New Approaches Needed For Hyperscale Security Threats

August 25, 2014 Alex Woodie

In the ongoing battle for network superiority, cybercriminals appear to be gaining the upper hand. The rise of commercial malware and the sophistication of hyperscale hacker tools are giving the bad guys incredibly powerful tools to perpetrate their crimes. Considering the disjointed approach to cyber threats in Western nations, some experts say it’s time to explore fundamentally new approaches to fighting it.

The specter of cyber warfare is not a pretty one, especially in the wholesome land of Mom and Apple Pie. But guess what? Hackers and cyber criminals around the world have already declared war on pretty much everybody, from citizens and small businesses to the largest enterprises and governments. Just because you’re not paranoid, it doesn’t mean they’re not after you. In fact, you can rest assured they are.

“You have been hacked!” declared Hold Security the Milwaukee, Wisconsin-based company that claims to have identified a gang of cyber thieves in southern Russia who have amassed a database of more than 1.2 billion unique user name and password combinations associated with 542 million email addresses, likely constituting the largest single collection of breached data of its kind. The database was independently confirmed to be authentic by the New York Times earlier this month.

The hack initially started when the gang, dubbed CyberVors (Vors means “thief” in Russian), simply bought user credentials on the black market, where cyberpunks sell all manner of stolen data and tools for perpetrating crime on the Net, not to mention all other manner of illegal goods and services. Then the CyberVors got access to a botnet, which is a large group of virus-infected computers, and automatically conducted “possibly the largest security audit ever,” Hold Security said.

The botnet allowed the group to identify more than 400,000 websites to be potentially vulnerable to SQL injection flaws, the company says on its blog. The CyberVors then used the vulnerabilities to steal login data from everybody from small businesses to Fortune 500 firms. If there are no IBM i user credentials in there, it would be surprising.

Smarter Security Approaches

The CyberVors used well-known and established techniques to exploit older vulnerabilities. SQL injection attacks have been on the radar screens of security experts for at least a decade. So what’s new here? It’s the fact that cybercriminals are using hyperscale techniques learned by large Web-scale companies to launch attacks against the rest of us. Defending against such attacks is not going to be easy, and will require new approaches.

Better education will have to be part of the answer. We’ve heard this before, but a cybersecurity outfit called KnowBe4 is hoping to enlighten regular employees about the Net’s new risks. The Florida company, which is affiliated with the infamous black-hat turned white-hat hacker Kevin Mitnick, is offering to help train users how to prevent becoming infected with the so-called second-gen ransomware, a new form of commercial malware that’s started emerging from Eastern Europe and Russia this summer.

Once infected with ransomware such as CTB-Locker or Cryptoblocker (usually by trying to open an infected email attachment), a user is forced to pay upward of quarter of a million dollars to have their systems unlocked. Good old education is the best way to stop this sophisticated form of malware, says KnowBe4’s CEO Stu Sjouwerman. “Security awareness training is needed now more than ever,” he says. If a client is infected after training, KnowBe4 will pay the ransom, providing an element of insurance to the cybersecurity business model.

Better cooperation is also needed. Security information and event management (SIEM) software is supposed to capture and correlate potential security signals from multiple channels for a single organization, but what about using the SIEM approach with thousands or millions of organizations? The SIEM vendor LogRythm seems to be taking this approach with its new Threat Intelligence Ecosystem. Unveiled last week, the group aims to bring together Symantec, CrowdStrike, Norse, and Webroot to provide customers a comprehensive security analytics platform for detecting sophisticated cyber threats.

By the way, LogRythm supports the capture and analysis of IBM i logs, along with most of the rest of the usual SIEM suspects. While IBM i shops may think all this security hullabaloo doesn’t apply to them, they do so at their own danger, says PowerTech director of security technologies Robin Tatam.

Tatam has watched as external hackers have again become Public Enemy Number One in the eyes of security experts. He’s responded by putting together a new IBM i-oriented webinar called “Why You Shouldn’t Worry About Hackers.” It may not be what you think.

