Hacker Headspace
Although attackers cannot be pigeon-holed as having a single aim and inclination, they are, broadly speaking, driven by one of several things. While many are motivated to reveal weaknesses for the force of good, others seek to attack corporate firms for financial gain, or are government actors hoping to inflict espionage on other nation states. Those attacking large businesses search for customer financial and personal information, and may have commercial interests in acquiring product plans or intellectual property. Financial services firms and retailers with lots of credit card information are also likely targets. In addition, businesses’ critical infrastructure, such as utilities, power generation, and oil and gas are in the firing line.
“Money-motivated cybercriminals usually work for themselves or in small organised gangs,” says Guillaume Lovet, Senior Manager, EMEA FortiGuard Labs, Fortinet. “Most of them buy the tools needed to go after bank accounts – via ransomware and banking Trojans – very few of them make and sell those tools. Hacktivists tend to work alone, in tight gangs, or in loosely organised herds; political activism is their goal. State-sponsored hackers are hired – and sometimes trained – by governments, to perform political and economic espionage, or conduct cyberwar strikes. Freelance vulnerability researchers selling zero-day vulnerabilities to the highest bidder somehow fit in this category – since bidders are states.”
Ghareeb Saad, Senior Security Researcher, Global Research & Analysis Team, Middle East, Turkey and Africa, Kaspersky Lab, is all too aware of the meticulous planning that hackers use to achieve their means. “Cybercriminals can make millions of dollars in their own homes, with a rather low risk of getting caught,” he says. “There are large cyber-gangs with members all over the world. Instead of hiring muscles and guns these gangs are searching for hackers and malware developers. They have very organised structures like large enterprises, they have top managers who form strategies and select targets, and they have technical teams which consist of hackers and developers to create malware, fake websites and find vulnerabilities used for attacks.”
Nicolai Solling, Director, Technology Services, Help AG, sees the Middle East as an attractive prospect for attackers, “Location is very important in determining whether or not you will be attacked,” he says. “Typically the Middle East has seen a very high level of infections which is often attributed to English not being the first language, a lot of money in the region as well as critical installations such as oil and gas, which are often targets of cybercriminals.”
The rise of the Internet of Things serves as a 21st century headache for security, echoing the Greek mythological monster Hydra, who would sprout two more heads every time one was cut off. With 50 billion ‘things’ destined to be connected to the Internet by 2020, IT will have to find a way to secure the explosion of endpoints around the world.
The IoT promises to bring more threats, but in the meantime, there are other more pressing concerns, says Jason Hart, Vice Presdient, Cloud Solutions, SafeNet. “Hackers are quite resourceful and target a host of different frailties including Web vulnerabilities; some specialise in rehashing tried and tested vulnerabilities as part of a modern attack,” he says. “Organisations can easily be vulnerable to a denial of service attack, spear phishing, targeted email attacks, as well as computer network attacks, which can disrupt the integrity or authenticity of data. This is usually done through a malicious code that alters the program’s logic that controls data, leading to errors in output. Some of the other most common vulnerabilities are those found in Web application frameworks, password vulnerabilities, as well as the lack of security in public wireless networks.”
In the age where security firms are constantly doing their utmost to thwart the actions of malicious hackers, one flaw that they perhaps cannot directly prevent is attacks that occur via social engineering techniques. “More and more hackers are using social engineering techniques to manipulate trust,” says Dr. Tamer Aboualy, Chief Technology Officer, Security Services, IBM MEA. “For example, hackers can provide free USBs which contain malicious software, or email attachments that contain malicious content. If it is easier to compromise the CEO, COO, CFO or other executives due to relaxed security on their phones, mobile devices, or computers, then this is much easier than hacking the corporate website.”
Keeping pace with hackers is a never-ending cat and mouse game for security firms and law enforcement agencies, with evidence proving hard-to-come-by and the attackers’ element of surprise always rendering them the reactive parties. This unpredictability means that a variety of victims face the constant menace of the hackers’ technical skill and strategic offense. Getting to the bottom of attacks often poses a huge challenge, with sophisticated malware and obfuscation capabilities leaving incident response and forensics investigations as some of the few procedures of repair, not initial prevention. The UAE’s penalty for cybercrime is a maximum fine of 200,000 AED or even jail time, but if authorities are left chasing shadows this can be difficult to impose.
“When it comes to cyber-attacks, attribution is very difficult, often impossible,” says Mahmoud Samy, Regional Director, Middle East, Russia, CIS, Arbor Networks. “There are many reasons for this, from the sophisticated malware they use with extensive obfuscation capabilities built-in to the very nature of distributed, connected global networks. Understanding how an attacker succeeded can be exceedingly difficult, resulting in lengthy and costly incident response and forensics investigations. Increasingly, organisations are looking to use security analytics to help speed up the IR process.”
Crucially, the ability for attackers to hack into systems from remote locations means authorities are often powerless to act against such individuals. “The threat of prosecution will deter only the least malicious attackers living in the country or the region,” Vanja Svajcer, Principal Researcher, SophosLabs, says. “However, we live in a connected world and the attackers can physically be anywhere and employed by any organisation. The threat of prosecution will certainly not be enough to deter persistent, serious attackers backed by strong organisations and motives.” With few examples of successful prosecution, hackers know that only in the case of high profile financial loss cases will they be brought to justice.
However, before legal action can even begin, security firms first need to find a way to have a proactive, rather than a reactive approach. This is a huge challenge, simply because the side that strikes first – that of the hacker – has the upper hand. This means that as well as knowing that prosecution remains unlikely, they invariably remain on the front foot, allowing for more ambitious – and audacious – moves. “It will always be a catch up game and that is the nature of the attacker, because they will always have the element of surprise as they chose the time for an attack,” says Alaa Abdulnabi, Regional Pre-Sales Manager, Turkey, Emerging Africa & Middle East, RSA. “We need to accept this fact, and establish critical incident response centres and build the capabilities to detect attacks as early as possible, before it is too late. We will not be able to prevent every attack, but we can definitely arm organisations with the best monitoring, detection and response solutions to keep an eye on the environment in real time, looking for suspicious activities. Early detection means minimal damage.”