As Cyber Crime Intensifies, Focus on Critical Exposures
While most industries are trying to weather the tides of political instability, economic constraints, trade volatility, regulatory changes and talent shortages, one industry appears to have rapidly risen above it all: the world of cyber-crime.
Cyber criminals are now pocketing an estimated $1.5 trillion annually — five times the approximate cost of natural disasters in 2017 and $500 billion more than U.S. insurance industry net premiums written in 2017, according to S&P Global Market Intelligence.
Business leaders see cyber-attacks as their single biggest threat — bigger than terrorism, the threat of financial crisis or climate change. That concern is well placed. The Darknet has democratized crime, enabling cyber-crime-as-a-service to thrive. Non-hackers can hire criminal experts almost as easily as choosing a plumber from Angie’s List. For would-be criminals with a DIY mentality, the Darknet has handy kits packed with everything a fledgling criminal needs to embark on a lucrative career.
“There are so many resources out there for cyber criminals,” said Dan Frusciano, senior vice president, IronPro. “You can buy malware kits on the black market for a couple of thousand dollars. There’s a huge market for this.”
And despite the rapid development of security technology and strategies, cyber defenders are still relatively outgunned when measured against the sheer scale of the threat.
The breakneck speed of growth in connected technology certainly hasn’t helped. Organizations are more vulnerable than ever, thanks in part to an ever-expanding attack surface. By 2025, the number of interconnected devices in the world is projected to exceed 75 billion, opening up virtually endless opportunities for criminals to attack.
Worse, more than a few of those devices “are being rushed to market where security is a little bit of an afterthought,” said Garin Pace, cyber product leader – Financial Lines & Property for AIG. “And I think that’s a disturbing trend.”
And the potential rewards make cyber crime an irresistible draw for the opportunistic.
“The financial motivation for cyber criminals to perpetrate a ransomware attack, for example, is exponentially larger than any financial motivations we could have to try to defend against it,” said Kelly Geary, managing principal and U.S. cyber practice leader with EPIC Insurance Brokers & Consultants. In fact, a 2015 report placed the ROI for ransomware operations at an estimated 1,425 percent.
Combined with relatively low risk, these factors make cyber crime the worst kind of perfect storm, said Geary. “It’s essentially an anonymous criminal act. It has no geographic limitations. It has a very strong financial motivation. And on the other side of it, whether you’re talking about law enforcement, about IT professionals, about large or small organizations — they simply don’t have the resources or the skills to respond. We’re so far behind the eight ball. And I think that’s going to be a big issue in the coming year.”
“Unfortunately, businesses are not learning fast enough to cause the criminals to do something different,” said Pace. “They’re still using phishing and malware, and they’re taking advantage of stolen credentials. [Meanwhile] there are businesses still leaving lots of data unsecured.”
New Twists on Old Strategies
With experience and advanced technologies, criminals have found ways to improve upon already effective attack methods such as social engineering and have made them increasingly difficult to defend against.
Experts reported a spike in social engineering schemes where attackers insert themselves into legitimate transactions between companies and their clients or vendors.
“We’re seeing that on some of our lines of business, especially real estate, where they’re getting targeted around closing time,” said Frusciano. Attackers might slip into an email thread about a down payment and inform the buyer that the bank set to receive the down payment has changed, and neither party will be the wiser.
“That was a huge 2018 loss, and I think it’s going to continue for a while,” he said.
Even for the astute, spoofed communications are harder than ever to tell from the real thing. AI, machine learning and natural language processing have ushered in a new era where emails can perfectly mimic a target’s writing mannerisms, and even a phone call can be faked well enough to convince a skeptical accounting employee that he or she is taking wire transfer orders from the boss.
AI-powered technology like deepfake video has the potential to dupe someone into thinking they’re talking to the boss face-to-face. While it hasn’t yet been utilized in a successful social engineering scam, it’s probably only a matter of time.
“AI is definitely a strong capability that allows the attacking organizations to process a lot more data and glean interesting insights from it in a better fashion,” said Ofer Israeli, CEO of Illusive Networks. “I think it’s being utilized quite widely — it’s providing value.”
“AI and some of the other emerging technologies are creating a risk-reward equation for cyber criminals that is so much more favorable to them than it already was,” added Geary.
High confidence in the appearance of authenticity is emboldening criminals to try for ever-higher bounties. Under the guise of completing a foreign acquisition, attackers pocketed $18.6 million this past November from the Indian branch of energy, chemical and engineering research firm Tecnimont S.p.A.
Ransomware attackers are also switching things up to maximize their profitability, analyzing targets and setting ransom amounts based on company characteristics.
“They’re scoping around the network to determine what the proper ransom amount should be,” explained Frusciano. “You know it’s ‘this company doesn’t have good backups. We can tell that they’re doing XYZ revenue a day. We’re going to ask them for $1.2 million’ where maybe it [would have been] $25,000 in the past.”
“We’ve seen the demand go up,” agreed Jeremy Gillespie, area vice president – Midwest cyber team leader with Gallagher, citing the case of a client who’d received a $700,000 ransom demand “and that was after they brought in a specialized firm to negotiate. So the demand was probably even higher at some point. We’ve heard stories of ransom demands over a million dollars.”
As demands rise, so do the stakes. Increased reliance on IoT and automation and industrial control systems has opened new doors on what criminals can accomplish using more or less the same methods.
