Addressing 2013's Top 4 Cyber RisksStrategies to Fight Mobile Malware, Emerging Threats
"Organizations, with respect to the mobile threat landscape, need to understand that the notion of an organizational perimeter is quickly disintegrating," says Royal, associate director of Georgia Tech's Information Security Center, in an interview with Information Security Media Group's Tom Field [transcript below].
Georgia Tech recently published its Emerging Cyber Threats Report, which identifies botnets, mobile vulnerabilities and search engine poisoning as top concerns for organizations.
Criminals' tactics also need to be better understood, Royal explains. "Criminals will often be opportunistic," he says. In order to mitigate attacks as much as possible, organizations should use the strategy of risk deference. "Make yourself less desirable as a target because there may be an alternative organization that would be easier to go after," Royal says.
Further, organizations need to continue to prioritize security. "It should not be an afterthought," Royal explains. "Most major organizations should have the equivalent of a chief information security officer."
The nature of computing is quickly changing, Royal says, and the security role needs to evolve as well. "Unfortunately, last-century security best practices don't necessarily hold," he explains. "You have to understand how things are changing in order to be of greater value to your organization."
In an interview about Georgia Tech's 2013 Cyber Threats Report, Royal discusses:
- The four top emerging threats to organizations;
- How organizations and information security pros can counter these threats;
- New training techniques to improve threat awareness and response.
Royal is a research scientist in the College of Computing at Georgia Tech and associate director of the Georgia Tech Information Security Center. In this role, he engages in collaborative research on various facets of the online criminal ecosystem. Prior to Georgia Tech, Royal served as principal researcher at Purewire Inc., where he identified emergent threats and designed methods that enhanced the company's web security service.
Emerging Cyber Threats Report
TOM FIELD: For some background, what can you tell us about this new cyber threats report and how it was conducted?
PAUL ROYAL: We sourced faculty at the Georgia Tech Information Security Center, as well as other parts of Georgia Tech, such as the Georgia Tech Research Institute. We wanted also contrasting views so we reached out to a variety of people in industry and solicited a participation in this report, and then aggregated together into major sections the corresponding findings based on interviews of these people.
FIELD: I'm eager to get into the threats. I'm going to ask you up-front what the top cyber threats are, and then we'll get into each of them in depth. Bottom line, what are the threats we need to be concerned about?
ROYAL: We should be concerned about the ease of availability of cloud-based resources being repurposed for nefarious purposes. You can combine conventional types of online cybercrime like the theft of credit card numbers with what's effectively the recruitment of armies of virtual resources to use in an attack. In addition, the way that your search history reflects the results you receive can actually be modified in a new type of attack. This isn't traditional search engine optimization. In this case, it's most specifically because modern search algorithms, like Google and Bing, personalize the results based on your search history. So if an attacker can get a hold of the piece of validation data that lets them perform searches in your name, then they can actually change what you'll see in the future, even if you remove a piece of malware that originally made those modifications.
In addition, there's increasing concern about organizations that have traditionally focused on securing their perimeter, but now have to begin considering allowing devices to be brought in - the BYOD model - because that basically and effectively dissolves the perimeter.
Finally, attackers are finding new ways to monetize different platforms, not so much mobile, but alternative operating systems like MAC OSX. Earlier this year, we saw 600,000 botnet flashbacks emerge, which would actually monetize Click on Macintosh-based systems. In addition, there are certain fundamental models that the security industry uses. Specifically, they make use of automation to identify new threats, and we've seen the emergence of threats. This segways to mention a flashback that will use a type of software licensing - almost like digital rights management - for malware to make the process of threat identification and analysis difficult.
FIELD: Let's talk about each of these threats in some more depth. Let's start with the cloud-based botnets. When you're talking about these, are these similar to the botnets that we've seen used in the recent DDoS attacks against financial institutions?
ROYAL: I'm actually not familiar with the particulars of the attacks against the financial institutions, although it's worth mentioning. What I do know is that those were primarily attacks on the websites. Obviously, there's a separate set of networks that corresponds to the actual transactional business, although there's some annoyance associated with the customer's inability to log into the website, but it wouldn't be surprising to see a similar attack that was able to leverage virtual resources acquired through elicit means. You can take a credit card number, buy a bunch of say Amazon EC2 instances from another cloud provider, and then basically turn these into high-bandwidth attack cannons with which to attack your target.
