"Nowadays, countries use ransomware to achieve state goals"

Updated: Feb 24

Assaf Dahan, Sr. Director and Head of Threat Research at Cybereason, gives a peek into some cyber trends expected to stick with us in 2022


"Today, some attacks last only two hours". Photo illustration: Unsplash

Assaf Dahan, Sr. Director and Head of Threat Research at Cybereason, gives us a peek into some cyber trends that are expected to stick with us in 2022. “In 2021, cyber attacks became more aggressive,” says Dahan in a special interview ahead of the Cybertech Global TLV conference.


Attackers are quick on their feet


“One of the disturbing trends we’ve noticed is shorter dwell time – the amount of time the attacker is online, from the moment they enter the organization’s network until they are discovered, or leave on their own. In the past, dwell time was approximately 4-6 weeks, but today some attacks last only two hours. Go in and out quickly, and make a huge profit.

“What this means is that cyber defense methods have less time to track, identify and classify the attackers. In order to try and tackle this, we developed a technology that can identify a process that is attempting to perform an encryption process. We have managed to stop file encryption in many of the attacks on our clients.


“However, one should remember that today’s ransomware attack consists of two to four dimensions. The attacker leaks information before encrypting the files. Then, they threaten to sell or disclose the data, sometimes going to the press and at other times – directly to the victim’s clients. The intention is to pressure the victim, get the money and vanish. We’re talking about criminal groups that get away with tens or hundreds of millions of dollars annually.

Assaf Dahan. Photo courtesy Cybereason

One of the changes the US and Europe have made is going after the criminals: high-profile arrests, seizing digital wallets, sanctions, blacklists and more. “This isn’t something we’ve seen in the past,” explains Dahan, adding that “this is the main reason there are ransomware groups that don’t go after critical infrastructure or hospitals. They want to avoid law enforcement. You can also see more forum admins trying to shake off selling data due to US sanctions and fear of the FBI and Europol.”


State sponsored


Another trend Dahan believes will continue in 2022 is nation-state support of cyber criminal groups. Russian media recently reported on the arrests of REvil group members, one of the largest attack groups in existence. “As long as they didn’t go after Russian destinations or interests, the Kremlin looked the other way. All of a sudden, they started arresting. We need to see how this will play out,” says Dahan.


What about state actors? “In the past, we would see criminal groups looking to exploit state actors’ tools. Nowadays, we see countries that use ransomware in order to achieve state goals. Such groups don’t demand any ransomware payment,” explains Dahan. “You can tell when nation-states use the MOs of criminals. This reality allows nations to remain in ambiguity.”


Patching

Whereas in the past the focus was on zero-day vulnerabilities, the emphasis is now on known ones. Tens of thousands of new vulnerabilities were reported in 2021 alone, and it is unclear how many organizations worldwide actually updated their systems.


“In almost all large-scale attacks, even if a zero-day was involved, you can detect the exploitation of known vulnerabilities. Sometimes we find vulnerabilities that weren’t patched even months or years after the manufacturer provided the patch,” says Dahan. “And this is where the Defense in Depth approach comes into play. There is no silver bullet. We provide solutions to what happens the second after an attacker enters a network. What are the next phases? Is the attacker now searching for privileges? Scanning open ports? This is when we catch them.”


*****

Cybereason will attend the upcoming Cybertech Global TLV, to be held in Tel Aviv (in person!) between March 1st-3rd, 2022. For additional information, please visit the event’s official website.


Translated and adapted from Hebrew by Mandi Kogosowski. The original article appeared on Israel Defense.