It seems like the next flavor of cyberattack is always making the news, a constant reminder of how vigilant businesses need to be to keep themselves, their customers and their suppliers safe. Almost every organization of any size will have some sort of vulnerability assessment and management program, a security hardening framework and basic training for employees to recognize malicious emails and phishing attacks.
These are still some of the best front-line defenses businesses can use to keep themselves, their data and their customers safe. However, there are some new and fascinating attacks out there, including some new versions of attacks we’ve seen before in the wild.
Ransomware and the Evolution of Old Favorites
By now, everyone is probably familiar with the concept of ransomware, where a bad actor uses a method like phishing to get someone to run a malicious program that encrypts all the data it can reach and then demands payment for the decryption key. The interesting thing about this type of attack is that it is in the attacker's best interest to do exactly as they say and decrypt the data when their demands are met. Otherwise, after a few attacks, word would spread that the data is irreparably lost and no one would consider paying up.
However, the ransomware group known as Alphv (aka BlackCat) threw in a twist. Rather than only threatening to publish, they set up a publicly accessible website where they leaked some of the information they stole so that anyone could access it. The exposed information was primarily data about employees and customers, exactly the kind of material that makes follow-on phishing attacks look legitimate.
And with that, the risk calculus for ransomware changed. Good, regularly tested backups still let you restore operations, but they do nothing about data that has already been copied out and published. Organizations need to revisit how they accept, mitigate or transfer the risk to their data, not just the risk to its availability.
Speculative Execution Attacks
Back in 2018, a new class of attacks came to the attention of cybersecurity researchers and practitioners: speculative execution attacks (Spectre and Meltdown were the first to be disclosed). Speculative execution itself is a powerful technique used by modern processors: the processor takes an educated guess at what it will be asked to execute next and starts executing that code before it is asked to. Done well, this greatly increases performance, and it is at the heart of much of the improvement seen over the last few generations of processors.
However, the same machinery can be turned into an attack. At a (very) high level, a speculative execution attack tricks the processor into mispredicting and speculatively executing instructions that touch data the attacker is not allowed to read. The results of those instructions are thrown away once the misprediction is detected, but their side effects on the processor's internal state (most commonly, which lines now sit in the cache) are not, and an attacker can measure those side effects, typically through timing, to recover the data bit by bit. The actual mechanisms are deeply complicated and depend on the internal architecture of the specific processor.
Perhaps the scariest thing about attacks of this type is that some variants can be performed with something as simple as JavaScript embedded in a web page, running with ordinary web-page privileges and reading memory from the browser process that the page should never be able to see.
How To Mitigate an Attack on the CPU Design Itself
It’s not all bad news. There are ways to mitigate these types of attacks, such as turning off some advanced features of a processor or adding extra steps to execution, such as flushing CPU buffers or branch predictor state when switching between security domains. But, as you might imagine, turning off features or purposely adding steps slows things down, which is why organizations must take a risk-first approach to mitigations. What is the risk of implementing these mitigations? And what is the risk if we don’t?
Some mitigations shut down a whole class of attack at once. Disabling hyperthreading (simultaneous multithreading, SMT), for example, removes every variant that depends on the attacker's code running on a sibling hyperthread of the same core as the victim. However, the performance penalty is substantial and unacceptable to many. When you assess this in the context of your organization’s need to keep its data safe, you can find the right balance between impact and value.
This also allows you to identify a “plan B”. When the risk is too high but the mitigation is unacceptable, you look for a third option. Google developed a technique called “retpoline” (short for return trampoline) against Spectre variant 2 (branch target injection). Instead of letting the CPU predict an indirect jump or call, whose predicted target an attacker can poison, the compiler routes it through a return instruction whose speculative path is trapped in a harmless loop. This mitigates the attack without disabling SMT and at a much smaller performance cost. Essentially you’re able to lower the risk AND maintain acceptable performance AND protect your data.
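To make the trampoline concrete, here is the sequence itself in a stand-alone C program. This is an added example, not Google's code or code from the original post: the thunk is the same instruction sequence that GCC and Clang emit under their retpoline options, but the function names (`retpoline_call`, `demo_retpoline_thunk_rax`) are ours. It assumes an x86-64 ELF target (Linux with gcc or clang); on any other target it falls back to an ordinary indirect call so the program still builds.

```c
/* Retpoline demo: an indirect call routed through a "return trampoline".
 * Added example, not code from the original post.  Builds with gcc or
 * clang on x86-64 Linux; elsewhere it falls back to a plain indirect
 * call so the program still runs (the thunk itself is x86-specific). */
#include <stdio.h>

/* Call fn(arg) through the retpoline instead of a predictable `call *%rax`. */
long retpoline_call(long (*fn)(long), long arg);

#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".pushsection .text\n"
    /* demo_retpoline_thunk_rax: jump to the address held in %rax without
     * executing an indirect branch.  Same shape as the compiler-generated
     * __x86_indirect_thunk_rax; the name here is ours. */
    ".type demo_retpoline_thunk_rax, @function\n"
    "demo_retpoline_thunk_rax:\n"
    "    call 1f\n"              /* pushes the address of 2f; the return stack
                                    buffer now predicts a return to 2f       */
    "2:  pause\n"                /* any speculation that follows that        */
    "    lfence\n"               /* prediction lands here and spins until    */
    "    jmp 2b\n"               /* the misprediction is squashed            */
    "1:  mov %rax, (%rsp)\n"     /* overwrite the pushed return address with
                                    the real target                          */
    "    ret\n"                  /* architecturally transfers to %rax        */

    /* retpoline_call(fn, arg): C-callable wrapper following the SysV ABI. */
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    push %rbp\n"            /* keeps %rsp 16-byte aligned at the call   */
    "    mov %rdi, %rax\n"       /* target pointer goes to %rax for the thunk */
    "    mov %rsi, %rdi\n"       /* first argument for the target            */
    "    call demo_retpoline_thunk_rax\n"
    "    pop %rbp\n"
    "    ret\n"                  /* %rax holds the target's return value     */
    ".popsection\n"
);
#else
/* Non-x86-64 fallback: the ordinary indirect call the thunk replaces. */
long retpoline_call(long (*fn)(long), long arg) { return fn(arg); }
#endif

/* Two trivial targets so the call goes somewhere observable. */
static long square(long x) { return x * x; }
static long negate(long x) { return -x; }

int main(void) {
    printf("square(7)  = %ld\n", retpoline_call(square, 7));
    printf("negate(42) = %ld\n", retpoline_call(negate, 42));
    return 0;
}
```

Build with `cc -O2 retpoline.c` and run it. Nothing changes architecturally: square(7) is still 49. What changes is microarchitectural: the inner `call` plants a prediction in the return stack buffer that points at the `pause; lfence; jmp` loop, so when the CPU speculates past the `ret` it spins harmlessly instead of running attacker-chosen code, and the real target only executes once the `ret` retires with the overwritten return address. That is why the trick costs a few cycles per indirect branch rather than a whole hyperthread, and also why an attack that can mispredict the `ret` itself undoes it.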
A New Challenger Appears
Just a few weeks ago, in mid-July, researchers at ETH Zurich revealed a new speculative execution attack that defeats retpoline as a mitigation. It was named “retbleed”, a portmanteau of Heartbleed (the 2014 OpenSSL bug whose name became shorthand for leaking memory) and retpoline. Retpoline works by replacing indirect branches with returns; retbleed gets the processor to mispredict the return instruction itself, so the trampoline becomes the attack's entry point rather than its dead end. Retbleed leaks kernel memory with high accuracy on affected Intel and AMD processors (Intel Core 6th through 8th generation and AMD Zen, Zen+ and Zen 2), and as of the time I’m writing this, mitigations aren’t widely available.
The researchers estimate a performance penalty of between 12 and 28% once mitigations do become available. Whether the mitigations will be turned on by default, and whether those performance predictions hold up in practice, remains to be seen.
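The first question a risk assessment asks about any of these issues is whether a given host is exposed and whether the mitigation is actually switched on. Linux answers that in one file per vulnerability under /sys/devices/system/cpu/vulnerabilities/ (spectre_v2, mds, l1tf and, on kernels that ship the retbleed mitigation, retbleed). The following is an added example, not code from the original post: it classifies the status strings the kernel writes there and reads the live files when they exist. The sample lines are constructed to show the three formats the kernel uses (`Not affected`, `Mitigation: ...`, `Vulnerable...`) and are not the output of any particular machine.

```c
/* Classify Linux CPU-vulnerability status strings and, where available,
 * read the live ones from sysfs.  Added example, not from the original post.
 * The sysfs directory is real; the sample strings below are constructed. */
#include <stdio.h>
#include <string.h>

enum vuln_status { NOT_AFFECTED, MITIGATED, VULNERABLE, UNKNOWN };

/* The kernel starts each status with one of three words; anything after
 * the colon is detail (which mitigation is active, SMT state, ...). */
enum vuln_status classify(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return VULNERABLE;
    return UNKNOWN;
}

/* Several statuses (retbleed, mds, ...) flag the case where a mitigation
 * is in place but a sibling hyperthread can still attack: "SMT vulnerable".
 * This is the SMT trade-off from the mitigation discussion, as the kernel
 * reports it. */
int smt_exposed(const char *line) {
    return strstr(line, "SMT vulnerable") != NULL;
}

static const char *status_name(enum vuln_status s) {
    switch (s) {
    case NOT_AFFECTED: return "not affected";
    case MITIGATED:    return "mitigated";
    case VULNERABLE:   return "VULNERABLE";
    default:           return "unknown";
    }
}

/* Read one status file; returns 1 on success, 0 if this kernel lacks it. */
int read_vuln_status(const char *name, char *buf, size_t len) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return ok;
}

int main(void) {
    /* Constructed sample lines in the kernel's format (not from a real host). */
    const char *samples[] = {
        "Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling",
        "Mitigation: untrained return thunk; SMT enabled with STIBP protection",
        "Vulnerable: untrained return thunk; SMT vulnerable",
        "Not affected",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %-12s smt_exposed=%d  (%s)\n", i,
               status_name(classify(samples[i])), smt_exposed(samples[i]),
               samples[i]);

    /* Live check.  On a non-Linux host, or a kernel older than the
     * mitigation, the file is simply absent; absence is itself a finding. */
    const char *names[] = { "spectre_v2", "retbleed", "mds", "l1tf" };
    char line[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (read_vuln_status(names[i], line, sizeof line))
            printf("%-10s %-12s %s\n", names[i],
                   status_name(classify(line)), line);
        else
            printf("%-10s (no sysfs entry on this kernel)\n", names[i]);
    }
    return 0;
}
```

Run it on each class of host in the estate and feed the result into the asset inventory: a `Vulnerable` retbleed line on an internet-facing hypervisor and the same line on an isolated build box are different risks, which is the point of scoring them per asset rather than flipping one global switch.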
What This Actually Means For You
For a risk management program, something like retbleed poses a particular challenge. There is no current mitigation strategy. There will presumably be one in the future, but:
- Will it be acceptable to implement across the entire organization’s IT infrastructure?
- Do the mitigation strategies need to be enabled for each and every asset, or is there a strategy for protecting the most vulnerable or valuable assets?
- Can we transfer some of this risk with cybersecurity insurance?
- If an employee is browsing the web and comes across a malicious site, what do they have access to?
- How could a bad actor use information like passwords from their PC to get a foothold in the company’s network?
This is where ZenGRC comes in. We’ve already split out many different types of risk, such as business interruption, risk to reputation, diminished competitiveness, etc. Each of these can be evaluated and scored individually, taking into account the impact on the business and the likelihood of the risk being realized.
With this, you can tailor your treatment plan, determine residual risk and get a holistic view of your risk posture. Why not give it a try? Sign up for our FREE trial of ZenGRC. No credit card required, unlimited time to explore. Or register for a FREE live demo to see ZenGRC in action.
Check out our latest infographic, “Security Threats are Evolving – So Why Isn’t Your Security Program?” to continue your learning journey.