The Evolution of Cyber-Attacks in Sri Lanka

As you are already aware, cyber-attacks reported within the country has become more common in the recent past. Reflecting on these attacks, we noticed three trends that have been explained below:

  1. Drastic increase in threats – Over the past two-to-three years, we have noticed that the number of cyber-attacks targeting Sri Lankan-based enterprises has been drastically increasing. We hear more stories about successful attacks compared to attacks that were detected and mitigated at their early stages.
  2. Increase in the complexity of attacks – We aren’t talking about isolated, annoying viruses anymore that make our life a little difficult, for example folder.exe., rather attacks that go through multiple stages spanning over a period of time. Attackers improvise and adapt to the environment and leverage stealth mechanisms to remain undetected until the very last stage is executed.
  3. Exponential increase in the impact of attacks – The impact of modern attacks is increasing rapidly. We have come across many instances where large organizations have been brought to their knees and took days to recover. In addition to the financial loss due to the abrupt stop of business, money and resources been spent on the recovery process, many organizations suffer significant reputational damage. News travels fast and bad news travels faster. Some attackers even go as far as releasing samples of stolen data to persuade companies to pay ransom.

In order to understand the current cyber attack trends within the country, let’s analyze what has changed over time from an attacker’s point of view and from a defender’s point of view.

The Evolution of Cyber Attacks in Sri Lanka – From an Attacker’s Point of View

Looking at how the attacks have evolved from an attacker’s point of view, there are a few key points that we have observed.

Sri Lanka is no longer a hidden target – For some time, we had the luxury of reading about attacks only in news or tech blogs. It was very rare for us to be at the receiving end of a cyber-attack. But that isn’t true anymore. Attackers have their eyes set on enterprises in Sri Lanka. With acceleration in digital transformation happening and changing work dynamics due to the prevailing pandemic, Sri Lanka is more visible to attackers who now view it as a viable target.

Attackers collaborate – Just like we collaborate to defend our organizations, attackers too have started to collaborate in order to be more efficient when running attacks. It is no longer required for a single attacker to run all the stages of an attack by themselves, instead they collaborate and function as a tag-team. For example, one attacker group may have expertise in stealing credentials, while another has expertise in stealing data or running ransomware attack campaigns. In such an instance, the former would tend to sell the credentials they stole to the latter, so they can run a ransomware attack. This enables the attackers to focus on what they are good at.

Everything is available at the right price – I believe most of us are familiar with the term XaaS (X-as-a-Service). Customers prefer to consume functions in the form of “as-a-Service” since you can get what you want without having to worry about the underlying technologies and maintenance overheads. This is true with attackers as well. Attackers rent out their infrastructure or services to interested parties to run attacks expecting a percentage of earnings in return. For example, Ransomware-as-a-Service (RaaS) is a very common thing these days.

Easy way to earn money – If you have been following the news and have been monitoring professional social networking sites such as LinkedIn, you will notice that there are a lot of professionals who are seeking work due to the effects of the pandemic. Attackers seek to lure such individuals by showcasing the potential of earning a quick buck.

The Evolution of Cyber Attacks in Sri Lanka – From a Defender’s Point of View

Cyber-attacks are no longer a smash and grab operation – In the past, it was very rare to experience an attack that had multiple stages and most attacks rarely spanned over a couple of hours. But now we experience attacks that have many stages, such as initial compromise, credential theft, privilege escalation, lateral movement, detonation, and these span over a period of time which could range from a couple of days, weeks, to even months. This makes it incredibly difficult to detect if you do not know where to look.

Attackers actively participate – Attackers have become more involved during the period the execution takes place. They no longer release viruses or worms and expect them to do the job on their own. Instead attackers are focused on creating and maintaining communication channels to the victim networks and dictating how the attack is executed. This enables them to be more devastating since they could quickly adopt and circumvent any changes the defenders place in order to thwart such attacks.

No more bringing your own tools – In the past, most attacks were done using tools created by attackers for that particular purpose. This made it easy for security solutions to detect such tools and prevent them from executing. But this is no longer the case. Attackers prefer to improvise, hence whenever possible, they would leverage legitimate tools used by administrators to carry out the attack. This is also known as “living off the land.” This makes it very difficult to detect since we would always have to consider the context of an event before deducing if it is malicious or not. One example would be an attacker compromising your software distribution tool to deliver a malicious payload within your network. Without knowing if the payload is malicious or not, you cannot accurately say if this activity is malicious or not.

Multiple entry points to exploit – In the past, an enterprise had an easier job protecting their networks since the perimeter was clearly defined. Anything within the organization’s premises was considered to be trustworthy and anything coming from outside was scrutinized before allowing access. But with the “New Normal” everything has changed. It is no longer about who is inside your premises and not since many or even all employees are working from home, connecting via secure links and have direct access to the heart of the organization, which are essentially the critical business applications. These devices that are allowed to connect are rarely scrutinized, hence act as easy entry points for attackers. This has made the defender’s lives much harder since now they must focus on multiple entry points (in some instance even unknown) rather than the few well-defined entry points they used to have.

In summary, the attack landscape has drastically changed and keeps changing, and attackers are becoming increasingly effective with time. We have a fare doubt in our minds whether we are putting enough effort to protect ourselves against these attacks. The time has come for us to up our game as defenders and work towards advancing our techniques in order to defend against the attackers who will never rest.

Rukmal Fernando
Associate Director – Cyber Security
MillenniumIT ESP