Cyber security is often stated as a problem organisations need to deal with, but it’s an issue which is never going to be completely fixed. Instead of viewing cyber security as a problem, organisations need to start viewing their cyber security as a game and cyber adversaries as challengers in that game. The difference being that problems, like 1+1, have a singular answer. Too much network traffic load for your security perimeter? That’s a problem — install another firewall: done. Games, on the other hand, are never “done”. Games are dynamic and require teams to adapt to moves made by a wide variety of other players.
Security challenges today involve bad actors that range from hacktivists and organised crime to nation-states – all contributing to information security’s “Game of Adversaries”. These are complex equations with variables that are constantly changing. As a result, we need increasingly adaptive security solutions that can rapidly evolve to address continuous changes in our adversaries’ attacks — whatever those changes may be.
Attacks move to Digital Channels
Traditionally security teams have focused on keeping everything inside the corporate firewall secure. But like any modern game, the latest adaptions of the cyber security battle have spread onto digital channels, areas exposed beyond the firewall, and increasingly outside of the perimeter. Some of the most rapidly evolving attacks occur across our primary digital channels — web, mobile, and social media – making it challenging to get visibility into what adversaries are doing outside the network using traditional security controls like firewalls, host agents and network sensors.
This is clearly illustrated by the evolution of phishing. According to the Verizon DBIR for the past several years “more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.” Roughly 50% of targets “open e-mails and click on phishing links within the first hour” of receiving them, leading to an outcome where 60% of organisations targeted are compromised “within minutes”.
Detecting phishing is no longer a human-analysable problem, and static detection rules have become ineffective, forcing the hand of the security game player. Adversaries are using sophisticated software development technology to rapidly customise and modify their phishing attacks, while extending them across all digital channels. Detecting these threats and keeping pace with their rate of change requires sophisticated automation and machine-learning (ML) techniques to be deployed in return.
Customers, employees, and revenue are moving toward digital channels, making this is a key battleground for the information security game today, and the adversaries are showing up here armed to the teeth.
As a result, two of the biggest and fastest growing new external-threats in the cyber security game are:
1) Phishing via social media
2) Adversaries shifting their attack resources across large expanses of threat infrastructure for obfuscation
Rogue Social Media Attacks
For the last several years, attackers have been pivoting their phishing campaigns from traditional email and web attacks to mobile applications. More recently they have started using social media platforms like Twitter. These platforms are rich environments to target with hundreds of millions of users created with weakly verified authenticity. Criminals can easily use popular topics, group memberships, or falsely claimed affiliation with trusted brands to target specific groups and make themselves, and their malicious activities, appear credible.
What makes these attacks especially challenging to detect and defeat is their high rate of speed and limited duration. Many campaigns only last five to eight hours, with the majority of damage occurring in the first few hours.
Finding and shutting down rogue social media accounts even 24 hours after an attack begins is akin to locking the barn door after all the proverbial quadrupeds have been stolen. If we want to stop these campaigns we need to detect and respond to attacks faster. This requires technology that can detect phishing across all digital channels: web, mobile, and social media using machine learning to identify new/modified campaigns quickly, without prior knowledge.
Threat Infrastructures are Moving Target
To compound this problem, attackers are rapidly growing and scaling their threat infrastructure while they diversify their attack vectors across new channels. To do this, they have adopted agile software development and cloud-based rapid deployment tools. Attackers are leveraging the same cloud services and third-party hosting providers that legitimate businesses use — to run their infrastructure more cheaply and efficiently.
They use this infrastructure to host multiple copies of malicious payloads and files, so they can quickly shift their attack resources around. One of the most advanced new techniques being used to obfuscate attacks and evade security analysis is to create layered traffic distribution services (TDSs). These are essentially sequences of redirectors to bounce the traffic around a dozen or more times in an attempt to confuse security products and analysts about where the final destination (the malicious payload) actually is.
These advanced threat infrastructures are being used for phishing; malvertising campaigns; more traditional malware distribution, and most recently to help launch attacks over social media. However, there is also good news here.
Winning the Game of Adversaries
There are many indicators that can be tracked and used to identify and analyse an adversary’s threat infrastructure as a collective whole. At a minimum, it requires PDNS, Whois, and SSL Cert Registration Information, along with an automated ability to correlate them to known threat campaigns. Using these indicators security analysts can better take control of the cyber security game, understand what attackers are doing, and mapping out their infrastructure, so that it can be blocked and/or taken down all at once. This also has the potential to prevent future attacks before they happen — effectively taping over all the holes on the whack-a-mole machine at the same time.
The cyber security game is never going to end, attackers will continue to build new infrastructures and change tactics. However, using the right technology and automation techniques, organisations are better able to detect them, stop them and significantly increase the cost of doing business for criminals, while protecting themselves and their users.
By Ben Harknett, VP EMEA, RiskIQ