With cyber threats on the rise in Aotearoa and around the world, two senior figures in the world of cybersecurity explain the growing sophistication of online attacks - and what Kiwi businesses can do to avoid falling victim to them | Content partnership
Without quick reflexes, taking on a game of whack-a-mole can be an exercise in frustration.
But Josh Bahlman, Spark’s chief information security officer, and Spark’s cyber defence team are well-versed in bopping new cyber threats on the head as they pop up.
According to the latest report from New Zealand cyber security agency CERT, Kiwi businesses have suffered over $33m in direct financial losses from cyber attacks in the last two years, with an average of just over 2200 incidents reported to it every quarter.
It’s not just the domestic picture which gives cause for concern, either.
Dan Woods, a former FBI agent and CIA cyber operations officer who now serves as head of intelligence at F5, a web application security and delivery company and Spark partner, tells Newsroom that cyber attacks are growing increasingly aggressive in the United States - but the ramifications are being felt globally.
“As we deploy more and more countermeasures to prevent attacks in the United States, we're seeing these attackers move on to ‘softer’ targets, typically throughout the rest of North America, Europe and Asia.
“The attacks we've seen over the last five to 10 years in the United States, as we've mitigated those, we're going to start seeing those attacks spill over to other regions of the world.”
As the volume of cyber attacks has grown, so too has their sophistication.
Attackers are no longer relying only on ‘dirty’ blacklisted IP addresses previously identified as malicious: thousands of clean IPs are now being harnessed to stay below the radar of network protection thresholds.
“We are seeing increasing effort from attackers to develop and build infrastructure to be able to get past complicated protection thresholds. A key part of how we protect is to understand how the attacker is building and modifying their infrastructure as they evolve their attacks,” Spark’s Bahlman says.
Woods has spent some time looking into the Genesis Market, an online marketplace which sells “bots” - collections of not just usernames and passwords, but also the unique attributes used to generate so-called “browser fingerprints”.
“When you are at home and log in to your bank, I'm guessing it doesn’t ask you for a second factor - but if you log in from a different browser that says ‘we don't recognise this device’, it triggers two-factor authentication…
“This Genesis marketplace downloads all the attributes of the victim machine that allows them to duplicate the victim’s browser, so the bad actor just downloads a plugin installed on their Chromium-based browser, generates a fingerprint, and now their Chromium-based browser is a nearly exact replica of the victim’s.”
When Woods first discovered the marketplace several years ago, it had about 100,000 bots. Now, that’s up to about half a million - including many from New Zealand.
Attackers are also expanding their efforts beyond the initial target to the providers protecting the target - as Spark found out during the distributed denial-of-service attack on several high-profile New Zealand organisations, when the company itself came under digital bombardment just minutes before the stock exchange.
“The attackers had worked out that we were providing security services to several New Zealand organisations. They would start attacking us 10 minutes prior, to try and make us less effective at being able to protect those customers. While we were able to respond very quickly due to having an extensive and very experienced incident response team - it’s not so easy to respond in the moment,” Bahlman says.
He likens it to a game of whack-a-mole: as each potential vulnerability is knocked on the head, a new one pops up elsewhere.
“We'll deploy a countermeasure then the attacker will, over time, retool to overcome that countermeasure, and they deploy a new countermeasure, and we'll do that back and forth,” Woods says of F5’s work.
“The reason we can win is because the time it takes us to retool and deploy a new countermeasure is minutes to hours, but it takes them days to weeks to overcome that new countermeasure.”
The goal isn’t to make an attack impossible - simply to make it too expensive for the attacker to carry out, meaning they move on to another target in hopes of an easier payday.
Bahlman believes New Zealand is “a step behind” other parts of the world when it comes to the maturity of our cyber defences, but there is still more work to do to ensure we’re protected against escalating threats.
While the top tier of businesses understand the potential problems they face without a sufficiently robust approach, the small and medium enterprises that account for a large chunk of Aotearoa’s business sector may not be as well prepared.
