Source: The Cipher Brief
The Cipher Brief’s Luke Penn-Hall sat down with Steve Grobman, Intel Fellow and Chief Technology Officer for Intel Security, at the annual Black Hat cybersecurity conference, which took place in early August. Steve discussed how he views the threat from ransomware evolving.
The Cipher Brief: How do you see ransomware changing the threat landscape and the risk calculus for businesses?
Steve Grobman: It’s going to be huge for a number of reasons. One is that ransomware is a much more effective method for cyber criminals than traditional data theft in many cases. The challenge with data theft is, after you’ve stolen data, you then need to monetize it, and depending on the type of data that’s stolen, sometimes it’s very short-lived in its value. If you are stealing credit cards, as soon as the bank figures out that the credit cards have been stolen, it cancels them, and you don’t have any way to monetize them.
Similarly, when you fence stolen data, everybody in the pipeline wants to take a cut. So you end up not receiving the maximum value from what you’ve stolen.
Ransomware is a very clean transaction from the cyber criminals’ perspective because they essentially get paid directly by the victim, and once they get paid, they’re done with that act.
Now part of what we see as great concern is ransomware matriculating from just being about data and environments being held for hostage. That can either be from an access perspective or it can be from a damage perspective. If you think about this in a business world, preventing the ability to use networks, to use equipment, to use a factory, is clearly bad. Having the threat of permanently damaged equipment is far worse.
Looking at ransomware in the Internet of Things (IoT) of business is a huge problem. But then also in the home, having ransomware being able to hold essentially any smart or connected device for hostage is a big risk. Although it is theoretically possible for consumers to have devices repaired, the nature of devices in homes today is typically that they are much less repairable, they’re sealed, they’re not the types of things that would typically be serviced, and they’re generally at price points where it’s going to be easier to replace them than to repair them. So from a cyber crime perspective, finding a ransomware price point that creates a better outcome for the user to simply pay the ransom than have to buy a new device could open up many opportunities.
The one other point that I would make here is the economics of many of the devices in the home today do not lend themselves to creating strong incentives for manufacturers to put a high level of security, integrity, or maintenance into the product. If you buy a TV in a big box store for $300, the big box store might make $10, $20, or $30. How much incentive do they have to update the firmware they have on that TV three years later when a vulnerability is found? Potentially not a lot. So it’s a big issue.
TCB: How do you see ransomware affecting the development and propagation of the IoT? It is a very specific and potentially highly damaging threat vector that seems especially bad for IoT devices.
SG: It is going to vary by the vertical of IoT. One of the problems with IoT as a term is IoT means so many different things – it means everything from connected toys to a nuclear plant and everything in between. When we talk about IoT, we need to look at the full spectrum. For industrial and critical systems, there is a very heightened level of awareness and at least those industries are attempting to address the problem, although they are working through some practical challenges.
On the consumer side, part of the challenge will be that, until there is a better awareness and until consumers start becoming impacted, they might not recognize that the security integrity of a product should be part of their buying criteria. Just as physical quality is something consumers think about when they buy various products, in the future, they’ll have to start taking into account what is the security quality and integrity of the devices that they buy, not only for the device itself, but the risk that that device can potentially impose on other devices that are connected to it on a similar network or the same network.
TCB: It seems that ransomware is primarily utilized by cyber criminals. Is there any indication that it might be weaponized in any way, like something a nation-state actor might use to paralyze key systems or infrastructure in the event of a state-to-state conflict?
SG: Sure. In state-to-state conflicts, inflicting damage to the civilian population can sometimes be part of the objective, whether it’s damaging the economy – you can think of a situation where a nation state causes mass traffic congestion or denied access to automobiles by focusing on automotive attacks – or by inflicting lack of information awareness to the civilian population by taking out both internet access within homes and media type devices like television.
It’s a very reasonable assumption that in an active state-to-state engagement that we could see the civilian population, along with their smart, connected devices impacted, both from the nuance perspective all the way up to, in a terrorist incident, an attack on critical infrastructure where the intent is more to do bodily harm or cause death.
TCB: What can people do to mitigate the threat of ransomware besides backing things up?
SG: There are a few things. Number one, backing up data in a way that if you’re impacted by data-based ransomware – and we almost need to move to a point where we are qualifying ransomware as not assuming it’s about holding data for hostage but possibly holding access to systems hostage – definitely having critical data backed up in a way that it’s not connected, so it’s offline, is key.
The other thing is to start recognizing good cyber hygiene. Think about what is connected to networks in your home. Do you trust the vendors that are creating those devices? Are you using good, strong passwords for devices that require passwords, and are they unique? Given that these devices could become compromised, having passwords stolen from devices to be then used in other attacks is a very real scenario.
Unfortunately, having general consumers understand the risk as well as the reward when they start moving to smart, connected devices is going to be of immense importance.
TCB: How does that need for better awareness and hygiene pertain to things such as the “bring your own device culture” in hi-tech workspaces? How does the human or cultural aspect interact with this?
SG: There will need to be better separation of systems and data. Whether that’s at a software level, by continued evolution of sandboxes within things like mobile operating systems, or whether it’s through physical separation of networks between different devices.
It’s not only about the business networks themselves, but really understanding how business networks communicate with other critical systems that are necessary to make a corporate environment successful in their business goals, whether it’s manufacturing or other elements where they’re using physical devices and IoT devices as the critical element of running a business.
TCB: How do you see this threat changing in the future? It seems as though it has emerged very rapidly, and responses to it are also emerging rapidly. How do you see this changing in the next 3-5 years?
SG: A few things will happen. The typical pattern of cybersecurity threats is that it takes some level of active exploitation for users and consumers to understand that there is a risk. Once that happens, we’ll need to come together as an industry to really look at what are the underlying changes that we need to make in the way we design these devices, the way we connect these devices, and the way that users think about deploying these devices into their homes as well as their businesses.