The Internet is the new frontier for crime, and an increasingly profitable frontier at that.
The average cost to a U.S. organization due to computer hacking is an astonishing $15.4 million annually, among the companies surveyed by the Ponemon Institute for its 2015 Cost of Cyber Crime study. Industry experts believe that many security incidents go unreported and the actual amount may be significantly higher. In a world where computers are used virtually everywhere and a web address is the lingua franca for global business, the mandate to protect our digital realm has never been more important.
As we think about information security within personal, organizational and national dimensions, it is important that we understand who the attackers are and how they operate so successfully in order to create solutions to counteract them.
The hacking ecosystem is breathtaking in its breadth and sophistication. It is no longer limited to rogue actors and the disaffected youth. Organized crime took notice of the opportunities in cybercrime more than 20 years ago and has built a complex, specialized economy. Some groups build the hacking tools and sell them for an exorbitant profit. Others buy the hacking tools and use them to attack organizations to steal valuable assets or blackmail the target to stop attacks and return property. Still others exist to launder stolen assets through a myriad of digital currencies. It is an economy that works very well for the bad guys.
Unfortunately, it gets worse. It isn’t just a matter of criminal organizations. Nation-states are stockpiling cyber weapons capable of disrupting power grids and banking systems, among other targets. Political activists and terrorists are also significant players in efforts to destroy their enemies through digital means.
The cybercrime economy is robust. A company recently paid $1 million for a single remotely exploitable vulnerability for the latest version of iOS. These vulnerabilities are converted into highly advanced malware that may operate in stealth for months or even years, replicating silently, draining its host, or waiting for the perfect time for a massive attack.
When we consider the efforts of the good guys to mitigate the risks of these advanced threats, the task is not hopeless, but it does require information security professionals to completely rethink their strategies. When computer viruses appeared at the rate of a few per year and the value of the data was relatively modest, we focused on preventative solutions.
In a world where even cars are being attacked by hackers, the sheer number of threats overwhelms this approach. The smart money is going towards making our organizations more nimble and intelligent in responding to attacks. Detecting attacks more quickly, containing the extent of the damage and effecting a rapid recovery have great potential for improving our cybersecurity posture. Advanced organizations are becoming more proactive and are “hunting” for indicators of compromise or particular exposures and are taking action on these before they have an opportunity to manifest.
There are several evolving areas of interest for information security professionals. Detecting incidents more quickly, understanding the end goals of the attacks and finding creative solutions for survivability are gaining attention. Many companies are investing in threat intelligence, which not only provides greater insight into active hacking groups but may even predict which companies they are targeting. We are also seeing an increase in the use of Big Data to perform security analytics across virtually every computer an organization has, in order to find correlated activities that may indicate a compromise.
One of the most promising ways to improve proactive security, and one which merits much greater use, is information sharing of security incidents.
Today, it is quite common for an organization that was hacked to remain quiet about it unless it has a specific mandated reporting requirement. The analogy of information security teams acting as private fire departments, putting out their own fires but watching the neighbor’s house burn down, is apt. Sharing of incidents may not be extremely useful to the very first company attacked by a specific instance of advanced malware. However, each successive organization that receives the incident information will reap an enormous windfall, as it will be able to prioritize and respond to serious problems. Those who purchase an iPhone bug for $1 million are counting on a significant half-life for that vulnerability and an ability to monetize it over the course of thousands of attacks. Incident sharing disrupts the economics of the bad guys, while providing the good guys with actionable intelligence to catch a hack in progress much sooner in its lifecycle.
We think the concept of incident sharing is powerful, but must be implemented in a structured way. Communities that share must have their participants vetted, and must have their identities protected. Rackspace, where I work, is committed to working through the challenges of incident sharing, and recently agreed to chair an effort to create a Cyber Incident Sharing Center for cloud providers with the Cloud Security Alliance.
We expect to lead efforts to work with our competitors to make information sharing of security incidents a common part of the next generation of information security strategies and a major disruption to the Internet criminal underground. At present, it profits from our inability to collaborate.
Brian Kelly is chief security officer of Rackspace. He participates in the Techonomy 2015 panel “Catch Me If You Can” about hacking and cybersecurity on Mon., Nov. 9, at 11 a.m.