Carbon Black released its Quarterly Incident Response Threat Report this week, which represents an analysis of the latest attack trends seen by the world's top incident response (IR) firms. The specific goal of the report is to analyze how the upcoming US midterm elections might be impacted by malicious individuals and groups. The report examines trends across nation-state attacks, election-related markets on the dark web, and how attackers attempt to remain undetected.
Quarterly Incident Response Threat Report: Key findings
- China and Russia are responsible for nearly half of all cyberattacks. Of 113 investigations conducted by IR partners in the third quarter, 47 stemmed from those two countries alone, while Iran, North Korea, and Brazil were also the origin of a considerable amount of recent attacks.
- Cyberattacks from these countries are politically motivated and "tailored to specific targets, cause system outages, and destroy data in ways designed to paralyze an organization's operations."
- Nearly two-thirds of IR professionals believe cyberattacks will influence the upcoming US elections.
- Elections are further threatened by marketplaces on the dark web where multiple types of election-related items are for sale such as voter databases, social-media-based influence campaigns, and hackers for hire to engage in campaigns intended to commit anti-government espionage endeavors.
- More than half of IR firms encountered instances of attempted counter-incident response.
- Half of today's attacks leverage "island hopping," whereby attackers target organizations with the intention of accessing an affiliate's network.
- A growing number of attacks are now taking advantage of Internet of Things (IoT) vulnerabilities — and not just consumer devices. An alarming 38% of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organizations' primary networks, allowing island hopping.
- Destructive attacks are on the rise. IR firms said that 32% of victims experienced destructive attacks.
- The industry most frequently targeted by cyberattacks was the financial sector, followed by healthcare, retail, and manufacturing.
- Concerns about cyberattacks have shaken confidence in the voting system.
The voter information available on the dark web involves significant data from "swing states" with an undecided majority of voters. This includes "voter IDs, full names, current and previous physical addresses, gender, phone number, and citizenship status, which researchers say can be used by entities to send targeted campaign materials to a desired audience and influence election results."
However, this threat may not be as formidable as it seems. Craig Young, computer security researcher for Tripwire's Vulnerability and Exposure Research Team (VERT), provided the following comments: "Most if not all of this data is available from a variety of public sources. In many states, this data can be obtained by simply filing a request with the state election board and possibly paying a small administrative fee. While it is interesting to see criminals aggregate and resell public data, I don't believe this has any meaningful impact on risk toward voters."
Cyberattacks are growing more elaborate. An active counter-incident response was observed approximately half the time, and destruction of log data (intended to cover up tracks left behind by hackers) is becoming a more common element. Powershell, WMI, process hollowing, and malicious script hosts were cited as the most popular tools leveraged by attackers.
Furthermore, Internet of Things (IoT) devices both in the consumer and enterprise realms are also being targeted thanks to vulnerabilities which cannot be remotely patched. "In 2016, for instance, a Russian botnet called Mirai gained access to a veritable army of closed-circuit TV cameras, which led to a denial of service attack that left huge swaths of the internet inaccessible to many on the East Coast of the U.S."
How cyberattacks undermine democracy
I spoke with Tom Kellermann Carbon Black's Chief Cybersecurity Officer and a former Commissioner on President Obama's Cybersecurity Commission about the upcoming elections and cyberattacks.
Scott Matteson: Is there any sign of one or the other American political party being involved with (or potentially benefiting from) these efforts?
Tom Kellermann: Direct involvement may be tough to determine right now. It's clear that entities like Russia, China, and North Korea are looking to undermine the West by doing whatever they can to usurp the establishment and seed doubt in democracy.
We saw that in the 2016 elections, where the Republican party ostensibly benefited from cyber meddling. That's not to say, however, that any of these nation-states will rest because they got the candidate they wanted in power. Cyberattacks undermining democracy will continue regardless of which party is in power. Remember, the ultimate goal for these nation states is to weaken the United States, not merely make a single political play. Blue or red, the attack cycle will continue.
Scott Matteson: Is this part of Russia's ongoing objective to destabilize American faith in the political system?
Tom Kellermann: Absolutely. The Achilles heels for America is its dependence on technology and the nature of public opinion. With its continued cyberattacks, Russia is manifesting the Gerasimov Doctrine, which stresses the importance of information warfare and undermining the integrity of American institutions via information manipulation and influence campaigns.
Scott Matteson: What recommendations do you have for better user awareness / better cybersecurity practices?
Tom Kellermann: Users should verify the integrity of all provocative news they receive via multiple news outlets, including social media. Corporations and governments must see cybersecurity as a function of conducting business rather than an expense and should invest in establishing hunt teams to identify if they already have a compromise within their infrastructure.
Scott Matteson: What should I tell my readers to help instill better faith in them to get out and vote next Tuesday?
Tom Kellermann: I will be casting my ballot on Election Day and the entire American public should do the same. A democracy is strongest when its citizens have a voice. Our collective voices can help quell the fear, uncertainty, and doubt that nation-states have attempted to cast on our electoral process. Regardless of your party, exercise your patriotic right and make that voice heard. You can find the full cybersecurity report here.