The Long Tail of Cyberthreats: Part I

Each day, the headlines bring a new data breach or a new investment in cybersecurity. Let’s face it: The scale of the problem is incredible. Business executives, as well as the general public, now operate with a heightened awareness and sense of urgency over cyberthreats. The reasons are clear, as nearly every part of our society has either embraced or been forced to deal with the reality of pervasive digitalization.

For instance, historically offline industries like banking and transportation now have gone fully digital, and important technologies such as machine learning are now part of everything from how business decisions are informed to those “helpful” consumer devices picking our music for us. Now add in the inexorable force of “connected things” known as IoT, and it’s nearly impossible to escape digitalization.

With a digital world comes the undeniable increase in cybersecurity threats, as well as more automated, fast and highly targeted attacks. The potential impact will be dramatically greater. 

It’s time for a new way to look at the problem.

A Lesson from Financial Risk Management

To illustrate the cyber threat landscape, let’s take a lesson from financial risk management. In financial services, the concept of “tail risk” (also sometimes called “black swan”) is used to explain a highly unlikely, yet potentially high-impact, event. The concept of tail risk entails the notion that some risks could bring down organizations, or in extremely rare circumstances, entire industries. Think about the collapse of Lehman Brothers in September 2008 and the nearly catastrophic collapse of global financial markets around that time.

We can use the same concept for cyberthreats and use a graph to illustrate how to evaluate threats using the frequency of occurrence or count of victims. If we used such a graph to plot the threat landscape a few years ago, it would have shown as a “fat tail” representation (see illustration below), since there were only a few unique threat types which likely impacted us. 

The threats at the left would have included things like the ILOVEYOU virus and Conficker, and the threats at the right would have been the more customized or targeted malware which had only a few victims.

Translating this depiction of tail risk into the realm of cybersecurity, the threats in the tail are unique, so they must be treated as unknown and therefore as threats that will not be detected. An attacker leveraging such threats and having appropriate motivation could easily bring down an environment or cause severe damage to the organization. Consequently, tail risk would be something which most CISOs—and their C-suite and board colleagues—would not be willing to accept.

Things are changing, however—and not for the better. Today, such a risk graph is flattening out due to high diversification of threats. And the tail is much longer, as you can see in the graph below. There are multiple reasons for this, such as:

  • Digitalization of all industries and our global societies, leading to a broader attack surface.
  • More hackers finding bugs, building exploits and deploying malware.
  • Free, open source, easy-to-use and automated exploit and malware builders, which enable even non-security experts to compromise computers. For a few examples, see Metasploit or Empire.
  • Expanding and increasingly sophisticated cybercriminal ecosystems, introducing threat construction and operations kits for both customization and automation of specific campaigns.

As a result, the tail risk graph is evolving into a “long tail” graph, with a much larger tail risk for organizations. Let’s call it the “long tail of unknown cyberthreats.” Of course, our security controls are constantly improving, giving us a better chance of covering the unknown threats. However, as someone who’s been in this industry for decades, my perspective is that security controls have not been able to keep up with the customization of threats. Think of your own organization: Have you felt more cyber secure in the last few years?

And the tail might become even longer if we consider the advantages of machine learning, which cybercriminals are already beginning to adopt and which will undoubtedly be utilized even more widely in the coming years.

Think about it: Software programmed to automatically profile your environment for vulnerabilities and potential exploits. That software will decide whether to build a custom exploit to compromise your server through a server vulnerability, or instead to write custom malware that gains a foothold in your environment by spear-phishing one of your employees. And, just for good measure, that software will automatically distribute implants at all the weak points of your organization and make cold, calculated ransomware demands.

Will we soon see fully automated, mission-driven, custom attacks, with almost unique footprints tailored to your organization?

Great questions, right? We’ll address them in the second article of this two-part series on the long tail of cyberthreats. 

Sergej Epp is chief information security officer for the Central European region at Palo Alto Networks.
