Cybercrime: Today and the Future

Transcript

Erin Sindelar: Hello everyone. My name is Erin Sindelar. Thank you so much for joining us at Perspectives 2021. In the next few minutes, I’m excited to talk with you about the current state of cybercrime. To start, let’s look at the big picture of threats in 2020. Overall, Trend Micro blocked 62.6 billion threats last year, which is about 119,000 per minute. From all of this threat data, a few highlights to point out: 91% of these threats were email-borne.

We detected 210% more attacks on home networks than in the previous year and 34% more new ransomware families than last year. Additionally, Trend Micro™ Zero Day Initiative™ published 40% more vulnerability advisories than in the past year. Now I know that was a lot of numbers really quickly right off the bat, but I wanted to ground us in an overall snapshot of the threat landscape last year before we dig into one of these areas specifically, which is ransomware.

Ransomware today looks quite a bit different than it did in the past. Yes, there is still encryption and cryptocurrency demands, but that’s just one part of a much larger process. There are three big changes that you should be aware of so that you can know how to best defend against them.

It’s much more targeted today. It takes more time and it uses more and different techniques. Let’s look at each of these. In the past, ransomware was mostly generic automated attacks with a single click leading immediately to the ransom note. And a single user error could make that happen across all the endpoints in your environment.

But that broad spam approach no longer works. Advanced defense techniques have gotten a lot more common across businesses globally. And we’ve collectively forced criminals to change their approach, which means today, ransomware is a lot more targeted. Instead of the broad spam tactics, they will know exactly who they’re targeting and what data is most critical to that company so that they can demand the highest ransom possible based on the data and the company’s revenue.

It also means that the really fast single-click and immediately you have a ransom-note approach isn’t how it works anymore. If before you measured a ransomware attack with a stopwatch, now you need an hourglass or even a calendar.

With a criminal manually doing each step in the process and overseeing the whole thing, it can take days or even weeks. However, this dwell time in the network is decreasing as criminals get better and refine their process with this new approach. There are also a lot more techniques and tactics involved. Rather than the broad spam and phishing or a single infected website, today criminals will get in, stay hidden, and move laterally throughout your network. That way they can identify what that critical data is and where it is, then they will exfiltrate it.

The first three of these five tactics are what take the most time. These investigative stages and all the prep work are likely slow and very measured in order to effectively stay hidden. One common way that this is done is by using admin or security tools that are less likely to be flagged as malicious by the security teams so they can stay hidden and move around without anyone noticing.

In some cases, the initial attacker might even sell their access to that network rather than further exploiting the company themselves. This trend of access as a service is becoming increasingly common in underground forums and can demand quite a high price. But no matter who was doing it and exactly how that attack progresses with the last two steps, things will move much faster.

Data exfiltration is now a big part of the game with what is called double extortion ransomware. This means that the stolen data is used as leverage in an attempt to make the company feel like they have to pay in order to keep their data from being leaked publicly. However, the criminals know that once they start exfiltrating data, they will no longer be hidden in that network.

Someone in the victim organization is going to notice. So the point from initial exfiltration to the final ransomware being dropped is going to be pretty quick. It might even just take a few hours. Overall, these three areas of change are really critical for having visibility and data correlation across your environment.

That way you can see the threat and stop it before it gets to the really bad parts of the attack, and Trend Micro can absolutely help you do that. You’ll hear more about exactly how throughout the day, but first my colleague, Rik Ferguson, has some fascinating insights to share about the state of cybercrime in the year 2030.

Rik Ferguson: Erin, hi, and thanks very much for that presentation. I’ve got 10 minutes to go through effectively 10 years, so I’m going to dive right in. We’re going to introduce you hopefully to a very new way of thinking about threat predictions as we talk about Project 2030 scenarios for the future of cybercrime.

This new research aims to give individuals, enterprises, and even nations a rational indication of a possible future to enable them to devise a more nuanced long-term strategic direction. The scenarios that we have devised are wide-ranging and diverse. So much so, in fact, that rather than predicting the future of one single real-world nation, we’ve set all the predictions in the fictional nation-state of New San Joban.

That gives us the scope to bring all of our possible futures together in that one place. So what we describe is a future that, while it’s plausible or even probable in some parts of the world, is not inevitable or even possible in all of them. Projecting into the future requires a solid starting point. So we conducted a baseline assessment of current cybercriminal threats and enablers and other key features of the cybersecurity ecosystem.