So what can Kiwi businesses do to better protect themselves from cyber threats? The answer is “boring”, he says almost apologetically.
“For organisations, it’s really about keeping up some of the basic online hygiene. While we have been talking about this for a long time, the protections for end users have become easier to use and very effective. These key things are: keep your applications and operating systems for all of your devices up to date; always use unique passwords (to make it easier, use a password manager); and put a good endpoint protection product on your servers, on your laptops and other devices where possible.
“In addition, many organisations lack a mature, well-documented and tested incident response process and this can lead to a lot of uncertainty – especially if a major incident occurs. Hackers are always one step ahead of the game, so it’s important that organisations have experienced IT professionals or can work with a managed security service provider with a certified incident response team that are across emerging trends and security vulnerabilities.”
Woods suggests companies offer up some sort of incentive for customers to use a password manager, such as a 10 percent discount, given the benefits of improved security.
Bahlman says accounting for an individual’s internet ‘hygiene’ - or lack thereof - is a critical part of cyber security, with user experience a factor which needs to be taken into account before forging ahead with overly rigid controls.
That is why companies like Spark are prioritising zero-trust frameworks, which assume that no one inside or outside the network should be trusted until their identification has been thoroughly checked. Instead of a traditional approach in which users who have already accessed the network are assumed to be trusted, zero trust requires strict identity verification for every individual or device that accesses any application within the network.
With no single ‘silver bullet’ able to prevent a malicious actor, companies need to take a holistic security-focused approach throughout their infrastructure.
“You’re not solving all of your issues by putting the latest artificial intelligence and machine learning detection capabilities if you’re still only using single factor authentication gateways for your admin users. This is where a holistic approach to understanding your critical online assets and access to these is essential.”
While many of Spark and F5’s security offerings are implemented by larger New Zealand businesses, SMEs can benefit from the same “enterprise-grade” solutions.
Bahlman says, “This comes down to how critical your online assets are to the success of your business as well as how a service provider like Spark can help you implement these to the right scale for your specific needs. We can also offer maturity assessments and other reviews of a business’s cyber capability, identifying the biggest risks and putting protections in place around its critical assets.”
Financial pain isn’t the only downside to bear in mind when thinking about the level of cyber protection to put in place, Woods adds.
“There's a lot of businesses there, they've made the decision that this [certain] level of fraud is acceptable and anything below that, they're not going to chase … but they haven't considered the loss of privacy or PII [personally identifiable information] and how it impacts their customers.
“What happens when that customer tweets about it or posts on Facebook about the negative experience they've had with the brand?”
With the stakes - both financial and reputational - so high, there is plenty of incentive to act.
Spark is a Newsroom foundation partner.
As New Zealand's largest telecommunications and digital services company, Spark’s purpose is to help all of New Zealand win big in a digital world. Spark provides mobile, broadband, and digital services to millions of New Zealanders and thousands of New Zealand businesses. Spark’s cyber defence team comprises more than 180 highly skilled IT and cyber security experts dedicated to protecting Spark’s vast network infrastructure, which keeps millions of Kiwis connected, and Spark business customers, which span small to medium businesses, enterprise, and government departments.
Eight years ago, Spark was the first New Zealand organisation to join FIRST (the global Forum of Incident Response and Security Teams) where membership is based on referral and on meeting strict criteria. Currently, FIRST has more than 600 members across Africa, the Americas, Asia, Europe, and Oceania. To this day, only two New Zealand organisations are FIRST members (Spark and CERT NZ).
F5 is a multi-cloud application services and security company committed to bringing a better digital world to life. F5 partners with the world’s largest, most advanced organizations to optimize and secure every app and API anywhere, including on-premises, in the cloud, or at the edge. F5 enables organizations to provide exceptional, secure digital experiences for their customers and continuously stay ahead of threats.