Security 360 Highlights: Threat and attack convergence

In the previous series entry, we discussed the criticality of protecting user privacy, highlighting how this cybersecurity concern has made its way to the top of the list that threat actors are targeting as they attempt to compromise devices, users and data across the modern threat landscape.

As we continue to draw from Jamf’s Security 360: Annual Threat Trends Report, we dive into the trend of threat and attack convergence and how stringing various attack types together creates novel threats that could undermine organizational security practices by sidestepping controls altogether. In this entry, we discuss:

• What is convergence?
• Why is this so concerning?
• How can it undermine my security plan?
• Can you provide some examples?
• How you can protect against converged threats

Onward we go…

What is convergence?

Convergence noun

con·ver·gence

1 : the act of converging and especially moving toward union or uniformity

According to Merriam-Webster, the definition of “convergence” above is just one of several meanings relating to the unification of two or more entities. The fourth meaning defined, relates more closely to the topic at hand and is noted as“the merging of distinct technologies, industries, or devices into a unified whole.”

Taken a step further into the cybersecurity realm, CSO Online defines convergence to mean the “formal cooperation between previously disjointed security functions.”

Why is threat convergence so concerning?

Convergence is one of those phrases that crop up in technology every few years after new technologies have been around for some time and find a second wind when combined with another seemingly disparate technology to introduce something that is newer, or at the least, addresses a previously unknown need.

Consider when existing internet access was merged with standard mobile phone functions, like calling, contacts and messaging support, to introduce smartphones that handled all the above while enabling internet-enabled features, such as email and web apps on the go. That merging was effectively the convergence of those two technologies (internet and mobile phone) to introduce what would become mobile computing and revolutionize personal and professional usage in the years to come.

While the above is an example of a good form of convergence, today's focus is to discuss a negative side to convergence. One achieved when threat actors leverage multiple technologies to create a new form of threat or devise a novel attack that, if used, may introduce risk into the enterprise.

How can it undermine my security plan?

“0.02% of Android devices were rooted and 0.001% of iOS devices were jailbroken in 2022. 0.004% of users / 0.3% of organizations had a jailbroken or rooted device in 2022.”

Last year’s stat: Less than 1% of organizations had a jailbroken or rooted device in 2021.

Emerging threat tactics are the epitome of threat and attack convergence in cybersecurity. In doing so, bad actors can disproportionately impact the endpoints connecting to your organization’s infrastructure by using known threats and attacks in new, unknown ways to increase the success rate of data breaches. Because of the way in which convergence works – to give existing technology new life, as mentioned before – your company’s security strategy may only be capable of detecting and subsequently staving off a combined attack in part, or perhaps not at all.

Whether the converged attack penetrates your defenses in whole or in part is inconsequential to the fact that it pierced your security and in turn, compromised defenses. The extent of the fallout from the breach will vary wildly from one organization to the next and be wholly based on factors, such as:

• unique business continuity needs
• regulatory compliance requirements, if any
• the severity of damage to:
  • equipment
  • data (sensitive and user privacy)
  • reputation
  • business operations
  • loss of revenue

Can you provide some examples?

Unfortunately, there are a number of real-world scenarios to draw from when it comes to assessing how critical it is to protect against converged threats and attacks. The following few examples have occurred over time – ranging from recent years while others go back nearly three decades.

But make no mistake, bear in mind what convergence is and what it is intended to achieve: to create something new out of two or more things that are known, existing quantities. This is to say that, even older threats and attacks thirty-plus years old have the ability to gain a new lease on life as a “new converged threat or attack” that is capable of circumventing modern security protections that would’ve otherwise thwarted the legacy threat by itself.

But it’s air-gapped?!

2010: Any IT or Security person worth their salt (and of course, working in the industry at the time) will no doubt know of and remember Stuxnet. The first-of-its-kind WORM was developed to target vulnerable software that managed the SCADA interfaces used to control centrifuges used in the uranium enrichment process.

That’s the short take on it. For a longer take, Wired has an excellent write-up on the entire timeline leading up to and encompassing the event for those that wish to dive deeper into how the first digital tool was weaponized for cyberwarfare.

TL;DR: the computers used to manage the equipment were air-gapped, meaning they were cut off from the internet. And yet, through the ingenuity of converging a physical threat (USB thumb drive) and a malware threat (Stuxnet), the first targeted attack of its kind was made possible whereas neither threat might not have otherwise been successful on its own.

Supply-chain whack-a-mole

2020: Occurring more recently and having decidedly a further reach of impact is the SolarWinds supply chain attack. Billed as a routine update, the real nightmare that was about to unfold only did so after 18,000 estimated customers – not devices but actual companies that relied upon SolarWinds’ Orion software to monitor and manage their networks – downloaded and installed the routine update.

The update was, in fact, a vehicle for delivering malicious code to Orion which was then leveraged to carry out the larger cyberattack, as explained in further detail by NPR.

TL;DR: the suspected nation-state attack was made possible by bad actors relying on multiple threat vectors, namely compromising SolarWinds’ network and their build system (used to deliver updates to customers), creating a trojan that would deliver malicious code to clients that updated (infecting systems inside customer networks), installing tooling to exploit customer’s systems and networks, compromised cloud-based services accounts (allowing threat actors to read confidential/sensitive data, like documents and emails) to elevate account privileges for espionage and exfiltration of sensitive, confidential and classified data.

But who are you, really?

1995: Kevin Mitnick, the white-hat hacker, keynote speaker and security evangelist we know today got his start at the ripe old age of sixteen when he carried the first of many computer crimes before turning fugitive from the U.S. Department of Justice (DOJ). During his two-and-half-year run, the DOJ tallied up Mitnick’s crimes – many of which utilized advanced convergence techniques to keep them at bay.

TL;DR: while it’s beyond the scope of this blog to cover each of the crimes committed, it is sufficient to say that illicit access gained during attacks came by way of social engineering (masquerading as utility company employees to obtain physical access to secure locations), spoofing communications (convincing target networks to obtain access to networks), exfiltrated proprietary software and data, intercepted communications, like email, and used cloned cellular phones to hide his location and remain anonymous.

Help protect against converged threats

By now we know the criticality and severity of threat and attack convergence, as well as the benefits that convergence has made in the technology overall. So, it should come as no surprise that converging security protections play an equally significant role as part of a coherent, risk management program.

Much like how a defense-in-depth strategy relies on layers of controls to catch threats that may otherwise slip through undetected, the convergence of security functions, practices, protocols, alerts, reporting, monitoring, threat hunting, detection, incident response, policies and remediation workflows aims to integrate and organize within priorities and business objectives through:

• Communication
• Coordination
• Collaboration

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) developed the Cybersecurity and Physical Security Convergence Action Guide, a resource providing high-level guidance to organizations looking to understand “risks associated with siloed security functions, a description of convergence in the context of organizational security functions, benefits of convergence, a flexible framework for aligning security functions, and several case studies.”