FYI.

Defending Ourselves in an Increasingly Connected World

The methods of cyber attackers have evolved in stunning ways recently, compromising the very integrity of our institutions. But with a dearth of trained cybersecurity professionals to combat them, how can we defend ourselves?
CryptoLocker ransomware, Flickr: Christiaan Colen

As we race to embrace technology, we make ourselves increasingly vulnerable to cyber attacks. This is a calculated risk we all take. But recently, the threat has evolved in ways both startling and inventive. Whereas a few years ago hackers had focused on crashing websites or harvesting data, a new type of attack—an "integrity" attack—quietly compromises the internal workings of companies or organizations, allowing criminals to pilfer exorbitant sums of money with minimal fuss. As these methods become more popular, our desperate need for trained cybersecurity professionals to combat them becomes more acute.

Motherboard spoke with Matthew Rosenquist, a cybersecurity strategist and Intel® Software Evangelist with over 20 years of experience, about the evolving methods of attackers and what we can do to defend ourselves in this digitally intertwined world.

Motherboard: Hi Matthew. What should we expect from cybersecurity in 2016?

Matthew Rosenquist: In the past several years, we've seen nation-states become tremendously aggressive in the investments they've been pouring into offensive and defensive cybersecurity. Many governments around the world have been buying technologies and recruiting as many talented people as they could. Several years ago, they started scouting out DEFCON, BlackHat, and other hacker conferences in search of talent. DARPA created a fast-track program, which allowed using, let's say, personnel that wouldn't normally pass a security background check. The program ran its course for several years to bring in new ideas and tools. Any time defense agencies invest in capabilities, they want some kind of payoff. We're seeing those investments come to fruition.

Cybersecurity has rapidly become the "fifth domain" of warfare, joining assets on the ground, air, sea, and in space. Cyber programs have really taken hold, with mature plans, operational competencies, and organizing structures within governments to foster and leverage those new capabilities. So we're going to see more activity, both offensive and defensive, as governments take advantage of all resources to protect their citizens and promote policies. Cyber tools extend what is possible and give political leaders new avenues, abilities, and options. Cyber is now another tool to move mountains from a political perspective.

MB: Do we have enough trained cybersecurity professionals to meet this demand?

MR: Right now we're probably short at least 1 million cybersecurity professionals around the world. Estimates are ranging between 1.5 and 2 million people within a couple of years. And it is painful. All of the security professionals have basically been snatched up. It's a tremendously competitive market. As one of my colleagues recently said, it's basically a zero unemployment field at this point.

We're really looking towards higher education to solve this problem, by increasing the supply of talent. Actually, Intel has taken an active role in helping to create a formally accepted cyber sciences degree within the US, and that will probably go worldwide. The pilot should be rolling out in several universities in 2018. That will help with educational content standards and overall consistency, so that the professionals coming out of higher education institutions are better prepared and there's a common expectation of their skills and capabilities.

We're also promoting a huge amount of diversity. Sadly, there's a lack of women and underrepresented minorities in cybersecurity. It really limits the industry from a creativity perspective. If you have all the same kind of people sitting around a room, they tend to think in the same ways, which creates artificial limitations. The attackers don't suffer from the same constraints; they are very diverse. If you don't have that kind of creativity you're being hobbled.

CryptoLocker 2, Flickr: Christiaan Colen

MB: Which nations are at the vanguard of this kind of technology?

MR: There are a few nations that have invested quite a significant amount of resources, time and money, and it would be the nations you would expect. I'm not going to go into specific names, but these are the ones that tend to maintain very large militaries or are active on the world stage. And they're using cyber capabilities as an extension of those organizations.

The use of cyber is not limited to large countries. In fact, there are some small countries out there, which are very tech sophisticated, which have developed advanced capabilities to conduct cyber warfare and enhance their digital defenses. There are a slew of countries that are simply buying off-the-shelf private software for surveillance or hacking purposes.

Cybersecurity holds a certain lure. It is an equalizer. Like back in the Wild West a handgun was the equalizer—everybody can hold one, everybody can shoot, and it didn't require much skill. You were a threat. So we're seeing smaller countries, ones who want to have that political chip on the table, be able to invest in cybersecurity. And they don't have to invest a lot. In fact, they don't even have to have dedicated teams; they can outsource it to hacker communities.

Typically the direct political and military influence of a small country is limited to its adjacent borders, or the bodies of water that pass by them. But when you talk about cyber, even a small country can put pressure—maybe on critical infrastructure, maybe on businesses—anywhere in the world. So if another nation-state on the other side of the planet does something you don't like, now you can reach out from the digital world and cause them inconvenience, pain, or concern. Cyber capabilities amplify and extend influence.

MB: How have attackers' techniques evolved recently?

MR: In cybersecurity, we have three types of attack: availability, confidentiality and integrity. Some of the very first attacks were "denial of service" attacks; in fact, they're still the most popular kind of attacks out there. It's really an "availability" type of attack. It's annoying, sure. But the security community has years of experience and dedicated resources and tools to address such problems. Nowadays if you want to protect yourself from a denial of service attack, you can. There's a price tag associated with it, but it's manageable.

Coming out of those, we have a different type of attack, very prevalent over the last couple of years. It's the "I'm going to break into your company and harvest as much data as I can."

MB: Ah, like Ashley Madison.

MR: Yes. It's the data breaches. And we're seeing it with hospitals and government agencies and social services and everything else. If you think about it, it's really a "confidentiality" type of attack where the secrecy of data is being undermined. The past couple of years, security has started to respond to these attacks. We don't have all the tools yet to protect a company from every type of data breach, but we're well on the way. The security industry, by its very nature, responds to threats.

Now we're moving into the third phase. The rise of the integrity attacks. There was a recent campaign where banks were being compromised in an unusual way. Although always a popular target, this attack was different. Typically, when banks would be compromised, the attackers would capture accounts and user passwords, login, and do some nefarious things. Or they would attack ATMs for some quick cash. The losses were hundreds of thousands, maybe upwards of a million dollars in some of the bigger heists.

What we saw with this new kind of attack last year, which was called Carbanak, was that the assailants took an entirely different approach. It wasn't denial of service or extortion. They didn't go in and harvest people's data and log in to their accounts. Instead, what they did was compromise selected banks, about a hundred of them, and watched and listened. They were patient and took their time to understand what internal systems the banks were using to conduct their transactions. Then, over the course of a short period of time they very selectively tweaked just a few transactions here, a few transactions there. But the outcome was between 300 million and a billion dollars of loss. This was an "integrity" attack. By tampering with the communications and transactions, they were able to commit massive fraud.

We've seen some other attacks recently, where email systems of companies were being hacked. Over a weekend they would log in as the CEO of the company, and send a message to accounts payable, and go, "Hey Bob, this is Jim. I really need you to send this $30,000 check to our supplier's overseas account. We totally forgot about it. Here's the info." And the other person replies back, "Are you sure you want me to do this?" And the attackers respond, continuing to impersonate the CEO, until the fraudulent transaction is complete. This "CEO mail fraud" is rapidly growing as a popular tactic and has proven very successful.

Such attacks compromise trusted communications. This isn't a single spam or email. They have a conversation back and forth. And the attackers can weave in things they're pulling from social media: "Hey, I saw your son hit that home run last weekend. That was awesome! By the way, make sure you get this check out today. My butt's on the line!"

Ransomware is another great example. Typical malware tends to infect systems to cause damage or harvest data. But what we're seeing with ransomware is it infects your system, and it doesn't pull any files off or cause system failures; it just goes in there and finds files that are really important to you and encrypts them. This scrambling makes them unusable to the owner, even though they can still access the file. Then the attackers offer a service to help you decrypt and restore those files.

It's an extortion business model. "You have to give us x number of bitcoins, and we'll help you decrypt these." Some of them even have 24/7 support, like a chat window, where you can ask how to get a bitcoin and they'll walk you through the entire process, live. It's truly amazing. If victims choose not to pay, they lose those files forever. We're going to see a huge rise in ransomware in 2016—because it's working.

Image: Torange

MB: Is ransomware a new thing or are attackers just using it more effectively?

MR: Ransomware isn't actually new. It's been around for a while, but wasn't very successful. A lot of the initial ransomware programs were technologically weak and weren't encrypting files very well. Or it would just be a web page you could close. It wasn't until much better written variants like CryptoWall, CryptoLocker, and some others came out, which were able to identify files and encrypt them with stronger keys. Properly coded encryption is really tough to undermine, for good guys or bad guys. And nowadays, they are writing it well.

We didn't even understand how much of a problem it was. Last year, the US government wanted to quantify how much loss was due to CryptoWall version 3, so they started tracking reports of people reporting being victims. They estimated about $17 million in losses.

The ransomware experts within Intel Security were really skeptical of that figure. We thought it to be a much bigger problem. So the team started looking at the bitcoin addresses, and began watching the flow of money. And it wasn't a $17 million problem; rather it was about $325 million being fleeced from victims.

Put yourself in the role of that criminal. Maybe you and a handful of associates created this software and in one year had a $325 million-dollar payday. Are you motivated to continue? Heck yeah. Are you going to take a chunk of that and make your products even better, expand to new customers, new victims? Absolutely. Greed principle says if I can steal $10 from you today, I'm going to try and steal $15 from you tomorrow. That's exactly what we're seeing happen.
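The behaviour described above (files left in place and still accessible, but scrambled by encryption) is what host-side ransomware heuristics look for. The following is an added example, not code from the interview or from Intel: it compares two snapshots of a folder and flags a burst of files whose byte entropy jumped to ciphertext-like levels, either in place or under a renamed path. All file names, contents and thresholds are constructed for illustration.

```python
import math
import random
from collections import Counter
HIGH_ENTROPY = 7.5         # bits/byte; uniform ciphertext approaches 8.0
ENTROPY_JUMP = 2.0         # rise over baseline suggesting in-place encryption
MASS_CHANGE_THRESHOLD = 3  # suspect files in one interval that raise an alert

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, near 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(files: dict) -> dict:
    """Map path -> entropy. A real agent would walk a directory tree instead."""
    return {path: shannon_entropy(content) for path, content in files.items()}

def suspect_files(before: dict, after: dict) -> list:
    """Paths whose entropy jumped in place, or new high-entropy files whose
    name extends a vanished original (report.docx -> report.docx.locked)."""
    suspects = []
    for path, ent in after.items():
        if path in before:  # already-high-entropy files (e.g. JPEGs) show no jump
            if ent - before[path] >= ENTROPY_JUMP and ent >= HIGH_ENTROPY:
                suspects.append(path)
        elif ent >= HIGH_ENTROPY and any(
                path.startswith(old) and old not in after for old in before):
            suspects.append(path)
    return suspects

def ransomware_alert(before: dict, after: dict) -> bool:
    """True when a burst of suspect files appears between two snapshots."""
    return len(suspect_files(before, after)) >= MASS_CHANGE_THRESHOLD

# Constructed sample data standing in for a user's document folder.
_rng = random.Random(2016)
def _noise(n: int = 4096) -> bytes:  # stands in for ciphertext or compressed data
    return bytes(_rng.getrandbits(8) for _ in range(n))
DOC = b"Quarterly report: revenue up 4%, costs flat. " * 90
HOLIDAY_JPG = _noise()  # compressed image: high entropy both before and after
FILES_BEFORE = {"docs/report.docx": DOC, "docs/notes.txt": DOC[::-1],
                "docs/budget.xlsx": DOC.upper(), "photos/holiday.jpg": HOLIDAY_JPG}
FILES_AFTER = {"docs/report.docx.locked": _noise(),  # renamed and encrypted
               "docs/notes.txt": _noise(),            # encrypted in place
               "docs/budget.xlsx.locked": _noise(),
               "photos/holiday.jpg": HOLIDAY_JPG,      # untouched
               "docs/HOW_TO_RECOVER.txt": b"Your files are encrypted. " * 40}
SNAPSHOT_BEFORE, SNAPSHOT_AFTER = snapshot(FILES_BEFORE), snapshot(FILES_AFTER)
```

The untouched JPEG and the low-entropy ransom note are deliberately not flagged, which is why the check keys on the entropy jump rather than on absolute entropy alone.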

CryptoLocker ransomware, Flickr: Christiaan Colen

MB: So what can we do to protect ourselves?

MR: Technology is a beautiful and wonderful thing that enriches the lives of people all across the world, making us happier and more productive. But the pace that we embrace technology far outstrips our capability to secure it.

In the cybersecurity world, it isn't all about technology. You have technology and you have behaviors, the human element; it's like two sides of a coin. In reality, you can install a stack of firewalls on your network, but that's not going to stop an authorized user clicking stuff on the web and downloading and installing things. It's just not. Even the most robust technology can be undermined by the actions of users.

Organizations must understand both the technology and behavior aspects. Security plans have to address both. And because the adoption of technology is now so widespread and complex, you can't immediately protect everything. So you must prioritize. And that's really the next evolution we're seeing in the industry.

MB: Prioritize what, exactly?

MR: For example, if you go back seven or eight years, the biggest theories in cybersecurity were to identify all the vulnerabilities in your environment and go patch them. It made a whole lot of logical sense. The problem was that vulnerabilities were emerging faster than you could identify or patch or mitigate. We saw security groups double, triple, quadruple in size and still couldn't get a handle on it. There was no way to keep pace.

So instead, you had to start looking at the metrics. We found that of all the vulnerabilities out there, there's actually only a small percentage that ever get exploited by the bad guys. There's reason for this. Attackers, just like you and me, like shortcuts. They follow the path of least resistance. As it turned out, you had all these vulnerabilities, so they had a huge choice; they tended to go towards the easier ones, because they worked. So if you can start to understand that—the threat, their motivation, their objectives—now you can start to prioritize. That's where you focus.

For ransomware, there are great best practices. I wrote a blog recently about some of them. You should make sure you have a backup of your most important files that's completely offline. Cloud backups are very convenient, but they too can fall victim to ransomware. Be sure systems are benefitting from good anti-malware programs, are sitting behind network controls like firewalls, and users are doing their part to not invite attacks by installing untrustworthy software or clicking links in suspicious emails.

Anti-malware companies are constantly looking at ways to identify when those ransomware executables or trojans come in, and trying to evict them off the system before they can install. There are system controls that can isolate certain applications, like the browser, so anything that's running on it can't really go out and look at the files and encrypt them. Many users might not need full administrative rights on the system. Restricting users' rights, although some users like engineers loathe not having full control over their systems, can have a big impact. Doing so compartmentalizes users' access and can greatly limit the risks.

And then there's behavioral training: security-savvy users are invaluable to keeping systems and data protected. First and foremost, keep systems updated and patched, and don't install software you're not sure is coming from a secure source. You would think common sense is common, but in many instances it really isn't. It has to be reinforced, in a good positive way. If you're installing applications from an unfamiliar site or domain, you are just asking for trouble! Although there is no perfect solution to the myriad of cyber threats, such best practices present the best and most reasonable defenses.

To learn more about Intel® Software Evangelists, please visit evangelists.intel.com.