‘There are now three certainties in life – there’s death, there’s taxes and there’s a foreign intelligence service on your system’ – Head of Cyber at MI5 (2013)
Over the last two decades, the scale and severity of cyber attacks have varied widely. It is probably safe to suggest that the secret sabotage of a nuclear facility by the Stuxnet worm is in a slightly different league to the theft of payment card data held by a commercial brand like Chipotle. Nonetheless, there are several underlying attributes that provide a common framework for comparing unconnected incidents. The Diamond Model of Intrusion Analysis indicates that every incident has:
- An Adversary
- The Capabilities of the Adversary
- A Victim
- Infrastructure over which the attack occurs
For much of the time, cybersecurity researchers can find themselves limited to informed speculation and assessment about the sort of activity that cybercriminals perform, prior to launching a large cyber-theft operation. We believe that they will be performing reconnaissance on employees at the bank, particularly those in privileged positions linked to the payment and IT platforms, but some of the more precise details are limited. However, every now and again, information will be leaked which can provide some unique insight into the activities of cybercriminal groups and what they look for in a victim.
As of the time of writing, the three bitcoin wallets associated with the WannaCry ransomware have received a combined total of about 53.8 BTC – just shy of USD 500,000 at current conversion rates. This is despite the “kill switch” and other implementation flaws that impeded its early propagation. It also flies in the face of the numerous articles circulating in the security community that cast doubt on whether it is even possible for WannaCry victims to consistently get their files back.
On 7th December 1941, a surprise raid was launched by the Imperial Japanese naval air force against the United States Pacific fleet while at anchor in Pearl Harbor, Hawaii. This devastating attack formally precipitated the entry of the United States into World War Two, shaping the course of history. A cataclysmic event of comparable magnitude has been anticipated within the cyber domain for more than two decades, encapsulated by the analogy: “Cyber Pearl Harbor”.
On the 23rd October 2015, it became public knowledge that 156,959 TalkTalk customers had their personal data exposed due to the insecure retention of customer records.
The breach dealt a major reputational blow to the telecommunications provider, and for many, the company has joined a growing list of brands that are now synonymous with a major breach of personal data.
Threat actors do not exist in a cyber vacuum. Hackers, organised criminal gangs, and nation states all operate within the same cyberspace and have access to the same systems and vulnerabilities. Whilst the tactics, techniques and procedures (TTPs) vary between different threat actor categories (in terms of method, capability and sophistication), the infection vectors they target remain the same.
On Wednesday 5th October, the Security Alliance team will be exhibiting at “Law Firms and Cyber-attack Conference 2016: Prevent Detect Defend” at Senate House London.