For Hackers in 2024, Digital Assets Likely Look Like a Gold Mine

Introduction

Looking back at 2023, the digital asset industry witnessed a somewhat celebratory tone due to a reduction in the funds stolen through hacks and security breaches. The $1.5 billion stolen in 2023, although significant, was a sharp decline compared to the jaw-dropping $3.8 billion in 2022. However, with an average of at least one hack per week resulting in $1 million or greater in losses, it’s clear that hackers still have a substantial impact on the digital asset space.

The 2024 Digital Asset Threat Landscape

So far, 2024 has mirrored 2023, with cyber attackers zeroing in on crypto exchanges, Web3 apps, blockchain bridges, and smart contracts. Widespread phishing attacks and fake airdrops continue to plague the industry. Security remains a top issue preventing the digital asset and Web3 ecosystem from achieving mass adoption.

Combating Hacking: A Proactive Approach

Security must be a foundational consideration for any organization involved in digital assets. Addressing security after launching an MVP (Minimum Viable Product) is too late, as hackers move swiftly and scaling happens rapidly in this space. Organizations must assume they do not have the luxury of time to identify and patch vulnerabilities.

The Overlooked Vulnerable Fronts

Many focus solely on encryption protocols when considering digital asset security. However, there are several other vulnerable fronts that are often overlooked, which need attention.

Four Fundamental Security Pillars

1. Building Your Team with Trust

Digital asset companies can be compromised in two primary ways: hacking code and hacking people. The latter, although less discussed, is equally dangerous. High-profile examples, such as CoinsPaid, illustrate how hackers use social engineering to exploit team members.

Social Engineering Threats

Hackers use technologies like deep fakes to gain access to systems or even manipulate hiring processes to insert malicious developers into teams. To counter this, digital asset projects should thoroughly validate references, work experience, and backgrounds. Limiting the blast radius by establishing role-based permissions for financial and operational tasks is essential. For instance, your Head of Business Development should not have access to deploy code to your production system.

Multi-Factor Authentication and Security Keys

For anything not on-chain, multi-factor authentication or hybrid security keys are recommended. Establishing a primary security point of contact is also crucial. While security is a team effort, having one person constantly monitoring the threat landscape can significantly enhance your security posture.

2. System Design: Mapping and Monitoring External Infrastructure Dependencies

External infrastructure refers to anything not built internally, including parts of your tech stack developed by external actors. Key management is critical in this regard.

Choosing the Right Vendors

Work with vendors who have proven expertise, have undergone audits, and are battle-tested. The threat vectors in this area are too numerous and specialized to work with less proven vendors or to develop these capabilities internally.

Tracking Dependencies and Vulnerabilities

Keep a close track of dependencies and vulnerabilities, both on- and off-chain. Supply chain attacks, prevalent in traditional cybersecurity, are also common in the digital asset space.

3. Continuous Improvement: Building with Security in Mind

Digital asset projects typically have two phases: MVP and production. Both are vulnerable to attacks.

Testing and Documenting

Start with testing your team and code using available solutions. Define and document key invariants for modules and methods, which will facilitate more efficient and effective audits in the future.

Operational Security for CI/CD

Develop a bug bounty program or partner with someone who offers this service. Ensuring good operational security for Continuous Integration/Continuous Deployment (CI/CD) is vital when patch-gapping for open-source software. Test and document your invariants for every code commit and release to ensure you are not breaking key assumptions.

4. Red Teaming and Incident Preparedness

Even with flawless execution of the first three pillars, your business will likely be tested or breached at some point. An effective incident response plan is crucial.

Thinking Like a Hacker

Develop your incident response plan by thinking like a hacker. Test your systems from the ground up to identify gaps and potential vulnerabilities, document them, and create a plan to address these issues should they arise.

Continuous Monitoring and Testing

Assign someone on your team to focus on security trends, continuously test your systems, and implement changes as soon as vulnerabilities are found.

Conclusion

Building an effective security posture takes time, effort, and practice. Threat actors move quickly in this industry, and the Web2 mindset of “Move fast, break things, and fix it” does not apply from a security perspective. Adhering to the four fundamental pillars discussed is a significant step towards protecting your business, investors, and customers from both internal and external threats.