Cybercrime - Staring into the Eye of the Beast
I have a problem. Actually, we all have a problem. You see, our life is gooood. Digitally, at least. We’re on the technology speed train, addicted, going full throttle without any desire to slow down. On the contrary, we strive to shift gears to quicken technology’s advancement. We can’t see our lives differently now and we’re expecting things to just get better. But here’s the problem – the bad-guys know this too.
Hackers Are One Step Ahead
Since the early days of the WWW, companies have been fighting hackers. Actually, the term fighting is not really a good choice of words here. It’s more like defending their systems in an ad-hoc manner to protect against the threat of the day before. As the Internet evolved, so did hacking and its motivations. Two decades ago hackers mainly got a kick out of simply rendering a banking site’s servers unavailable. Vendors reacted by applying network security controls. Hackers installing viruses? Deploy an anti-virus at each end station. Hackers performing DoS attacks? Router ACLs, network firewalls, IDS/IPS and VPNs will fix this.
But while the deployed security controls were beginning to secure past technologies, Web 2.0 came right around the corner. And as the Web allowed us to share information, hackers at this stage realized that they could now hold the keys to the kingdom. That information – data jumping from system to system – is worth a whole load of money. And data is now the hacker’s currency.
The New Security Approach – Be Proactive!
Frustrating? Of course! Can we prevent cyber-crime? No. Where there is money, there is crime. Are we then just left sitting on the bench waiting for the next wave of crime to come around and hope it will bypass our data? It is precisely this last question that security practitioners have been asking. The answer is an absolute no - a new security approach needs to be taken. As an industry, we need to move beyond vulnerability patching and threat management. We need an approach that is not reactive to yesterday’s hack but rather anticipates tomorrow’s. Security controls can then quickly adapt to the threat landscape. Proactive is the new defense.
The proactive security approach comprises two parts:
1. Knowing the threat landscape – profiling the hackers, their organizational hierarchy, business models and modus operandi. With this knowledge, current security controls could be strengthened. It could even be used to achieve immediate security value. The intelligence could be used to identify compromised computers being actively exploited to launch attacks, to quickly identify attack campaigns at their early stages, to discover zero-day vulnerabilities in the wild rather than in the lab, and to identify targets of upcoming attacks in advance. In the longer term, understanding the hacker landscape could allow new security controls to be developed and deployed in advance to protect against the next attack.
2. Implementing data security controls. Companies are beginning to understand their need to strengthen their applications, databases and file systems from insiders as well as from hackers.
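As an added illustration of the first part above (it is not code from the column or from Imperva's HII), here is a small correlation script that shows how intelligence pooled across several monitored sites can surface two of the things the text mentions: a source that hits many unrelated sites in a short window (a likely compromised machine or attack node), and a rule that suddenly starts firing at many sites (a campaign in its early stage). The log lines, site names, rule identifiers and thresholds are all constructed for the example and are assumptions, not real data.

```python
"""Cross-site correlation of WAF alerts (added example, not the column's code).

Each constructed log line is: <site> <ISO timestamp> <source ip> <rule id>.
The rule ids (SQLI-GENERIC, XSS-REFLECTED) are hypothetical names for whatever
signature a site's web-application firewall reported."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alerts as three monitored sites would report them.
SAMPLE_LOG = """\
bank-a.example 2010-09-01T10:00:05 203.0.113.7 SQLI-GENERIC
shop-b.example 2010-09-01T10:02:41 203.0.113.7 SQLI-GENERIC
news-c.example 2010-09-01T10:05:55 203.0.113.7 SQLI-GENERIC
shop-b.example 2010-09-01T10:09:00 198.51.100.44 SQLI-GENERIC
bank-a.example 2010-09-01T10:40:12 192.0.2.9 XSS-REFLECTED
bank-a.example 2010-09-01T12:30:00 198.51.100.20 SQLI-GENERIC
news-c.example 2010-09-02T09:00:00 203.0.113.7 XSS-REFLECTED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        site, ts, ip, rule = m.groups()
        events.append({"site": site, "ts": datetime.fromisoformat(ts),
                       "ip": ip, "rule": rule})
    events.sort(key=lambda e: e["ts"])
    return events


def _first_crossing(evs, min_sites, window):
    """Return (time, sites, events_still_to_come) at the first moment the
    time-ordered events `evs` have touched `min_sites` distinct sites within
    `window`, or None if that never happens."""
    for i, e in enumerate(evs):
        recent = {x["site"] for x in evs[:i + 1] if e["ts"] - x["ts"] <= window}
        if len(recent) >= min_sites:
            return e["ts"], sorted(recent), len(evs) - (i + 1)
    return None


def shared_attack_sources(events, min_sites=3, window=timedelta(hours=1)):
    """Source IPs seen attacking at least `min_sites` different sites within
    `window`. One host probing many unrelated customers in quick succession
    is more likely a compromised machine reused as a launch point than a
    curious visitor, and every participating site can block it at once."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        hit = _first_crossing(evs, min_sites, window)
        if hit:
            flagged[ip] = hit
    return flagged


def emerging_campaigns(events, min_sites=3, window=timedelta(hours=1)):
    """Rule ids that start firing at `min_sites` different sites within
    `window`. The third value reports how many events arrived after the
    threshold was crossed, i.e. how much of the wave defenders would have
    been warned about in advance."""
    by_rule = defaultdict(list)
    for e in events:
        by_rule[e["rule"]].append(e)
    flagged = {}
    for rule, evs in by_rule.items():
        hit = _first_crossing(evs, min_sites, window)
        if hit:
            flagged[rule] = hit
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, (when, sites, _) in shared_attack_sources(evs).items():
        print(f"shared source {ip}: hit {sites} by {when.isoformat()}")
    for rule, (when, sites, later) in emerging_campaigns(evs).items():
        print(f"campaign {rule}: {len(sites)} sites by {when.isoformat()}, "
              f"{later} further alert(s) still to come")
```

With the constructed sample, a single site sees only one or two alerts from 203.0.113.7 and has no reason to act, while the pooled view flags it after its third site within six minutes, and flags the SQLI-GENERIC wave at 10:05:55 while two more of its alerts are still in the future. The thresholds and window are deliberately simple; in practice they would be tuned per rule and per customer population.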
Proactive Security – Sci-Fi?
Proactive security is a relatively new concept from the past couple of years. And although it’s a young concept, we’re seeing it already applied in the field. For example, a couple of months ago my employer, Imperva, announced a vendor-driven initiative named the “Hacker Intelligence Initiative” (HII) which aims to track and monitor hacker activity. The HII is a formalization of ongoing research from the previous year where different attack campaigns were unfolded right beneath our noses. After just a handful of attack campaigns, the company gained an understanding of some of the technologies and attack methods frequently employed by attackers, and of the similarities as well as differences between attacks. New business models were another small result of these findings. Using proactive security techniques, a security vendor specializing in fraud, Trusteer, was able to uncover a Zeus C&C botnet that mainly targeted UK banks. The banks were able to beef up their security accordingly. A few days later, a security company, M86, unveiled the discovery of another bank-hitting botnet. Continuing on the theme of botnets, another security vendor, AVG, recently discovered a botnet “Mumba” and provided some insight into the technology used.
Understanding the Hacker Landscape
It will take time to paint a clear picture of the hackers. We have some brush strokes, but not the full painting. We hope though that with a new, proactive approach, we will be able to shed some light on the landscape.
In this series I'll describe this hacker landscape by presenting to you findings resulting from the proactive security approach vendors are taking. I will provide current examples from recent incidents where new discoveries about the hacker landscape can give us an idea of how to protect our systems. Accordingly, I’ll outline the steps vendors should take, or discuss the required new-generation security enhancements. In my next column I’ll discuss the attacker profile. And just as a trailer-teaser I’ll tell you it’s not what Hollywood wants you to believe, so stay tuned as I talk about Hacking Inc.!