Asymmetric Cyber Warfare
A few years ago, circa 2015, we offered the notion that cyber warfare is fought in four separate theaters. If you broke it all down, we were faced with asymmetric attacker/defender dynamics in four theaters: Economics, Information, Education, and Technology.
The principal argument of our thesis was that we were being outgunned, outpaced, and outdistanced in each theater and when combined, we were fighting an adversarial enemy of overwhelming strength.
The statement couldn’t be truer today.
We welcomed 2020 with the death of General Soleimani in Iran, a country known for its cyber prowess. There is now talk of cyber revenge targeting the United States. If Iran chooses to take a cyber-threat to the next level, it would likely solicit support from more cyber-active nation states like Russia and China offering them the use of their weapons as a cyber proxy. This strategy would establish plausible deniability and spread the terror threat to more heavily armed actors. Our (the U.S.) position suddenly shifts dramatically as we could find ourselves caught in the escalation of a global war we had no conscious intention of igniting. The stakes couldn’t be higher.
In these challenging times, we have decided to revisit the four pillars of cyber warfare to explore whether the conditions in these battlegrounds have changed, either improving or deteriorating our future.
Part 1: Economics
Economic considerations continue to widen the gap between our ability to defend against cyber-attacks and our adversary’s ability to launch them. We’ve seen the following economic trends:
- Increasing cyber investment decisions at the board level.
- Expansive digitization initiatives.
- Securing legacy systems and expanding technical debt.
- Market demand for complex cybersecurity technologies.
We operate in a world where some “random dude” with a laptop, an internet connection and $25 can attack JP Morgan Chase bank (which is spending over a half billion dollars a year on cybersecurity defense).
And the “random dude” often wins.
Worldwide spending on cybersecurity is predicted to top $1 trillion for the five-year period from 2017 to 2021. In early 2017, Lloyd’s of London claimed that cybercrime was costing businesses globally up to $600 billion a year. But the whisper number is more like $1.5 trillion.
To contrast this, if we bought every exploit kit available on the dark web, we would be hard-pressed to spend $100,000. If we went instead to the Russian, German, Chinese, Brazilian, Japanese and Canadian underground markets, we might add another $100,000.
The Dark Web Candy Store includes the following attack vectors, processes, disguises and ruses:
- ATM PIN pad skimmers and bots
- Credit card clones
- Credit card number generators and Crypters
- Exploit Kits
- Fake websites
- How-to guides/modules
- Malware itself or Malware-as-a-Service
- Social engineering toolkits
And to bring it all into a monetary perspective, anyone with $50 can purchase a perfectly good, fully working Distributed Denial-of-Service (DDoS) attack. The flavors are plentiful: floods, pings of death, fragmented packets, low-and-slows, zero-days, etc.
According to the Behind the Dark Net Black Mirror report published in the spring of 2019, in the last three years there has been a 20 percent rise in the number of dark web listings targeting the enterprise.
Malware and DDoS kits now represent almost half of the attack kits for sale. The highly rated Nuke malware is being heavily marketed because of its uniquely destructive signature.
Not only does it allow users to open remote sessions and effectively take over an infected machine, it easily bypasses most flavors of Windows firewall protection used by the typical enterprise customer. You can find many discussion threads in Russian-language forums actively applauding Nuke as the ideal attack tool for use against enterprise networks.
Go where the money is
While all sectors are targeted by hackers, banking and finance were the most popular (based on Sutton's law), followed by e-commerce, healthcare, education and media platforms. Over 60 percent of sellers are offering access to more than ten business networks, and in many cases the credentials are priced as low as $2 each. These are a cheap entry into the world of cybercrime: effective and readily available to novice hackers who can't spend a lot of time learning how to use the tools.
This same study found that just under half of dark web sellers were offering services that specifically target FTSE 100 or Fortune 500 companies, and depending on the company involved, these services could be purchased for as little as $150.
Even the most expensive service is only $10,000, a mere .01% of what Jamie Dimon spent last year to defend against these exact same threat vectors at JP Morgan Chase. Yes. Only one tenth of one percent of Chase Bank's entire Cybersecurity budget in 2019 gets you the most expensive enterprise cyber-attack kit on the entire underground market. The economic imbalance is breathtaking.
A 4th world economy: the nomadic hunter-gatherer CISO?
The above data makes it seem like we are operating as a fourth world country trying to compete with global economic powers. While the reverse is obviously true, you wouldn't know it by assessing the results. The fact is that we are watching it happen, we report on it daily now, and we don't seem to know what to do or how to contain it. By continuing to expand our threat landscape, we not only encourage its growth, but we are actually building the very highway the attackers are using.
