There is a scene in the movie Jurassic Park where we witness just how smart the velociraptors are. In order to find a way out of their enclosure, the carnivorous dinosaurs are systematically testing the electric fences for weaknesses, making note of where the fences are weakest and where they are strongest. Once a vulnerability is found in the system (in this case a disgruntled employee turning off the fences), and the raptors easily escape, tragedy ensues. The concept of testing the fences for weaknesses is paralleled in the real world with cybercriminals – only instead of the predators trying to get out, these real-life predators are searching for a way in.
The recent WannaCry and Petya ransomware attacks culminated in hundreds of hospitals, retail outlets and critical infrastructure being breached. They impacted commerce as well as patient care and innovation. On the surface, the attackers were looking to make a quick buck – asking for money in exchange for encryption keys and data. However, the fact that the attackers did not collect contact information, or even provide encryption keys, suggests to me that money was not the primary objective.
Ransomware is an effective way to extort money from organizations, especially from healthcare organizations where lives literally hang in the balance. But there are other, quieter and more lucrative ways to make money in cybercrime. Stealing personal data like credit card information or insurance info and selling it on the dark web is just one way a cybercriminal can make tens of thousands of dollars.
So why initiate a massive ransomware attack if you aren’t trying to get rich quick? The answer most obvious to me is that these hackers are testing the fences of our security systems. They want to know how long it takes for us to detect an attack, how we respond and how hard it is to penetrate an organization in the first place. It is like when an arsonist sets a fire on the outskirts of town to test the response time of the fire department. These criminals are conducting reconnaissance in preparation for a larger, perhaps more coordinated, attack.
We can only speculate (with some level of certainty) on where these attacks originated and who the primary target is. But as we rapidly move to a world where terrorism and acts of war/sabotage will increasingly use viruses and software vulnerabilities rather than bombs and guns, it is likely that groups who wish to do harm to private citizens or governments will spend time testing for weaknesses in preparation for their real attack.
We live in a time where our economy is tied to software, meaning a digital attack will have implications in the physical world. Even if these attacks were carried out with the sole objective of getting some companies to pay the ransom, they demonstrate the deficiencies in the way we produce software and hardware, not just to us, but to the real bad guys as well.
We can no longer hide our heads in the sand on this issue. Software security is national security, and we need to rethink the role of security in software. Detection is not a strategy on which we can depend because, by its very nature, it means we have to be breached before we act. And detection can take a woefully long time, let alone the time it takes to respond. By the time we notice, the attack could already be carried out. And I think we will notice the electric grid is down without the use of detection software. The only true solution to this problem is proper security hygiene and making security a reflexive part of software development – the same way developers look for functional bugs.
This time the attackers asked for a relatively small amount of money. How long will it be before nation-state or terrorist attackers move from testing the fences to carrying out a massive attack on infrastructure? I, for one, don’t want to be around when the raptors escape.