Threat Intelligence

5/23/2017
02:00 PM

Staying a Step Ahead of Internet Attacks

There's no getting around the fact that targeted attacks, such as spearphishing, will happen. But you can figure out the type of attack to expect next.

"It's difficult to make predictions. Especially about the future," Yogi Berra famously stated. While this may be true for general predictions, I don't believe it's true for Internet security predictions.

By training, I am a cryptographer. In the late '90s, I realized that Internet security wasn't really about cryptography or even how protocols were implemented. Instead, it was about people and their actions. I believed criminals would start circumventing Internet security measures — authentication, in particular — by tricking people, using techniques we now refer to as "phishing." However, no one else at that time seemed to believe that this type of deception would ever be successful.

To prove my point to skeptical colleagues, I set up a series of simulated phishing attacks and found I could easily trick about 10% of the (unwitting) participants to enter their credentials. At that time, phishing was just starting to happen and nobody understood the potential success rates of these attacks. Next, I tried a similar version of the same attack, where I first extracted information about my "victims" to create a more convincing attack. (Today, we refer to this type of targeted attack as spearphishing.) Surprisingly, more than 70% of the participants fell for it.

This led to two key conclusions. First, targeted attacks will happen — especially where there is the potential for financial gain. And second, it is possible to make predictions about these attacks. If one criminal succeeds with a particular type of attack, copycats will soon follow and a trend will emerge. Eventually, toolkits will hit the market, enabling anybody to become a criminal. Take the increasingly popular, targeted business email compromise (BEC) attack as an example, which the FBI estimates grew by 2,370% in less than 24 months.

The important thing isn't whether we can predict a particular type of attack. The point is that by using insights into what constitutes a massive criminal opportunity, as well as what makes people mistakenly place trust in something, we can identify where things are likely to go. Seen from another perspective, by understanding what makes typical users fail, we can also understand how attackers will succeed.

Predicting fraud trends isn't only about measuring what end users will fall for, though. It's also about understanding which countermeasures are inherently weak. For example, take antivirus (AV) technology. The predominant approach to detecting malware is to use signatures: snippets of code and data associated with known malware, which are compared against incoming executables. If there is a match, the executable is blocked.

Think like a Cybercriminal
Now, imagine you're a criminal and want to spread malware or cash in on a ransomware campaign. You install some AV products, then try infecting your machine with your malware. If you succeed, your malware is unlikely to be detected when you release it. And if you don't succeed, you tweak the malware — or use a crypter, which is software that compiles the source code together with a random number to create a new obfuscated executable for you — and test again, until you succeed. When AV companies learn of the threat, they add a new signature for your malware. So, you do what you did before — and release your new batch of malware.

The fact that the signature paradigm is central to this process means that criminals will spread malware in small batches, creating new versions every time AV solutions are updated. Subsequently, we can predict they will create new threats in shorter cycles, and use an increasing variety of obfuscation tools. Today, malware is commonly distributed in encrypted attachments, with each new campaign looking different from previous campaigns.
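The release-detect-repack cycle described above, as an added toy simulation (not code from the author or Agari): a one-line signature scanner, a stand-in for a crypter that re-encodes a constructed payload behind a fixed decoding stub, and a replay of the cycle in which the vendor cuts a new per-sample signature after each release. It shows why per-sample signatures never catch the next variant, while a signature on the crypter's invariant stub does. All bytes, names and keys are constructed.

```python
"""Added example: why per-sample byte signatures chase packer variants.
Everything here is constructed toy data, not real malware or a real AV engine."""

# Constructed stand-in for a crypter's decoding stub: this part is emitted
# unchanged in every output the (toy) crypter produces.
STUB = b"\x55\x48\x89\xe5STUB-DECODE-LOOP\x5d\xc3"
# Constructed stand-in for the payload the criminal wants to run.
PAYLOAD = b"CONSTRUCTED-PAYLOAD-not-real-malware"


def toy_repack(payload: bytes, key: int) -> bytes:
    """Model of one crypter run: the same payload XOR-encoded with a fresh key,
    prepended with the fixed stub. Each key yields a different file on disk."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def scan(executable: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Signature AV in one line: report every known snippet found in the bytes."""
    return [name for name, snippet in signatures.items() if snippet in executable]


def per_sample_signature(sample: bytes, length: int = 12) -> bytes:
    """How a reactive signature is often cut: a snippet from the body of the
    sample the vendor received (here: the first bytes after stub and key)."""
    start = len(STUB) + 1
    return sample[start:start + length]


def simulate_cycle(rounds: int, key_seq: list[int]) -> dict[str, int]:
    """Replay the cycle from the article: release variant -> vendor adds a
    per-sample signature -> criminal repacks with a new key. Count detections
    by the reactive per-sample signatures versus one signature on the stub."""
    per_sample: dict[str, bytes] = {}
    stub_sig = {"ToyCrypter.Stub": STUB}
    caught_by_per_sample = caught_by_stub = 0
    for i in range(rounds):
        variant = toy_repack(PAYLOAD, key_seq[i])
        if scan(variant, per_sample):
            caught_by_per_sample += 1
        if scan(variant, stub_sig):
            caught_by_stub += 1
        # Vendor reacts after the fact: a signature cut from this variant.
        per_sample[f"Variant.{i}"] = per_sample_signature(variant)
    return {"per_sample": caught_by_per_sample, "stub": caught_by_stub}
```

With four distinct keys the per-sample signatures catch nothing, and the stub signature catches every variant; a reused key is the only case where the reactive signature fires.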

We can also make predictions based on how unwanted emails are most commonly blocked, based on Internet service providers identifying anomalous volume spikes or a commonality of the same unique URL in many malicious emails. This means that criminals will focus on targeted attacks that use personalized URLs or craft attacks without any URLs at all. This criminal trend will continue, because many filtering technologies are based on URL blacklisting.
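The URL-commonality filter described above, as an added example (not code from the author or any provider): a count of identical URLs across a constructed batch of emails, which flags a campaign that reuses one URL but misses a campaign that embeds a per-recipient token, and a normalisation step that collapses such tokens so the second campaign clusters too. The email addresses, hosts and tokens are constructed.

```python
"""Added example: exact-URL commonality filtering versus personalised URLs.
Constructed (recipient, URL) pairs as a mail filter might see them in one hour."""
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Campaign 1 reuses one URL; campaign 2 embeds a per-recipient token in the
# path; the remaining rows are benign traffic. All values are constructed.
SAMPLE = [
    ("ann@corp.test", "http://acct-verify.example.test/login"),
    ("bob@corp.test", "http://acct-verify.example.test/login"),
    ("cid@corp.test", "http://acct-verify.example.test/login"),
    ("dee@corp.test", "http://acct-verify.example.test/login"),
    ("ann@corp.test", "http://notice.example.test/v/x7Qp9Lm2Kd"),
    ("bob@corp.test", "http://notice.example.test/v/Hf3kT8wZq1"),
    ("cid@corp.test", "http://notice.example.test/v/Pm0rV5sYn4"),
    ("dee@corp.test", "http://notice.example.test/v/Ls6cB2jXe9"),
    ("ann@corp.test", "https://intranet.corp.test/news/index.html"),
    ("bob@corp.test", "https://intranet.corp.test/news/index.html"),
    ("eve@corp.test", "https://vendor.example.test/invoice?num=42"),
]


def flag_exact(pairs: list[tuple[str, str]], threshold: int) -> list[str]:
    """The filter as described: block a URL seen in at least `threshold` emails."""
    counts = Counter(url for _, url in pairs)
    return sorted(u for u, c in counts.items() if c >= threshold)


def normalise(url: str) -> str:
    """Collapse per-recipient variation: drop query and fragment, lowercase the
    host, and replace a final path segment that looks like an opaque token
    (8+ alphanumeric characters, no dot) with a placeholder."""
    parts = urlsplit(url)
    segs = parts.path.split("/")
    last = segs[-1] if segs else ""
    if len(last) >= 8 and last.isalnum() and "." not in last:
        segs[-1] = "{token}"
    return urlunsplit((parts.scheme, parts.netloc.lower(), "/".join(segs), "", ""))


def flag_normalised(pairs: list[tuple[str, str]], threshold: int) -> list[str]:
    """Same count, but over normalised URLs, so personalised links cluster."""
    counts = Counter(normalise(url) for _, url in pairs)
    return sorted(u for u, c in counts.items() if c >= threshold)
```

The exact filter flags only the reused URL; the normalised filter also flags the tokenised campaign while leaving the benign intranet and vendor links alone.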

In addition, I believe we will see further increases in targeting to make attacks more credible, whether using account takeover techniques, social networks, or just publicly available information. As a result, more emails will look "right" to the victim and fewer malicious emails will be reported. This will hamper traditional blacklisting-based methods, which depend on reporting.

The adoption rate of defenses can also be used to more accurately predict the timing of new attack trends, which can be just as important as predicting the types of attacks. Because attackers will use the easiest and most lucrative methods until an effective countermeasure is widely adopted, we can predict when we need to have the next set of defenses in place to protect against a new attack. For example, the current trends of spearphishing, ransomware, and BEC attacks will continue to grow until more organizations have effective defenses in place. Once these defenses are widely adopted, cybercriminals will move on to more advanced attacks, such as account takeover techniques.

We will see cybercrime through email continue to escalate as traditional countermeasures fail to provide a good defense. However, there is a silver lining: Although the Internet is rife with digital deception, we don't have to wait for bad things to happen to make things better. Instead, we can predict the likely future, and then set about improving our protection. While we cannot predict individual attacks, we can easily determine what types of attacks will be common in the future. Armed with this insight, we can try to build more effective defenses.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a ... View Full Bio
Comments

markus jakobsson,
User Rank: Author
5/25/2017 | 1:09:16 PM
Re: Targeted emails?
Good questions!

A personalized email is one that uses information about the recipient to make it more credible. In other words, a targeted attack. 

And an email without a URL ... simply what it says. Many malicious emails have hyperlinks going to malicious webpages, or malicious attachments. Some have neither. Business Email Compromise (BEC) emails are in this important category. This is a growing problem (https://www.ic3.gov/media/2017/170504.aspx) and is harder to detect by many security services than emails with malicious URLs or attachments.

jweiler021,
User Rank: Apprentice
5/24/2017 | 9:04:16 PM
Targeted emails?
What do you mean by 'personalized emails' and 'emails with no URLs at all'?