Just where is the Global Cyber-defense Market going, and why is it failing so spectacularly to protect the data assets of the largest and most heavily protected government institutions and corporate companies in the world. It is a great question, particularly when you consider that $167 Billion was spent on Cybersecurity in 2019 and this is predicted to increase to $248 Billion by 2023 [Source: Forbes]. If you ask a Cybersecurity Analyst “what more can organisations must do in order to strengthen their defense line”, you will be told that the threat levels are increasing every day, so organisations need to invest more money into cybersecurity.
If this is true, then it does not answer the question as to why many of the largest and best protected global corporations and Governments institutions worldwide have been victims of major Cyber-attacks despite deploying the most expensive defence solutions in the market. It is apparent to even the most casual observer that successful cyber-attacks are happening at an alarming frequency, and it is happening to trusted institutions where we all believed our private data was secured and impenetrable from unscrupulous fraudsters, criminals or even state sponsored hacking by some rogue Governments.
Companies like Gartner have made fortune advising clients on their assessment of the best security products in the market. They even created and promoted their Magic Quadrant of cyber vendors product capabilities, a league table which many clients interpret as a ‘magic bullet’ and the simple answer to all their cyber security concerns. Many companies are aware that Cybersecurity is a complex issue, and they use Gartner to compensate for gaps in their knowledge and because they do not have the resources to assess all the products in the market. Most Corporations and Government organisations deploy a ‘defense in depth’ strategy which results in them deploying multiple expensive Cybersecurity products with overlapping capabilities – expecting improved security protection through deploying multiple security products.
So why are cyber-attacks becoming more commonplace in large corporations and Government agencies, and what hope is there for the rest of industry that do not have the deep pockets of global organisations? Clearly the answer cannot be that the current cyber-defense strategies are working, and increasing cybersecurity budgets by 38% every four years is the answer.
To best understand the scale of the problem, let’s look into some recently notified, large organisation security breaches, reported over a four-week period between 20th November and 17th December 2020. It is important to note that we have only selected a small number of notified, and publicly acknowledged cyber-attack incidents.
20th Nov 2020 – Manchester United Football Club (www.manutd.com)
Manchester United computer systems were hacked in November 2020 which resulted in staff being unable to access email and some other functionalities for several days. Investigation on the severity of the cyber-attack are ongoing, and while it is believed that their fans data was not impacted, the UK National Cyber Security Centre (NCSC) is assisting Manchester United to determine the nature and extent of this security breach.
For more information on this, see: Manchester United Football Club Cyber Attack
30th November 2020 – Embrear (www.embrear.com)
The Brazilian aerospace giant Embrarer manufactures commercial, executive and military aircraft and are the world’s third largest aircraft manufacturer after Boeing and Airbus. At the end of November the company announced that it suffered a ransomware cyber-attack resulting in the disclosure of data “attributed to the company”. The Cyber-attack resulted in a large volume of data to be encrypted including database servers and backup data.
As a result of this incident, the company initiated its emergency procedures to investigate and resolve the incident and began proactively isolating some of its systems to protect the system environment, temporarily affecting some operations.
For more information on this breach, see Embraer Cyber Attack
5th December 2020 – Leonardo (https://www.leonardocompany.com/en)
Leonardo is an Italian conglomerate specialising in aerospace, defence and security which counts NATO among its customers. As with any large Corporation with highly sensitive and security classified information, they invest significantly in protecting this data with a dedicated security division and multiple Cybersecurity products.
Despite this, two of their former employees implanted malicious code into their systems that had the ability to capture every keystroke typed on their systems for two years, between 2015 until 2017, but was only reported upon and made public in December 2020.
For two years these two former employees were able to export the data from 94 different devices without being detected to a domain name called fujinama.altervista.org. Despite Leonardo deploying numerous Cybersecurity products containing Artificial Intelligence and Machine Learning features, they are still unable to quantify the impact of this Cyber-attack, and three years later all that can be confirmed is that 10GB of confidential data and military secrets has been compromised.
For more information on this breach, see: Leonardo Data Breach
14th December 2020 – Symrise (www.symrise.com)
Symrise is a German manufacturer of fragrances and flavours, whose products can be found in over 30,000 consumer goods and food products including those from Nestle, Coca-Cola, and Unilever. The company lies just outside the leading DAX share index with turnover of over €3.4Billion in 2019.
In December 2020, Symrise AG confirmed that they were the target of Clop Ransomware attack, when 500GB of their data from over 1000 infected devices was encrypted by cyber criminals. The company announced that they shut down all essential systems in order to be able to assess the consequences of the attack and to prevent possible further effects. Plant production was stopped and entire facilities shut down to further investigate the scope and implications of the attack.
Share price fell by 2.3% immediately after the announcement and is expected to remain under pressure until production fully resumes again in the coming weeks.
