Meltdown And Spectre For Insurance Carriers

Etai Hochman
At-Bay
Feb 16, 2018

At-Bay provides cyber insurance for the digital age. Learn more at at-bay.com.

In early 2018, we learned about two new hardware vulnerabilities: Meltdown and Spectre. These vulnerabilities seriously threaten nearly all devices in use today. I want to take a look at the trend of large-impact vulnerabilities, what it means for cyber insurance carriers, and how At-Bay is approaching this challenge.

How do Meltdown And Spectre work?

Meltdown and Spectre are vulnerabilities that let an attacker steal data that they should not be able to access.

When things are working normally, an application should be isolated and should not be able to read another application’s memory (or the system’s memory).

Meltdown and Spectre are breaking those isolations!

In other words, no matter what kind of computer you have — a server, your PC, or even your mobile phone — if an attacker can run a Meltdown or Spectre exploit on your computer, they can access everything on it, from credentials to sensitive data.

In order for this to work, an attacker has to be able to run their exploit. Of the attack vectors hackers use to run their exploits, here are the three I find most interesting:

  1. Attack a server via Remote Code Execution — Attackers use all sorts of vulnerabilities such as Cross-Site Scripting (XSS) or vulnerabilities in other web applications to run their code on a target server
  2. Attack a personal computer via a Website (a.k.a. Watering-Hole) — As of today, there is a proof-of-concept attack that shows how to run Meltdown and Spectre attacks in JavaScript from a web browser. When a user browses to an infected website, the attacker can run the JavaScript code and access all of the user’s data
  3. Attack a personal computer via Phishing — Attackers still have success emailing malware files or links to infected websites to unsuspecting victims

Vendors are working to mitigate the threat Meltdown and Spectre pose via these attack vectors. Updating the operating system on all computers and servers is an important step in preventing attacks.

For more details, visit the official page https://meltdownattack.com/.

This sounds familiar…

Last year, we saw the WannaCry and NotPetya attacks, which resulted from another critical vulnerability that was publicly released. In those attacks, we saw:

  • The Shadow Brokers released an NSA weapon (ETERNALBLUE)
  • Microsoft released a patch just a few weeks after the leak to fix the vulnerability
  • Despite the patch, attackers quickly weaponized the vulnerability for use in ransomware campaigns

The WannaCry, NotPetya, Meltdown, and Spectre attacks and vulnerabilities represent a trend:

  1. A major vulnerability is found
  2. Operating system and security vendors distribute patches
  3. Proof of Concept (POC) attacks are nonetheless widely available, tested, and then used by hackers

We believe the POCs we see today with Meltdown and Spectre will turn into production-grade attacks. If this is a trend, in a few weeks to months we will see simultaneous worldwide attacks being performed.

Those might even put WannaCry and NotPetya to shame. Fingers crossed I’m wrong.

The cyber insurance carrier’s point of view

As a cyber insurance company, and a risk-bearing entity, fingers crossed is not enough; we need to do something.

At At-Bay, we believe that to understand these risks, we need to understand which attack vectors will be used and which cyber insurance coverages will be triggered.

Let’s take the vectors described above:

Hacking — Remote Code Execution (RCE)

Using Meltdown and Spectre on a server, an attacker would be able to read the system’s data and other applications’ data.

  • The system’s data might be used as reconnaissance for coordinating a wider/deeper attack.

This would trigger our Cyber Attack policy that covers, among other things, incident response and systems restoration costs.

  • The other application’s data could be sensitive user data or data that is again used for reconnaissance.

The breach of sensitive user data will trigger the Data Breach coverage, which covers breach response, notification, and liability costs.

Watering-Hole (WH)

Using the RCE vector, an attacker can infect your website with JavaScript code. This code triggers Meltdown and Spectre on your customers’ or visitors’ computers when they visit your site. Once the exploits run, the visitor’s sensitive data (including usernames and passwords for other applications) would be transmitted to the attacker.

Providing attackers with the platform to infect your website visitors and steal their data may cause a class action lawsuit, which is covered under Cyber Attack coverage.

Phishing (PH)

Sending malicious files or links to an infected website to employees can cause data leaks. This may include sensitive personal data, credentials to internal systems, and other types of data used for reconnaissance.

The attack may trigger the Cyber Attack coverage for incident response costs, and depending on the type of data stolen the Data Breach or Financial Fraud coverages might also be triggered.

What should carriers do?

How should carriers respond to new vulnerabilities like Meltdown and Spectre?

To answer this, we need to be able to assess the probability and severity of a successful attack:

Severity — Is measured by the expected amount of money lost in an attack. For an insurance company it is measured twice: first from a single company’s perspective and second from a portfolio aggregation perspective.

  • On a single company — Exploiting the Meltdown and Spectre vulnerabilities could easily cause breaches that meet Data Breach or Cyber Attack coverage limits
  • The portfolio perspective — Almost every processing unit on the face of the earth is vulnerable, so a successful exploitation of these vulnerabilities will pose major risks to significant parts of a portfolio

Probability — Is estimated by understanding how effective companies are at preventing attacks. For these vulnerabilities, the best mitigation is patching the operating system. However, patching is hard and often not done, both on PCs and servers.

  • Given the challenges in securing against these attacks (and the trend we saw with WannaCry and NotPetya), we believe that the probability of infections is high.
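Since the whole probability estimate above rests on whether the operating-system patch is actually in place, here is an added example (not At-Bay’s tooling) of the check a defender can run on a Linux host: the kernel reports its own Meltdown and Spectre mitigation status under /sys/devices/system/cpu/vulnerabilities. The directory argument is an assumption added so the check can also run against constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the kernel's own
# Meltdown/Spectre status files. The real location is the default below;
# a directory argument lets the same function run against sample data.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_mitigations [DIR] -> prints one line per issue; returns 0 only when
# every issue reads "Not affected" or "Mitigation: ...".
check_mitigations() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            # Kernels older than 4.15 expose nothing here: treat as unpatched.
            echo "$issue: UNKNOWN (no sysfs entry; kernel likely unpatched)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected"|"Mitigation:"*) echo "$issue: OK ($status)" ;;
            *) echo "$issue: AT RISK ($status)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample data (not real hosts) so the check runs offline.
make_sample_patched() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}
make_sample_unpatched() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    # spectre_v2 deliberately absent, as on a pre-4.15 kernel.
    echo "$d"
}

# Run against the live sysfs only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then check_mitigations; fi
```

A non-zero exit from the live run is the signal an asset inventory or underwriting questionnaire cannot give you: the patch may have been shipped, but this host is still exposed.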

Given the likelihood that attackers will use these vulnerabilities, cyber insurance carriers that want to know which of their clients or applicants are at-risk need to build strong capabilities for assessing a company’s defenses. In this case, that means understanding a company’s ability to patch assets.

Since insurance carriers do not have direct integrations with the internal systems of clients and applicants, it is impossible to have perfect knowledge of a company’s patching practices.

As a result, we’ve tried to find ways to assess the probability of the vectors being used in attacks. We found several different methods, depending on the attack vector being considered:

  1. RCE and WH — We look for existing RCE vulnerabilities on the company’s attack surface. Where we find existing vulnerabilities (and an indication of less diligent patching practices), we account for the new risk posed by Meltdown and Spectre in our pricing.
  2. Phishing — Given the risk to companies posed by phishing, we look for signs of strong email protection. The deployment of email security vendors reduces risk and may bring down our pricing, in particular for Data Breach, Cyber Attack and Financial Fraud coverages.

While both of these methods are useful for risk assessment during underwriting, for some, it is too late. What about our existing portfolio companies?

We initiate alerts to vulnerable portfolio companies with guidance on how to mitigate risk, and together we help prevent loss from these vulnerabilities.

For me, this is what it means to be AT-BAY. We provide comprehensive solutions, take some of the risks of our customers, and help mitigate the risk that is left. This means the companies we insure can focus on their business and take on tomorrow, fearlessly.

Talk to you soon!

Etai Hochman

At-Bay, CTO
