Strap in and get ready for a recap of the things that I think have been most interesting rather than highest profile, in 2020. (I have deliberately steered clear of vulnerabilities: there have been plenty, including ‘perfect 10s,’ and generally, patches have been released quickly).
I’ve also thrown in four things I’d recommend reading, and some thoughts on what 2021 has in store to-boot.
January
The year started with a shift in privacy regulation in the United States: The California Consumer Privacy Act (CCPA) - the strongest of America’s patchwork of privacy legislation - heralded as being ‘GDPR-like’ came into force. Whilst it affords some of the same rights, there are plenty of areas where it diverges from European legislation. For example, while it gives Californian resident’s the right to request copies of their data, request its deletion, it also mandates the option to send ‘do not sell’ instructions to businesses.
Travelex’s systems were offline for a large part of January after the REvil ransomware gang successfully attacked the foreign exchange business on New Year’s Eve. Eventually, Travelex would pay the group $2.3M as part of restoring their files. Insurance covered the majority of costs from the cyber incident, and the firm announced a restructuring in May due to the Coronavirus (COVID-19) pandemic and hugely reduced international travel market before finally entering administration in August.
Equifax settled a class-action lawsuit for $380.5M over their 2017 data breach affecting 147 million customers. The settlement netted the attorneys over $77M in fees.
February
The gleefully simple story of a man creating a traffic jam on Google Maps using a cart full of mobile phones captured a lot of imaginations. Breaches of integrity don’t receive the same coverage as those of confidentiality and availability. However, as we place more and more trust in automation, machine learning and artificial intelligence, we have an ever-increasing need to understand the edge cases and unintended consequences of the technology we are developing. A survey from Accenture finds that, on average, 10.9% of IT budgets are spent on cyber security programmes. Meanwhile, a Nominet survey finds 48% of Chief Information Security Officer’s admit that job-stress has affected their mental health and that 23% are relying on medication or alcohol as a coping mechanism
Posturing over 5G and the (eventual) ban on Huawei and other Chinese firms participation in these U.S. network upgrades was rife. Concerns that China may be back-mooring telecoms gear was juxtaposed with a Washington Post expose about how the U.S. Central Intelligence Agency had been secretly running a little-known Swiss company called Crypto AG for over 50 years. The company manufactured diplomatic encryption devices giving U.S. and German intelligence access to sensitive cables and communications. I wrote that ”the conclusion from it all, of course, is that no side is clean in this: all the nations are doing all the cybers. Intelligence agencies will always look for ways to advance their agendas, collect information, or build an advantage.” (More on that later.)
The Emotet malware family gained the ability to brute-force wireless network passwords to help it spread from network to network. The folks at Digital Shadows showed that you can buy a tutorial and the tools needed to mount a phishing campaign for less than $50 in their look into the phishing sector of the cybercrime economy.
March
The industry RSA Conference went ahead against a rise in Coronavirus cases giving us Dr Jessica Barker’s guide to security awareness without fear and a reminder that your mum might make an excellent social engineer.
The output of the Cyberspace Solarium Commission gave us a glimpse into future U.S. cyber strategy. U.S. military doctrine is to ‘defend forward’ — to get into adversaries networks and plant capabilities to disrupt and degrade — in case they are needed in the future. That makes sense if you are, for example, expecting to wage a war in cyberspace against an enemy with a ‘sovereign internet’ that they can disconnect from the World Wide Web. Though that makes less sense when trying to establish strategic deterrence or cyber norms. A Lawfare Blog post titled ‘Digital Strangelove’ compared the strategic deterrence of nuclear vs cyber: “Nuclear capabilities must be revealed to be useful for deterrence. Nuclear deterrence works because nuclear weapons states can deliberately reveal their nuclear capabilities and thus signal the potential consequences for crossing red lines. By contrast, offensive cyber operations against sensitive targets cannot be revealed if they are to be useful at all.”
Sticking with military doctrine, threat intelligence analysts at Booz Allen Hamilton published some interesting research mapping 200 known Russian cyber-attacks to 23 military risks and threats of “The Military Doctrine of the Russian Federation”. In each case, the attack followed a ‘provocation’ in the eyes of the Russian Federation against one of these risks. If your agenda crosses one of these in a way the Kremlin may find objectionable then you can expect Fancy Bear to come knocking.