For more information on this breach see: Symrise Cyber Attack
14th December SolarWinds (www.solarwinds.com)
SolarWinds Inc. is an American company that develops software for businesses to help manage Networks, Systems, and Information Technology infrastructure and security. Their Orion Cybersecurity platform has over 300,000 customers globally including prestigious clients such as AT&T, Ford Motors, Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, US Treasury, US Departments of Homeland Security, US Departments of Defence and Commerce etc…. Microsoft also uses the SolarWinds Orion product and incorporates it into some of their own security products which they sell to their customers.
The Solarwinds Orion Cybersecurity product itself became the target of a Cyber-attack, with the software product updates being infected with the SUNBURST malware which created a backdoor into 18,000 customers who updated their Orion software with the infected updates. This very sophisticated exploit of the SolarWinds security platform was meticulously planned and executed by infecting the digitally-signed component of the Orion .dll software to communicate via HTTP to third party servers.
After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
FireEye, Microsoft and multiple other Cybersecurity products were all deployed alongside the Orion platform in virtually every single one of these 18,000 infected customers, yet none of these “defense in depth” systems detected SUNBURST malware. The full impact of this Cyber-attack is so enormous and widespread that the impact of it will never be fully known.
For more information on this breach, see SolarWinds Cyber Attack
17th December 2020 – Vietnamese Government Security Authority
Vietnamese Government Certification Authority (VGCA) used to validate supply chain software was compromised and the agency’s digital signature toolkit was modified to install a security ‘backdoor’ vulnerability to users of the supply-chain software.
The exploit called “SignSight” involved the modification of software installers hosted on the Certificate Authorities website (“ca.gov.vn”) to insert a spyware tool called PhantomNet or Smanager to unsuspecting end users.
For more information on this breach, see: Software Supply-Chain Attack Hits Vietnam Government Certification Authority
So what is the future for a Cyber Security industry that is failing it’s clients?
It is clear that deploying any of the leading edge products recommended by Gartner and other security analysts is insufficient protection for determined and experienced Cyber-criminals. Even when these expensive security products are combined together and deployed in unison by an organisation, determined Cyber-criminals can bypass them – as with SUNBURST and other exploits referred to earlier.
The Flaw with existing Cyber-security products
The only conclusion is that all the major security platforms have a single flaw that is repeatedly exploited by cyber-criminals – that is they are all reactive products waiting and monitor networks and platforms and in the best case scenario, detect when an attack has already occurred and perhaps help prevent it. So these expensive security products are really offering a reactive solution that may be able to identify if malware has been installed into your organisation, possibly after data has already been compromised, but with the possibility that in some scenarios it can be prevented. This is a very weak security stance for any organisation to accept, but it is all that the current major security platforms offer. It also explains why deploying them together still does not prevent major Cybersecurity attacks from occurring.
The security posture of any organisation will be vastly improved by implementing a proactive/offensive security posture in conjunction with a reactive one. This involves addressing the Cybersecurity Blind-Spot found in existing products, by implementing an offensive, anti-surveillance Cybersecurity capability into a full SEIM and EDR product. I have advocated this position in a Cybersecurity book I wrote in 2014 (Penetration Testing with BackBox) and have now implemented that vision in our ACSIA product, created by my company 4Securitas (www.4securitas.com). This is the first-time companies can implement a full 360 degree security solution that actively prevents Cyber-criminals performing surveillance and planning attacks on IT platforms.
If you consider any other major criminal activity such as robbing a Bank, it always requires surveillance and planning first. What time does the Bank open or close, when is it full of money, how do the employees enter or exit the bank etc…. Similarly, a successful Cyber-criminal will want to know information such as network ports being used, protocols deployed, hardware and software products deployed, versions of products implemented …. it is only with these pieces of information can a cyber-attack be planned.
ACSIA was designed and built to aggressively disrupt the planning stages of a cyber-attack, implementing a multi-layered security solution that uses algorithms developed by 4Securitas and uniquely deployed in our ACSIA product.
A few quotes and extra reading:
Tripwire VP of strategy, Tim Erlin, argues that every organization today needs to be prepared for a ransomware attack and adds, “while we tend to focus on the response to ransomware, prevention is still the best way to deal with the threat,”.
“Ransomware doesn’t magically appear on systems, and the methods by which it’s introduced into an environment are generally well understood: phishing, vulnerability exploits and misconfigurations. Identifying and addressing the weak points in your security posture can help prevent ransomware, as well as other attacks, from being successful.”
While Erlin focuses only on ransomware, he is correct in his argument that the entire design of the current cybersecurity vendor ecosystem is wrong.
In this brilliantly written article, Lockheed Martin talks about the cyber blind-spots. It refers to the process before an attack occurs, the pre-attack phase. It therefore talks about the proactive approach and it resolves as the ultimate way of challenging cyber attacks. Or at least to keep the pace with cyber attacks as opposed to staying one step behind.
The Cybersecurity vendors must stop developing security solutions designed and architected by Data Scientists and Software Engineers. A Cybersecurity product needs to be designed by Cybersecurity Architects and built with the assistance of Data Scientists and Software Engineers.
About the author: Stefan Umit Uygur CEO and Co-Founder 4Securitas Ltd
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Cyber-defence)