FIELD: When you're talking about cloud-based botnets, what are you talking about? And with each of these threats, who do you see as the main actors behind them?
ROYAL: DDoS, or distributed-denial-of-service, was originally used in almost an extortion-like manner. If the availability of your website was fundamentally interleaved with your business model, you could make the website unavailable and then contact the affected organization. This is as a more traditional cyber criminal that may have a botnet, and they'll say, "While your website [was] down, you were losing 'x' hundreds of thousands of dollars an hour. If you pay me money, I'll discontinue the attack. Your website operation can return."
These days, we're seeing more DDoS attacks by politically motivated individuals. We've actually seen, in addition to the potential recruitment of cloud-based resources, opt-in botnets, people in nation-states that are willing and actually understand what they're doing with respect to running a piece of software that will be used in an attack. I would say we're going to start seeing a transition and we've already started seeing that transition to some extent of cyber criminals being the actors behind this, politically motivated individuals facilitating attacks for some type of symbolic win. Obviously, the operation of the White House doesn't depend on the availability of the www.whitehouse.gov site, but if it's unavailable, there are certain bragging rights associated with that takedown.
Search History Poisoning
FIELD: Let's talk about search history poisoning. This is a new term to me. Talk a little bit more about it. Let's hear a bit about the actors behind search history poisoning.
And there is also a similar or newer type that's not necessarily dependent on search history poisoning, but does leverage search, and that's increasing the relevance of favored or particular links. For example, if you run a single hotel that's not associated with a franchise brand, you can actually hire people for literally pennies using a service like Mechanical Turk to click on various links based on searches to certain terms and, as a consequence, prevent any negative reviews from appearing within the first several pages of search results.
FIELD: One of the other topics that you broach in the report is mobile, and you talk specifically about mobile browser and wallet vulnerabilities. Now we've got organizations increasingly offering mobile services, allowing their employees to use mobile devices, and brand new mobile devices hitting the market this holiday season. What are the threats that concern you the most?
ROYAL: One concern obviously is the openness of applications with respect to their installation on the Android platform. Apple uses a more closed model and we haven't yet seen substantive threats for IOS. And interestingly enough, even for Android, if we limit our perspective just to the United States, we observe a low infection rate. It's so low in fact that it looks just like IOS. That's not the case in other countries. In this case, while there are certainly criminals innovating out there in order to monetize the use of your mobile device, there seems to be reasonable oversight and response to mobile threats in, say, the Android app store. Even if you have the availability, i.e., even if there are malicious applications in the app store, for whatever reason people in the U.S. don't seem to be downloading those. In some cases, that's because those applications are in a language that you wouldn't traditionally associate with the United States; for example, Chinese. So, to actually respond in a positive note, right now iPhone and Android are relatively both low-risk devices, at least if you're a U.S. citizen or coming from America.
Mobile Wallet Vulnerabilities
FIELD: What are the mobile wallet vulnerabilities that concern you?
ROYAL: Earlier this year, there was an NFC proof of concept that was used to achieve arbitrary code execution. Unfortunately, as we begin increasing the functionality of our mobile devices and it represents a new platform, for example as a way to pay, the newness and the relative immaturity of the systems and software are going to create new opportunities for an attacker, similar to any new area you see.
FIELD: Finally, let's talk about the malware counter-offense, as you term it. What can you tell us about that?
ROYAL: That's something of a complex topic, and in order to explore it we need to look briefly at the traditional model, let's say the antivirus industry. These days, antivirus companies receive 100,000 or more new suspect executable samples. That's because of techniques like packing, other types of obfuscation, and even the evolution of the representation of those techniques, such as service-side polymorphism which automates obfuscations at the server side. As a consequence, you've got all these new suspect binaries, and many of them, especially the malicious ones, are wrapped inside these layers of obfuscations that make the malicious portions of their program code appear as seemingly benign data.
