Encrypted Attacks Report 2023
Deepen Desai, Chief Security Officer, Zscaler
Why do you think threats to manufacturing companies are increasing? / Why was manufacturing the leading category targeted?
The rise in threats targeting manufacturing companies can be attributed to several factors: manufacturing organisations have become hubs of innovation, driving significant economic impact as they work to rapidly adopt new technologies and IoT/OT devices and dramatically expand connectivity in their networks while overhauling legacy systems for improved productivity.
This means, in turn, that they have become rich cyber targets. Not only do they have valuable intellectual property, but their expanded attack surface and complex supply chains mean that attackers can often find substantially more weak entry points into manufacturing networks.
Meanwhile, the role of manufacturers as critical infrastructure providers and key drivers of GDP can make them attractive targets to nation-state backed threat actors seeking to disrupt commerce.
In light of these challenges, the manufacturing sector faces a critical need to balance innovation with cybersecurity measures. While embracing Industry 4.0 innovations like smart factories and the internet of things (IoT) and adopting generative AI applications hold the promise of increased efficiencies, these advancements expand the attack surface and expose manufacturers to increased security risks, creating additional entry points that cybercriminals can exploit to disrupt production and supply chains.
Recently, Zscaler ThreatLabz research revealed manufacturing as the industry most targeted by encrypted attacks in 2023, accounting for 31.6% of total encrypted attacks observed across the Zscaler cloud.
No industry is immune from having to navigate the paradox of encryption. It is essential for all organisations to inspect every aspect of traffic to minimise the risk of encrypted attacks infiltrating the enterprise.
Are these attacks/threats related to [disrupt] technology or attempting to find a way into [disrupt] administration?
Encrypted attacks are sophisticated and versatile, targeting various sectors by exploiting encrypted channels to bypass standard security controls. These attacks are not just about gaining unauthorised access but are meticulously planned to achieve specific outcomes aligned with the attacker’s goals, the nature of the threat, and other factors.
In 2023, malware emerged as the predominant type of encrypted threat, comprising 78.1% of such incidents, marking a 6.9% increase from the previous year. The strategy of encrypting malicious payloads to evade detection underscores the evolving sophistication of threat actors, enabling them to penetrate networks and stealthily compromise critical assets.
The second most common encrypted threat, ad spyware sites, grew by 290.5% year-over-year. This evolution in threat tactics necessitates a shift towards a zero trust security framework, compelling enterprises to scrutinise all encrypted traffic meticulously to mitigate the risk of such covert attacks.
In the broader context, encrypted attacks encompass a diverse range of threat actors and motivations, utilising encrypted channels to deliver various types of attacks tailored to specific targets, whether they involve information technology (IT), the Internet of Things (IoT), or operational technology (OT), depending on the desired outcomes and available tools.
This nuanced approach adopted by attackers signifies that threat groups often specialise in attacks that yield success against particular targets, such as specific industries, regions, or organisations bound by certain compliance mandates or vulnerabilities. This strategic targeting highlights the importance of maintaining a comprehensive and adaptive security posture to effectively counter the multifaceted nature of encrypted threats.
How can companies defend themselves better against attacks?
To defend against the evolving encrypted threat landscape, organisations must rethink traditional security and networking approaches and adopt a comprehensive zero trust architecture that allows them to inspect all encrypted traffic and leverages AI/ML models to block or isolate malicious traffic based on business policies.
This approach simplifies policy application across all traffic without compromising performance or creating compliance issues. More specifically, organisations can defend against encrypted attacks by leveraging Zscaler’s ability to inspect encrypted traffic as part of a zero trust architecture.
The full inline SSL inspection capabilities of Zscaler allow for the complete examination of encrypted content and communication channels, enabling the global enforcement of security policies based on adaptive risk-scoring, even when the data is encrypted. This method is crucial for identifying and mitigating threats hidden within encrypted traffic, effectively preventing compromise and data loss.
Zscaler reduces the risk of cyberattacks and inhibits the spread of threats by ensuring secure transactions and user-to-app segmentation, thereby improving protection against cyber threats and data breaches.
- Use AI-powered application segmentation to reduce access, even for authenticated users. The Zscaler zero trust access solution, Zscaler Private Access™ (ZPA), creates a one-to-one segment that is brokered and authenticated by the Zero Trust Exchange to connect users directly to a requested application without ever exposing the network. ZPA automatically generates policy and app segment recommendations based on machine learning, effectively reducing the attack surface and preventing lateral threat movement.
- Use a zero trust architecture to secure all connectivity holistically between users and applications, between devices like IoT and OT systems, between all locations and branch offices, between cloud workloads, and more. This empowers enterprises to inspect all traffic, all the time — improving security while simplifying operations.
- Use an inline, proxy-based architecture to decrypt, detect, and prevent threats in all encrypted traffic at scale.
- Leverage an AI-driven cloud sandbox to isolate and quarantine unknown attacks and stop patient-zero malware, as soon as it touches your users.
- Reduce the number of entry points into your environment. Audit your attack surface, stay up to date with security patching, and fix any misconfigurations. You should also place internet-facing applications behind a cloud proxy that brokers the connection.
- Inspect outgoing northbound traffic along with incoming southbound traffic to disrupt command-and-control communications and protect your sensitive data.
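The two recommendations above that are easiest to check from log data are "decrypt and inspect all encrypted traffic" and "inspect outgoing traffic to disrupt command-and-control". The following is an added, illustrative script, not Zscaler's code and not part of the original interview, that scans constructed outbound proxy log lines for encrypted (port 443) sessions that were never decrypted for inspection, and for user-to-destination pairs whose connection timing is regular enough to look like beaconing. The log format, the field names, the sample lines and the thresholds (at least four hits, coefficient of variation of the gaps at most 0.2) are all assumptions made for this example.

```python
"""Illustrative defender-side checks over proxy logs (added example).

Not Zscaler's code. Log format, field names, sample data and thresholds
are assumptions chosen for this demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real data). Space-separated fields:
# timestamp, user, destination host, destination port,
# TLS inspected (yes/no), bytes sent by the client.
SAMPLE_LOG = """\
2023-11-01T09:00:00Z alice updates.example-vendor.com 443 yes 1200
2023-11-01T09:00:05Z bob 203.0.113.7 443 no 310
2023-11-01T09:01:05Z bob 203.0.113.7 443 no 305
2023-11-01T09:02:06Z bob 203.0.113.7 443 no 312
2023-11-01T09:03:05Z bob 203.0.113.7 443 no 308
2023-11-01T09:04:06Z bob 203.0.113.7 443 no 311
2023-11-01T09:10:00Z carol mail.example-corp.com 443 yes 48000
2023-11-01T09:30:00Z carol docs.example-corp.com 443 yes 9100
2023-11-01T10:15:00Z carol docs.example-corp.com 443 yes 7700
"""


def parse_log(text):
    """Parse the assumed six-field format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed or truncated line: ignore rather than crash
        ts, user, host, port, inspected, nbytes = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "host": host,
            "port": int(port),
            "inspected": inspected == "yes",
            "bytes": int(nbytes),
        })
    return events


def uninspected_tls(events):
    """Encrypted sessions (port 443) that bypassed decryption/inspection.

    Each one is a blind spot: malware or exfiltration inside it cannot be
    seen by content-based controls.
    """
    return [e for e in events if e["port"] == 443 and not e["inspected"]]


def beacon_candidates(events, min_hits=4, max_jitter=0.2):
    """Flag (user, host) pairs whose inter-connection gaps are very regular.

    Regular, low-jitter outbound connections to one destination are a classic
    command-and-control beaconing pattern. The coefficient of variation
    (population stdev / mean of the gaps) is compared against max_jitter.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["host"])].append(e["ts"])
    flagged = []
    for (user, host), times in groups.items():
        if len(times) < min_hits:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append({"user": user, "host": host,
                            "hits": len(times), "avg_gap_s": avg})
    return flagged


def analyse(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "uninspected": uninspected_tls(events),
        "beacons": beacon_candidates(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for e in report["uninspected"]:
        print(f"UNINSPECTED TLS: {e['user']} -> {e['host']}:{e['port']}")
    for b in report["beacons"]:
        print(f"BEACON-LIKE: {b['user']} -> {b['host']} "
              f"({b['hits']} hits, mean gap {b['avg_gap_s']:.1f}s)")
```

On the constructed sample, the five sessions from bob to 203.0.113.7 are reported both as uninspected TLS and as beacon-like (mean gap just over 60 seconds with almost no jitter), while carol's ordinary browsing is not flagged. In a real deployment the input would be the proxy's own export and the thresholds would be tuned against the organisation's baseline traffic.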
Is the point of cyberattacks always financial gain? Or [disrupting business] operating procedures?
Cyberattacks are not always motivated by financial gain. While financial gain is a common motivation for many cybercriminals, there are various other motivations that drive cyberattacks, including those that target operating procedures, seeking to disrupt operations or undermine an organisation’s reputation.
Cyberattacks can also be driven by political motivations and espionage. It’s essential to consider a range of possible motives when implementing cybersecurity measures. Here is a breakdown of common motivations behind cyberattacks:
Financial Gain: the majority of cybercriminals engage in attacks with the primary goal of financial profit. This can include activities such as ransomware attacks, data breaches which extort victims or sell stolen information, credit card fraud, and cryptocurrency theft.
Espionage and Intelligence Gathering: state-sponsored actors or intelligence agencies may conduct cyberattacks to gather sensitive information, intellectual property, or trade secrets for political, economic, or military advantage. These attacks are often aimed at government entities, defense contractors, or organisations with valuable intellectual property.
Hacktivism: hacktivists are individuals or groups who carry out cyberattacks to promote a specific social or political agenda. Their motivations can include activism, protest, or retaliation against perceived injustices. Hacktivists may deface websites, leak sensitive information, or disrupt services or supply chains to draw attention to their cause.
Nation-State Interests: nation-states may engage in cyberattacks to further their strategic interests, such as disrupting rival nations’ infrastructure, conducting espionage, or influencing political events. These attacks can be aimed at government entities, critical infrastructure, or organisations in targeted industries.
Personal Vendettas or Revenge: in some cases, individuals may carry out cyberattacks as a form of revenge or to settle personal scores. This can involve activities such as doxing (revealing personal information), spreading false information, or launching targeted attacks against specific individuals or organisations.
Disruption and Chaos: some cyberattacks are motivated by a desire to cause disruption, chaos, or damage to systems or networks. These attacks may not have a specific financial goal but aim to create havoc, disrupt services, and/or undermine public trust.
Are we talking about attackers who are bored individuals in their bedroom or more sophisticated operators?
The cybersecurity threat landscape is diverse and constantly evolving, involving a range of malicious threat actors with varying motivations and capabilities.
These actors can include individuals, organised cybercriminal groups, state-sponsored actors, and insider threats. While bored individuals may dip their toes in the arena of hacking, they typically begin by just testing out tools, conducting low-to-no-impact scams, and learning about the possibilities of cybercrime.
The attackers our ThreatLabz researchers are focused on have made an intentional leap into executing multi-stage attacks with the intention of gaining a specific outcome or result, such as notoriety, financial gain, or political disruption. When novice threat actors start trying to prove themselves, this is often to achieve more status among cybercriminal groups so they may be invited to participate in ‘high-crime’ organised profit-driven attacks. Here is a breakdown of the most common types of attackers observed today and their possible motivations:
Individual Hackers: individuals operating alone are typically considered newer to the world of cybercrime and are often characterised by motives of personal gain, curiosity, or a desire to develop and prove their technical skills. These individuals may operate from their homes or even within the bedrooms or basements of relatives' homes.
Often called script kiddies, novice threat actors tend to be poor developers and instead opt to dabble in phishing scams, exploit known vulnerabilities, and use off-the-shelf hacking tools.
However, some lone-wolf attackers with exceptional hacking skills may choose to operate alone to avoid the potential pitfalls and real-world risks of being associated with an organised crime group. Another important distinction to note is that political leanings or personal agendas may drive the actions of some individual hackers.
They may engage in activities such as spreading disinformation, conducting politically motivated attacks, or trying to influence public opinion. As an additional concern, individuals with technical skills and political motivations may engage in AI data poisoning to manipulate AI models and influence outcomes in a way that aligns with their political beliefs or personal desires.
Organised Cybercriminal Groups: cybercriminal organisations, often called cybercrime gangs or families, are typically characterised as being motivated by financial gain. These groups operate much like businesses, with significant resources, expertise, and infrastructure at their disposal.
These groups, typically involved with ransomware and other headline-capturing breaches, can be highly sophisticated and operate on a global scale with hundreds of affiliates incentivised to help carry out attacks. Cybercriminal groups may also have political motivations or perceived policy outcomes they believe to be aligned with specific political options or nation-states.
For example, some Russian ransomware gangs are known to have connections or protection from the Russian government. These groups may engage in activities that serve their political interests, such as conducting disinformation campaigns, targeting specific industries or organisations, or trying to sway election results.
State-Sponsored Actors: increasingly over the past decade, nation-states have joined the ranks of carrying out cyber attacks characterised under cyber espionage or cyber warfare to gain a competitive advantage, gather intelligence, or disrupt rival regimes. State-sponsored actors often have significant resources, advanced capabilities, and access to sophisticated tools and techniques.
Their motivations can be political, economic, or strategic in nature. Examples include North Korea stealing crypto wallets to fund their military operations, and China spreading disinformation on social media crafted to impact the upcoming US election results. These actors may also try to poison AI models to manipulate outcomes in their favor or cover up past events that are politically sensitive.
Insider Threats: insider threats refer to individuals within an organisation who misuse their authorised access to systems or data for malicious purposes. These individuals may have privileged access and insider knowledge, making them a significant risk to the organisation’s security.
Insiders within an organisation may have various motivations, including personal grievances, a desire for personal gain, or political beliefs. They may seek to sabotage the company, influence its direction, or cause harm to others within the organisation. Insiders may use their access to systems or data to further their personal agendas, such as leaking sensitive information or manipulating AI models to produce biased results.