March was also when, along with the rest of the world, cyber became all about COVID-19. Remote working, phishing lures and privacy concerns all started swirling. Zoom exploded. And the FIN7 group started posting USB drives full of malware to targets.
April
Zoom has exploded on to the scene and the world of cyber security has gone nuts about its security. Largely because it was all new and unknown, and also because everyone is on edge because of the global pandemic. Most of the coverage is covering hypothetical situations, though Zoom has a crash course in why secure defaults are a good idea as ‘Zoom-bombing’ becomes a thing.
It is oft-quoted that organisations face an asymmetric threat (attackers need only succeed once; defenders need to get it right every time.) With such language, it is easy to extend that to a belief that cyber threat actors themselves are somehow infinitely scalable, too. Amidst a frenzy of vendor marketing the ‘COVID cyber threat’ was an unstoppable juggernaut of news, remote working risk and indicators of compromise. You could be forgiven for thinking that, overnight, cyberspace had become a dodgy neighbourhood where you were only two steps from putting a foot wrong. The cybercrime economy is finite though, and overall it was attackers switching tactics, rather than a marked increase in overall threat. Some were even offering discounts as the global economy stuttered.
What was increasing was cloud usage, with Microsoft’s seeing a 775% increase that led to the scaling back some features and functionality to cope with the sudden surge in demand. The cloud is finite, too!
U.K. Supermarket chain Morrisons was cleared of any wrong-doing after an employee posted unauthorised copies of payroll information to three newspapers and dumped it on Tor. It means that the supermarket was not liable for any damages caused by the release of its employees’ data and setting the precedent for ‘insider threat’ cases in years to come.
May
May brought news of a novel attack that proliferated across 75% of an organisation’s Android device fleet after gaining access to the mobile device management (MDM) console. MDM solutions have significant privileges over both company and personal Bring Your Own (BYOD) devices used for company business and may not have the same level of diligence as, say, Domain Administrator accounts. I’m expecting to see more MDM solutions targeted for this type of activity: ransomware groups have been simplifying their malware and removing auto-propagation features in favour of using enterprise IT administration tools (such as MDM). Not to mention that if, as an attacker, you’ve got access to an organisation’s mobile devices, you’ll likely be able to access ‘soft’ authenticator app or SMS tokens. You’ll then be able to try re-used credentials from other breaches to gain access to corporate systems.
Sticking with viruses it was the twentieth anniversary of a different type of pandemic. The ILOVEYOU worm infected over 50 million devices (approximately 10% of the Internet) and caused estimated damages of $5.5-8.7 The BBC tracked down Love Bug’s author, Onel de Guzman, to a repair shop in the Philippines.
Both physical security biz ADT and computer games company Roblox taught us the importance of monitoring customer service agents for suspicious behaviour. In ADT’s case, a CCTV installer had been surreptitiously adding himself onto the home camera systems of their customers.
A new malware variant dubbed Octopus Scanner was found in 26 GitHub repositories. It stood out because of the way it propagates: slipping itself into the code of other software projects that it finds on infected machines. It’s not the first time malware has been snuck into other software projects (I covered software supply chain in 2019’s round-up) and it wouldn’t be the last time we see this kind of thing in 2020.
A paper from the University of Cambridge highlighted that cybercrime is often boring: ”we find that as cybercrime has developed into industrialised illicit economies, so too have a range of tedious supportive forms of labour proliferated, much as in mainstream industrialised economies.” This is a good read to understand more about the cybercrime economy and, for all the high-profile paydays, typical payouts and cash values involved.
June
Ransomware is top of most 2020 cyber roundups and attacks have continued to proliferate. Tactics evolved, with less reliance on self-propagating malware, and more precision strikes on targeted organisations. Latterly groups started stealing information before encrypting it, compromising the availability and the integrity of data. June saw REvil launching auction site for ransomware files as they attempted to increase leverage over victims to pay.
Indian outfit BellTroX Infotech, aka Snowstorm or Dark Basin, was thrust into the spotlight following a Citizen Labs investigation into hackers-for-hire and how corporate investigators may not always appreciate the methods by which intelligence is being gathered. Petra Vukmirovic and Phil Huggins and I present the Open Information Security Risk Universe at the Open Security Summit. You can check out a recap of the talk in this Twitter thread.