In the past 20 years, the nature of corporate asset value has changed significantly. More than 85% of the value of Fortune 500 companies consists today of intellectual property (IP) and other intangibles. With this rapidly expanding digitization of assets comes a corresponding digitization of corporate risk.
Corporations worldwide are losing hundreds of billions of dollars annually from the loss of IP, trading algorithms, destroyed or altered financial and consumer data, diminished reputations, and heightened risk exposure through increased regulatory and legal liabilities.
The risk increases with each newly passed regulation and data privacy law.
Constant internal pressure to leverage new paths to digitization, exploding attack vectors and the shift in both professional and now personal liability for C-level executives and Board members creates additional layers of economic risk unprecedented in the history of business.
Legacy enterprise systems which remain the backbone of most corporate operations were designed without any security in mind and are becoming even more insecure.
Wells Fargo and most major banks still rely on ancient Check Processing and Customer Management systems that were developed well before the turn of the century and the life of those systems is being extended through new technologies designed for exactly that purpose.
Instead of ripping and replacing, most companies are opting for legacy life-line extension, hoping to get even more mileage out of these old enterprise systems. Meanwhile, a whole category of new software companies offering front-ends or analytic tools that require only large lakes of data has emerged to pump new oxygen, and even more layers, onto these ancient piles of code.
Multiple studies including the 2017 Escaping Legacy report by Accenture have found that 50% of all banking IT assets are in critical need of modernization and an incredible 43% of all banking systems are still running on 220 billion lines of COBOL code.
The resistance to change is enormous as the economics to do so are prohibitive.
In addition to the availability of new life extenders, we have repeatedly patched these systems throughout the years, layering newer technologies over old ones, so that it is now almost impossible for new software engineers to deconstruct decades' worth of complex workarounds.
Today's COBOL programmers are in their 70s, so the future doesn't look very bright.
Delaying the inevitable creates enormous technical debt. When companies take shortcuts, over time these quick fixes accumulate and almost always manifest into system failures and vulnerabilities that hackers can easily exploit.
To further exacerbate the risk, cloud computing is seen as an economically desirable alternative to native hosting, and these applications are increasingly used in a hybrid role where they can be connected to older systems that are then treated as reliable plumbing.
The downside to this strategy is that we increase system vulnerabilities by placing critical assets in what are fundamentally insecure cloud environments.
Companies like Microsoft, Yahoo, Apple, Dropbox and LinkedIn have all suffered cloud security breaches. Cloud computing relies entirely upon the Internet and by definition is difficult to secure. While there are many ways to mitigate these threats, the IT community, for a variety of reasons, has proven that we are not very good at it, and the effect of moving data and computing to the cloud is an expanded threat landscape.
Refactoring in the cloud
Yet JPMorgan Chase, for one, is doubling down on this strategy and plans on 'refactoring' most of its applications to the cloud in the coming months. The economic attacker/defender dynamic, as played out in corporate boardrooms and within IT organizations, works increasingly in favor of attackers, and the technologies used for attack are cheaper than they have ever been.
It is always very difficult to present an ROI on cyber-attacks that have been prevented, and we are also not very good at communicating with decision makers about risk.
Since we cannot or choose not to quantify risk in terms that C-level executives can understand, we are always asking for budget increases based on expressing risk in terms of “high” or “very high” instead of $ millions.
We are unable to map threats directly to quantified asset values at risk, so the investment decision makers continue to reject our requests for increases in people, process or technology spending.
This resistance to fund necessary tools and human resources shouldn’t be surprising.
Since we are unable to defend our thesis about the risks we are trying to mitigate in quantitative arguments with decision makers who speak and think in economic terms, we should not be surprised when our requests are denied.
Compounding economic pressure
The economic pressures on the growth side are compelling, yet they create difficult Cybersecurity management challenges:
1. The push to embrace technologies like cloud computing without proper controls,
2. The expansion of connectivity driving uncontrolled and networked IoT,
3. An enthusiasm for broad BYOD and BYOC programs,
4. The digitization of everything,
5. An increased reliance upon third parties for provision and supply-chain components,
6. Our refusal to replace and our insistence upon extending our dangerous legacy systems,
7. The enormous supply and demand gap for competent information security resources,
8. Our negligence with proper hygiene, training, education, and process,
9. Our inability to shift our strategy to managing risk vs. managing cybersecurity.
Conclusion and outlook
These challenges are driven largely by economic considerations and combine to expand the gap between our ability to defend and our attackers’ capacity to strike.
The rational conclusion is that the economic dynamics have grown more complex and have worsened the outlook.
If we continue with this narrow historical approach to cybersecurity defense, it is likely that we will compound the problem space even further.
What looks like a widening gap today could well become an uncrossable chasm tomorrow.
Elements of Cyber War is part of a four-part series by Steve King. Subscribe to our mailing list to get a sneak peek at part 2.