Proliferation of Commercial Cyber Tools – NCSC’s Report

Proliferation in Cyber Security

As hardware-based cyber attack tools like RubberDucky, Flipper, BashBunny, Ninja, and OMG cables become increasingly accessible and affordable, a new wave of security concerns is on the rise. The National Cyber Security Centre (NCSC) has recently published a report on the threat from the proliferation of commercial cyber attack tools, which sheds light on the risks associated with their commoditization. This blog explores the key findings of the report and their implications for businesses, organizations, and individuals. The report highlights the unique challenges of the hardware security domain.

The Proliferation of Commercial Cyber Tools

Key finding #1 – “Proliferation of commercial cyber tools will pose a growing threat to organizations and individuals globally, new report predicts”

Is it that easy to acquire cyber-attack tools? Well, it is! As many of the attack tools are categorized and sold as pen testing (PT) equipment, one can buy them with no actual restrictions. Their ridiculously low cost, sometimes down to a couple of euros (e.g., DigiSpark via AliExpress), makes budget a non-issue. These pen testing tools are often supported by a large community (e.g., RubberDucky), which provides a continuous stream of updated payloads that can bypass existing cybersecurity products.

The Rise of Hackers for Hire

Key finding #2 – “GCHQ’s National Cyber Security Centre warns of “unpredictable targeting or unintentional escalation” as demand for hackers-for-hire set to rise.”

Despite the fact that these hardware attack tools are easy to master, a growing list of freelancers now offers their services to individuals or other entities. You want a keylogger script that will go undetected? No worries! Ransomware via a charging cable? Hell yes! Do you want it for Ninja or OMG cable? Want to grab someone’s WiFi password? Just select your tool of choice and wire the money. This ease of operation may lure people from “classic-legacy” criminal activity into the virtual domain.

The Challenge of Tracing Cyber Attacks

Key finding #3 – “It highlights how over the past decade more than 80 countries have purchased cyber intrusion software. Some states have likely employed these tools irresponsibly to target journalists, human rights activists, political dissidents, opponents, and foreign government officials.”

There is no accountability if there is no traceability. In past cyber incidents, a significant effort has been made during the incident response (IR) or forensic phase to discover who is responsible for a certain attack. Urban legends abound about specific time zones of files or lines of code that presumably revealed the state behind a certain campaign. The commoditization of attack tools provides an additional protection layer for attackers using them. Attackers utilizing widely available tools like RubberDucky or Raspberry Pi Zero can expose their payloads for public access and download. How can one trace it? So if you cannot specifically blame an adversary, how can you retaliate against him?

The Imperative of Continuous Monitoring of Evolving Cyber Threats

Key finding #4 – There’s a need for continuous monitoring and threat intelligence

Attackers (and pen testers) today are fully aware of the capabilities of existing cybersecurity solutions. In any battle of minds, potential adversaries can engage in a head-to-head struggle to avoid detection by cybersecurity products, identifying their weaknesses or blind spots. The other option, which is gaining popularity, is attacking from a completely different surface: hardware assets. Yes, it does require the introduction of a physical, local element to the victim’s premises. But due to the scarcity of good cybersecurity solutions to detect these attacks (usually introduced by internal abusers or hardware supply chain attacks), the success rates are looking very promising.

Organizations must always adopt a proactive approach to threat intelligence, understanding that what you are not familiar with will come back to bite you. So it’s up to you to be constantly on the lookout for the “latest trends” in cybersecurity attacks and to engage with peers to gain as much insight as possible, as soon as possible, about newly introduced attack methods.

The Future Impact of Proliferating Cyber Tools on State and Non-State Actors

Key finding #5 – “Over the next five years, the proliferation of cyber tools and services will have a profound impact on the threat landscape, as more state and non-state actors obtain capabilities and intelligence not previously available to them.”

The availability of cyber-attack tools helps state actors target a larger number of victims without the risk of losing or revealing significant capabilities. Capturing even one of the tools results in a minimal “strategic loss.” This allows states to keep their crown-jewel capabilities for their top targets and use local “classic criminals” to spread “commodity” cyber attack tools in larger numbers.

Proliferation of Commercial Cyber Tools and Sepio Asset Risk Management

First, a shift in mindset is required: understanding that hardware-based attack tools are no longer solely the “playground” for state-sponsored activities. Tools once exclusive to state-sponsored actors are now accessible, learnable, and deployable by nearly anyone: a frustrated ex-employee, a rogue private investigator looking for business intelligence, a suspicious spouse, or local crime organizations. Once you understand that you or your organization could be a potential target, you’re halfway there.

The second half is making sure that you have the required physical layer visibility into those attack tools. Emerging threats need an emerging technology. In many cases, cyber attack tools can only be discovered by examining the physical layer, which is the only true source. Physics remains truthful; once an asset connects, its presence alters the physical layer parameters of the interface. Sepio’s patented technology harnesses this new data source to detect and mitigate those “elusive” assets that go undetected by legacy technologies.

May 9th, 2023