack the security expertise that running a network demands. A slice isolates the enterprise's traffic from other tenants, but it does nothing to secure the devices and applications the enterprise attaches to it.
The other potential new vulnerability created by 5G is its increased attack surface.
More capacity means more connected devices. And most of these devices will not be smartphones with a user and a patch cycle behind them. They will be unmanned sensors, meters, trackers – every one a potential entry point for hackers.
GSMA Intelligence forecasts that IoT connections will reach almost 25 billion by 2025. The industry needs to make sure that these devices build in security by design (unique per-device credentials rather than default passwords, signed firmware updates, and a way to patch them in the field) if it is to prevent damaging attacks.
Test, detect, analyse, respond: the Security Operation Center
Without doubt, the threat from cybercrime is growing every year. Hackers have more and more sophisticated tools at their disposal. Meanwhile 5G is set to vastly increase the number of connected devices through which they can gain access to enterprise data.
To counter the threat, companies need to do more than simply repel attacks as they happen. They need to prepare, test and analyse.
And the best way to do that is by setting up a Security Operation Center (SOC).
A SOC is typically an organisation built on people with the right expertise, on processes and on tools. The tools can be deployed on premises or consumed as cloud services, and the SOC itself can be wholly or partly outsourced to a Managed Security Services Provider (MSSP). In all cases, it acts like a central command post and control tower, examining data from across the organisation's IT infrastructure.
The SOC’s work typically starts with a vulnerability assessment. This can take a lot of work, given the sheer number of infrastructure components at risk – servers, networks, desktops, applications, gateways, security appliances and more.
When the vulnerability assessment is complete, the SOC can start its work of defending the organisation. It does this in five ways:
- Protection by design. To return to the castle analogy, the aim here is to make the walls thicker and ensure the doors are locked.
- Testing. SOC operatives can launch ‘safe’ cyberattacks to gauge the effectiveness of the defences.
- Detection and analysis. By collecting and correlating alerts from the IT infrastructure, the SOC can flag and prioritise suspected attacks. These are analysed in depth so that the response is accurate.
- Response and remediation. When an attack is detected, it can be advisable not to act immediately. Better to understand the true nature of the threat, the initial attack vector and the attacker’s objectives, then deploy an appropriate response. The exception is an attack that is actively destructive, such as ransomware encrypting files, where containment cannot wait for the full picture.
- Threat intelligence. All the above functions are effective only if the cyber experts have enough information on the threat landscape: the attackers’ tools, objectives and means, and the related risks for their organisation.