Attacker’s behaviour shaped by systemic factors, not COVID

Charl van der Walt, head of security research at Orange Cyberdefense.

What the world is dealing with at the moment with the COVID-19 pandemic is not just a pandemic of health, but also a pandemic from an IT point of view.

Like the virus, the IT security space is equally contagious. Contagion is a term we use when we talk about disease transmission, but it’s really a general term that can be applied to a number of things. Like when you have a high level of Internet activity, and where something can spread easily from one node to another because of interconnectivity. We are interconnected because we all use the same technologies, in the same ways.

So said Charl van der Walt, head of security research at Orange Cyberdefense, during his opening keynote this morning at the ITWeb Security Summit 2020.

He said that, according to research, about one-third of the world's population was under some form of enforced lockdown and was experiencing the same thing at the same time, where they were being forced to work from home. “For example, globally, the demand for VPN services of some sort increased by 41% during the second half of March, and is still globally 20% higher than it was before.”

Moreover, some countries were impacted more than others. South Africa stands out as, according to Top 10 VPN, we experienced a 105% increase in demand for VPN access. What this means is that managers and security people had to deal with this unprecedented acceleration in digital transformation.

In many cases, Van der Walt added, it had to happen in a matter of weeks. “This had to include having to deal with remote work, having to facilitate remote collaboration, suddenly having to protect users that were no longer sitting behind your firewall, having to respond to what we expected would be an elevated level of threat. And they had to do all of this while they themselves were working from home, meaning IT resources were impacted too.”

Before the pandemic, Van der Walt continued, his team highlighted a number of security changes that they thought they were likely to see, such as increased strain on Internet infrastructure, an accelerated move to e-commerce and cloud, decreased visibility and similar.

“In addition, we anticipated more geopolitical tensions, perhaps manifesting in cyber attacks, more attacks targeting healthcare, attacks against remote access technologies as businesses rushed to get these technologies online. We also anticipated that there would be much more malware and phishing using COVID as a pretext and a lot of general misinformation.”

And they did see all of those things. But Van der Walt stressed: “In some respects, we may be seeing what’s easy to believe, and missing some of what is really significant in terms of what happened.”

Speaking of what he learned about attackers and how they behaved, he said a real ‘golden nugget’ came from Microsoft, about attack patterns during COVID. “There was a general blip during March, but only in the region of 2%. It also pointed out that where bad actors are pivoting to adopt themes like COVID, it’s very quick and follows contemporary events. It’s also very localised, and different attacks will focus on different themes in their specific region.”

Systemic factors

The bottom line: COVID as a theme for attackers has passed.

The elements that drive ransomware, especially targeted ransomware, are systemic in nature; they have to do with the vulnerability of perimeter technologies, the value of cryptocurrencies, and then the fundamental seller/buyer dynamic that is created when an attacker gets access to your data, he said.

“In terms of state-backed actors, there was once again a nominal peak over this time, but, generally, this trend is flat, and the reason for that is because state actors operate within constraints within their targeting authorities, constraints in terms of budgets, so if they take energy away to focus on healthcare, for example, that energy is being taken away from somewhere else.”

In terms of attacks against security technologies, he said once again there was a COVID blip, but there are always problems that emerge when we add more technology into a system, including security technologies, and this trend is consistently and independently upwards. Again, this is because it’s a systemic factor and although it perhaps shifted a little during COVID, its behaviour has nothing to do with COVID, Van der Walt added.

Pivoting rapidly

“Now when we examine the behaviour of attackers and what we can learn, they do pivot very rapidly and are able to adjust to contemporary events, but actually their behaviour is much more fundamentally shaped by systemic factors. These are bigger, fundamental attributes of our space that shape our behaviour.”

These factors overwhelm the acute technical factors, and it’s these forces we need to keep an eye on, he said. “We won’t stop cyber attacks unless we can deal with the underlying systemic factors such as the role that cryptocurrencies and brokers play, in terms of allowing bad actors to cleanly get away with the ransom in a safe and anonymous space.”

COVID-19 is a systemic factor, and what we need to do is zoom out a little bit, from the specific, acute symptoms that we observe, such as the use of COVID as a lure, and understand its systemic impact, such as the accelerated move to e-commerce, and the move to the cloud as a way to deal with the work from home issue.

“Our CTO at Orange said the impact of a new technology is always overestimated in the short term and underestimated in the long term, and this is very true. The question we should be asking, for example, is what it means now, when we have accelerated adoption of e-commerce from a six-year timeline to a three-month timeline; that’s the kind of systemic change that is going to have an impact on us.

“What is interesting about the pandemic, apart from the fact that it is systemic in nature, is that it illustrates to us in a very visceral way what the reality of a contagious environment is, and we live and operate as IT security people in a contagious environment, which means the decisions, choices and risk trade-offs we make don’t just impact us as businesses; they impact everyone else in this environment. Just like our decision as individuals to wear a mask doesn’t just impact us as individuals, but also impacts the people we love, the people we work with and meet every day.”