Aspen Security Forum: Malware Gets Smarter, Faster and More Destructive

As they battle against cyber criminals and hacker groups associated with nation-states, companies and governments are under growing attack from all quarters. But are they prepared to handle what’s headed their way?

To be sure, the same question might have been raised five or 10 years ago. But as security managers struggle to respond to the increase in both the scope and intensity of cyber threats, incidents that once might have triggered apocalyptic headlines are now brushed off as “run-of-the-mill events that we actually pay very little attention to as they come and go,” said Garrett Graff, who moderated a cyber security panel at the recently-concluded Aspen Security Forum.

“We’ve seen two major American cities, Baltimore and Atlanta, effectively crippled for days, weeks, months at a time by ransomware attacks,” said Graff, the executive director of the Aspen Institute Cybersecurity & Technology Program.

What’s more, he added, attacks against major US companies have caused financial damages “that to people on this stage 10 years ago would have been the worst case scenario they could have imagined, really seem like things that we no longer are worried much about.”

No argument that attackers are testing defenders with new technologies and stratagems to catch their victims off guard. Jeff Greene, Symantec’s vice president of global government affairs and policy, pointed to a recent incident where a finance executive at a company received an urgent voice mail from his boss, ordering a wire transfer. Only one problem: It was a fake audio message.

“This is the old landscape in a new iteration,” Greene said. “It is using psychology, melding it with technology and getting people to do things that they not going to if they stop and think about it. But this idea that someone is going to spoof the voice of your CEO or your boss or the president or whoever is pretty frightening and unfortunately, it’s not that complicated. If you Google ‘make deepfake audio, make deepfake video,’ you will find tools online that will help you do that…it’s a variation of an old scam – another iteration of the business email compromise, but it is just one more thing that people need to start thinking about.”

Malicious hackers, who use artificial intelligence technology to create these so-called deepfakes, can create recordings to dupe listeners into believe that someone said something they hadn’t.

“And this particular one was financial theft, but you can imagine the impact it could have in a political atmosphere,” said Greene. “The video doesn’t even have to be that good to dominate the news cycle for a couple of days and create a distraction, perhaps in the last stages of the campaign. It's always a game of trying to stay one step ahead of the attackers but this is a new one. We’ve been told, `Look, your email is suspicious so don’t click on that link.’  But we haven't been told be suspicious about the voicemail you received and we're moving into that world.”

The net effect of new and old attacks is taking its toll to the point where most companies now suffer little incidents almost every day, according to Kelly Bissell, a senior managing director at Accenture, which recently co-published with the Ponemon Institute a study of the cost of cyber crime.

Bissell said that the cost of cyber crime has climbed from last year by about 30%, faulting organizations for failing to more systematically roll out tools and processes to mitigate their vulnerability to attacks. “So many companies will deploy a tool in a pilot environment, if you will, and then stop,” he said. “Then a new shiny tool will pop up and they try to get that installed too. The ones who actually pick someone like a Symantec or some other vendors and then deployed across the Enterprise and at scale - they get breached less than one-half of everyone else.”

He further noted that that virulence of recent malware attacks has dramatically compressed response times, leaving many organizations scrambling when their number comes up.

“There is no way a human can find some malware and make a decision and do anything about to reduce the risk,” he said.

Blocking and Tackling

Greene expressed concern about the “normalization of destructive malware attacks,” which marks a change from the previous focus of cyber criminals on stealing data, IP, and personal information to carry out identity theft.

“What we are seeing now is the widespread and common usage by common criminals of destructive malware; they go on your computer, they wipe it and it’s destroyed. You can never use it again. And the new variants we’ve seen - Shamoon was a big one inn 2012. Back then, the way it worked was if you had good forensics you could pull a lot of data off it. Now, before they brick the computer, they delete the data, so your recovery is further complicated.”

At the same time, Greene said that security experts have had to face a new reality when it comes to defending against destructive attacks.

“We need to reconceptualize what destructive means and think about the flat-out destruction of hardware as a new form of attack,” he said.

In years past, ransomware attackers might have gone after individuals, holding a victim’s pictures or other personal data hostage until they paid up. Now, attackers deploy sophisticated, staged tactics and they wait for the right moment until enough computers are compromised to allow them to take down a company or a municipality.

“And if you don’t pay up,” Greene said, “you’re looking at destroyed devices.”

In the meantime, Greene and others on the panel said the best defense starts by reinforcing basic cyber security hygiene around patching and other best practices. As basic as that sounds, however, he said many organizations still give it short shrift.

“We're still not doing the basic things because I think there's still a sense of ‘It will happen to the other’ and cyber security is still too often considered as the extra,” he said. “When I worked at a bicycle shop after college, we would lock the door every night because we didn’t want anyone to steal our bikes. No one had to incent us or tell us to do that. It still feels that to too many organizations, cyber (security) is something that they’ll do if they get to it, not as a baseline of doing business today and that’s a mindset we need to change.”

See Hugh Thompson, Symantec's CTO, discuss the financial implications of Deepfakes Here.