The Computer Emergency Response Team (CERT-UK) was launched in March 2014 to collaborate with industry, government and academia as part of the government’s holistic plan to enhance cyber resilience. After just one year in operation, the organisation has become a central hub for the sharing of threat information (enabled by the Cyber Security Information Sharing Partnership (CiSP)), and its first annual report, published in May (covering April 2014 – March 2015), highlights the panoply of cyber intelligence that is now gathered and distributed in order to protect the UK economy and grow the cybersecurity industry.
CERT’s weekly alerts, regularly detailed as part of Datonomy’s weekly cyber updates, have become an excellent source of bite-size information about the most recent and dangerous cyber threats and the availability of the industry’s most up-to-date software patches. However, the annual report affords the organisation the opportunity to really show off the breadth and depth of the intelligence it has collated.
The report features a number of fascinating analyses (of which I highlight three) that provide a wealth of technical information businesses of all shapes and sizes would do well to understand. The three topics covered are: incident types, malware and predictions for 2015-2016.
Everyone has become aware of cyber threats, and it is becoming easier to convince boards and individuals to take action on cybersecurity. But behind the concern, there is a dearth of communication about the technical means used to perpetrate such attacks. CERT’s analysis of the most prevalent incident types is a valuable tool for improving the quality of conversations between the CIO and all levels of the organisation.
The data clearly shows that three incident types are most common:
- Malware – any software used to disrupt a computer operation, gather sensitive information, or gain access to private computer systems;
- Abuse – attacker infrastructure – an ‘abuse event’ in which a collective network of infected machines, known as zombies, is used to saturate a target with external communication requests, so much so that it cannot respond to legitimate traffic;
- Vulnerability – poorly written software code that allows someone to exploit an error.
Knowing that malware, abuse using attacker infrastructure and software vulnerabilities are the three most prevalent forms of attack allows businesses to achieve greater cost efficiency in their cybersecurity efforts. The data is further enriched by a sector breakdown, revealing the public sector to be the most at risk, followed by the financial services sector.
The identification of trends, such as spearphishing being more prevalent in the government/public sector (most likely due to foreign states’ attempts to steal intellectual property or conduct espionage), informs and reinforces the need for businesses to consider bespoke cybersecurity packages that address their unique threat profile.
Malware in the UK
CERT has been working with Codenomicon, a Finnish cyber vulnerabilities testing company, to uncover the most observed malware types affecting businesses and individuals. Despite constituting 30% of all cyber threats (as detailed above), surprisingly little is known about the various malware agents operating in the UK. This is primarily due to the fact that not enough is done to report incidents in the first place. However, the problem is heightened by the fact that the best malware is able to avoid detection. Even where malware is detected, the criminal groups and nation states unleashing these threats are quickly able to create a new evolution of the agent.
Here we can see a graph published by CERT demonstrating the daily reports of the top five malware types in the UK:
The downward trend indicates that the cyber community has identified and is addressing these threats. For example, the “Zeus” malware (a Trojan horse computer worm that steals banking information by logging keyboard strokes and grabbing screenshots – observed over 2.6 million times last year in the UK) was the subject of “Operation Tovar”, conducted by the National Crime Agency, during which the servers hosting Zeus were tracked and taken down.
What the above does not demonstrate is that for every strain of malware quarantined, more are ready to be repackaged or altered to avoid that takedown method, and the overall number of agents and abuse incidents in the market is rising. Now that Zeus has been taken down, CERT-UK has begun to detect that malware such as “Dridex” and “Dyre” (primarily targeting the financial sector) are taking its place.
The research indicates that combatting malware is a constantly evolving fight and that CERT’s information is only as good as the intelligence provided by the information sharing community.
Predictions for 2015/2016
Perhaps the most interesting part of the report for businesses is CERT’s set of bold (and some not so bold) predictions for next year:
- The supply chain will be hit hard – the most high-profile hacks in recent history are frequently referred to by reference to the ultimate data controller; for example, the JP Morgan, Home Depot and Target hacks. Yet, in each of those attacks the vulnerability that led to the breach was found within the supply chain. Noting that 7% of reported incidents last year came from the supply chain, CERT are predicting that this trend will cross the Atlantic and become much more prevalent in the UK.
- Mobile devices will be a single point of failure for business and consumers – the increased use of mobile devices in our personal and professional lives isn’t news to anyone. What may be less obvious is that these mobile devices increasingly share operating system code with desktop computers. Consequently, once a vulnerability is discovered, CERT predicts that the effect could be greatly widened as mobile devices contain increasingly personal data.
- We will see another Shellshock or Heartbleed – Shellshock and Heartbleed being security bugs in popular operating systems/security protocols (UNIX and OpenSSL, respectively). Such bugs are catalogued as CVEs (Common Vulnerabilities and Exposures), for which software producers then have to work very quickly to produce a patch. CERT’s prediction that we will witness the exploitation of several major security bugs in 2015 seems inevitable given the evidence that last year saw a record 7,945 CVEs reported, and there are over 8,000 already reported in 2015 (according to the public CVE register as at 30 June 2015).
- We will see the largest data breach ever – again, another troubling yet safe assumption. With increased media attention, the rewards for pulling off such data heists are increasing all the time. Since the end of this publication’s reporting period (31 March 2015) we have yet to see a truly mammoth data breach (the largest being the June 2015 breach of the US Office of Personnel Management, exposing 4 million employees’ records). Yet I don’t think anyone would be surprised if the prediction came true. CERT fails to clarify how it determines what is meant by “largest” – the number of people affected, the number of data entries stolen, or the cost of remediation? See here for an unverified list of the largest data breaches of all time.
- The Cyber Criminal Marketplace will become more accessible – perhaps most worryingly, CERT predicts that cyber crime will become accessible to the less technical via outsourcing. Hacking groups such as Lizard Squad have set a troubling precedent by selling their services by the minute, driving down the cost of such an attack and encouraging a mercenary and politically indifferent culture.
- Consumers will expect better security – this last prediction is perhaps the safest of them all. Greater media attention and an unceasing march towards living our lives and paying for our goods and services online via multiple connected devices all but ensures the realisation of this prediction. Consumers and shareholders alike will demand security and businesses that fail to heed the call will pay the price.
Overall, CERT’s first annual report not only highlights the ever-increasing importance of cybersecurity to the economy, and to private life, but also the crucial role a centralised organisation has in collecting and disseminating technical threat information to drive business and legal solutions.