January is traditionally a time to reflect on the past year and look ahead to the next. In this blog we review last year’s most important developments and consider what 2017 holds in store for us. We’ve selected a number of issues for you.
Looking back at 2016: espionage, cybercrime and new legislation
Unrelenting espionage, including in the Netherlands
Espionage continued unabated, and also targeted Dutch interests. In 2016, we investigated cases where countries including Russia, China, and the US may have been engaged in espionage. That will come as no surprise, but the events surrounding the elections in the United States were especially notable for the fact that information obtained from successful hacks was used to influence them. This led to public speculation on whether the elections in the Netherlands could be similarly affected.
Ransomware remained the most visible threat
The most visible threat in 2016 was ransomware, which – continuing the trend of 2015 – once again claimed many victims. Since the end of 2015 larger organizations have become likely targets of this crime. Criminals stand to gain much more from these attacks than from those on home users, because larger ransoms can be demanded, often running to tens of thousands of euros. In 2016 Fox-IT investigated several such targeted attacks in the Netherlands. The untargeted attacks on home users in 2016 mainly involved misusing the identities of PostNL, T-Mobile, and Ziggo. In this context we responded to several requests from our clients to closely analyse ransomware to find out whether it had the capability to collect and divert personal data. This demand was driven solely by the new Data Protection Legislation.
Credit cards and more microbreaches
Credit cards remain as enticing to criminals as ever. It is striking that the Backoff malware (known malware with specific modules for point-of-sale systems) is now being used more frequently for what are known as ‘microbreaches’. These are attacks on small retail outlets with the aim of gaining credit card information. Criminals benefit from the fact that it is difficult for credit card companies to ascertain the origin of the fraud. Another group being monitored by Fox-IT, the Navigator group, appears to be extending its focus to the hospitality sector – to hotels in particular.
Major bank robberies
At the top of the criminal ecosystem we find several groups actively engaged in committing major bank robberies. In 2016 close attention was paid to compromised banks that had lost a lot of money in attacks. Most of the attacks were promptly intercepted by SWIFT, the international payment system with 11,000 member banks, or by the banks themselves. But attacks in countries including Bangladesh, Vietnam, Ecuador, and the Philippines were not thwarted. Among other things, Fox-IT helps SWIFT to boost the security of international bankers by improving the exchange of information on SWIFT’s customer security, in partnership with the organization’s Customer Security Intelligence team.
Behind the scenes at Fox-IT
FoxCERT, Fox-IT’s incident response team, took action 187 times in 2016. There is no doubt that the average volume of the cases we handled rose compared with 2015. Helping clients who unexpectedly find themselves facing an incident is extremely rewarding work: it gives us the chance – under great pressure – to show what Fox-IT can do to solve our clients’ problems when it really matters. That goes some way to explaining why satisfaction among clients who call on FoxCERT’s services has exceeded the 9/10 mark for years.
Although the work at Fox-IT’s Security Operations Centre is carried out under less pressure and on a less ad hoc basis, it is actually even more important. This is where our people monitor the infrastructure of affiliated clients 24/7 in order to promptly alert them to incidents. Before alerting our clients, we analyse and verify the information to make absolutely certain that it isn’t a false alarm. So if we call you, you can be sure that something’s wrong. Our cyber threat management platform distilled a total of 55 million raw alerts into 43,000 potential incidents that were investigated by our experts. In 2,973 of these cases the incident called for an immediate response; on each of those occasions we alerted the client at an early stage and thus helped them to minimize the impact.
Looking ahead to 2017: fines for data leaks, elections, and extortion
Fines for data leaks
Last year was the first year of the notification requirement for data leaks: who reports what, and what is reported? There was a clear trend in which our clients wanted a more in-depth investigation of potential data leaks. We also saw the Dutch Data Protection Authority (Dutch DPA) taking a more active approach in the second half of the year. Organizations that made a report increasingly received a letter or phone call from the Dutch DPA instructing them to immediately provide clarification and inform any people affected. No fines were imposed, but we expect that to change in 2017. The fines probably won’t be given for the report itself or for how the investigation was conducted, but for the underlying cause of the report, with the Dutch DPA likely to be more severe if it turns out that an organization’s IT security was seriously under par.
Passing on fines to IT & Security suppliers
We expect that organizations fined under the Data Protection Legislation will pass on the fines to the processors, which are usually IT & Security service providers. Whether these claims will succeed is another matter altogether, but this is bound to create new dynamics between IT & Security suppliers and their clients. This will draw more attention to the importance of cyber security among customers and will prompt IT & Security suppliers to improve the security of their IT products and services.
Close-run elections, and what happens next?
The Dutch general election is due to be held on 15 March. Following on from events in the United States, this has led to a public debate in the Netherlands about the possibility of elections being tampered with by foreign powers. Enhanced awareness is always a good thing, but there’s nothing new about the threat: espionage and online interference have been around for decades, and nothing will change after the elections either. A serious incident could have an impact of DigiNotar proportions. And even if there are no incidents, it’ll be just as important not to allow our attention to wane after the elections. We anticipate that the new government will invest substantially in cybersecurity, amounting to between five hundred million and one billion euros.
Extortion: on the rise and hard to stop
The threat of ransomware will remain a problem for many years to come, and is much harder to get to grips with than, for example, online banking fraud. When it comes to ransomware there is no single party that is able to monitor and control the money flows. In the case of online banking fraud that single party was the bank, which was therefore able to tackle the problem with great success. Ransomware, and for that matter online extortion in general, which involves payment in bitcoin, is much harder to deal with. Criminals are also experimenting with forms of extortion that need no ransomware at all, as we saw at the beginning of January 2017 with the attacks on MongoDB database systems that had been placed online without any security owing to misconfiguration. A related issue is extortion using DDoS attacks: a popular criminal activity in 2016 and very likely to stay that way in 2017. We will also see IoT devices again being used for mega attacks. The threat of extortion is rising rather than declining, and it is a matter for each organization and individual to make sure that they are adequately protected.
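The MongoDB extortion wave mentioned above hinged on a configuration mistake, not on malware, so the defence is configuration too. The following mongod.conf fragments are an added illustration and are not from the original post or from Fox-IT: the first shows the kind of setting that leaves a database reachable and unauthenticated, the second the corrected form. The interface address 10.0.0.5 is a placeholder for an internal application-network address.

```yaml
# Weak configuration (constructed example): the server listens on every
# interface and there is no 'security' section, so anyone who can reach
# port 27017 gets full, unauthenticated access to every database.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# Corrected configuration: bind only to loopback and the private
# application network (10.0.0.5 is a placeholder), and require every
# client to authenticate and to act within its assigned roles.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

Enabling authorization on an existing deployment requires creating an administrative user first (MongoDB allows this over the localhost connection before any user exists); after the restart, an unauthenticated `listDatabases` from a host outside the private network should be refused, and a firewall rule in front of port 27017 is a sensible second layer in case the binding is ever loosened again.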
But also: 2017, plus c’est la même chose
Let’s be honest: unfortunately, not much will be changing when it comes to security in 2017. In 2017 the most determined hacks will again start by sending an e-mail, after which criminals or spies will quickly succeed in taking over an organization’s entire infrastructure. There has only been one single occasion when our red team was unable to do this within just a few hours. And we all know that there are still plenty of unpatched and unprotected systems connected to the internet that regularly cause disruption in the form of data leaks, means of extortion, or inadvertent aids to DDoS attacks. We expect to see regulation introduced in the IoT area, but unless the process is stepped up in response to a serious incident this is unlikely to get fully under way until 2018 at the earliest.
As things stand, organizations will continue to say that cyber security is an item on the board agenda and that it will take a bit longer before the strategies have been fully shaped and have filtered through to all levels of a company.
Another thing that won’t be changing is the inequality between the attacker and the defender. An attacker only has to get it right once to gain access, while the defender has to hold off all the attempts. What most people don’t know is that the roles are then reversed! An attacker inside your infrastructure has become the defender and now has the task of remaining undetected. You, the defender, are now the attacker: you only have to catch the opponent once. This underlines the importance of not only taking preventive measures: you will also need to take a smart approach to detection, limit the impact of a successful attack, and have an effective ‘digital emergency response’ close at hand.