“It’s not that you shouldn’t worry about hackers, but rather that IBM i shops still need to accomplish many basic steps to even catch up with the controls that IBM began to include in the OS more than 25 years ago,” he says. “The IBM i community needs to get deadly serious about security (over and above minimal compliance) and do it now! Until we educate our staff, allocate recurring budgets, and buckle down and deploy the controls properly, the only saving grace for us will be that we are inside the perimeter firewall and have less visibility than our Windows colleagues.”

New Cybersecurity Laws

The U.S. government and private companies both agree that law-abiding citizens are losing the cybersecurity battle. “Malware and attack methodologies are evolving much faster than defenses,” writes Victoria Loewengart of the American Military University in a 2012 paper titled Proactive Defense Against Cyber-Criminals. (Things are worse now than they were in 2012.) “Cyber-criminals, especially the ones that are backed up by the governments of their countries, are well organized and well educated.”

Loewengart argues that it’s time for a stronger deterrent against cybercriminals. “Proactive defenses using innovative strategies and technologies, and sometimes even the same tactics as the hackers use, will be a stronger defense and a stronger deterrent,” she writes. “It is imperative to get the buy-in from the policy makers in order to allow a more aggressive cyber defense approach, and to enhance cyber laws to make proactive defense possible.”

New laws also would help. The patch-work of laws currently in place around the world gives cybercriminals the freedom to perpetrate their acts with little fear of being caught or prosecuted. U.S. law enforcement has no jurisdiction in Eastern Europe or Russia, where many of these attacks are launched. “Russian cybercrime never hacks in Russia itself due to the likelihood of immediate arrests by Russian security services,” Sjouwerman says. It would be nice if our Russian brothers would investigate the CyberVors, but such cooperation is unlikely.

While there’s some talk of using Interpol to thwart the security risks, don’t get your hopes up that tough new cybersecurity laws will be passed. “It is unlikely that there will be a single overarching regime for cyberspace any time soon,” says Joseph Nye, a member of the Global Commission on Internet Governance, which recently released its first working paper. Instead, you can expect fragmentation to continue. “Governments want to protect the Internet so their societies can continue to benefit from it, but at the same time, they also want to protect their societies from what might come through the Internet,” Nye says.

Security expert Dan Geer, CISO for In-Q-Tel and Black Hat Conference keynote speaker

Some security experts are advocating a different tack, and think the answer may be for the U.S. government to take a more active role. Dan Geer, who is the chief information security officer at In-Q-Tel, the venture capital arm of the Central Intelligence Agency, raised such an idea during his keynote address at the recent Black Hat Conference in Las Vegas.

Geer, speaking for himself (not In-Q-Tel) suggested that the U.S. government should buy and disclose all the world’s vulnerabilities. What’s more, he argues that the U.S. government should pay way beyond fair-market value for the flaw. “By overpaying we increase the rate of vuln finding, while by showing everyone what it is that we bought we zero out whatever stockpile of cyber weapons our adversaries have,” Geer says in his keynote (a transcript of which is available here). “We don’t need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world’s vulns and have shared that with all the affected software suppliers.” In other words, utilize the power of open source to create a more even playing field.

Geer also suggested that the U.S. pass a law requiring mandating reporting of security breaches, which could lead to more professional handling of cyber intrusions. The Centers for Disease Control is good at what it does because of laws requiring infectious diseases be reported to the government, he says. The CDC also has the analytic skills to differentiate between a statistical blip, and the tactical wherewithal to tackle outbreaks wherever they might pop up.

Treating malware like Ebola or other infectious diseases could thwart their spread. Does it make sense that “diseases are treated by professionals, but malware infections are treated by amateurs”? Geer says. “Diseases spread within jurisdictions before they become global, but malware is global from the get-go. Diseases have predictable behaviors, but malware comes from sentient opponents.”

At the end of the day, there’s no silver bullet to solve the security problem. While the U.S. government may be furiously building “smart bombs” that can target the computer infrastructure of enemy cyber warriors and cyber gangs, the Wild West nature of the Internet is likely to continue for the foreseeable future. For individuals and businesses, creating a comprehensive and multi-layered defense is still the best strategy.

The Internet is a crazy and haphazard place by design. While its rough edges sometimes give criminals cover, the decentralized design also prevents central control and ensures freedom. Geer says we must make a compromise. Out of three characteristics–freedom, security, and convenience–you get to pick two. For Americans, that’s going to be tough.