While we're away at Black Hat USA 2015 in Las Vegas, my latest article over at Forbes highlights the Hacking Team data leak and what exactly it means for businesses trying to improve their security. You can read the full article below, or, if you're attending Black Hat, stop by to hear our Senior Security Researcher, Amit Serper, discussing Cybereason Labs' research on Hacking Team tomorrow, August 5 at 3:15 p.m. PDT or Thursday, August 6 at 1:15 p.m. PDT.
Why The Hacking Team Breach Further Tips The Scales Against Businesses
In light of the recent breaches at the OPM, UCLA, and Ashley Madison, it is easy to become desensitized and lump the Hacking Team breach in with all the other recent, egregious mega-breaches. As easy as it might be to go there…don’t.
The Hacking Team attackers leaked 400 GB worth of emails and other data that included hacking tools, instructions, “cookbooks,” pricing, customer data, and more. Having reviewed quite a bit of the data, it is the equivalent of offering free copies of “nation-state hacking for dummies” to anyone remotely interested in the topic. Now, novice and/or minimally talented hackers have the capacity to pull off extremely sophisticated hacking operations, a shift that is sure to level the cyber crime playing field.
This data dump is akin to the fall of the Soviet Union in a way. When the U.S.S.R. fell, global black markets were overflowing with Soviet weapons and, more importantly, knowledge of WMDs. This put more sophisticated weaponry and nuclear capabilities in the hands of the highest bidder, which was basically the Hacking Team’s business model. Only now, there has been a shift in power as the information is no longer for sale – it’s free, and none of the vendors whose products are exploitable, e.g. Adobe and Microsoft, were notified, amplifying the danger of the leak.
Given that many of the Hacking Team’s customers are government agencies from countries all over the world, it’s not a stretch to presume its “surveillance” products are being used in ways its customers would rather not have to publicly answer to. Now, the information needed to conduct covert cyber operations is not only free, it is packaged in context of the Hacking Team’s internal email communications, making it very easy for laymen to digest and either replicate or, like a good cover song, make their own.
As a cyber security professional, I hate to sensationalize cyber crime, but, because I am one, I find the implications of this data leak frightening. The business world is already swimming against the current when it comes to cyber defense. This is in great part because, no matter how you slice it, highly dynamic enterprise networks are hard to secure and monitor. Add to that the fact that corporate security teams are still working on shedding the mindset and operational processes of the moat-and-castle, or perimeter-based, approach to IT security, and there are cultural hurdles to embracing what I call the “post-breach mindset” that are much more difficult to overcome than one might think.
Many people point out that several high-profile breaches were not necessarily “sophisticated,” e.g. Target was breached due to weaknesses in its HVAC provider’s security, and the JPMC hack could have been prevented with two-factor authentication. While security analysts like to argue over the sophistication of any given hack, we are experts judging experts. Even with hacks in which the hackers got lucky and found an easy way into a target’s network, the ability to evade detection for months on end while ferreting data out of the organization still requires hacking skills, know-how, and talent.
Now, all these capabilities are out in the wild. Cyber crimes – and cyber criminals – are already innovating at a pace that would make Silicon Valley investors drool. With these tools and know-how in the public domain, the number of people with the ability to conduct a sophisticated hacking operation has skyrocketed. And these are just the obvious implications.
Let me give you an example of a not-so-obvious implication.
According to a recent New York Times story, in late June federal authorities arrested four men in Florida and Israel in connection with a series of fraudulent investment schemes carried out worldwide, from Florida and Israel to Cyprus and Russia, with one suspect still at large. Authorities suspect that some of these men had a hand in the 2014 hack at JP Morgan that compromised the contact information of 83 million of its customers, and that their scams may have leveraged email addresses stolen in the hack of the JPMorgan Corporate Challenge website – a charitable race organized by the bank.
If the five people indicted for these financial scams really are connected to one or both of the JPMC hacks and are also, in fact, the core group, it is an unusually small number of people carrying out an extremely complex hacking operation. Perhaps there are others involved who have yet to be charged. If not, then even before the Hacking Team leak, these indictments indicate that the amount of manpower needed to pull off such feats had already decreased. Now that the Hacking Team’s tools and proprietary knowledge are out in the public domain, we are going to see these and other kinds of innovations and evolutions in cyber crime.
After all…bad actors can innovate just as well as the rest of us.