The ENISA Cybersecurity Threat Landscape
CyberCrime & Doing Time 2020-11-19
ENISA, the European Union Agency for CyberSecurity, met on October 6, 2020 to review their current recommendations and get any last minute changes. On October 20, 2020, they released a huge batch of reports that many folks seem to have not seen. We wanted to take a moment to give you the guided tour and strongly recommend the consumption of these report. Each publication is available "flip book" style on the ENISA website, and also as a downloadable PDF.
Let's get started!
https://www.enisa.europa.eu/publications/year-in-reviewThis is the 8th Year In Review for ENISA and their reporting just keeps getting better! This year the main components of the report break down into topics like this:
- The Year In Review
- Cyber Threat Intelligence Overview
- Sectoral and Thematic Threat Analysis
- Main Incidents in the EU and WorldWide
- Research Topics
- Emerging Trends
- List of Top 15 Threats
The Year In Review
- Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation
- There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
- The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
- Finely targeted and persistent attacks on high-value data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors
- Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft
- The motivation behind the majority of cyberattacks is still financial
- Ransomware remains widespread with costly consequences to many organisations
- Still many cybersecurity incidents go unnoticed or take a long time to be detected
- With more security automation, organizations will invest more in preparedness using Cyber Threat Intelligence as its main capability
- The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.
Another key section in this area was the "What To Expect" which broke the topic into three areas -- Nation States, Cyber Offenders, and Cyber Criminals. The reader is invited to view the full report, but I did want to mention that with regards to Nation States, ENISA describes the coming year as an "Uncontrolled cyber-arms race" with a free-for-all of nation states trying to buy up and acquire the best attack tools for the "cyberspace warfare domain" possibly through sponsored agents who may not present as the purchasing nation.
In the area of What to Expect From Cyber Criminals ... BEC - Business Email Compromise, and BPC - Business PROCESS Compromise are expected to continue, along with malware targeting Managed Service Providers. They predict that "Deep Fakes Used for Fraud" may be a rising trend. I'm not sold on this concept as being a 2021 reality, but it is certainly something to watch for.
I also wanted to call attention to the prediction that Cyberbullying is likely to greatly increase as a growing number of adolescents are spending a much greater time online, possibly with limited parental oversight of their activities, as Mom and Dad are busy working from home as well!
Cyber Threat Intelligence Overview
https://www.enisa.europa.eu/publications/cyberthreat-intelligence-overview/at_download/fullReport <= PDF
In this area, training resource links are offered, however the report begins by calling attention to the great gap between higher performing CTI practices and the training and tools available to the average user. While praising existing frameworks, such as MITRE: ATT&CK, they also point out the short-comings in addressing specialized sector-specific systems, emerging systems, and cloud-computing and managed service threats.
The call is made to spend more emphasis on PREVENTION, DETECTION, and MITIGATION rather than the current near-total obsession with IOCs and APT-naming. Some sectors are especially trailing in the CTI area due to the specialty nature of their equipment and practices. ALL SECTORS need to be greatly improving their capabilities in PDR (to use the more common Prevent, Detect, Respond term that I still prefer.) The report calls attention to the fact that trailing sectors are often dealing with limited trust between organizations. The more isolated your organization is from its peers, the more likely that your sector is struggling in this way. Improved information sharing is a key. To quote the report: "one should note that the deficiencies described are not due to a lack of CTI knowledge per se but rather to the lengthy cross- and intra-sector communication and coordination cycles for exchanging CTI knowledge." A related quote => "Existing offerings concentrate on operational and tactical CTI, while strategic CTI is mostly offered independently."
Results are shared of a "Comprehensive CTI Survey" conducted by ENISA. Some key findings include:
- CTI is still primarily a MANUAL PROCESS in most organizations.
- Much CTI data is still primarily being passed through spreadsheets and email.
- CTI Requirements are becoming more defined and beginning to take significant guidance from business needs and executive input.
