If you think teenagers sitting around a campfire in the wee hours of the morning spin the scariest stories, then take a listen to cybersecurity pros whose nightmarish tales are not as improbable as a zombie traveler with a brow as cold as clay or a murderer's call coming to a lone babysitter coming from inside the house.
As DDoS attacks grow stronger, ransomware attacks become more frequent, and modern warfare moves into the cyber arena, the potential for cyberattacks of nightmare proportions seem even more likely.
Data poisoning, distributed volumetric attacks capable of shutting down critical networks, and insider threats have always been serious issues, but some researchers fear these kinds of attacks may be used to shut down critical infrastructure and wreak havoc on their victims outside of the cyber realm that have lasting impacts.
When it comes to the ultimate cyberattack, though, the attack itself may not be as dramatic as one might expect and could take place over a period of time instead of one sudden event, Rubicon Labs Vice President Rod Schultz told SC Media.
“I would split this into two categories: attacks with catastrophic intent, versus passive, below the radar attacks,” Schultz says. “The attacks most people discuss are the catastrophic ones.”
While large scale attacks that knock out critical infrastructure are high on list, less obvious attacks such as data poisoning could inflict just as much damage, Schultz says. “Passive attacks are less sensational, but last much longer,” he says. “These attacks are designed to gain information and never be found.”
The impact of catastrophic attacks, on the other hand, is directly proportional to the amount of energy they unleash – such as intentionally putting nuclear reactors into unsafe states, disrupting critical services, or shutting down the power grid or telecommunications networks, Schultz says.
Schultz believes the ultimate cyberattack would combine both passive and catastrophic elements and would focus on the western world's reliance on data. The majority of the value crated by Fortune 500 companies today is through the manipulation of data and the ultimate cyberattack would be a combination of catastrophic destruction coupled with passive manipulation of information to destroy the integrity and usability of data, Schultz said.
This could be a combination of ransomware attacks that seize valuable databases such as medical records, bank account information, etc., in conjunction with selective subtle manipulation of data with the attacker's goal being to undermine the implicit trust that exists with respect to digital records and to bring business and innovation to a halt.
“Once this trust is destroyed it will take years to rebuild,” Schultz says. “When compared to a kinetic attack that is a one and done type of event, this type of attack could be felt for decades.”
Successful attacks against credit card data, personally identifiable information, and other valuable information, gradually increase the cost of doing business online and reduce the adoption of new and innovative technology and businesses, Imperva Chief Technology Officer Amichai Shulman told SC Media.
“While it's true that doomsday scenarios exist, most of them are at the nation state level and should be handled at the nation-state level,” Shulman says. “I'm more concerned about the constant, seemingly undisturbed growth in the number of small attacks against every individual and organization on the internet.”
Attacks that create scenarios like this would most likely be carried out by hacktivists who might dislike an organization for a number of reasons or by nation state hackers looking to disrupt business operations, RSA Chief Technology Officer (CTO) Zulfikar Ramzan told SC Media.
As technology becomes more user friendly, it may also be possible that everyday cybercriminals may have the abilities to carry out major attacks with little repercussion, Ramzan says.
“The key way forward is comprehensive monitoring capabilities, which comprises visibility coupled with analytics,” Ramzan says. “Visibility involves being able to gather relevant data about what is happening across all of the information technology assets in your organizations, from the edge to the core to the cloud.”
The analytics allows firms to glean insights from that visibility and allow organizations to effectively detect, scope, and ultimately find the root cause of any malicious activity, Ramzan says.
Some researchers warn catastrophic attacks could come in the form of distributed volumetric attacks. Recently, the source code for a botnet, Mirai, which caused a historically large denial-of-service (DoS) attack, was released to the public leaving many researchers are expecting even more powerful attacks in the near future.
The last time the botnet was used, it only targeted the website of a security researchers but it may be only a matter of time before Mirai or an even more powerful botnet is used to create systematic outages on critical systems, Prevoty Chief Technology Officer (CTO) Kunal Anand told SC Media.
Anand said that distributed volumetric attacks against numerous targets on the web that are either consistent enough to render a critical system unreliable or take it completely offline could have serious consequences.
“Whether attackers are running a massive C&C or commandeer a large CDN, they would have the ability to create an unprecedented number of cyber blackouts,” Anand says. “These blackouts could have serious repercussions in the realm of government, financial services and healthcare with the goals ranging from destabilizing an economy to exfiltrating a large data set.”
These kinds of attacks would also be effective in targeting entities such as banks or the stock exchange, government programs such food stamps, welfare, or unemployment, air traffic control systems, or any other system that consolidates into one “choke point,” Anand says.
To prevent these attacks, Anand contends that it may boil down to a game of cat and mouse and one could only hope that the entity being targeted has the firepower and resources to withstand and outlast the competition.
In order to carry out an attack like this, an attacker would need access to a lot of systems and capacity, access to a lot of computing recourses such as cloud providers and giant botnets, and would most likely be carried a nation state or state sponsored group.
Anand says it is unlikely for an attack like this to affect major infrastructure such as the electric grid or missiles systems because these systems are air gapped and would require physical and or cyber tampering to enable, but with the help of an insider and social engineering tactics they are possible.
If an insider were to gain a foothold at a secure government entity or major firm such as Google, Akamai, Apple, or Cloudflare in order to plant a weakness in its systems, an attacker could exfiltrate sensitive data, jump air gaps to infect protected systems, shut down critical infrastructure and potentially seize the computing power necessary to launch powerful physical and cyberattacks, Anand said.
To defend against insider threats, Anand said the best thing organizations can do is to put in place monitoring capabilities within applications to review for any weaknesses as well as understand the weaknesses of these monitoring systems.
A company would also have to ensure that they have backups of all of their products and data that are kept both offsite and offline, SecureMac President Nicholas Raba told SC Media.
“That way, you could check the integrity of those backups separately from the products and data that employees are handling,” Raba says. “Secondly, you would want to put a plan in place to help inform, secure, and repair the vulnerability in the best way possible.”
This could include a peer code review to look for back doors and access-control mechanisms that could be used to shut down employee accounts if needed, he says.
“If you discover that an employee is guilty of in-house tampering, firing that person wouldn't be enough; you would need to eliminate any chances for them to access your products or data in the future, and you would want to do that in the quickest way possible,” Raba says.
Organizations, he says, should always have practices in place to secure systems, prevent attacks, and manage appropriately even when under attack and that firms should always focus on security on all levels. Another often over looked fact is the need to train employees in best practices to help thwart threats as well.