The only thing more depressing than the increasing frequency and growing scale of the cyber attacks in this year’s headlines was the consistency of key attributes across so many of the events. From the retailer breaches of late 2013, to the almost regular cyber events of 2014, the “four horsemen” of the headlines included phishing tactics, the prominence of “pay-to-prey” threats, the curse of outmatched Internet trust standards, and the high cost of slow time-to-detection.
Phishing for Phools
Over the last year, we met the weakest link in enterprise security, and, yes, it was us. There’s nothing new about criminals targeting human carelessness, but we’ve never seen the use of phishing and spearphishing wreak such havoc, at scale, upon governments, retailers, banks, and other organizations.
McAfee Labs’recently released phishing quiz results gauged how well business users could identify fraudulent messages designed to victimize them. Out of 16,000 business users taking the test, more than 80% failed to identify at least one of seven phishing emails. Even more discouraging, the results showed that finance and HR departments performed the worst at detecting scams, falling by a margin of 4% to 9% behind the rest of the group.
To counter this all too common tactic, organizations must up their game in educating employees to recognize fraudulent emails and implement email-validation solutions where possible.
In recent times, the technical barriers to engaging in malware development to carry out cyber attacks have significantly reduced. The Cybercrime-as-a-Service or “pay-to-prey” marketplace of target researchers, threat developers, attack managers, and infrastructure providers makes it very simple for an attacker.
Over the last couple of years, for instance, the cybercrime economy has flourished in large part due to the availability, sale, customization, and reuse of malware code. By allowing this “off-the-shelf” code to be customized and enabled to dodge traditional hash-detection defenses, the pay-to-prey community has enjoyed an innovation advantage that has increased the frequency of attacks, from three or four every year to three or four every week.
But if we allow organizations to use contextual threat intelligence, it’s possible to identify code used in previous attacks based on its behavior (not just merely its hashes). Accomplish this, and you shorten the lifespan of threats by more effectively rendering them useless after a certain number of attacks.
This places a threat innovation burden on hackers to develop more unique and original code to create, launch, and sustain cybercrime campaigns. Force a rise in the demand for cyberskills, and you raise economic barriers to entry for cyber criminals.
It’s not a stretch to say that, for the first time, we can change the economics of cybercrime in favor of the white hats.
Trust Standards Are Outmatched
Months after the discovery of the Heartbleed exploit of Open SSL, McAfee Labs continues to see user information lost to such schemes turn up on online marketplaces. Survey after survey continues to find unpatched OpenSSL websites, and lists of those websites are being used for automated exploit schemes, at scale. Patching exploitable systems is incredibly time-consuming, and many organizations struggle to achieve the bare minimum of security updates. Unfortunately, we’ve seen individuals exhibit as poor a track record as organizations on this front.
Consider the password, an even more prominent Internet trust standard overtaken by cyber criminals. We use passwords for everything, and we hate managing them across the dozens of apps, services, and systems that now require them. As a result, we use the same ones over and over again. Like the unpatched OpenSSL website, we fail to update them regularly. If the passwords are stolen, the bad guys use the compromised credentials across dozens of sign-in pages.
Yes, organizations must be more conscientious about implementing patches to deflect the deflectable.
Yes, individuals can be more conscientious about updating and strengthening their passwords.
And, yes, corporate policies and education could make a difference in addressing both.
But in both cases, an undeniable over-reliance on these old, outmatched, and difficult to manage standards puts organizations and individuals at a security disadvantage.
The bottom-line reality is that while Internet trust standards such as SSL and passwords served us well in the first 20 years of the Internet Age, we need new, easier-to-manage trust standards to make the next 20 years (and more) as successful.
During the last year of cyber-events, we’ve seen network-security solutions detect attacks in-progress but fail to communicate their discoveries with the rest of the enterprise. Enterprises failed to connect the dots on events in progress, and the attack campaigns went on for days, weeks, and even months. The cost of this inability to share and learn from real-time threat data was staggering.
Organizations must establish three sustainable advantages that together improve overall security by amplifying the collective capabilities of individual solutions. These include messaging, centralized inspection, and end-to-end threat intelligence.
Messaging can provide a standard for classifying and communicating details on attacks between individual product components. Without it, threat intelligence lies dormant within the context of individual point products until diagnostic teams can sift through it to determine the cause of a compromise. With it, threat intelligence can be shared in real-time so the overall security infrastructure can learn from each solution and understand what is happening in the environment.
Centralized inspection provides a framework for security products to collectively pinpoint threats and act as a unified threat-defense system. This provides the adaptive security resilience and immunity to infections that organizations must have.
Finally, end-to-end threat intelligence delivers the practicable information and insight into attacks across all the key attack vectors. It’s not enough to detect indicators of compromise (IoCs), or clues that a breach has occurred and damage has been done. Ideally, threat intelligence includes indicators of attack (IoAs), the clues that a malicious party is attempting to break into the enterprise.
Together, these critical components amplify the effectiveness of individual security products. If they are truly sharing attack information in real-time, and if they are connecting the dots on events in progress, enterprises will be able to detect, contain, and deflect attacks before they inflict significant damage.
The cybernews headlines of 2015 will read better if we can effectively educate employees and consumers to identify phishing emails; better identify and disable reusable malware code; implement new trust standards for the next 20 years; and dramatically reduce the time to detection for targeted attacks.
Each effort involves its own set of challenges, but if our industry can make the progress that is already possible with today’s technologies, we can put down this past year’s four horsemen and turn the tables on cyber criminals on a number of fronts.