We reviewed analysis published by international organizations like Europol, Interpol, and the United Nations. Of course, COVID-related cyber threats loomed large in their assessments, in addition to the more usual concerns of state-sponsored activities, APT, financially motivated cybercrime and others.

In addition to those international organizations, we also focused on synthesizing the short-term predictions of our industry, the cybersecurity industry, to get an idea of where the current weight of industry agreement lies. So we took all of those 12-month predictions that you usually see around December and January from all of the cybersecurity vendors and kind of boiled them down. Many of these focus on the importance of rapid changes to working practices that were engendered by the global pandemic, the mainstreaming of emerging techniques, probably rather more rapidly than would otherwise have occurred, and the acceleration of effort, in some cases cooperation, between organized criminal and nation-state cyber operations.

So, having completed that we then conducted extensive horizon scanning of open source media, academic research papers, technology patents, setting ourselves the task of determining which of these technologies would be mainstream or still emerging in 2030.

Mapping all of these developments into a single world allowed us to identify linkages and interdependencies between the barriers to adoption and possible points of acceleration. And already at this stage, several key drivers and impacts of technological change became evident, including some of those that you can see on the slide right here.

So, of course, this is scenario-based. So how does this future play out for the individual in our vision of 2030? Well, in our scenarios, our individual is a woman called Resila, who lives with her kids in the fictional city-state of New San Joban.

And these are just a few of the features of her scenario narrative, which you can read in full in the white paper. Resila works from home and she plays in the center of the city in what used to be office space. Wearables identify her nutritional and medical needs. And this data is aggregated with other datasets held by her healthcare, fitness, and retail providers, among others. Alerts prompt investigations or drug administration, but also measures aimed at behavioral change, like making fatty foods or alcohol invisible in an online grocery store.

Additive manufacturing, which is already in a heavy-growth phase is present in the home of 2030 in the form of 3D printed food. Immersive technology is used at work, at home, and in school. And even more so than today in 2020, instant access to the world’s knowledge means that children no longer actually need to learn anything.

So education is now focused primarily on processing rather than acquiring knowledge. Neural implants, first used for medical applications, progressed to recreational usage, and one development that you may consider spooky, digital selves that outlive the death of the physical person, are more prevalent. We in the paper have called these infini-mes.

While the first generation of these beings tended to repeat a restricted set of interactions based on data they had been fed in the physical human’s lifetime, the latest versions are self-learning and they’re able to engage in new experiences based on physical humans in their closest peer and interest groups. Effectively, digital immortality.

Increasingly these digital humans have agency, particularly as the physical and digital worlds come ever closer. They can engage in inappropriate and even criminal behaviors. Grieving relatives may be looking for legal remedies to prevent loved ones from being switched off or perhaps to ensure that they are.

Resila works for KorLo, Konsolidated Rubber and Logistics, which is a heavy manufacturer with a 200-year pedigree. I’m sure you can think of equivalents in today’s world of 2020. When they had to retool their production during the great pandemic, that brought the organization firmly into the healthcare supply chain. And their work on self-healing polymers sees them operating in environments ranging from the bottom of the ocean with undersea telecoms to the edges of the atmosphere in satellite communications. And as such, they fall into a recently enlarged and ever-evolving classification of critical national infrastructure, because they are key supply manufacturers.

When we talk about supply-chain monitoring of both this supply chain and in-house enterprise operational technology environments, it’s now entirely digital and it’s enabled through private 5G networks, where real-time asset condition maintenance, hazard monitoring, and associated operational intelligence are constantly delivered to digital twin infrastructure. And that streamlines production, and it also enables accurate preventative maintenance, but at the same time it obviously hugely expands the attack surface.

In addition to the tens of thousands of connected devices, services, sensors, and actuators, KorLo also have to manage the dynamic authentication and secure provisioning of M2M and IIoT devices in highly-sensitive environments, where little or no human interaction is possible.

Additive manufacturing and 4D printing technology means that KorLo now designs and produces various products, from heart stents to flat-packed items for near-space transit, that are programmed to change state or to change shape depending on external stimuli such as GPS.

And this has led to the merging of its traditional DevOps processes with the more industrial and physical processes involved in manufacture. KorLo calls this hybrid converged process DesOps, or MakeOps. And we can already see the seeds of that today. Of course, intellectual property theft remains a traditional concern for manufacturers in 2030, but as well as the thriving market for stolen IP, the possibility of competitive sabotage by less scrupulous competitors or even nation states means that data manipulation attacks have become a rapidly growing issue. With so much of the design process now automated, poisoning of data lakes or of algorithms directly leads at best to suboptimal functioning and at worst to real physical harm.

