Cyber and Information Security - Asymmetric Warfare
Asymmetric warfare is the application of dissimilar strategies, tactics, capabilities and approaches used to circumvent or negate an opponent’s strengths while exploiting his weaknesses.
United States Army Asymmetric Warfare Group
Cybercrime has been an attractive proposition for many years, with the threat constantly evolving in scale and methodology. It was recently reported in the UK that online crime has now overtaken all other forms of criminal activity. An individual or small group can cause significant damage and financial loss using basic tools and techniques against much larger organisations and facilities. Moreover, a single malicious trusted insider has the potential to release hundreds of thousands of pieces of sensitive company information and trade secrets to competitors or online groups.
With spending on cybersecurity at record levels and the cost of data breaches worldwide even higher, the constant battle against cybercrime is truly an asymmetric environment; one that is currently heavily favouring cybercriminals.
1. The Human Factor
Whether an intentional or unintentional act, the weakest link in any security program is invariably human. An organisation may have the best technical and physical security measures on the market, yet a simple error of judgement, such as opening an email attachment containing malicious software, or poor password discipline negates such security. In addition, social engineering is still a well-used tactic, and information provided over the phone or on social media by an unwary staff member can provide a malicious actor with valuable information.
Whilst a system will eventually be attacked and compromised, human error is a fundamental aspect of a cybercriminal’s toolbox.
Without going into too much detail, it is quite simple and cheap for a would-be cybercriminal to enable an entry-level hacking capability. Baseline resources such as a gaming laptop and internet connection, virtual private network, TOR or I2P browser, email spoofing and other open-source obfuscation software are easily acquired and readily available on the open market. There is also a plethora of open-source mapping, scanning and exploitation software available in the public domain, the majority of which is free and comes with how-to-use guides and detailed manuals.
Most cybercriminals are self-taught; all it takes is a sound knowledge of computers and some time on your hands to become proficient. The Dark Web also offers other valuable information for cybercriminals such as “chans” and message boards, handbooks, and self-help tutorials.
The Dark Web offers a vast array of malicious software to would-be cybercriminals, with ransomware seen as a logical first step for aspiring cybercriminals after a “quick win”. Amplifying this, customisable ransomware can be purchased from a Dark Web seller for as little as 50 US dollars. There is also the popular option of malware-as-a-service, where ransomware authors offer their malware for free and take a 10% share of the ransom paid by victims.
When it comes to ransomware, cybercriminals are spoilt for choice - in the first half of 2016 alone, Trend Micro assessed that around fifty new families of ransomware were introduced on to Dark Web marketplaces.
Amongst other things, the Dark Web also contains compromised server, password and bank account information; exploitation kits; known software vulnerabilities; and malicious software developer tools, all available at varying price points and invaluable to cybercriminals looking to identify targets and conduct attacks. The Dark Web is no different to common economic business models and is a market-driven environment.
4. Low Risk, High Reward
Given the advent of the cloud, and the encryption and obfuscation tools available to cybercriminals, the risk of attribution by law enforcement agencies is quite low when compared to other forms of crime. However, as could be imagined, the rewards can be quite high, depending on the target.
Once again using ransomware as an example, there are reports that the creators of CryptoWall raised more than 325 million US dollars in 2015. Each successful ransomware attack demands payment of between 200 and 10,000 US dollars. Even if the ransom is paid, there is no guarantee that the victim will be furnished with decryption keys.
Online scams such as fake shopping, charity and classified websites, and fraudulent business deals are also profitable for cybercriminals. “Nigerian” style scams are also still being used to great effect.
It’s Not All Bad
Whilst it may seem that cybercriminals hold the upper hand, just as it is relatively simple to enable cybercrime, it is just as simple to take steps to reduce the risk of a successful attack. A security-aware culture, staff training and operating procedures are great first steps; however, to seriously reduce the likelihood and effects of a successful cyberattack, cybersecurity needs to become an integral part of each business’s risk management strategies. Once threats and associated risks and vulnerabilities are identified, specific and timely physical and technical treatment measures can be implemented, providing protection where it is needed and closing security gaps.