In addition, there's a series of executable protections that are supposed to make them somewhat tamper-resistant. In many cases, the way to discover the subset of that gigantic firehose that's meaningfully new and that's worthy of a human's attention for the purposes of creating new detections, you have to employ some type of automation. Now what we've seen in its most primitive representations right now as a response by the malware authors is the interweaving of the successful execution of a binary with the original host that it infected. Fundamentally, you take unique properties of the host and you use them to make the binary dependent on those properties for its successful execution.
Now, this has existed for a long time in traditional legitimate markets where you have to protect copyright, like streaming devices and other things, even in the software industry where you want to license a piece of software. This is basically software licensing or digital rights management for malicious software, and unfortunately that has the potential to considerably stymie the automated mechanisms security organizations use to take the firehose and turn it into attractively small subsets that can be analyzed by a set of human beings.
FIELD: That's a great overview. When you look at the emerging threats and the actors behind them, what are the common themes that you see?
ROYAL: What we see overwhelmingly is a desire for criminals to monetize resources in some way, and obviously the resources of a particular device will depend on the way in which it's monetized, but we no longer see mischievous youngsters. There's almost always a criminal or even nation-state angle with respect to a particular threat. Another common theme we see - and this is perhaps not surprising - is that newer platforms and newer paradigms are all inevitably in the beginning going to have security problems. And as we continue innovating through the use of cloud-based resources and mobile devices that can one day act as a form of payment, we're invariably going to see problems in them.
Threat Mitigation Steps
FIELD: What are some of the things that organizations need to be doing to counter these threats now?
ROYAL: Organizations, with respect to the mobile threat landscape and with things like BYOD, need to understand that the notion of an organizational perimeter is quickly disintegrating. In addition, they need to understand that criminals will often be opportunistic and, thus, one risk-mitigation strategy is risk deference, which means to make yourself less desirable as a target because there may be an alternative organization that would be easier to go after. Otherwise, organizations need to prioritize security. It should not be an afterthought. Most major organizations should have the equivalent of a chief information security officer, and instead of having several people that he reports to get to the CEO, he should presumably have a direct line.
Tips for Infosec Pros
FIELD: Let's talk about what information security pros can be doing. In terms of their careers, what do they need to be doing to prepare themselves to help the organizations counter these threats? How can they be more valuable to their organizations?
ROYAL: I think they need to understand the changes that are occurring with respect to the way people use computing devices. The more like a computer your mobile device becomes, the more desirable it will be to an attacker. The more feature-rich a mobile device becomes, the greater potential there is for sensitive data, for example, to be stored on that, which again increases its attractiveness to attackers. Unfortunately, last-century security best practices don't necessarily hold. You have to understand how things are changing in order to be of greater value to your organization, so you can put up the appropriate defenses to mitigate the risk associated with changing technology paradigms.
Georgia Tech Initiatives
FIELD: Let's bring this home to Georgia Tech. What are you doing at Georgia Tech to change your own programs to help prepare tomorrow's information security professionals and today's to respond to these emerging threats?
ROYAL: One thing we're trying to focus on in general within the computer science program is the integration of security concepts earlier and to the undergraduate curriculum. What that specifically means is that we're taking classes that are otherwise completely unrelated to security and exposing security concepts to students in a way such that they don't think it's security, so that it will feel more accessible to them.
In one example, we have a class where students are first introduced to the C programming language, and with the introduction of a low-level programming language like C, you have the opportunity of buffer overflows. For example, we designed a lab where students will actually understand how stack smashing works and will actually be required to smash the stack of an executable so they can understand the consequences, for example, of the combination of using a low-level programming language and not mediating input as it should be.
FIELD: Final question for you. You just released Georgia Tech's Cyber Threats 2013 Report. How should individuals in organizations use this report?
ROYAL: We attempted to target a wide audience to learn more about what we think are going to be important threats that require mitigation, but it can also serve as a general reference in terms of what the problems are in a particular area. If an organization is considering a BYOD policy, they should carefully read the mobile malware section and as appropriate even reach out for more in-depth feedback about the nature of the problem and what we're seeing.