The first question is obvious, why are the number of attacks increasing?
FZ: Basically, because it pays. A mix of political, social and environmental challenges and changes in technology are playing into this.
MB: It is important to understand who the attackers are. They are first and foremost entrepreneurs. Don't imagine young lads in hoodies sitting in a basement somewhere. In short, these are mostly people trying to make a quick buck, often in conditions where it is otherwise not easy - which is why so many risks are associated with countries such as the current Ukraine. Today's young people who have stayed behind there will have a very hard time in a country destroyed by war, with no infrastructure and a lack of job opportunities, which creates a breeding ground for problems.
In general, think of a young person who is trying to make more money, has few job opportunities and high expectations. It is people like this who may be drawn to faster, albeit illegal, ways of making money. And this is where what many people don't realise comes into play. If an attacker like this discovers that the masses are susceptible to some issue that divides society, from Covid or the war in Ukraine to the presidential election, that attacker feeds on that fear and negative emotion just to catch people out and make money off of them. To get them to click on something, open something, send their data somewhere, or simply collaborate.
FZ: Time pressure plays a big role in this; users are asked to download or click something quickly, otherwise supposedly important information will disappear. But this is artificial pressure, to reduce the time people have to think about whether it's even valid information.
Are you saying that when someone pulls the social issues card in a cyber fight, it's not because they're fighting for any of those causes?
MB: I don't want to dehumanize the groups that are really fighting for a cause because it is something they feel very strongly about, but I think they really are the minority.
FZ: There are groups like Anonymous, for example, who were very involved in the first weeks of the conflict in Ukraine, fighting against human rights violations, censorship, corruption and various ideologies.
MB: Anonymous is essentially a philosophical movement that launched its first attack against a site that was strongly anti-gay. It has grown to massive proportions, but today the Anonymous name is also being abused a lot.
However, it is not easy to give a general answer your question, as it also depends on the topic. In the context of the Russia-Ukraine conflict, we know that before the Russians physically attacked, the number of cyber-attacks on Ukrainian infrastructure increased and a disinformation campaign was launched. This is asymmetric warfare; as an aggressor you need to instil fear in the population, destabilise the structure and the political situation. Within this conflict, I'm sure most of the incidents are politically motivated, but otherwise I think attacks made in support of a particular opinion really are in the minority. In the past, several groups of spammers who made a living by sending unsolicited mail, mostly to promote counterfeit goods, have been broken up. After the successful take-down of one such group, email traffic on the Internet dropped by tens of percent! And we're talking about the recent past. No one can measure what proportion of the total traffic is made up of spam today. There is talk of Internet noise, which is generated to a large extent by mass campaigns and the scanning of publicly accessible systems precisely to identify and exploit vulnerabilities.
Let's go back to the beginning, what should I actually imagine the word "attack” to mean?
FZ: They can be DDoS attacks that are used to overwhelm or shut down websites or services, and yes, sometimes they can be associated with a government or political party and therefore an opinion. Phishing and other attacks using social engineering to obtain access credentials to any accounts, extract information that would help the attacker, and ultimately force the victim to download and install malware, most commonly ransomware. Furthermore, it can be a direct network attack, aimed at getting access to the network and causing a breach without user interaction, running ransomware and obtaining sensitive data. These attacks then lead to data leaks, which are not attacks in themselves, but the tangible result of a previous intrusion into the system. Moreover, all this can happen through emails, social networks, SMS and phone calls.
MB: What we're dealing with most often with clients now is ransomware, where an attacker encrypts your data so you as the owner can't access it. This is a form of extortion; the attacker either wants you to pay up with the promise that they will release your data, which usually doesn't happen, or they threaten to release your data. Alternatively, the attackers go so far as to threaten to contact the authorities under threat of a huge fine. But these are primitive techniques; no hacker is going to check your books to see if you are accidentally skimping on your tax payments. Another option is to launch a DDoS, as mentioned earlier, and shut down your business, for example your e-shop. We have also experienced this with a number of customers. When you consider that such an attack costs the perpetrator an average of 100 euros per day, the cost is extremely low compared to the potential profit, and attackers are seeking a means of coercion that could increase the likelihood of getting a ransom.
This is an interesting topic, given how not only Czechs have learned to do so much of their shopping online. Is keeping these services secure a big issue now?
MB: Yes, it is. And in general, we will see a huge increase in the inflection and importance of the term cyber resilience in the future. This is because you’ll no longer just think about whether you're going to come under attack. It’ll happen, that's for sure. Every company has to prepare for being attacked. It must be able to resume its activities within a few hours, otherwise millions of crowns are lost in the case of the biggest companies. It compares nicely to the story of the well. Imagine you’ve got a well in your village as your only source of drinking water, but some jerk takes fertilizer and poisons it. You have to have a mechanism set up to find out it happened in the first place, or a lot of people are going to die. In our case, this means having effective detection technologies in place. If you know about it, then you also have to effectively inform citizens not to drink the water. You also need to ensure that a tanker truck with fresh water will turn up within a few hours or have a back-up water source that you can tap into. Or imagine someone blackmailing you because they already have a bomb ready in the well and will detonate it if you don't pay. Alternatively, if you make excuses and wait, they’ll post about your inaction in the newspaper as a threat to public health. You’re only resistant to attack if you know what to do and are prepared for the situation. Not that you believe you're of no interest to an attacker.
As experts, you know about risks that the average person has no idea about. Doesn't this sometimes make you anxious?
FZ: I can say from my own experience that before I became a security specialist, I used to happily click on links on the Internet without thinking about security. That was also a different time and malware was much less complex back then. When I started getting involved in IT security, I was wary, even paranoid, of any links and attachments. But now I know that there are different solutions and I can click on everything as long as I use the right technological security measures. That's one view. The second is that for a sophisticated attack, you have to interest the attacker, there has to be a reason why they’d try it on you. People are already largely aware of attempts like "You've won an iPhone, click here".
MB: I'm worried about something else. Consider that we are the first generation of people who spend most of our time on the Internet, but we were not raised to do so. We didn't have parents to tell us how to do it; the time back then threw us in the water and forced us to learn how to swim. The majority of people today live in a naive world and feel that nothing can happen to them on the Internet. When in reality, it's the Wild West and you can take a bullet at any time. Now it is our role to raise the next generation, but I fear we are still not doing enough. Social responsibility is very low and the community of people who possess information is small and more likely to use it for business. Parents pay attention to where their children go to school, who they hang out with, who is involved in their upbringing outside the safe circle of the family. Yet they can be sitting next to you and there and then struggling with cyberbullying, blackmail, influences on their opinions, being active in extremist online groups, but you won't even notice. And we have very few experts for all this. As a society, we are producing increasingly vulnerable individuals, which is even more of a problem in politically unstable and economically less developed countries where life situations encourage enterprising individuals to pursue dubious career paths.