The generation born between 1960 and 2000 has witnessed the greatest transformation in technology ever seen: personal computers, digital bulletin boards, the Internet, social media, mobile and smart phones, and now applications and data that both live in the cloud.
This transition brought new challenges, especially in the field of computer security. In the late eighties and much of the nineties, viruses became an issue for the industry. It was then that ESET began developing technologies to detect and remove them.
However, as cybercriminals began to spread new and more impactful threats, the motivation behind them changed as well. The creators of early viruses wrote code that mainly caused disruption; the intent was to prove what could be achieved.
With the arrival of the 21st century the motivation shifted, and we saw the first social networking viruses that stole personal data such as IP addresses, email addresses and contact lists and sent it to anonymous email accounts.
As an example, we can look at the virus that targeted users of Microsoft MSN Messenger and similar chat and bulletin-board services in 2008. That case produced an interesting point of intersection: some of the world's largest websites subsequently used code identical to that of the virus to track web users for advertising purposes.
This focus on the theft of personal data continues. Cybercriminals' main aim is now monetization through malware, which saw 2017 globally recognized as 'the year of ransomware'. Financial reward remains the key motivator in its newest incarnation, coin-mining (malware that hijacks the victim's CPU to mine cryptocurrency for the attacker).
That point of intersection is not an isolated case. Code is code, whether labeled clean or malicious; what it is used for is ultimately down to the motivations behind its deployment. It is also a reminder that technology cannot fight itself by itself. Instead, integrated risk management (IRM) strategies must run in parallel with the technology, tracking both changing motivations and advances in the tools available to attackers.
In 2010, Stuxnet appeared: malware with a more dangerous motivation, destruction. Allegedly the first state-sponsored malware, Stuxnet fed operators healthy-looking operational data while, at the same time, the industrial processes it had hijacked tore the affected equipment apart for no apparent reason. The motivation behind the malicious code had evolved again.
In 2015 power outages in Ukraine caused by BlackEnergy demonstrated that malware could be used in ways we had only seen in Hollywood films, throwing about 230,000 people into darkness for up to six hours. It was followed by Industroyer in 2016, which caused another blackout of around one hour. That attack showed a deep understanding of industrial control systems and their protocols, not a standard skill set in a cybercriminal's repertoire.
There is much speculation as to who is behind major infrastructure attacks able to black out cities. Are they just proofs of concept for more complex and widespread events we may see in the future? Governments are concerned. The U.S. Department of Homeland Security, for example, designated last November 'Critical Infrastructure Security and Resilience Month'.
If the motivations of destruction and monetization converge in cyberattacks, then we could be seeing the next evolution in ransomware. Cybercriminals targeting the critical infrastructure of buildings or campuses (power, HVAC, access control) could bring an organization's operations to a halt. Ultimately, increased connection brings increased risk of being exploited.
What’s all this got to do with the risk to enterprise and businesses in general?
When asked how and where these motivations affect the choice of a security partner, I would point to the phenomenon of rushing to deploy solutions based on the promise of sweeping new technologies, for example Artificial Intelligence (AI) in cybersecurity.
However, defining exactly how AI may come to protect us isn't so straightforward. We've found that most IT professionals don't really know the difference between AI and Machine Learning (ML), the narrower, algorithm-based technique that cybersecurity engineers actually employ in their products. Meanwhile, the tough task of integrated risk management may suffer.
Maybe you'll get lucky and be attacked only in ways that machine learning algorithms understand. But it has become increasingly clear that relying solely on technology to avert damage to business and infrastructure is not enough; that damage can only really be mitigated through IRM and a strong vendor relationship. Recent persistent, targeted and diverse cyberattacks have demonstrated as much.
Malware outbreaks like WannaCryptor (also known as WannaCry), while not specifically targeting infrastructure, can still bring transport and health systems to a standstill. In the days that followed the attack, an independent security lab, MRG-Effitas, tested security solutions to see which products blocked the underlying exploit, EternalBlue. Only three passed the test, one of which was ESET. It is worth remembering that EternalBlue abused a flaw in SMBv1 that Microsoft had already patched in March 2017 (MS17-010); blocking the exploit at the endpoint was the safety net for the many systems that had not yet been patched.
Security partners need to demonstrate the resources and motivation to look beyond the capability of machines and the data used to train them. With WannaCryptor, that meant understanding root causes and motivation; with Industroyer, the methods used to attack infrastructure.
Imagine the scenario mentioned earlier, in which code from the virus built to target users of MSN Messenger was reused by legitimate website developers to track visitors for advertising purposes. What if this happened in reverse, with malware powered by ML/AI? Malicious actors could turn 'good tech' to bad purposes, unleashing destruction or monetization on a new scale. To be combated, the threat must first be understood.
Don't despair: as both cybersecurity vendors and buyers, we need to look beyond narrow, technology-focused vistas and employ a wider integrated risk management lens. This allows us to view cybersecurity as a holistic landscape, full of points of intersection, with more always appearing on the horizon.
If you happen to be attending the Gartner Security & Risk Management Summit next week, check out my presentation, 'Malware of mass destruction: hype, myth or reality?'. And remember, while technology can help organizations manage the flood of threats, it is the human-led components of cybersecurity that allow enterprises, organizations and individuals to keep benefiting from, and enjoying, safer technology.