Attackers Increasingly Focus On Business Disruption
Over the course of 2019, 36% of the incidents that CrowdStrike investigated were most often caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals.
Today, Microsoft is releasing a new annual report, called the Microsoft Digital Defense Report, covering cybersecurity trends from the past year. This report makes it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets. For example, nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware.
Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.
As a technical measure, for example, we are investing in sophisticated campaign clustering intelligence in Microsoft 365 to enable security operations center (SOC) teams to piece together these increasingly complex campaigns from their fragments. We also try to make it more difficult for criminals to operate by disrupting their activities through legal action. By taking proactive action to seize their malicious infrastructure, the bad actors lose visibility, capability and access across a range of assets previously under their control, forcing them to rebuild. Since 2010, our Digital Crimes Unit has collaborated with law enforcement and other partners on 22 malware disruptions, resulting in over 500 million devices rescued from cybercriminals.
Zero-trust architecture (ZTA). Across industrial nations, approximately 25 percent of all workers now work remotely three to five days a week (source: Global surveys of consumer sentiment during the coronavirus crisis, McKinsey). Hybrid and remote work, increased cloud access, and Internet of Things (IoT) integration create potential vulnerabilities. A ZTA shifts the focus of cyberdefense away from the static perimeters around physical networks and toward users, assets, and resources, thus mitigating the risk from decentralized data. Access is more granularly enforced by policies: even if users have access to the data environment, they may not have access to sensitive data. Organizations should tailor the adoption of zero-trust capabilities to the threat and risk landscape they actually face and to their business objectives. They should also consider standing up red-team testing to validate the effectiveness and coverage of their zero-trust capabilities.
This increasingly complex landscape will make it even harder for states, businesses and society to understand the risks they face and how they can and should protect themselves. Increased dependency on third party suppliers of managed services, which often have privileged access to the IT systems of thousands of clients, is creating new risks that need to be addressed. Devices and networks will increasingly be connected to the internet as standard, extending cyberspace to our homes, vehicles, built environment and industrial infrastructure. Sensors, wearables, medical devices and biometrics will further blur the boundary between offline and online activity. Cyber risks will become pervasive, increasing the volume of personal and sensitive data generated and the potential impact if systems are breached.
This will be exacerbated by competition for control of a rapidly evolving technological landscape. As digital technology is integrated into our everyday lives, businesses and infrastructure, some technologies are becoming genuinely critical to the functioning of society. Power will increasingly be held by countries that have a strategic advantage in science and technology and access to the data that drives innovation, enabling them to exert influence over others and to shape global standards in ways that best fit their own economic and political interests.
CyberFish took part in a government cyber accelerator programme. Our mission is to help businesses and government teams prepare to better handle business disruptions, like cyber incidents. We do this by running incident simulation exercises with them, observing their team dynamics under stress, and coaching them on how to make improvements. Many advisors are good at either the technical side of incident response, or the behavioural side of leadership and decision-making. We do both, together, with expert knowledge from both sides. Our exercises have helped almost 500 industry leaders working in mission-critical teams across the globe to shift perspectives and improve their teamwork, leading to improved crisis response and decision-making.
We will focus first on steps to secure the digital environment for all UK internet users, prevent attacks, build basic security in products and services, and help individuals and small businesses and organisations with basic actions to improve cyber security. As we move through to those with greater responsibility and capability to put in place additional layers of security and resilience proportionate to the risk, this will culminate in the highest level of protection expected for the key public and essential services our people and economy rely on.
Government has reduced harm to the UK at scale and reduced the burden on UK citizens. We will increasingly act upstream on behalf of all internet users in the UK, expanding our Active Cyber Defence measures to support a wider range of sectors, including charities, academia and small-to-medium sized businesses and citizens. And we will strengthen protections to online services through increased engagement and information sharing with industry.
In support of these aims, we will increasingly work with market influencers (procurers, financial institutions, investors, auditors and insurers) to incentivise good cyber security practices across the economy. We will propose improvements to corporate reporting of resilience to risks, including cyber risks. This will give investors and shareholders better insight into how companies are managing and mitigating material risks to their business. And we will continue to promote take-up of accreditations and standards such as the Cyber Essentials certification scheme and promote board level engagement in cyber risk management.
The Hut Group is an e-commerce business focused on fast moving consumer goods. We have over 200 websites running on a common platform with up to 3000 orders per minute to process so the security of our platform and our customers is a top priority. We invest huge amounts of effort to ensure that any cyber attack can be contained and that is why we are so excited by the possibility of using Digital Security by Design (DSbD) tech in our systems. Running our systems on these new microprocessors, developed in a 180 million government-industry partnership, would make our systems more resilient but managing that transition is complex as we cannot adopt new tech unless it meets our performance requirements. It has been a privilege to be the first demonstrator project for the DSbD programme and we hope to benefit from this new security across all our systems in the near future.
But the threats have also grown in sophistication, complexity and severity; and our efforts have not yet fundamentally altered the risk calculus of attackers who continue to successfully target the UK and its interests. Cyber attacks against the UK are motivated by espionage, criminal, commercial, financial and political gain, sabotage and disinformation. Attackers develop capabilities that evade mitigations; increasingly sophisticated cyber tools and related enablers have been commoditised in a growing industry, lowering the barriers to entry for all types of malicious actors. And rewards are increasing as the ability of actors to steal and encrypt valuable data and extort ransomware payments continues to grow, disrupting businesses and key public services. The result has seen attackers increasingly benefit financially, exploit privacy and freedom of speech, and attempt to manipulate events through disinformation.
Information and data on the threat is routinely shared at scale and pace and those who receive it are more able to take action. The NCSC has trialled a range of initiatives to build up more effective communities of network defenders, across a wide variety of sectors, who not only receive and are able to share threat information, but are increasingly capable at using it for collective benefit. We will expand this work, with an initial focus on helping government defend itself better, supported by the Government Cyber Coordination Centre (described in the Resilience chapter). The Financial Sector Cyber Collaboration Centre is already leading the way in the private sector.
Not only are ransomware operators expanding whom they can target, but the group of cyber-attackers able to execute attacks is expanding. The rise of Ransomware-as-a-Service (RaaS) gives low-skilled threat actors access to sophisticated malware strains, lowering the barrier to entry for attackers. RaaS has expanded the criminal ecosystem to include lower-level threat actors who find and attack the targets before installing the malicious software. Threat actors are increasingly using bots to automate the initial attack that gets them a foothold in the system.