Researchers. Analysts. Threat intelligence professionals. Cybersecurity practitioners.
Know what they all have in common?
The nature of their (our) work enables us to easily see patterns which develop over time.
We are all capable of seeing patterns in our day-to-day lives – traffic patterns, fashion patterns (skinny jeans, anyone?), and even relational patterns.
What those of us in the cybersecurity industry see time and time again is that a significant amount of cyber activity is predictable, and we don’t need a predictive AI algorithm to tell us what will be attacked next.
Let’s take a look at an example from recent news, which NTT Security researchers analyzed and included in the June 2018 GTIC Monthly Threat Report.
North Korea – here’s what we know, or rather, what patterns tell us.
For nearly every large event – nuclear missile test, international announcement, etc. – North Korea increases their cyber attack activity, coinciding with the event.
North Korea-sponsored threat actors are driven by a combination of three motives: financial gain, information gathering, and retribution for perceived injustices. Many researchers are also of the opinion that North Korea increases cyber activity as a tactic of distraction, in an attempt to deflect global attention from other activities.
Want to take a guess at what North Korea did around the time of the recent U.S.-North Korea meeting in Singapore?
If you guessed, “Increased their cyber activity”, you’d be right!
Even a cursory glance at open source intelligence indicates an uptick in North Korean cyber activity around the time of this event.
Let’s take a look at another example, also from the most recent GTIC Monthly Threat Report.
Cisco released a security advisory, detailing a denial-of-service (DoS) vulnerability in the Cisco Adaptive Security Appliance (ASA). According to the advisory, this vulnerability “could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition.”
Since this is a new vulnerability, threat actors are just now starting to get exploits written and into their respective toolkits, but if there is a patch available (and there is), are threat actors wasting their time by crafting exploits targeting this vulnerability?
Unfortunately, no, they are not wasting their time. In fact, creating exploits for vulnerabilities which have already been patched is a common activity for attackers.
History tells us that while most organizations will apply patches for new vulnerabilities within 30-45 days, some will never patch the vulnerability. This means that the Cisco ASA remote code execution vulnerability can realistically be expected to impact organizations around the globe for the foreseeable future.
Researchers continue to see exploit attempts targeting old vulnerabilities such as Heartbleed. What we expect to see concerning the Cisco ASA vulnerability is that over the next few months, threat actors will likely attempt to exploit this vulnerability more, with a significant drop in attack activity as more organizations patch the vulnerability. After this, we expect to see a steady stream of a few attacks targeting this vulnerability, with attackers probing network environments to see if they have stumbled across one of those organizations which have not yet patched.
If you’d like to read more about the Cisco ASA vulnerability, recent North Korean attack activity, or even researchers’ findings on continued Trickbot campaign activity, check out the latest GTIC Monthly Threat Report.