- CTI from Public Sources combined with observations from internal network and system monitoring is a popular model
- Open-source information, enriched by threat feeds from CTI vendors is a "clear upwards trend" indicating more focus on internal CTI production.
- Threat Detection is described as the main use for CTI, with IOCs being a base, but more interest in TTPs in the area of threat behavior and adversary tactics.
- Only 4% of respondents felt they could measure the effectiveness of their CTI programs! OUCH! Machine learning was ranked especially low, with most saying the skill of the analysts was the best predictor of success!
Several areas of interest in the "Next Steps" section to me included:
- an emphasis on coordinating CTI requirements. While the report called for this at the EU-member state level, I would say that SECTORS should be working together to determine appropriate CTI requirements and encouraging a sector-wide improvement through collaboration.
- development of a CTI Maturity model and Threat Hierarchies model.
- ensuring that CTI is taking into account the geopolitical world state and not just the state of bits and bytes.
Please refer to the full report for more details!
Sectoral and Thematic Threat Analysis
https://www.enisa.europa.eu/publications/sectoral-thematic-threat-analysis/at_download/fullReport <= PDF
This report begins by describing the difficulty of measuring and categorizing differences by sector. I must confess to being disappointed by the lack of insights in this particular report. As sectors shifted to the cloud during the COVID-19 Pandemic, much of the "targeting" became less sector-targeting and more "target of opportunity" focused.
While most attack trends were "stable" there were some "cross-sector" attack types described as "Increasing" ... specifically Web Application Attacks, Phishing, and Malware.
The only sector actually that was called out as being at significantly greater risk than others based on incident trends was "Health/Medical" where increases in Malware, Insider Threat, and Web Application Attacks were all marked as Increasing.
After a lack-luster "trends" report, all of two pages long, the remainder of the report focuses on Threats to Emerging Technologies, where there are some interesting observations regarding 5G Mobile communications, Internet-of-Things (IoT), and Smart Cars.
The reader is invited to visit the report for more details.
Main Incidents in the EU and WorldWide
Unfortunately, with the official timeline of this report being January 2019 through April 2020, many of the "main incidents" here are quite dated. Good to cover them for historical documentation, but not really worth re-hashing them at this time. Significant data breaches included the 770 million email addresses stolen from MEGA (the cloud data storage service in New Zealand run by "Kim Dot Com".) They also mention breaches such as ElasticSearch, Canva, Dream Market, Verifications.io, and a couple big MongoDB breaches.
The most targeted services, according to this report, are Digital Services, Government Administration, Tech Industry, Financial Institutions, and Healthcare entitites. In the area of Digital Services, we know that the primary use is to take the email address/password pairs and use them to attempt password replay attacks attempting to use the same pair against many additional online properties. ENISA refers to those as "credential stuffing" attacks and indicates that "companies experience an average of 12 credential-stuffing attacks each month!"
The report indicates that 84% of cyber attacks "rely on social engineering" and that 71% of the organizations with malware activity have seen the malware spread from one employee to another.
Groups that are depicted in the report as "Most active actors" don't really align with what we've seen from other sources, but are listed as:
- TURLA - attacking Microsoft Exchange serveres
- APT27 - mentions attacks against government SharePoint servers in the Middle East
- Vicious Panda - targeting Mongolian government entities
- Gamaredon - spear-phished the Ministry of Defence in Ukraine in December 2019
The Top Five motivations for attackers are: Financial, Espionage, Disruption, Political, and Retaliation.
The Top Five "Most Desired Assets" by Cyber Criminals are listed as:
- Industrial property and Trade secrets
- State/Military classified information
- Server infrastructure
- Authentication Data
- Financial Data
I won't detail is here, but the report also has advice on "What changed in the landscape with the COVID-19 Pandemic?" and refers to several previous publications from ENISA for that topic.