Twitter’s handling of an incident affecting business customers got me thinking about the role of minimising consequences in incident response. They delayed notifying customers for over 30 days so data in browser caches were more likely to have been purged.
July
An international law enforcement operation against mobile telecoms Encrochat proved how evolving law enforcement tactics may be more effective than encryption backdoors as they wholesale compromised the encrypted mobile network and devices popular with criminals.
An essay from Bruce Schneier examined how efficiency is the opposite of resilience: “This drive for efficiency leads to brittle systems that function properly when everything is normal but break under stress.” The benefits of automation and other technology are not without consequence and while improvements can still be made, this, I think, is an important point to consider when aiming for a resilient business.
as the US-EU Privacy Shield was struck down in the Schrems II ruling. At its core, the EU Court of Justice found a fundamental disconnect between the EU citizen’s rights and US federal rights, and therefore there was little legal recourse to enforce rights granted to EU citizens under GDPR.
The ‘great Twitter hack’ was another reminder about internal and customer service tools. Over 22% of Twitter’s workforce essentially had ‘admin access’ over user accounts.
Digital Shadows found that user credentials were changing hands for an average price of £12, with domain admin accounts fetching £2,487 on average as an industry of ‘network access brokers’ has popped up within the cybercrime economy. This is quite a development in the cyber threat landscape, I think, as this means there is sufficient incentive for actors to try and compromise any organisation, because that is the commodity they trade in, without considering what the ultimate consequence or harm may be.
August
The EU dips into the ‘cyber diplomacy toolbox’ imposes its first-ever cyber sanctions, bringing travel bans and freezing the assets of six individuals and three Russian, Chinese and North Korean entities. The sanctions target those behind attacks on the OPCW (Organisation for the Prohibition of Chemical Weapons) and behind WannaCry, NotPetya, and Operation Cloud Hopper.
Joseph Sullivan, ex-CISO of Uber, is charged for their role in 2016 data breach cover-up. US Prosecutors say they broke the law by paying attackers that stole the personal data of 57 million people $100,000 in crypto-currency and hiding it from regulators as a legitimate ‘bug bounty’ case.
A ransomware gang allegedly offered $1 million to a Tesla employee to install malware. Fortunately for Tesla, the employee demonstrated substantial integrity, refusing the offer and co-operating with the FBI to gather evidence and catch the perpetrator. Cybercrime is often attributed to distant faceless entities, however, modern ransomware attacks can be extremely targeted and, from a ‘business development’ perspective, spending $1M on potential ransom payments of $4M+ seems like a sensible return on investment for well-funded cybercriminals.
September
The consequences of banning Huawei from U.S. 5G networks was quantified by the Federal Communications Commission (FCC). It will cost $1.8BN to replace Huawei and ZTE equipment used within US mobile networks. 88% will be funded by taxpayers which is just over $11 per person. Meanwhile, China announced its ‘global initiative on data security’ setting out their stall on cyber-norms and trying to ease tensions over Chinese tech companies like Huawei, ZTE, TikTok and WeChat.
More than 4/10 cyber-insurance claims relate to ransomware, though one insurance company reduced this by 65% after they started scanning and reporting on exposed RDP servers to their customers.
Kelly Shortridge’s post On YOLOsec and FOMOsec got me thinking, in combo with some previous writing by Phil Huggins and Phil Venables, on how ‘nailing the basics’ should be core to sustaining current value generation. Practising core competencies until they become second nature should throw up plenty of ways that security controls can be improved thereby improving current value generation.
October
Ransomware attacks increased by 50% in Q3 and the U.S. Treasury issued an advisory on the payment of ransom demands to individuals, groups or regions that are subject to US sanctions. It follows Garmin’s ransomware pavement from the EvilCorp group and increased scrutiny of companies paying up to avoid their data being released in ‘breach-and-leak’ ransomware campaigns. Being personally liable for breaking U.S. sanctions will dissuade many, however, the advisory was pointedly clear that those offering support to firms that have been victims of ransomware, and that enable or facilitate payments, are also on the hook. Squarely aiming at cyber insurance companies (see September!).
The U.K. Information Commissioner fined British Airways £20M after 400,000 customer’s card details were stolen in a card skimming attack in 2018. The penalty shocked many by being substantially less than the original ‘intention to fine’ notice of £183M. £6M was knocked off due to the economic impact of COVID-19 on the airline industry, and BA’s lawyers must have earned their fees for the £150M reduction attributed to the representations made by the airline.
