How Can Companies Protect Themselves Against Unrecognizable Threats?

Almost two thousand years ago, a Roman writer named Juvenal penned the phrase “rara avis in terris nigroque simillima cygno.” Roughly translated, this phrase means “a rare bird, like a black swan.” Juvenal was a satirist – and he was making a joke. Black swans weren’t just rare, they were impossible.

That joke held up from 82 CE until 1697 CE, when a Dutch explorer in Australia observed what was thought to be impossible: a black swan. Since that discovery, black swans have become shorthand for outside-context problems, situations you cannot prepare for because you do not believe they can arise. Examples include Native Americans meeting European explorers for the first time, or the explosion of Reactor 4 at Chernobyl.

Outside of major world news, black swan events can also happen to your network. Every so often, attackers come up with a cyberattack so audacious that no one thought it was even possible. Total compromise of your company and systems, plus major damage to your finances and reputation, can be the result. How can companies harden themselves against black swan events in an information security context?

What is a Black Swan Event in Information Security?

Black swan events might be a little harder to characterize in an information security context because everyone expects hackers to hack things, and everyone expects them to use novel methods. By this metric, there’s a black swan event every time an attacker figures out a new zero-day vulnerability.

That being said, not all new vulnerabilities lead to impactful results. Here are three information security scenarios that fit the criteria for black swans.

1. The Stuxnet Attacks

What was it?

In the second half of the 2000s, a team widely reported to be a joint US and Israeli intelligence effort designed and deployed malware to infiltrate Iran’s then-burgeoning nuclear enrichment program. The malware spread between Windows hosts and, when it found the Siemens engineering software used to program the programmable logic controllers (PLCs) driving the enrichment centrifuges, rewrote the PLC code so the centrifuges ran at damaging speeds and broke, while feeding operators readings that looked normal.

Why was it a black swan?

Before Stuxnet, defenders did not plan for malware that could cross an air gap, reaching computers with no internet connection at all (Stuxnet did it by spreading on USB drives carried into the facility). And no one had seen malware built to reprogram industrial controllers and physically damage critical infrastructure.

What were the ramifications?

Although Stuxnet did delay the Iranian nuclear program, tensions in the Middle East worsened when the malware was revealed. Attackers from other countries have since mounted critical infrastructure attacks against the US and others, and a worrying number have succeeded. Meanwhile, Stuxnet spread far beyond its target; infections have been reported as far afield as the International Space Station.

2. The 2013 Target Breach

What was it?

In 2013, hackers penetrated Target’s information security defenses and stole credit card data belonging to some 41 million customers.

Why was it a black swan?

Big companies are supposed to be hard to breach, and Target was supposed to have good information security; from a certain point of view, it did. Its monitoring tools raised alerts on the intrusion and its SOC team saw them, but the alerts were judged not to require action. Rather than a frontal assault, the attackers got in by compromising a small third-party vendor whose credentials for Target’s network gave them a foothold, from which they pivoted to the point-of-sale systems.

What were the ramifications?

Things changed as a result. The attack was one of the first to affect a large swath of American consumers in a material way, and it changed public awareness of cyberattacks. Decision-makers began to realize that it was too easy for attackers to steal people’s credit cards over the internet; the Target breach may well have accelerated US adoption of EMV chip cards (“chip and PIN”). Target itself paid tens of millions of dollars in settlements, and its CEO resigned.

3. WannaCry

What was it?

WannaCry was a self-propagating ransomware worm that struck on May 12th, 2017. In less than 24 hours, it infected over 200,000 systems in 150 countries and caused an estimated $4 billion in damages.

Why was it a black swan?

WannaCry spread using an exploit developed by the NSA. Known as EternalBlue, it targets a flaw in the SMBv1 (Server Message Block version 1) file-sharing protocol on unpatched Windows systems; Microsoft had fixed the flaw in March 2017 with security bulletin MS17-010. The NSA never planned or anticipated that one of its tools would leak, but the group calling itself the Shadow Brokers obtained it, tried and failed to auction it, and published it outright in April 2017, a month before WannaCry appeared.

What were the ramifications?

Attackers have been using and refining EternalBlue ever since. It was one of the spreading mechanisms of the destructive NotPetya campaign just a few months after WannaCry, and it has since appeared in banking trojans and cryptojacking malware. With, by some estimates, nearly a million computers still reachable from the internet on SMB and unpatched against EternalBlue, attacks built on this exploit will stay viable for years to come.
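The two behaviours an EternalBlue-style worm leaves in firewall logs are SMB (TCP/445) reachable from the internet and one internal host fanning SMB connections out to many neighbours. As an added example (not code from the original article or its author), the script below runs that detection over a constructed firewall log. The key=value log format, the sample lines, the internal network list and the thresholds are all assumptions made for the example; the TEST-NET documentation addresses stand in for internet sources.

```python
"""Detect EternalBlue-style SMB worm activity in firewall logs (added example).

Two findings are produced:
  1. exposed SMB: TCP/445 allowed inbound from a source outside the internal
     address ranges, i.e. SMB reachable from the internet;
  2. SMB fan-out: one internal host contacting many distinct internal hosts on
     TCP/445 inside a short window, the lateral-movement pattern of an SMB worm.
The log format and all sample data are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Assumed definition of "internal": the RFC 1918 ranges. Everything else,
# including the TEST-NET addresses used in the sample, counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (constructed) key=value firewall log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: an external host reaches an exposed SMB server
# (10.0.4.17), which then starts scanning its own subnet on 445.
SAMPLE_LOG = """\
2017-05-12T07:44:01Z src=203.0.113.45 dst=10.0.4.17 dport=445 proto=tcp action=allow
2017-05-12T07:44:02Z src=203.0.113.45 dst=10.0.4.18 dport=445 proto=tcp action=deny
2017-05-12T07:45:10Z src=10.0.4.17 dst=10.0.4.20 dport=445 proto=tcp action=allow
2017-05-12T07:45:11Z src=10.0.4.17 dst=10.0.4.21 dport=445 proto=tcp action=allow
2017-05-12T07:45:11Z src=10.0.4.17 dst=10.0.4.22 dport=445 proto=tcp action=allow
2017-05-12T07:45:12Z src=10.0.4.17 dst=10.0.4.23 dport=445 proto=tcp action=allow
2017-05-12T07:45:12Z src=10.0.4.17 dst=10.0.4.24 dport=445 proto=tcp action=deny
2017-05-12T07:45:13Z src=10.0.4.17 dst=10.0.4.25 dport=445 proto=tcp action=allow
2017-05-12T07:50:00Z src=10.0.4.30 dst=10.0.4.5 dport=445 proto=tcp action=allow
2017-05-12T07:50:01Z src=10.0.4.30 dst=10.0.4.5 dport=445 proto=tcp action=allow
2017-05-12T07:51:00Z src=198.51.100.7 dst=10.0.4.40 dport=443 proto=tcp action=allow
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def is_smb(rec):
    return rec["proto"] == "tcp" and rec["dport"] == SMB_PORT


def find_exposed_smb(records):
    """(src, dst) pairs where SMB was *allowed* in from an external source."""
    hits = {(r["src"], r["dst"]) for r in records
            if is_smb(r) and r["action"] == "allow" and not is_internal(r["src"])}
    return sorted(hits)


def find_smb_fanout(records, threshold=5, window=timedelta(minutes=1)):
    """Internal sources reaching >= threshold distinct hosts on 445 within window.

    Denied attempts count too: a scanning worm is noisy whether or not the
    firewall lets each probe through.
    """
    by_src = defaultdict(list)
    for r in records:
        if is_smb(r) and is_internal(r["src"]):
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):      # sliding window by start time
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SMB exposed to external sources:", find_exposed_smb(recs))
    print("Internal hosts fanning out on SMB:", find_smb_fanout(recs))
```

On the sample, the exposed-SMB check returns the single external-to-internal connection that was allowed, and the fan-out check flags 10.0.4.17, which touched six distinct neighbours on port 445 within a few seconds; 10.0.4.30, which only talks to one file server, is not flagged. The threshold and window are starting points to tune against a network's normal SMB traffic.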

How Will You Keep Yourself Safe from the Next Black Swan Attack?

The only thing we know about the next black swan attack is that it’s basically inevitable. It will come from a vector that we don’t expect, and it will tie up a significant amount of global productivity. Afterwards, we’ll notice the signs that we should have seen – the patch that we should have applied, the malware that was taking shape, and we’ll swear that it will never happen again.

We’ll be wrong, of course.

We tell ourselves that if only our systems were fully patched and running the latest security tools, we would be safe from unknown threats. But patches arrive in a steady stream, not every one can be deployed promptly on every system, and the tools have blind spots of their own. A remarkable number of black swan events don’t rely on true zero-day exploits at all: WannaCry hit a flaw whose patch had been available for two months, and it still found hundreds of thousands of unpatched machines.

A defense that does not depend on recognizing the threat in advance is to keep untrusted content from executing on your computer at all. For malware delivered over the web, the most direct way to do that is a remote isolated browsing solution.

The next zero-day will most likely be delivered through a phishing attack, and remote isolated browsing takes web browsing off the table as a malware delivery channel. In this configuration, web content never executes on your endpoint. Users work in a fully interactive browser running in the cloud, which renders each page and streams only the rendered result to their device. That cloud browser sits in a container: if a user lands on a phishing or drive-by site by mistake, any malware drops into the container and cannot reach the endpoint. When the session ends, the container is destroyed along with anything inside it.

When it comes to keeping web-delivered malware off your device at all costs, remote isolated browsing is a strong starting point. It does not protect services exposed directly to the network, which is how WannaCry itself spread from host to host, so it belongs alongside patching and network segmentation rather than in place of them. If administrators keep building on this foundation, maybe one day we’ll be able to create a black swan that affects attackers more than security professionals.

Written by Danny Miller who is Director of Product Marketing at Ericom Software