Now, if we’re thinking about the concerns of the state in this world, you can perhaps already guess at some of the preoccupations of the government of New San Joban. Given citizens’ apparent willingness to aggregate data from different sources to benefit their health and wellbeing, governments all over the world continue to grapple with popular concerns over surveillance, privacy, and the notion of a single digital identity. In the government’s scenario narrative, we highlight a positive example of big data analysis incentivizing good behavior in a smart city, but also the potential for unfair treatment as a result of cross-profiling.

New San Joban is an entirely cashless society with a digital currency that doesn’t offer anonymity. And we trace the impact of that on criminal markets within that jurisdiction as well. The preoccupation with infrastructure supply chains and techno-nationalism has played out differently in different countries. Again, we see the seeds of that today. Think about 5G component manufacture, for example: some countries are able to benefit from homegrown 5G and now 6G components and others are restricted to buying from “approved” countries. When we talk about foreign influence operations, measures aimed at curbing that influence by detecting faked or altered video are actually at odds with a growing public acceptance of AI-generated content and synthetic influences.

Influence operations are now fully-fledged conversations, which are all the more persuasive when you think about it in a fully immersive AR- or VR-type environment, where data appears before one’s eyes rather than on a screen at arm’s length.

So, what does criminal activity look like in the scenarios that we described? They fall into some very familiar general categories when you think about it today: unauthorized access or intrusion, unlawful interception, unauthorized data exposure, manipulation of data, denial of service or disruption of service, misuse of processing power, extortion, influence ops. All concepts that I’m sure you’re already very familiar with.

And as is the case in 2020, a single cyber threat business model might engage in a number of these activities in sequence or, in fact, simultaneously. As you heard from Erin, ransomware with double extortion requires unauthorized access to data and denial of service as leverage, and also secondary leverage in the form of the threat to publish that stolen data.

So how do these play out in that decade of 2030? It promises to be one in which repetitive operations are automated more than ever before and machine learning advances, to the extent that all organizations and all sectors of society will make use of artificial intelligence tools. This inevitably will include threat actors.

In particular, it’s reasonable to assume that highly-automated reconnaissance, target selection, penetration testing and delivery will be attractive to cyber criminals and that they will seek to maximize the effectiveness and efficiency of their efforts by using tools that are capable of unsupervised learning.

AI-powered attacks will inevitably be supported by more advanced obfuscation techniques, also perhaps boosted by AI, so self-learning fast flux tools for evading data capture and attribution are the logical evolution of existing anonymizing services for cybercriminals. But as in the current debate around AI-powered cyber defense, hands-off cybercrime may provide, or in fact is likely to provide, unintended opportunities for its disruption and for law enforcement if its operations are not entirely understood by its operators.

In a world in which information is delivered in a citizen’s immediate line of sight by means of immersive technologies and heads-up displays, data manipulation could be harnessed in the service of influence operations and disinformation. Subsequent iterations of algorithmic optimization, which is, I guess, the logical successor to SEO, be they benevolent or malicious, may have greater power to alter belief systems. Social engineering as a threat vector may likewise be harder to resist in environments in which the immediacy of experience will prompt quicker reactions and a reduction in critical distance.

Moving on to IoT. In a truly massive IoT (MIoT) environment, successful cyberattacks will result in disruption not only to manufacturing and logistics, but also to transportation, to healthcare, to education, to retail, and to the home environment. In the context of additive manufacturing, specifically 4D printing, disruption or denial of service to sensors could result in products not changing shape or changing state as intended or as required.

And I think I mentioned earlier on that KorLo makes heart stents; you can imagine, if a heart stent that’s delivered intravenously fails to change shape at the required moment, that’s actually a pretty serious problem. The 2030 that we envisage in these scenario narratives is one in which edge processing and analytics empower many things to be self-rooting and self-altering.

So in this future, which is also one of increased self-learning and autonomy for algorithms, our appreciation of insider threats will need to evolve. Currently understood to refer to a human’s risk to an organization, the insider threat of 2030 could just as easily be an object or an algorithm.

Of course, the future isn’t quite as dystopian as I may have led you to believe; the white paper describes an awful lot of very positive use cases and it goes into a lot of detail about the potential for use and abuse of those, hopefully enabling you to look further into the future and devise, like I said right at the beginning, a more nuanced long-term strategy.

Thank you very much for listening. Please enjoy the rest of the day. I’ve been Rik Ferguson.