Microsoft used trademark law to take down a botnet and seize the domain used by TrickBot for command and control of infected devices.
November
Hot on the heels of British Airways, the ICO fined Marriott £18.4M for the 2018 breach of their Starwood Preferred Guest loyalty programme. I looked at the penalty in the context of pre-, and post-COVID revenues, as well as a premium on the price Marriott paid in the acquisition of Starwood.
It is estimated that ransomware gang REvil made $100 million in the last year.
The U.S. elections came and went free from cyber-attack. In part because the economics are such that it is far easier and cost-effective to attempt to influence the public using social media accounts and groups to spread misinformation than it is to conduct a cyber-attack.
The U.K’s National Cyber Force was announced formally bringing together intelligence agencies and military personnel engaged in offensive operations that target “terrorism, organised crime and hostile state activity”.
Adam Shostack’s lecture to the Cyber Security in the Age of Large-Scale Adversaries group at Ruhr University Bochum makes some excellent points on the need for cyber ‘public health’ programmes to help tackle systemic cyber security issues. A lot is made of ‘intelligence sharing’ however “we often assume that the right information is being gathered and shared. But again the information is too often about indicators, and less often about problems or mechanisms. The information which is shared rarely enables further research or results in new discoveries.”.
December
TrickBot malware gains firmware tampering capabilities previously only seen in nation-state affiliated malware. Presumably the capabilities are to improve persistence on infected devices, though the destructive capabilities got folks worried.
FireEye disclosed a security breach that ultimately is believed to tie into some blockbuster pre-Christmas news: Software vendor SolarWinds has been breached and malware included in their ‘Orion’ network management product. Ultimately ’Solorigate’ is bad news for the U.S. federal government, but isn’t anything new, and may just be the consequences of ‘defending forward’.
Almost half of CrowdStrike’s incident response engagements originate from outside legal counsel rather than directly from end clients signalling a shift to conducting IR under legal privilege. You need to be careful on how that information is used though, according to a federal ruling earlier in 2020.
Recommended reading
I’ve pulled something from each season that helped me to evolve me own thinking throughout the year and that I’d recommend if you’re looking for something insightful to read (or watch) over the festive period:
- Spring: Digital Strangelove: The Cyber Dangers of Nuclear Weapons lawfareblog.com
- Summer: Cybercrime is (often) boring cam.ac.uk (PDF)
- Autumn: The security value of inefficiency schneier.com
- Winter: We Need A Discipline of Cyber Public Health youtube.com
Honourable mentions also go to Kelly Shortridge, Phil Huggins and Phil Venables: swagitda.com, blackswansecurity.com and philvenables.com respectively.
What about 2021?
There were four themes to my 2019 retrospective: the digital divide, or Balkanisation of tech, the rise of trust and transparency, importance of software supply chains, and ransomware. Twelve months on, in my 2020 retrospective, they seem as relevant as ever.
The fallout from Solorigate brings some aspects of the digital divide, and consequences of defending forwards, together with supply chain security. It will undoubtedly receive attention from the incoming Biden administration. It’s taking a long time to address basic IT security hygiene and software supply chain security is, in many ways, about development basics and code quality.
The ’crypto wars’ and public policy debates over end-to-end encryption and need for legal, backdoor access will also continue, though this year has shown some more innovative thinking can yield far greater results than replicating wiretapping capabilities in cyberspace.
Looking at things more relevant to organisations day-to-day…
Thoroughly unsexy, however, changes made to the maximum age of SSL certs will no doubt cause outages, as folks forget to renew them, and as older Android devices no longer have current root certificates on them. Consider your certification revocation and renewal process as a candidate for something worth exercising before you need to do it.
The rise of multi-factor authentication will focus threat actors attention on mobile device management solutions as they targeted for access to corporate resources. As a bonus, they can also use those devices in ransom attacks or to steal personal data and intellectual property.
Azure blobs will become the new S3 buckets. Get familiar with the Azure Security Centre.
And that, after well-over 200 hours (or a working month!) or writing, editing and publishing, brings us to the end of Robin’s Newsletter Volume 3.
Thank you so much for subscribing, and feedback and, if I may ask a favour, please consider sharing this with someone else you think would find it interesting.
Happy New Year, and I’ll see you next week.