The Threat Landscape as Seen Through FireEye's Eyes
FireEye's Mandia gave the company's annual overview of the threat landscape for the summit. His big conclusion, shared by many but with some interesting consequences, is that there are few risks or repercussions for cyber attacks, and that threat actors are increasingly aware of this. This is true of both criminal and state-sponsored attacks. Many countries afford criminals a safe harbor, and the criminals are emboldened by this.
Attackers continue to exploit human trust, Mandia said, and their activities will continue to reflect geopolitical conditions. He noted that the Syrian Electronic Army became active after the US declared a red line over the Assad regime's anticipated use of chemical weapons. He doesn't regard this as an accident.
Looking at the two biggest competitors of the US in cyberspace, Mandia saw more capability in China, but more hacking from Russia. He thought that Chinese hacking has actually declined. But "Russia's dialed it up a notch." Beginning in 2014 Mandia saw a dip in Russian OPSEC as hacking tools were increasingly shared by government and criminals. He also saw less attention being paid to manual deletion of hackers' tracks from victim systems. He concludes from this that "the Russians know what they're looking for, and they're operating at a scale where they don't have manual resources available." The large scale and high operational tempo of Russian hacking has led them to build capability at the cost of stealth and evasiveness.
Turning to the cybercriminal underworld, he notes the rise in extortion. He sees this as in part a response to enhanced credit card security. As card security got better, criminals realized they had more lucrative options. It's also not particularly risky, he said—it's proving difficult to penetrate the anonymity of those who hold data for ransom. The attackers' methods are indiscriminate: most attacks are what Mandia called "spray and pray" operations, not targeted work. A great deal of ransomware is being spread with automated spearphishing.
He closed with observations on attribution. Attribution can be valuable to the private sector if the Government confirms it. As in the case of the Sony hack, Government attribution of an attack to a nation-state can reduce the reputational damage a company sustains for having fallen victim to a cyber attack.