DAST
Continuously monitor web applications for vulnerabilities at scale with Cobalt Dynamic Application Security Testing (DAST).
DAST
Continuously monitor web applications for vulnerabilities at scale with Cobalt Dynamic Application Security Testing (DAST).

Keep Calm And Secure Your Crypto Assets

A rookie security guide to surviving the crypto "Wild West"

The “Wild West” is a common reference to the history surrounding the expansion of European settlers across the west and southwest of the United States of America in the late 18th and early 19th centuries. Land was cheap, regulation was low, and there was opportunity in chaos. The “Gold Rush” came a bit later on, but that’s a topic for another blog.

The legends of the Wild West have been captured in western media as a genre for decades. The gunslingers, the whiskey, the general lawlessness. And who doesn’t love a good Louis L’Amour novel?

Each and every time a new crypto hack hits the news, I get visions of carriages being held up, with masked men on horses galloping off over dusty plains to divvy up their ill-gotten gains.

While those visions align more with the romanticised folklore of the Wild West, there are some startling parallels e.g. lack of regulation, opportunism, and a risk vs reward mindset.

Why should we care about securing crypto assets? 

 

There has been over a billion dollars of cryptocurrency lost in cyber heists in the first quarter of 2022.  This is roughly 8 times the same figure for the first quarter of 2021.

First off, let’s talk about what I mean by cryptocurrency:

A digital currency in which transactions are verified and records maintained by a decentralised system using cryptography, rather than by a centralised authority.

This means that banks and governments aren’t responsible for issuing and maintaining the currency like traditional money, it is done with a series of distributed software systems.

Cryptocurrency has skyrocketed in popularity, and individual holdings are increasing at an amazing rate. Why? At a micro level, personal investors want to capitalise on this lucrative market, and make money on the digital assets themselves. Stories abound of bitcoin purchases at less than a dollar a piece, and at the time of writing the value is in the tens of thousands.

At a macro level, digital currencies provide ways to quickly and cheaply move money around the world, and do so securely and somewhat anonymously. They can be used for selling property, building smart contracts, and securing identities. These transformational services have pushed investors to try and realise the value of the networks and platforms that underpin this market.

How are attackers targeting cyber assets?

 

While crypto assets are often the artefact attackers are seeking to steal, the attack vectors are the users and software systems that are needed to interact with them.

What started out as attempts to scam users into handing over access to their assets has evolved into a much more lucrative industry. Recent attacks have targeted the platforms used to buy and trade currency, particularly the exchanges that move artefacts between blockchains, as users seek ways to exchange and trade digital equity.

What we’ve seen in the industry is an eye-watering pace to bring these amazing products to market, and a lack of regulation. In the first instance, as is so often the case with software products in a fast-evolving space, it's hard for security to keep up with rapid development. For example, Ronin Bridge reported that their validators had been compromised, in part because some technical safeguards had been temporarily turned off to accommodate immense user load. Another case study showed that a company had completed a security audit a month before a huge breach.

When the rewards are regularly in the hundred of millions of dollars, you can bet  attackers are persistently seeking new targets — and are developing skills and forging career paths in an industry that has proven to be a rewarding place to “work.”

On the topic of regulation, the maturity of some software systems and the rules they put in place have been called into question. In a recent incident with Beanstalk, allegedly taking 10 seconds to execute, unknown actors borrowed tens of millions of dollars in order to acquire majority voting rights to a decentralised financial exchange. This happened legitimately because of a system Beanstalk had in place: the more tokens users held when borrowing virtual funds, the more voting powers they had. The actors abused this rule to transfer the company’s holdings to a separate location, withdrew the cash, and paid back the original loan. I use the word “incident” when describing this situation, as it’s not even clear what exact laws were broken. The actors did follow Beanstalk’s rules of exchange, albeit in a way that would financially disadvantage thousands of users.

Think 80s style hostile takeover, but in the blink of an eye!

How are security teams responding? 

It’s not all doom and gloom though, as several recent high-profile breaches have yielded return of hijacked assets, and forensic investigations have become more and more adept at following the breadcrumbs in the aftermath.  

Stolen digital assets are becoming harder and harder to monetise (or fence/launder) after breaches — which reduces their value and increases their cost. Like any security practitioner will tell you, to discourage attacks you simply have to make them less lucrative.  

That being said, there are takeaways from this for both investors and Web 3.0 companies alike. For any budding coin buyers out there:

  • Be prepared for financial losses.
  • Don’t put all your eggs in one basket. Diversify!
  • Maintain healthy digital security. Use complex passwords, and only use them once.
  • Be wary of scams, and the patterns that personal attacks are likely to take.

For companies dealing with any modern technology, particularly one that is very high value to attackers:

  • Invest in people, invest in tooling.
  • Be aware. Know your assets, know the risks.
  • Patch all the things!
  • Put your defences to the test with red teaming or external pentesting.

Note that prevention is only part of the solution — Cobalt’s CISO talks more about this in a recent podcast episode for Humans of InfoSec. Andrew goes in depth on why it's not realistic only to focus on preventing cyber attacks, and that they will happen however much you try to keep them out. This makes it crucial to learn your environment inside-out and invest in monitoring – this way you can catch the signals and changes in patterns that happen when you're being attacked, and you know where to concentrate your resources to contain and stop the problem.

New call-to-action

Will crypto and security align in the near future?

Frederick Jackson Turner wrote that the Wild West was the scene of a defining process of a new civilisation, and that “The frontier promoted the formation of a composite nationality for the American people."

Only time will tell if the cryptocurrency revolution will be remembered fondly as a transformative time for the human race, as billions of people across the globe begin to learn and interact with these new technologies. As companies mature, and as legislation and governance is put in place to add structure to a new industry, the risks will decrease. There are many other complicating factors such as environmental considerations, geopolitical influences, and let’s not forget tech billionaires who can make or break a new cryptocurrency with a single tweet.

It’s beyond a doubt that cryptocurrency and Web 3.0 are here to stay, and as we move from chaos to a more stable way of transferring money, assets, and more around the world, it’s imperative we seek to secure these systems. At Cobalt we are proud to work with some of the most innovative companies in the world, and partner to deliver a safer, more secure future, to leave the world a better place than when we found it.

Also, buy DogeCoin!*

*Disclaimer: no individuals have profited from the author’s sketchy predictions on which coin will “make it big” in 2022.  We advise you to proceed with caution when following the advice of a man who thought DEX was a clothing store in Toronto.

Back to Blog
About Mark Hamill
Mark Hamill is a Director of Product Management at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of highly skilled testers. He is a passionate advocate for people-centric design that focuses on experimentation and learning. When he isn't glued to a laptop working to improve Cobalt's Pentest as a Service (PtaaS) platform, he is either drinking coffee, cooking BBQ, or strolling in a forest. More By Mark Hamill