Cyber security report predicts new ‘destruction of service’ attacks

Healthcare needs to improve security posture as information technology and operational technology converge

The WannaCry incident highlighted flaws with IT security within the health sector

A concerning new cyber security report forecasts potential ‘destruction of service’ attacks unless more is done to improve IT security within the health sector.

The Cisco 2017 Midyear Cybersecurity Report (MCR) uncovers the rapid evolution of threats and the increasing magnitude of attacks which could eliminate organisations’ back-ups and safety nets, requiring them to restore systems and data after an attack.

Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the internet itself

And, with the advent of the Internet of Things (IoT), key industries – including healthcare - are bringing more operations online, increasing attack surfaces and the potential scale and impact of these threats.

Recent cyber incidents, such as the NHS WannaCry incident, show the rapid spread and wide impact of attacks that look like traditional ransomware, but are much more destructive.

These events foreshadow what Cisco is calling ‘destruction of service’ attacks, which can be far more damaging, leaving organisations with no way to recover.

“The Internet of Things continues to offer new opportunities for cybercriminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact,” said Steve Martino, vice president and chief information security officer at Cisco.

“Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the internet itself.”

Measuring effectiveness of security practices in the face of these attacks is, therefore, critical.

The Internet of Things continues to offer new opportunities for cybercriminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact

Cisco security researchers watched the evolution of malware during the first half of 2017 and identified shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques.

Specifically, it saw that they increasingly require victims to activate threats by clicking on links or opening files.

Martino said: “They are developing fileless malware that lives in memory and is harder to detect or investigate as it is wiped out when a device restarts.

“Adversaries are also relying on anonymised and decentralised infrastructure, such as a Tor proxy service, to obscure command and control activities.”

While Cisco has seen a striking decline in exploit kits, other traditional attacks are experiencing a resurgence:

Spam volumes are significantly increasing, as adversaries turn to other tried-and-true methods, like email, to distribute malware and generate revenue.

Cisco threat researchers anticipate that the volume of spam with malicious attachments will continue to rise while the exploit kit landscape remains in flux.

In addition, spyware and adware, often dismissed by security professionals as more nuisance than harm, are forms of malware that persist and bring risks to the enterprise.

Cisco research sampled 300 companies over a four-month period and found that three prevalent spyware families infected 20% of the sample.

Spyware can steal user and company information, including patient details, weaken the security posture of devices and increase malware infections.

Evolutions in ransomware, such as the growth of Ransomware-as-a-Service, make it easier for criminals, regardless of skill set, to carry out these attacks.

To limit the impact of an attack, the industry must move to a more-integrated, architectural approach that increases visibility and manageability, empowering security teams to close gaps

Martino said: “As criminals continue to increase the sophistication and intensity of attacks, industries are challenged to keep up with even foundational cybersecurity requirements.

“As information technology and operational technology converge in the Internet of Things, organisations struggle with visibility and complexity.”

As part of its Security Capabilities Benchmark Study, Cisco surveyed close to 3,000 security leaders across 13 countries and found that across industries, security teams are increasingly overwhelmed by the volume of attacks. This leads many to become more reactive in their protection efforts.

No more than two-thirds of organisations are investigating security alerts. In certain industries, including healthcare, this number is closer to 50%.

Even in the most-responsive industries, such as healthcare, businesses are mitigating less than 50% of attacks they know are legitimate.

Among healthcare organisations 37% said targeted attacks were high-security risks.

To combat today’s increasingly-sophisticated attackers, Cisco advises organisations to take a pro-active stance in their protection efforts.

This includes:

  • Keeping infrastructure and applications up to date so that attackers can’t exploit publicly-known weaknesses.
  • Battle complexity through an integrated defense. Limit siloed investments
  • Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints
  • Establish clear metrics. Use them to validate and improve security practice
  • Examine employee security training with role-based training versus one-size-fits-all
  • Balance defense with an active response. Don’t “’et and forget’security controls or processes

Martino said: “As recent incidents like WannaCry illustrate, our adversaries are becoming more and more creative in how they architect their attacks.

“While the majority of organisations took steps to improve security following a breach, businesses across industries are in a constant race against the attackers.

“Security effectiveness starts with closing the obvious gaps and making security a business priority.”

It’s obvious that the years of investing in point products that can’t integrate is creating huge opportunities for attackers who can easily identify overlooked vulnerabilities or gaps in security efforts

David Ulevitch, Cisco’s senior vice president and general manager, added: “Complexity continues to hinder many orgainsations’ security efforts.

“It’s obvious that the years of investing in point products that can’t integrate is creating huge opportunities for attackers who can easily identify overlooked vulnerabilities or gaps in security efforts.

“To effectively reduce Time to Detection and limit the impact of an attack, the industry must move to a more-integrated, architectural approach that increases visibility and manageability, empowering security teams to close gaps.”

Commenting on the findings of the report, Dan Sloshberg, a cyber resilience expert at Mimecast, told BBH: “It’s clear from this report that cybercriminals will stop at no end to shut down organisations.

“Ransomware will move from the desktop to the cloud. SaaS services themselves will come under attack and it may be more subtle and it may not be encryption. It could destroy your ability to access your application.

People are both a strength and weakness; they can help us to detect and contain threats quickly, but they can also be the cause of problems with sophisticated social engineering attacks becoming more common

“Whether it’s Salesforce or Office 365, ransomware is sophisticated enough to manipulate data and the files at rest in those environments, as well as write code that infects the data to lock companies out. And the vast majority of it is spread by email.

“While organisations have long deployed back-up and recovery systems in conjunction with on-premises mail servers, Office 365 offers no independent copy of email data. This means businesses will struggle to recover data or keep on running when an attack occurs without a suitable third-party cloud service safeguarding their data and providing rapid access and recovery.

“These destruction of service attacks reinforce the need for effective cyber resilience, which should include independent data storage and alternative access routes to key systems like email, for when the worst does happen.”

And Darren Anstee, chief technology officer at Arbor Networks, warned: “Cisco's security researchers have exposed the reality of the threats organisations face.

“Cybercriminals are becoming increasingly sophisticated in their methods, with recent IoT botnet activity suggesting some attackers may be in the planning phase for a wide-reaching, high-impact cyber-threat event.

These destruction of service attacks reinforce the need for effective cyber resilience, which should include independent data storage and alternative access routes to key systems like email, for when the worst does happen

“Organisations must, therefore, invest appropriately to protect themselves and their customers. /p>

“The majority of attackers are looking for financial gain, and they will continue to come up with new ways of stealing from, conning and extorting organisations.

“People are both a strength and weakness; they can help us to detect and contain threats quickly, but they can also be the cause of problems with sophisticated social engineering attacks becoming more common.

“Organisations need to strengthen their visibility and threat detection capabilities across internal networks so they have broad and deep visibility of network traffic, threats and user behaviour to catch and contain threats as quickly as possible.”

Companies