Threat Intelligence

5/23/2017 02:00 PM

Staying a Step Ahead of Internet Attacks

There's no getting around the fact that targeted attacks, such as spearphishing, will happen. But you can figure out the type of attack to expect next.

"It's difficult to make predictions. Especially about the future," Yogi Berra famously stated. While this may be true for general predictions, I don't believe it's true for Internet security predictions.

By training, I am a cryptographer. In the late '90s, I realized that Internet security wasn't really about cryptography or even how protocols were implemented. Instead, it was about people and their actions. I believed criminals would start circumventing Internet security measures — authentication, in particular — by tricking people, using techniques we now refer to as "phishing." However, no one else at that time seemed to believe that this type of deception would ever be successful.

To prove my point to skeptical colleagues, I set up a series of simulated phishing attacks and found I could easily trick about 10% of the (unwitting) participants into entering their credentials. At that time, phishing was just starting to happen and nobody understood the potential success rates of these attacks. Next, I tried a similar version of the same attack, where I first extracted information about my "victims" to create a more convincing attack. (Today, we refer to this type of targeted attack as spearphishing.) Surprisingly, more than 70% of the participants fell for it.

This led to two key conclusions. First, targeted attacks will happen, especially where there is the potential for financial gain. And second, it is possible to make predictions about these attacks. If one criminal succeeds with a particular type of attack, copycats will soon follow and a trend will emerge. Eventually, toolkits will hit the market, enabling anybody to become a criminal. Take the increasingly popular, targeted business email compromise (BEC) attack as an example: the FBI estimates that identified exposed losses from BEC grew by 2,370% in less than 24 months.

The important thing isn't whether we can predict one particular attack. The point is that by using insights into what constitutes a massive criminal opportunity, as well as what makes people mistakenly place trust in something, we can identify where things are likely to go. Seen from another perspective, by understanding what makes typical users fail we can also understand how attackers will succeed.

Predicting fraud trends isn't only about measuring what end users will fall for, though. It's also about understanding which countermeasures are inherently weak. For example, take antivirus (AV) technology. The predominant approach to detecting malware is to use signatures: byte patterns (snippets of code or data) extracted from known malware samples, which are compared against incoming executables. If there is a match, the executable is blocked.

Think like a Cybercriminal
Now, imagine you're a criminal and want to spread malware or cash in on a ransomware campaign. You install some AV products, then try infecting your machine with your malware. If you succeed, your malware is unlikely to be detected when you release it. And if you don't succeed, you tweak the malware, or use a crypter, which is software that encrypts or packs your executable with a freshly generated key and wraps it in a small decrypting stub, so that every build has a different byte pattern. Then you test again, until you succeed. When AV companies learn of the threat, they add a new signature for your malware. So, you do what you did before, and release your new batch of malware.

The fact that the signature paradigm is central to this process means that criminals will spread malware in small batches, creating new versions every time AV solutions are updated. Consequently, we can predict they will create new threats in shorter cycles, and use an increasing variety of obfuscation tools. Today, malware is commonly distributed in encrypted attachments (for example, password-protected archives with the password in the message body, so that a mail gateway cannot inspect the contents), with each new campaign looking different from previous campaigns.
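The cycle described above, as an added example (not the author's code, and not any real AV product or crypter): a toy signature scanner, a toy XOR "crypter" whose stub just carries the key, and a simulation in which the attacker tests each build against the current signatures before release while the vendor adds a signature only after capturing the sample. The sample "executable", its signature and all names are constructed for illustration.

```python
"""Toy model of the AV signature versus crypter cycle. Added example; all
names, the sample binary and the signature database are hypothetical."""
import hashlib
import os
from typing import Dict, List, Optional

KEY_LEN = 16
STUB = b"STUB"  # stands in for the crypter's decrypting loader code

# Constructed stand-in for a malicious executable: a fake header, a
# distinctive command string, and some padding.
MALWARE = (b"MZ\x90\x00"
           + b"cmd.exe /c vssadmin delete shadows /all"
           + b"\x00" * 16)

# The vendor's signature database: name -> byte pattern (constructed).
SIGNATURES: Dict[str, bytes] = {"ransom.generic": b"vssadmin delete shadows"}


def scan(blob: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Signature scan: name of the first matching pattern, or None."""
    for name, pattern in sigs.items():
        if pattern in blob:
            return name
    return None


def crypt(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Toy crypter: XOR the payload with a fresh random key and prepend a
    stub. A real crypter emits decryption code; here the stub just carries
    the key so decrypt() can round-trip the sample."""
    key = key or os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return STUB + key + body


def decrypt(blob: bytes) -> bytes:
    """What the stub does at run time: recover the original payload."""
    key = blob[len(STUB):len(STUB) + KEY_LEN]
    body = blob[len(STUB) + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def fingerprint(blob: bytes) -> str:
    """Each rebuild hashes differently, so hash blacklists lag as well."""
    return hashlib.sha256(blob).hexdigest()


def add_signature(sigs: Dict[str, bytes], name: str, sample: bytes,
                  length: int = 16) -> None:
    """Vendor response: a chunk of the captured build's body becomes the
    new signature. It matches that build and nothing else."""
    sigs[name] = sample[len(STUB) + KEY_LEN:][:length]


def release_cycle(payload: bytes, keys: List[bytes],
                  sigs: Dict[str, bytes]) -> List[bool]:
    """Attacker builds a variant per key, checks it against the *current*
    signatures, releases it; the vendor then adds a signature for it.
    Returns, per release, whether it was detected at release time."""
    detected_at_release = []
    for n, key in enumerate(keys):
        build = crypt(payload, key)
        detected_at_release.append(scan(build, sigs) is not None)
        add_signature(sigs, f"variant.{n}", build)  # vendor catches up later
    return detected_at_release


if __name__ == "__main__":
    sigs = dict(SIGNATURES)
    print("original sample detected as:", scan(MALWARE, sigs))
    keys = [os.urandom(KEY_LEN) for _ in range(3)]
    print("detected at release:", release_cycle(MALWARE, keys, sigs))
    print("signatures now:", sorted(sigs))
```

Every release in the simulation evades the signatures that exist at the time, and each build is caught only after the vendor has seen it; the original, unencrypted sample is still flagged. That is the structural reason the text gives for short release cycles, and why a defender reading this should weight behaviour at run time (the decrypted payload still has to execute) over static bytes on disk.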

We can also make predictions based on how unwanted emails are most commonly blocked: Internet service providers identify anomalous volume spikes, or the same unique URL appearing in many malicious emails. This means that criminals will focus on targeted attacks that use personalized URLs, or craft attacks without any URLs at all. This criminal trend will continue, because many filtering technologies are based on URL blacklisting.
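The commonality rule above, and the two ways the text says attackers route around it, as an added example (not the author's or any provider's filter): a counter that flags any URL seen in at least N messages, run over a constructed batch of mail containing one bulk campaign with a shared URL, one campaign with a per-recipient URL, and two BEC messages with no URL at all. The `.example` hostnames, recipients and message bodies are constructed; `host_only` is one hypothetical normalization a practitioner might add.

```python
"""URL-commonality filtering versus personalized and URL-less mail.
Added example; the messages and hostnames below are constructed."""
import re
from collections import Counter
from typing import Callable, List, Set, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed inbound mail: (recipient, body).
EMAILS: List[Tuple[str, str]] = (
    # Bulk campaign: the same URL in every message.
    [(f"user{i}@corp.example",
      "Your mailbox is full. Log in at http://update-account.example/login")
     for i in range(5)]
    # Personalized campaign: one URL per recipient (per-user token in the query).
    + [(f"{name}@corp.example",
        f"Invoice attached: http://invoice-portal.example/view?u={name}&t={i * 7919:04x}")
       for i, name in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # BEC: no URL, no attachment, just a request.
    + [("cfo@corp.example",
        "Are you at your desk? I need a wire sent today, will send details."),
       ("ap@corp.example",
        "Please update the bank details for vendor payments, see below.")]
)


def extract_urls(body: str) -> Set[str]:
    """Distinct URLs in one message (a URL repeated in a body counts once)."""
    return set(URL_RE.findall(body))


def exact_url(url: str) -> str:
    """Key used by a naive filter: the full URL string."""
    return url


def host_only(url: str) -> str:
    """Hypothetical normalization: group by host so per-recipient paths
    and query strings collapse onto one key."""
    return urlparse(url).hostname or url


def flag_common(emails: List[Tuple[str, str]], key: Callable[[str], str],
                threshold: int) -> Set[str]:
    """The provider-style rule: flag any URL key seen in >= threshold messages."""
    counts = Counter(key(u) for _, body in emails for u in extract_urls(body))
    return {k for k, n in counts.items() if n >= threshold}


def unflagged(emails: List[Tuple[str, str]], key: Callable[[str], str],
              threshold: int) -> List[Tuple[str, str]]:
    """Messages the filter lets through: no flagged URL, including no URL."""
    flagged = flag_common(emails, key, threshold)
    return [(to, body) for to, body in emails
            if not any(key(u) in flagged for u in extract_urls(body))]


if __name__ == "__main__":
    for name, key in (("exact URL", exact_url), ("host only", host_only)):
        print(f"{name}: flagged={sorted(flag_common(EMAILS, key, 3))}, "
              f"passed={len(unflagged(EMAILS, key, 3))} of {len(EMAILS)}")
```

With exact-URL counting, only the bulk campaign is caught and seven messages pass; grouping by host also catches the personalized campaign, but the two BEC messages pass either way because there is nothing to blacklist. Host-level grouping is a signal rather than a verdict: a legitimate shared host (a link shortener, a SaaS domain) clusters just as readily, so it needs an allowlist or a reputation check in front of it.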

In addition, I believe we will see further increases in targeting to make attacks more credible; whether using account takeover techniques, social networks, or just publicly available information. As a result, more emails will look "right" to the victim and fewer malicious emails will be reported. This will hamper traditional blacklisting-based methods, which depend on reporting.

The adoption rate of defenses can also be used to more accurately predict the timing of new attack trends, which can be just as important as predicting the types of attacks. Because attackers will use the easiest and most lucrative methods until an effective countermeasure is widely adopted, we can predict when we need to have the next set of defenses in place to protect against a new attack. For example, the current trends of spearphishing, ransomware, and BEC attacks will continue to grow until more organizations have effective defenses in place. Once these defenses are widely adopted, cybercriminals will move on to more advanced attacks, such as account takeover techniques.

We will see cybercrime through email continue to escalate as traditional countermeasures fail to provide a good defense. However, there is a silver lining: Although the Internet is rife with digital deception, we don't have to wait for bad things to happen to make things better. Instead, we can predict the likely future, and then set about improving our protection. While we cannot predict individual attacks, we can easily determine what types of attacks will be common in the future. Armed with this insight, we can try to build more effective defenses.

Markus Jakobsson, chief scientist for ZapFraud, has worked for more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. He leads ZapFraud's security research with a focus on using ...
Comments

markus jakobsson, User Rank: Author
5/25/2017 | 1:09:16 PM
Re: Targeted emails?
Good questions!

A personalized email is one that uses information about the recipient to make it more credible. In other words, a targeted attack. 

And an email without a URL ... simply what it says. Many malicious emails have hyperlinks going to malicious webpages, or malicious attachments. Some have neither. Business Email Compromise (BEC) emails are in this important category. This is a growing problem (https://www.ic3.gov/media/2017/170504.aspx) and is harder to detect by many security services than emails with malicious URLs or attachments.
jweiler021, User Rank: Apprentice
5/24/2017 | 9:04:16 PM
Targeted emails?
What do you mean by ' personalized emails' and 'emails with no URLs at all'?