March 2, 2017 by Angela Stelmakowich
The motivation and rationale behind certain cyber attacks seem to be undergoing a transition, with some actors looking to inflict the most disruption possible on a target entity simply for the “fun” of it, it was suggested Thursday during the 2017 International Cyber Risk Management Conference (ICRMC).
In the last year, “I’ve seen a rise in disruptive breaches unlike any other situation or timing that I’ve ever seen before,” Charles Carmakal, vice president of Mandiant, said during the 3rd Annual ICRMC, being held Mar. 2-3 in downtown Toronto.
“Over the past 12 months, we’ve responded to more disruptive breaches than we have as an organization at Mandiant over the past 13 years,” said Carmakal, whose company helps organizations that have been breached, typically by foreign governments or organized criminal groups.
“Previous to these disruptive attacks, we used to see a lot of attacks where criminals and foreign governments were interested in stealing data that might help them, say, build aircraft engines and maybe shave off hundreds of millions or billions of dollars in R&D (research and development),” he told attendees.
Or there were many cases of people stealing credit card data, something that could be quickly monetized, Carmakal (pictured left) said during the conference’s first panel discussion, The Year in Review: Lessons Learned.
“But there was always some very clear purpose, some gain that these criminals or governments were able to obtain by stealing data,” he pointed out.
“Today, we’re seeing threat actors break into organizations for a number of different reasons. Sometimes, they’re doing it just for fun,” Carmakal said.
“They want to create some significant disruption to organizations – to take companies offline, to steal data, to change the way that organizations do business,” he reported.
Previously, these sorts of actors were dismissed, suggested Scott Jones (pictured right), another panel member and assistant deputy minister, Communications Security Establishment for the federal government.
Now, however, these actors are being referred to as “enthusiasts,” Jones told attendees. They “just seem to like to do this for fun, but they can be massively disruptive,” he pointed out.
And, certainly, Canada is not immune to disruptive attacks.
“We’ve seen a rise in disruptive threat actors here in Canada,” noted Carmakal, saying they affect organizations across various sectors, but particularly entertainment, hospitality, and mining and natural resources.
Panel moderator Ray Boisvert (pictured left), provincial security advisor to the Ontario government, said there has been a lot of discussion about more than just the increased volume and sophistication of cyber attacks.
“It seems like their intent and maybe the effect has really been transformed in the last year,” Boisvert noted.
“Being a national security practitioner, I’ve always looked at things in the context of everything else that’s going on,” he told attendees. “Are there coincidences in life? Yes, absolutely. But quite often, this is more around the idea that there are things to consider larger than just your little isolated event,” he added.
Carmakal reported that developments not seen before include board members and executives being taunted by threat actors who have stolen data, threat actors communicating directly with journalists to amplify the visibility and impact of the attacks, and threat actors deliberately shutting down infrastructure to disrupt business operations.
“The level of aggression that we’re seeing today is unlike what we’ve ever really seen at such a scale in the past,” he told attendees.
“There’s a couple things that we’re really facing here,” Jones suggested. “Number one is that the symptoms we’re treating right now – which is the incident response and we’re trying to get behind that – is not treating the actual disease we’ve got,” he argued.
The “disease” relates to the fact that “the cyber platform is fundamentally insecure and it’s not getting better; in fact, it’s getting worse. The Internet of Things is just going to accelerate that,” Jones cautioned.
“Somehow we’re going to have to start changing that conversation, changing that incentive and educating folks to ask the right questions, to ask for security features and value that as much as how many megapixels you get on your next camera or how much more storage you get,” Jones emphasized.
“Everything that we do now is connected,” said Ben Cotton (pictured right), panel member and president and CEO of CyFIR, a reality that has some very real implications for targeted systems and institutions.
“I think you see a definite shift in the targeting of systems, the targeting of institutions,” Cotton said.
“And it’s more of a broader realization by the actors that, essentially, they can use cyber as the poor man’s weapon, for whatever motive they want, whether that is economic, whether that is intelligence collection, whether that is competitive advantage,” he told attendees.
“We are seeing a gained realization on the part of our adversaries that it’s not just about credit cards anymore, it’s not just about state secrets anymore, it’s about competitive, economic advantage,” Cotton reported.
“How they act on that depends on, one, what they can do from a capability standpoint; two, what the vulnerabilities are in that organization; and three, what that desired outcome is,” he suggested.
“We’ve seen more destructive attacks this year than we’ve ever seen in the past,” Cotton pointed out. Citing incidents where actors actually inserted code and destroyed operating systems, “that is something we hadn’t seen as a trend before other than in very tactical utilization by nation states in support of war,” he added.
Suggested Jones: “What we’re going to have to work on is how are we going to change the relationship between governments, private sector and across other governments, too, to actually start addressing this in a more holistic way.”
Having had some recent discussions with people on the national security side in the U.S., “there certainly is a lot of hope that that momentum, not just the policy piece but, of course, some of the actions, will continue to evolve,” Boisvert said.
“Continentally, because Canada will have to certainly follow suit, there will be a far larger and better contextualized set of rules around engagement and, perhaps, even standards around cyber security to ensure that we do continue to be able to deal with all of these incredibly important gaps around the true state of cyber security and the reality of it,” he argued.