Ransomware topped the list of profit-motivated attacks in 2017, but geopolitical conflicts also spilled into cyber space, with activists and jihadists exploiting the internet, according to Flashpoint.
“Cyber criminals in 2017 proved inventive, developing clever new schemes to evade the latest in fraud detection and network and device protections. Cyber crime continues to be a global problem, and one that is persistent and growing,” the company’s latest business risk intelligence decision report said.
In the light of the 2017 trends, the report said organisations need a strategic view of risk, and recommended that decision makers inside the enterprise incorporate business risk intelligence (BRI) into their risk assessments and strategies.
The threat of kinetic attacks on the Korean peninsula looms, the report said, as does the possibility they could be accompanied by cyber attacks, while hacktivists and jihadists continue to use the internet as a platform for influence and potentially physical violence.
“Having a robust BRI program puts these threats into context for an organisation and its risk management efforts,” the report said.
According to Flashpoint, cyber crime, fraud, insider threats, physical security, mergers and acquisitions (M&A) security assessments and third-party risk can all be assessed, managed and minimised with an adequate grasp on threat intelligence.
Cyber threat ‘flashpoints’
The report highlights eight potential “flashpoints” that organisations should monitor as part of their cyber threat intelligence gathering processes.
These include the adoption by countries such as China, Iran and North Korea of the “Russian model” of engaging in “cyber influence operations” by proxies, resulting in exposure from such a campaign.
The report also notes that kinetic attacks on the Korean peninsula loom, as does the possibility that these could be accompanied by cyber attacks, and that Russia is battling election interference accusations while tightening information control within its borders to the extent of building a separate Domain Name System (DNS) model that can also be used by other restrictive powers.
Flashpoint’s 2018 threat matrix shows that China, Russia and the “Five Eyes” countries have the highest level of technical sophistication [tier 6], with state and non-state actors capable of engaging in full-spectrum operations, utilising the breadth of capabilities available in cyber operations in concert with other elements of state power, including conventional military force and foreign intelligence services with global reach.
Sectors under threat from China and Russia are financial services, legal, energy, technology, entertainment, telcos, government, military and non-governmental organisations (NGOs), but China also has a focus on the healthcare sector.
There are no countries listed as having a tier 5 capability, while North Korea, Iran and cyber criminals are ranked as having tier 4 capability. This means attackers tend to be part of a larger and well-resourced syndicate, with a moderate-to-high level of technical sophistication.
Tier 4 actors are capable of writing custom tools and malware and can conduct targeted reconnaissance and staging prior to conducting attack campaigns. Tier 4 attackers and above will attempt to make use of publicly available tools prior to deploying more sophisticated and valuable toolkits, the report said.
The potential impact of cyber attacks by tier 6 actors is described as “catastrophic”. The potential impact of cyber attacks by tier 4 actors is described as “severe” for North Korea and cyber criminals, and “moderate to severe” for Iran.
The report notes that cyber crime efforts continue to evolve at pace, including insider recruitment – particularly in financial and legal sectors.
Although North Korea is said to have tier 4 capability, the report notes that it is a unique case because the state is able to marshal state resources as necessary, which may enable capabilities that are generally ascribed to higher-tier actors.
According to Flashpoint, North Korea is likely capable of using destructive and highly disruptive attacks in kinetic conflict scenarios to support military objectives, which is a key differentiator of tier 6 actors.
Researchers at security firm Recorded Future have linked North Korea’s Lazarus Group to a phishing campaign targeting South Korean cryptocurrency exchanges and users in late 2017, but they warn that the group may soon go after exchanges and users in other countries.
Tier 4 actors are most likely to target broadly the same sectors as tier 6 actors, although cyber criminals are unlikely to target the government, military and NGO sectors, and more likely to select retail and healthcare sectors.
Disruption, attention-seeking actors and hacktivists are classified as tier 3 actors, who maintain a moderate degree of technical sophistication and can carry out moderately damaging attacks on target systems using a combination of custom and publicly available resources. Tier 3 actors may be capable of authoring rudimentary custom malware. The impact of tier 3 actors is described as “moderate”.
Most sectors are likely to be targeted by hacktivists, although the legal and healthcare sectors are unlikely to be targeted, according to the report.
Jihadi hackers are shown to be most likely to target the financial services, technology, entertainment, government and military sectors, but are ranked only as tier 2 actors, who can develop rudimentary tools and scripts to achieve desired ends in combination with the use of publicly available resources. Tier 2 actors may make use of known vulnerabilities and exploits. The potential impact of these actors is described as “negligible”.