This post in our VC-series comes from Alberto Yépez and Don Dixon, managing directors of Trident Capital Cybersecurity.
It’s a new year, and we are poised again for another round of malicious, often successful cyberattacks, many of which will draw upon ever more sophisticated technology. And some of which will be surprisingly deceptive.
Take, for example, so-called “onion-layered” security incidents, which IBM security researchers recently identified as one of the top cybersecurity trends they saw in the final quarter of 2015. We believe those will get worse in 2016. In these situations, while teams address a primary, more-visible attack, a secondary attack, often significantly more damaging, is uncovered. This classic subterfuge—resurrected for high-level criminal use in the 21st century cyber-realm—is particularly time-intensive and expensive to address.
Onion-layered attacks are just one of a number of challenges we see unfolding this year in the cybersecurity arena. As early stage venture capitalists specializing in cybersecurity investing, it is our business to know the biggest and potentially costliest cyber-trends on the horizon and to painstakingly scrutinize, vet and then invest in select startups to remedy the problem. We certainly don’t want to become backers of a member of the so-called “Game of Clones”—the name attached to the proliferation of vendors who, according to investment banking firm BTIG, all address, lemming-like, an “alphabet soup” of security problems and have relatively minimal annual revenue, if any.
Here are seven additional trends we see evolving or unfolding this year:
1. Targeted spear phishing. The easiest way for a cybercriminal to access valuable data is often by tricking persons into divulging their user names and passwords. This is easier than writing sophisticated computer code. What is new about phishing attacks is the targeting of high-level executives and others with a high security clearance. Educating targets is insufficient. What is also needed is real-time monitoring and scanning systems with blocking capabilities.
2. More ransomware. This is malware that takes something from the computer user and demands a ransom to return it. One piece of ransomware, the recent CryptoWall v3, which often relies on social engineering techniques, has cost hundreds of thousands of users globally more than $325 million so far, according to the Cyber Threat Alliance.
There are essentially two types of ransomware. One locks a computer system and tricks the user into believing that a ransom payment is required to unlock it. Generally, no harm is done to the system and no information is stolen. The other, more serious type of ransomware encrypts files on a system’s hard drive and requires a ransom payment to get the keys to decrypt the files. It is very difficult, if not impossible, to break the encryption, and information is sometimes lost during these attacks. One variant of this ransomware encrypts not only hard drive files, but also the network-shared data, potentially targeting more users.
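The distinction between the two ransomware types above has a practical detection consequence: a locker leaves file contents intact, while a crypto-ransomware rewrites documents as ciphertext, which shows up as near-maximal byte entropy in files that should be plaintext. The following Python script is an added example, not code from the original post or from any vendor it mentions; the share contents, file names, thresholds and the SHA-256-based stand-in for encrypted output are all constructed for illustration.

```python
"""Entropy-based check for crypto-ransomware activity on a file share.

Added example, not from the original post.  A locker-type infection leaves
file content untouched, so nothing here fires; a crypto-ransomware rewrites
files as ciphertext, which appears as near-maximal byte entropy in files
that should be text.  All names and contents below are constructed.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; plaintext usually sits well under 6
ALERT_FRACTION = 0.5      # share of suspect files that triggers an alert
MIN_SIZE = 256            # tiny files give unreliable entropy estimates

# Formats that are legitimately high-entropy (compressed or encrypted by design).
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True if a file that should be plaintext has ciphertext-like entropy."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in KNOWN_HIGH_ENTROPY or len(data) < MIN_SIZE:
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan_share(files: dict) -> dict:
    """Scan {name: content} and report suspect files plus an alert flag."""
    suspect = sorted(n for n, d in files.items() if looks_encrypted(n, d))
    fraction = len(suspect) / len(files) if files else 0.0
    return {"suspect": suspect, "fraction": fraction, "alert": fraction >= ALERT_FRACTION}


def pseudo_ciphertext(label: str, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output.

    Constructed for the example via SHA-256 chaining; it is not encryption."""
    out, block = bytearray(), label.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


def plaintext(label: str, length: int = 4096) -> bytes:
    """Constructed low-entropy document body."""
    line = f"{label}: quarterly figures, region, product, units, revenue\n".encode()
    return (line * (length // len(line) + 1))[:length]


# Constructed sample share in its normal state.
HEALTHY_SHARE = {
    "report.txt": plaintext("report"),
    "customers.csv": plaintext("customers"),
    "notes.md": plaintext("notes"),
    "photo.jpg": pseudo_ciphertext("jpeg-data"),   # legitimately high entropy
}

# The same share after a crypto-ransomware pass: the text files are now
# ciphertext and one of them carries an appended extension.
HIT_SHARE = {
    "report.txt": pseudo_ciphertext("report"),
    "customers.csv.locked": pseudo_ciphertext("customers"),
    "notes.md": pseudo_ciphertext("notes"),
    "photo.jpg": pseudo_ciphertext("jpeg-data"),
}

if __name__ == "__main__":
    for label, share in (("healthy", HEALTHY_SHARE), ("hit", HIT_SHARE)):
        print(label, scan_share(share))
```

Run against a real share, `scan_share` would be fed file contents read from disk on a schedule; the fraction threshold matters because a single high-entropy file is routine, whereas most of a share turning to ciphertext within one scan interval is the network-share behaviour the text warns about.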
3. Continuation of porous defense against malicious insiders. Surprisingly, many attacks have an insider component, even if it is just some sort of mistake. Among other things, insiders erase router configurations and make unauthorized rule changes to firewalls. Because it is sometimes difficult to distinguish these malicious steps from normal service outages, some situations persist for weeks before the start of a formal investigation.
Remedying the problem in this particular case is usually more a matter of accountability than technology. Bad password policies, for example, continue to compromise employee termination procedures. When a system or network administrator leaves an organization, disabling their personal accounts doesn’t always limit their ability to cause damage. Sometimes former ill-willed employees can still access shared company accounts.
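The accountability gap described above (a departed administrator's personal account is disabled, but shared credentials they knew are never rotated) is easy to audit mechanically. The Python script below is an added example, not code from the original post; the account inventory, names and dates are constructed, and the rule set (disable any still-enabled personal account; rotate any shared credential the departed person knew that has not been changed since their departure date) is an assumption about what an offboarding checklist should enforce.

```python
"""Offboarding audit: find accounts a departed employee can still use.

Added example, not from the original post.  It checks two things the text
calls out: personal accounts that were never disabled, and shared
credentials the departed person knew that have not been rotated since
they left.  The inventory below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Account:
    name: str
    shared: bool                 # True for service/shared accounts
    holders: set = field(default_factory=set)   # people who know the credential
    password_rotated: date = date(1970, 1, 1)
    enabled: bool = True


def offboarding_gaps(accounts, person: str, left_on: date):
    """Return (account, action) pairs the offboarding process has not closed."""
    findings = []
    for acct in accounts:
        if person not in acct.holders:
            continue
        if not acct.shared and acct.enabled:
            findings.append((acct.name, "disable personal account"))
        elif acct.shared and acct.password_rotated < left_on:
            findings.append((acct.name, "rotate shared credential"))
    return sorted(findings)


# Constructed inventory: "jdoe" left on 2016-01-04.
INVENTORY = [
    Account("jdoe-admin", shared=False, holders={"jdoe"},
            password_rotated=date(2015, 6, 1), enabled=False),     # correctly disabled
    Account("jdoe", shared=False, holders={"jdoe"},
            password_rotated=date(2015, 6, 1), enabled=True),      # missed
    Account("svc-backup", shared=True, holders={"jdoe", "asmith"},
            password_rotated=date(2015, 3, 15)),                   # never rotated
    Account("router-enable", shared=True, holders={"jdoe", "asmith"},
            password_rotated=date(2016, 1, 10)),                   # rotated after departure
    Account("svc-monitoring", shared=True, holders={"asmith"},
            password_rotated=date(2015, 3, 15)),                   # jdoe never had it
]

if __name__ == "__main__":
    for name, action in offboarding_gaps(INVENTORY, "jdoe", date(2016, 1, 4)):
        print(f"{name}: {action}")
```

The `holders` set is the piece most organisations lack: without a record of who knows each shared credential, the only safe policy on a departure is to rotate every shared credential, which is exactly the expensive step that gets skipped.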
4. Sophisticated hackers target geopolitical conflicts as cyberskills become more widely available. In the recent past, cyberattackers focused on entities on both sides of the Russia-Ukraine conflict. Other attacks targeted Hong Kong protests, territorial disputes in the South China Sea, and Israeli military operations in Gaza. This is certain to increase as a tool of foreign policy objectives. As it does, industrial control systems supporting national infrastructure also become targets.
5. Poor security basics undermine corporate risk management. When a corporation or other organization is the target of a cyberattack, it must work hard to learn from the episode. Among other things, it must profile the culprits, learn their modus operandi, and adopt strong countermeasures. Even so, entities must also do something simpler and more important—master and rigorously implement security basics.
Far too many organizations have yet to do so. They still don’t manage passwords properly and do not require two-factor authentication. In addition, most corporations still have too many unpatched vulnerabilities that will be exploited and accept too many web security flaws.
6. Hacker expertise continues to grow. Hackers have become extremely skilled, highly specialized and increasingly global, and this trend will keep growing. Predictably, many hackers concentrate on finding exploits in software. When successful, they think big, not small. Rather than use the knowledge they have acquired, they often sell their work to others who specialize in packaging exploits and running them through botnets. Making matters worse, many rent their botnets to still other hackers.
In many ways, the ecosystem that has been created resembles a sophisticated industry as much as a criminal enterprise, and it has the revenue to prove it. Consider, as an example, Russia, which has emerged as a global epicenter for criminal hackers. According to software security group Kaspersky Lab, a group of roughly 20 Russian hackers has stolen more than $1 billion from global bank accounts in the past three years, heavily impacting Europe and the United States, among other places.
7. Cyber information sharing and collaboration will increase. (But more progress is necessary.) Rapid information sharing between the government and the private sector helps block cyberthreats before significant damage occurs. Fortunately, the Department of Homeland Security is on the case via its Cyber Information Sharing and Collaboration Program (CISCP). Information shared via CISCP allows participants to better secure their networks and helps support the shared security of CISCP partners. There is room for improvement, of course, because the government and private sector need to build more trust in each other. One example of insufficient trust is the apparent stalemate between the government and Silicon Valley regarding adoption of a “back door” encryption key.
Will there be meaningful progress in 2016, given this list of challenges? Yes. It will be gradual, however. Cybersecurity didn’t become such a huge threat overnight and it won’t be remedied overnight.
What counts is progress.