L’Usine Digitale: If you had to describe the year 2020 in terms of cybersecurity, what would you say?
Eric Antibi: There has been an upsurge in cyber attacks globally. They have quadrupled, which is huge! Obviously, there has been a lot of ransomware, a type of attack that is becoming very lucrative. In 2019, the average ransom amount was $40,000. In 2020, it is $178,000.
In addition, something must be understood: when an attack is disclosed, in most cases it is because there was an intrusion into the information systems several months, or even a year, earlier. The cyberattacks carried out during the first lockdown therefore actually started several months before that period. Hackers carefully prepare their actions.
How did hackers take advantage of this health crisis?
They used several methods, the best known of which is phishing, a technique perfectly suited to a period of intense news coverage such as the Covid-19 pandemic. Our research teams have identified more than 40,000 malicious websites that use the Covid-19 theme so that Internet users are more inclined to click on the fraudulent link. In other words, these hot topics are used to increase the chances of a successful phishing attempt, beyond their impact on the organization of work.
Precisely, how has remote work challenged companies in terms of cybersecurity?
With the generalization of teleworking, the attack surface has expanded considerably without this having been anticipated. Indeed, when people connect from home, we end up with a mix of devices on the same network: PCs connected to the company's network for work, a printer also used by the children, perhaps even connected toys… We counted around twenty IP addresses on a home network that is itself connected to the corporate network, each of which represents a potential attack surface.
Simply using a VPN is no longer enough! Worse still, this little security tunnel is a great way for a hacker to advance. If nothing changes, 2021 will be marked by an upsurge in attacks via teleworking. All it takes is a tired employee for vigilance to lapse, even one who has been very well trained on these issues.
The end of the year was also marked by SolarWinds. What lessons are to be drawn from this rather unprecedented cyberattack?
First of all, this attack shows that it is not just about ransomware. That may sound reassuring, since there is no ransom note, but it is only a facade, because the victim companies are still trying to find out whether their servers have been infected by the malware in question.
There are two salient elements. The first is the use of the software supply chain to penetrate the information systems of thousands of companies. This shows that it is an extremely sophisticated attack. The hackers kept the victims unsuspecting. Indeed, when a piece of software is updated, there is a certificate-based mechanism that proves the software was indeed developed by the trusted company, in this case SolarWinds. During the attack, the certificate was valid while malware was lurking in the distribution. There was no way for companies to suspect anything.
Second, the goal is not monetary, unlike ransomware. The hackers sought to steal data from the attacked companies. For example, FireEye had its "pentest" tools stolen, that is, tools for penetration testing of systems. It is a bit like having your weapons stolen.
What advice would you give to prevent such an attack from happening again?
Today, SOC teams are somewhat overwhelmed because large companies continue to accumulate several cybersecurity solutions side by side. They work correctly but are managed in silos, that is, separately and by different teams. As a result, the "logs", that is, the events, are sent to different storage locations, or to a single one but without any correlation effort.
In 100% of cases, even if it can take a long time, we always end up detecting a suspicious event, for example a system administrator who connected to a cloud-facing web server and used his admin login and password. That means the information is always there somewhere. We must do as the hackers do and not hesitate to use modern means, machine learning or the scalability of the cloud. There is no reason for human beings to spend days and days searching through the logs for what happened. Today we are not fighting on an equal footing with hackers.
We have to succeed in implementing the technologies that already exist (analytics, big data…) to rationalize things. All the logs can be put in a single data lake, and the machine left to do what it can do: correlate events, enrich the data… In this way we can reduce the volume of events by a factor of 1,000 and turn them into real cybersecurity information.
2021 will be marked in particular by the arrival of 5G. What challenges are linked to it?
On the B2B side, either companies were not connected at all and will take the opportunity to connect remote sites, or they will use 5G to replace leased lines that ran back to the headquarters data center before reaching the company's applications or the Internet. In any case, changing the network part means changing security. Consequently, we will have to take measures very early on in several areas, such as securing the next-generation infrastructure that supports 5G connection points.