Krebs: ‘We’ve Over-Fetishized the APT Threat’

The government and industry focus in recent years on the operations and tactics of high-end threat actors such as Russian and Chinese APT teams has allowed cybercrime and ransomware groups to have a field day, growing stronger and more technologically advanced in the interim, the former director of the Cybersecurity and Infrastructure Security Agency said.

“We’ve over-fetishized the APT threat. We’ve over-rotated on the SVR and MSS while cybercriminals have been eating our lunch in the meantime. If you’re on the Internet, you’re on the playing field for them. Their opportunistic target sets are much, much greater,” Chris Krebs, the first director of CISA and now a partner at the Krebs Stamos Group, said during a keynote at Black Hat USA Wednesday.

Since Google’s disclosure of the Operation Aurora incident in 2010, a significant portion of the private sector research community, as well as government agencies, have focused their efforts on uncovering the operations of state-sponsored actors, including China’s Ministry of State Security, Russia’s Foreign Intelligence Service (SVR), and teams from Iran, North Korea, and elsewhere. Operation Aurora was a campaign by APT actors in China that targeted Google, Akamai, Adobe, and a number of other technology companies, and was the first widely publicized and detailed APT attack to gain broad media and public attention.

In the months and years following that campaign, many security and technology companies, including Google, Microsoft, Yahoo, CrowdStrike, Kaspersky, and others, formed or expanded teams dedicated to identifying and exposing the campaigns and tools of state-backed actors. Those teams regularly publish reports on the activities and malware of APT groups from around the world, and many of them also sell more detailed information to private customers and government agencies. Despite the scrutiny from and exposure by research teams, the APT threat landscape has expanded significantly in the past decade, both in the sheer number of groups in operation and in the range of targets those groups go after.

“That said, we can’t take our eyes off the top of the threat hierarchy. They understand the dependencies and the trust connections we have and they are working their way up the ladder through the supply chain,” Krebs said, referring to recent attacks against software companies such as Kaseya and SolarWinds that had widespread downstream effects on many of those companies’ customers.

“We have to solve the hard problems that continue to persist.”

Though the high-level research teams at major vendors and inside law enforcement and government agencies do focus significant resources on APT groups, it’s not to the exclusion of research on cybercrime groups. In some countries, cybercrime groups and APT groups have some connections and even overlap, and the major cybercrime operations have learned from the techniques and tactics of state-backed actors. Ransomware groups are prime examples of this learning process, as many of them began by targeting individuals and then moved on to small businesses and now target Fortune 500 enterprises and government agencies around the world.

“Things are getting more complex. We’re generating more data, but we have a maturing industry producing products that are solving problems. Is it happening at the pace we want it to or need it to? No. Bad actors are getting their wins and until we make meaningful consequences and impose cost on them, they will win,” Krebs said.

“The money is there, they’re profiting and it’s not costing them anything. They’re not feeling any pain.”

Imposing consequences on threat actors, whether they’re cybercrime groups or APT teams, usually involves some action from the government, either through the legal system or economic sanctions or some combination of the two. Cooperation between private researchers and law enforcement agencies such as CISA hasn’t always been smooth, and Krebs, who has seen it from both sides, said better collaboration is a must.

“It’s still difficult to work with the government. Who do you work with? It’s still just too hard to work with the government and the value proposition isn’t as clear as it needs to be. The Government needs to clean up its own act,” he said.