Research Topics
ENISA says that "apart from basic cybersecurity hygiene and training, investing in research and innovation is the most viable option for defenders." Some of the key areas that they are encouraging research to be performed are:
- Better understanding of the human dimension of security - (I know so many great researchers in this space, from UAB's own Nitesh Saxena, to UAB's Ragib Hasan and his current survey on "User Preferences in Authentication" to Carnegie Mellon's Lorrie Cranor and the IIIT Delhi PreCog lab run by Ponnurangam "PK" Kumaraguru.)
- Cybersecurity research and innovation - with a special focus on building "test labs and cyber ranges" that better reflect real world deployments.
- 5G Security
- EU Research and Innovation Projects on Cybersecurity
- Rapid dissemination of CTI methods and content
Emerging Trends
This report begins by pointing out that COVID-19 has initiated "new and profound changes in the physical world and in cyberspace" and pointing out that "cybersecurity risks will become harder to assess and interpret due to the growing complexity of the threat landscape, adversarial ecosystem and expansion of the attack surface."
The Emerging Trends are given as three trend lists -- Ten Cybersecurity Challenges; Five Trends with cyber threats; and Ten emerging trends in attack vectors. As I've said a few times, go check out the report for the full details, but a few really caught my eye, which I'll comment on below:
Cybersecurity Challenge 1 - Dealing with systemic and complex risks. The interconnectedness of our systems and networks means that a risk introduced in one part of the environment can quickly spread throughout our organizations. The demands of reducing complexity and increasing ease of management has unfortunately caused many organizations to create flat network structures where a single Active Directory domain may touch every resource in the environment and where network segmentation has become almost non-existent.
Unfortunately many of the other "emerging trends" in the cybersecurity challenges are seem more like wishful thinking than an emerging trend. Reducing unintentional errors, automation of CTI ingestion, Reducing alarm fatigue and false positives, and cloud migration protections are all things we would love to see, but calling them an "emerging trend" strikes me as premature. A few that I definitely agree with however include the role of CTI and the lack of a skilled workforce.
Cyber Threat Intelligence (CTI) is needed to help with the WHY, the HOW, and the WHAT questions. The report points out "the value proposition of any CTI capability or program is to improve the preparedness of the organization to protect its critical assets from unknown threats." Anticipating the unknown requires a deeper understanding of both threat and adversary - not just in the form of specific Indicators of Compromise (IOCs) but in the form of TTPs - based on the Tactics, Techniques and Procedures - as evidenced by observations made both from open source intelligence (OSINT) but also through same sector and cross-sector intelligence sharing is going to be a key to hardening and preparing the organization to address forth-coming attacks instead of constantly reacting to known attacks.
Just as we see in the US, a shortage in cybersecurity skills is hitting the EU hard. 70% of firms say that lack of skills is hampering investment in new technologies, and 46% of firms report difficulty filling vacancies in cybersecurity due to a lack of skilled applicants. In the US, I constantly refer students to the Cybersecurity Supply/Demand Heatmap maintained by Cyberseek.org. Currently they are showing 521,617 cybersecurity vacancies just in the United States!
The final "Emerging Trends" area - Ten Emerging Trends in Attack Vectors - has a few that I wanted to call attention to as well. I'll share the list and comment on a few:
- Attacks will be massively distributed with a short duration and a wider impact
- Finely targeted and persistent attacks will be meticulously planned with well-defined and long-term objectives
- Malicious actors will use digital platforms in targeted attacks
- The exploitation of business processes will increase
- The attack surface will continue expanding
- Teleworking will be exploited through home devices
- Attackers will come better prepared
- Obfuscation techniques will sophisticate
- The automated exploitation of unpatched systems and discontinued applications will increase
- Cyber threats are moving to the edge
A key thread that flows through many of these trends is that attacks will move to new less defended "soft spots." The report mentions banking trojans being downloaded from the Google Play store, attacks against routers, switches and firewalls rather than servers, and attacks being presented through apps that are skating on the edge between personal and business apps, such as SMS, WhatsApp, SnapChat and various messaging platforms, as well as gaming and streaming apps that may be present on devices being used to "work from home."
List of Top 15 Threats
The next post will address the ENISA "Top 15 Threats"