VC funding of cybersecurity companies hits record $5.3B in 2018
https://techcrunch.com/2019/01/17/vc-funding-cybersecurity-record/

2018 wasn’t all bad. It turned out to be a record year for venture capital firms investing in cybersecurity companies.

According to new data out by Strategic Cyber Ventures, a cybersecurity-focused investment firm with a portfolio of four cybersecurity companies, more than $5.3 billion was funneled into companies focused on protecting networks, systems and data across the world, despite fewer deals done during the year.

That’s up from 20 percent — $4.4 billion — from 2017, and up from close to double on 2016.

According to the Cryptocurrency Anti-Money Laundering Report from Ciphertrace some $927 million had been stolen from cryptocurrency exchanges in the first three quarters of 2018 alone. That total will almost certainly have hit, if not smashed straight through, the $1 billion mark by now. So, who were the hackers behind the heists and how did they get away with it?

The how remains sadly predictable throughout the year, truth be told; exploiting vulnerabilities in crypto wallet software and servers, social engineering/password compromises and insider theft. The who covers equally predictable territory with lone wolf criminal opportunists at the lower end of scale through to well-resourced nation-state actors at the other.

SIM-swapping endeavor, an increasingly common method used to compromise otherwise secure accounts by gaining access to two-factor authentication codes sent via SMS

Then there are the state-sponsored actors.

North Korea remains firmly in the cross-hairs for anyone investigating cryptocurrency theft, especially at the bigger end of the attack scale. One group in particular, the Lazarus Group, is thought to have been involved in a number of attacks. Often launching their attacks out of China, possibly in order to try and obfuscate accurate geo-political attribution, the Lazarus actors are widely thought to be nation-state players tasked with cyber heists to help boost the beleaguered North Korean economy.

In this regard, Lazarus is thought to have been spectacularly successful: more than $571 million in cryptocurrency is reported to have been stolen by the Lazarus Group since the start of 2017 and it is thought that 65% of stolen cryptocurrency ends up in North Korea.

Insurance is a funny business. Life insurance, for example, is essentially betting someone you will die before your time. With the recent focus on companies getting hacked, it isn’t surprising that cybersecurity insurance is now big business. Get hacked and get paid. Maybe.

The reason I say maybe is because of the recent court battle between Zurich and Mondelez. Never heard of them? Zurich is a big insurance company and Mondelez owns brands like Nabisco, Oreo, and Trident chewing gum, among others.

It all started with the NotPetya ransomware attack in June of 2017. Mondelez is claiming it lost over $100 million dollars because of the incident. But no problem! They have insurance. If they can get the claim paid by Zurich, that is. Let’s dig in and try to see how this will all shake out.

That’s a Lot of Money

By anyone’s standards, $100 million is a pretty big wad of cash. Apparently, Mondelez uses Windows-based software for shipping and order fulfillment. By adding up property damage (lost hard drives, perhaps), supply and distribution disruption, customer order loss they came up with the $100 million figure.

You might argue if that number is really accurate.

However, even if you deflated the estimate by an order of magnitude, you are still talking about a $10 million dollar loss. Not small change. Having lived through some major cyberattacks, I can tell you just the time spent in meetings between IT, executives, and lawyers can add up pretty quickly.

Loophole

As you can probably guess, Zurich isn’t wanting to pay the claim. Insurance companies have a reputation for being happier to take your payments than they are paying your claim, and things like this are why. On the other hand, insurance companies have a fiduciary responsibility to their other customers and their shareholders to not pay out any more than they have to, and we get that too. So other than the “We didn’t know you’d ask for $100 million dollars!” defense, how can Zurich not pay if they agreed to underwrite Mondelez against cyberattacks?

Many insurance policies have a clause in them that excludes things like acts of God and acts of war. Well, the technical term is “force majeure” but it covers things like earthquakes and other natural disasters.

If you have a homeowner’s policy, you probably don’t want a force majeure exclusion.

The act of war is a bit trickier. The logic is the same. If an army marches through your town and burns everything to the ground — or a nuke does the job remotely — the company would be on the hook for so much that they would have to raise premiums quite a bit. In the United States, though, the chances of that seem so slim that no one usually minds. If a nuke hits your house, you probably aren’t going to care anymore anyway.

As usual, though, trying to apply old ideas to new technology causes problems.

According to media reports, the exact language in the insurance policy covers “hostile or warlike action in time of peace or war” and includes any agent of any government (including a de facto government) or military force.

The problem is, in a world where the battlefield is the Internet, how does this apply? There is a lot of evidence that NotPetya was state-sponsored by Russia and targeted Ukraine. The fact that it spread globally may even have been a mistake. Russia, of course, denies this.

Lesson Learned

Not being a lawyer or an insurance expert, this whole thing made me think. If you are buying cybersecurity insurance, maybe you don’t want an act of war exclusion. That’s going to drive up costs, but nearly any widespread cyberattack from another country could be argued as an act of war. Especially since in so many cases, these acts are perpetrated by persons unknown. Did the Russians create NotPetya? Did they deploy it? Did they hire some hacker group to do it for them? Does that matter? What if a hacker did it and then says they were paid by some government? How would you ever prove one way or the other?

Most Organizations Have More Intelligence Than They Know What to do With..

We’re finishing up the holiday season and at this point most of us have spent more time than usual at family gatherings. Let’s be honest, while often enjoyable, they can also be trying. Depending on who is in attendance, the location and duration of the event and the occasion, we resort to avoidance techniques like going for frequent walks around the block, dodging certain topics of discussion, taking deep breaths, staying in a hotel or some combination. By understanding as much as we can about those who will be at a specific family event, we can make better decisions about how to approach it. We turn to methods that have worked in the past to decrease the stress and maintain family harmony

According to the 2018 SANS Incident Response Survey published in October 2018, 40 percent of organizations take more than a day to respond to incidents. We all know that by then much of the damage is likely done as exfiltration is typically measured in minutes and hours. Perhaps more troubling, 44 percent report that they have been breached by the same threat actor at least twice, with 34 percent saying either the same or similar tactics, techniques and procedures (TTPs) were used. The remainder state that different TTPs were used, but they may have limited visibility and missed certain indicators the first time.

These are the best stories on hacking and information security that we wish we had reported and written ourselves.