In 2017, guests at a luxury hotel in Austria discovered their key cards no longer worked. Hackers had infiltrated the key card system, demanding payment in order to release it. With the hotel at full capacity at the beginning of the ski season, it took only 90 minutes for the hotel to choose to pay their attackers.
A recent attack on the Los Angeles Times, thought to be related to the Ryuk ransomware virus, disrupted the delivery of the Los Angeles Times and Tribune newspapers across the entire U.S.
“Now they’re causing varying impacts,” said Pace. “We used to worry about ‘Oh, they’re going to steal my data or they’re going to ransom my data to make some money.’ Now [criminals are thinking] ‘why go after your data when we can ransom your entire system’ — the system you need to create widgets or to run your hospital.”
Other variations on the ransomware approach appear designed to capitalize on companies’ increasing sensitivities around reputation. A type of attack quirkily named “badness planting” doesn’t require malware or encryption. Instead it involves placing damaging or embarrassing material such as emails, photos or videos somewhere in a company’s PCs and servers and making demands in exchange for the removal of the files. Even if the damaging material is fabricated, victims still face significant risk.
“Even if you could ultimately determine that it was false, has the damage already been done?” said Geary. “Even if the [victim] says ‘well, this isn’t me, you can’t prove that this is me,’ it will certainly look that way. You can fight against it after it’s released, but how will your reputation hold up?
“If you’re looking at it from an insurance or risk analysis standpoint, how do you protect against that?”
Geopolitical Threats on a Growth Arc
While profit remains the primary driver of most attackers, several of the most dramatic incidents in recent years were designed for mayhem.
NotPetya, originally assumed to be a form of ransomware, disrupted everything from banks to shipping companies and nuclear facilities in numerous countries. Russia is believed to be behind the attack even though officials deny it.
The WannaCry ransomware campaign, believed to be the work of North Korea, hit computer systems worldwide, spreading chaos from the UK’s National Health Service to U.S. hospitals and Russian banks.
Russia, China, North Korea and Iran are known to have cyber arsenals that are of increasing threat to the West. But U.S. intelligence officials reported in January 2017 that more than 30 countries are developing offensive cyber attack capabilities, raising the specter of business interruption as well as physical damage across critical infrastructure, including energy, transportation, health care and more.
“Over the next five years, technological change will only accelerate the intersection of cyber and physical devices, creating new risks,” officials wrote.
“We see more actors out there today that we believe have the capability or are developing the capability to really understand some of those cyber-physical interfaces and reach across and cause those kinds of disruptions in the tangible world,” said AIG’s Pace.
“And you see fewer norms restricting them from doing so. There have been some incidents where critical infrastructure was targeted. Power was targeted in the Ukraine. There was an attempted attack [where] the only possible motive to carry out the attack that way was to cause massive destruction at a petrochemical processing facility. It is becoming acceptable for those types of attacks to happen.”
What’s more, it raises the possibility of “leakage” from nation states to cyber criminals, said Illusive Networks’ Israeli.
“Many countries have a cyber command and a whole cyber strategy … which means they’re investing a lot of energy in providing very sophisticated threats of zero-day exploits and things of that nature. Part of the challenge the world has in cyber is that if something is out, it’s out, and it can be utilized by a different threat actor pretty easily. So if I’m a cyber criminal and I get hold of something that Iran has developed, I can weaponize that very quickly and use it.
“There’s definitely spillage to more threat actors, so pretty advanced capabilities are out there in the hands of many different people.”
Focus on What’s Manageable
Carriers have a sharp eye on all of these risks, including the potential for a significant attack on a cloud service provider, and the impact of aggregation risk within their own portfolios.
“From our perspective, the biggest concern is around aggregation,” said Matthew Honea, director of cyber for Guidewire Cyence Risk Analytics. “No one wants to have a cyber hurricane, a cyber earthquake, catch them off guard. It’s a matter of understanding where are the fault lines, where are the hurricane paths? Vulnerabilities are going to be growing every year.
“So they need to identify where the software lies, what service providers they rely on and diversify their risk, because it only takes one vulnerability, one outage, to really cause a lot of damage to an insurer’s portfolio,” said Honea.
Still, carriers want risk managers to keep a sense of perspective about the growing cyber threat level and focus on the exposures they can impact.
“The majority of incidents are attackers looking to make some money,” said Pace. “They don’t even necessarily go looking for your company name, they go looking for someone who is vulnerable.”
“It’s always going to be a battle between the threat actors and the companies that are trying to ward off the attacks, detect them and stop them,” said Gallagher’s Gillespie. “But a common point that is never going to go away, whether you get the best security available or not, is always going to be the human element. There are always vulnerabilities in the system because of mistakes made, the social engineering attacks, the spear phishing.
“[What’s important] is finding ways to address those weaknesses — by training, by awareness, by two-factor authentication, by doing all of that. That’s the best thing that you can do to stop the attacks.”
“It has to start with what is important for your business,” said Israeli. “What are the critical risk factors for your business specifically? What types of threat actors would be after this type of business data or system, and then how do you measure that risk in a way that’s applicable to those specific threats?
“We see that as a huge gap that many organizations haven’t addressed. They’ve been looking at it in more of a generic kind of fashion, saying, ‘Let’s protect it all, 360 degrees, 365 days a year,’ and frankly that’s not really working.”