According to Almond’s Threat Landscape, cybercrime continues to develop – in increasingly innovative fashion – in ransomware and in ways of launching attacks that until only a few years ago belonged to the realm of state intervention or science fiction. Businesses are therefore having to improve their defences and invest in manpower, procedures and technology.
Almond, a well-renowned French company dealing with cyber-security and the performance of information systems, has published its first Threat Landscape report, which analyses the new ways in which cyber-criminals are operating, the threats they pose to organisations, and the means that these organisations must deploy to defend themselves.
2022: a year of intense activity
In January 2022, a Red Cross subcontractor fell victim to an attack that put the personal data of 515,000 people at risk. In March, l’Assurance-Maladie [the French health insurance authority] was subjected to an attack that breached the medical histories of 510,000 French people. In July, la Poste Mobile [the mobile phone network run by the French Post Office] was attacked by ransomware and obliged to shut down its website temporarily, and the confidentiality of the personal data of 500,000 customers was affected.
These few examples show the intensity of cyber-criminals’ activity in 2022. Four “Threat Actors” – Lockbit Gang (2.0 and 3.0), ALPHV, Conti and Hive – account for 50% of the attacks and provide “ransomware as a service” or “malware as a service”. The “Threat Actors” heading up this ransomware “industry” are mostly based in Eastern Europe and Russia, as in the case of Conti.
A threat that does not always come from the East…
However, data shows that the users of this ransomware are located throughout the world and are sometimes within reach of the law. The fact that the authorities regularly manage to arrest operators in Europe shows the value of involving the police.
In this respect, Almond details all the reasons for filing a complaint with the police, who have made a considerable effort to simplify procedures, to support the victims in the best way possible, and to identify, locate and arrest the criminals so as to bring them to trial.
The Almond report also explains that, although the ransomware threat comes largely from Russian-speaking countries, it is not exclusively Russian, contrary to what numerous publications would have us believe, intentionally or not. It is the aim of the Almond Cyber Threat Intelligence team to handle cyber-intelligence in a way that is resolutely European and French.
… and does not just come from ransomware.
Almond Cyber Threat Intelligence points out that, whereas ransomware presents a very real threat to all organisations and has done a great deal to make decision-makers aware of cyber risks, this should not overshadow the high number of attacks with less blatant objectives: espionage, destabilisation and strategic pre-positioning. The Almond Threat Landscape brings to light some of these latter threats, which have remained in the dark.
The experts at Almond have produced their initial analysis of a year of conflict between Ukraine and Russia, from a cyber standpoint. The predicted and much-feared cyber Armageddon has not happened. Even though there has been a highly intense cyber offensive on both sides, this war has already taught us that, firstly, it is often easier in a highly intense conflict to destroy an infrastructure with a missile or drones than by hacking into it. Secondly, it is possible to back up a country on the cloud so as to put its sensitive assets out of physical reach. Lastly, it is very useful to be skilled in the art of crisis communication.
Almond’s surveillance operations show that a significant number of security incidents, particularly the ones that were the most serious for the victims, were started not by malicious emails but by exploiting a vulnerability, often in security equipment (notably vulnerable VPN gateways), to gain access to computer systems. Vulnerability management and the choice of secure products, ideally with a CESIT certificate, are therefore key issues.
Invest in order to adapt
The experts at Almond say that innovation in attacks continues to put pressure on defensive operations. This raises the question of the balance between the cost of this investment and the cost of accepting risk. The main determining factor in the choice of defence measures is the need for reactivity, so as to keep pace with operations that increasingly resemble “go very fast” robberies. The second main determining factor is the need to deal with ever-increasing numbers of alerts: computer systems have grown, as has the ability to detect and cope with the largest possible number of attack techniques. These two imperatives – reactivity and the volume of data to handle – require different responses from each of the elements that make up the detection method: manpower, procedures and technology.
Almond has chosen to respond through innovation, by investing in the expertise of the people at the core of cyber-security operations, and in the procedures and technology that make the most efficient use of DevSecOps and SOAR (Security Orchestration, Automation and Response) concepts, and of automation in general. The final part of Threat Landscape mentions some of the investment that will be made in 2023 in order to “stay in the race”.
“There is more and more interconnection between computer systems and third parties, now vital for businesses, but this exposes them to cyber-attacks that have become increasingly lucrative sources of revenue for criminal organisations. And this is going to increase because attackers are getting more professional and their attacks more automated. Recent months have shown that attacks are carried out by ever more organised teams with a high level of technology and with tools that have reached an impressive degree of automation. Therefore, those defending must know how the threats are evolving, and must make their responses more professional and more automated,” says Julien Steunou, Partner, Almond’s SOC/CERT/CTI CWATCH.