It’s long been said that when botnets first appeared, they were the first usable forms of cloud computing. Now with hindsight they fit the NIST definition of cloud computing very well and have become rapidly scalable and on-demand.
More recently criminal malware has taken a turn towards being more akin to enterprise-grade software through its entire lifecycle. It’s not unusual to find your rental of a botnet now comes with 24x7 support and channel reseller margins. Buying exploit kits, renting botnets, and using enterprise-grade cloud technology, Crime-as-a-Service (CaaS) has become part of the latest breed of XaaS, offering the same benefits of cost and complexity reduction as well as lower barriers to entry. Using CaaS gives anyone an instant criminal business model in the cloud.
What we know today, is that CaaS is starting to have its own marketplace, run by well organized criminal mega-gangs; support contracts for purchasers are not uncommon.
CaaS has been given much publicity since the 2014 Internet Organized Crime Threat Assessment (iOCTA) report from Europol described the commercialization and availability of the technology and how it’s impacting legitimate enterprises in real time.
The rise of CaaS is another step on the roadmap of the crimeware that has been instrumental in many of the most recent attacks, where Zeus and its variants like Citadel and Gameover have led to significant loss of data. What we know today is that CaaS is starting to have its own marketplace, run by well-organized criminal mega-gangs; support contracts for purchasers are not uncommon, nor are healthcare and pension plans for employees.
This threat takes how we think about our own protection to a new level. The high-profile breaches of the last twelve months all managed to evade well known or best of breed corporate defenses, so it’s no surprise that enterprise IT managers and CIOs are starting to lose sleep about their next big breach. In many cases, this fear is born out of a realization that platforms like CaaS have become rapidly more advanced than the protections they have within their own environments.
Targeted Threat Protection is once again at the top of the agenda, for C-level managers, as well as those who deploy and run the technology. The sophistication of the attacks means we can no longer sit back and wait for our protection to do its job. We all need to become much more actively defensive – not offensive, but active in our defenses.
In tennis, you never want to commit an unforced error. These are the worst kind of point-costing blunders a player can commit – the completely avoidable, self-inflicted ones that have nothing to do with the skill of the opponent or the excellence of their shot.
Losing to an exceptional opponent is not (really) something a tennis player can control, but losing because of an untimely, unforced error, or a series of them, is a different story.
If you've ever worked in information security, you can probably see the parallel.
Every day, you fight talented opponents of your own – sophisticated cyber-criminals who constantly evolve their methods to exploit any and all vulnerabilities you may have. And every day, you and your peers are losing battles to these criminals, who can exploit both your unforced errors – self-inflicted failures of your cybersecurity technology – and create clever schemes that trick your users.
These attackers have a strong track record – more than half of U.S. small businesses now say they have been victims of a cyber attack, according to the National Small Business Association (NSBA). And an overwhelming majority of these attacks – 91 percent – begin with email-based phishing and elaborate, highly targeted spear-phishing schemes.
These attacks are so effective because of the simple fact an IT department can't completely control all of its users, all the time – they're too unpredictable, and it only takes a mistake by one user for a breach to be successful. However, what an IT department can control is the technology it uses to protect its email systems from spear-phishing attacks. Failure to do so is an unforced error that could cost you.
You certainly wouldn't be alone. Secure Mentem President Ira Winkler, speaking at RSA Conference 2015 in San Francisco, said that even though users get the blame following a successful spear-phishing attack, it's usually a failure of technology that allows the socially engineered email bait to arrive in their inboxes in the first place.
Technology should be your first – and second, third and beyond – line of defense. If a malicious email is neutralized by your spear-phishing defenses long before it even reaches your employees' inboxes, they won't even have a chance to facilitate the attack unknowingly – users can't click on links or download attachments that they never see.
That's where Target Threat Protection (TTP) comes into play. With this technology in place, CIOs, CISOs and IT department heads gain the peace of mind that their users are protected against targeted spear-phishing attacks. Even if – or perhaps, when – a user clicks on the wrong link or downloads the wrong attachment, IT departments will know they have a fail-safe in place to end the attack before it spreads.
As Winkler said during his RSA session, "there is no such thing as a perfect countermeasure," and he's right. But TTP will reassure you that you have the technology you need to create a first line of defense.
To learn more, please see our new whitepaper, "The Spear-Phishing Attack Timeline" which walks through the stages before, during and after a spear-phishing attack and provides a minute-by-minute look at how these attacks can be prevented.
It was reported earlier this month that Russian hackers accessed President Barack Obama’s email system inside the White House. When asked to comment on the attack, Deputy National Security Advisor, Ben Rhodes, said: “We do not believe that our classified systems were compromised.”
Regardless of whether or not an email system is classified, the fall-out of a cyber-attack can be dire. After the recent barrage of data breaches in the U.S. – spanning the retail, entertainment and healthcare industries, and now the government – it’s time for organizations to take action when it comes to email security, specifically, making employees aware of existing threats. Here’s why:
The White House hack was triggered when a compromised email account in the State Department was used to send a spear-phishing email to an individual in the White House and the executive office of the President. The State Department was aware of the breach and forced its network offline to try and rid themselves of the hackers.
Some are drawing the conclusion that human error was at fault – exploiting individuals in the White House allowed the hackers to pivot their network access into a more sensitive and secure network than the one they initially compromised. In complex long-con attacks like this, where threat actors are resident on a network for long periods of time, it becomes almost inevitable that someone will eventually (and unknowingly) help them reach their ultimate goal. Trust is built quickly by email, and it is likely the attackers exploited the trust of having a @state.gov email address to gain access to the White House and POTUS. This use of a trusted third-party is getting more common, and something I’ve written about previously.
What worries me about Rhodes’ statement is; he’s hinting about the security of the classified systems at the White House. No doubt checks have been made to ensure there are no obvious compromises. But just as humans were used to move from the State Department to the White House, the same could surely be true of a further attack inside the White House to gain access to the classified systems. It wouldn’t take too much effort on the part of hackers to move from the unclassified to classified systems. Exploiting the weaknesses in humans once is easy, with only a little trust to abuse, but given a lot more trust, elevating privilege internally becomes very simple.
Humor me for a moment. If I was an attacker, and had been successful, I would have made sure that Mr. Rhodes and his colleagues from the FBI and Secret Service would never detect my presence. So while Rhodes does not believe his classified systems have been compromised, I’m sure he is still hunting for intruders.
Given the complexity of this attack, against what could be one of the most protected governments in the world, it would be fair to say that there’s no amount of technology that can keep out skilful and determined hackers. Do we give up on the technology? Or perhaps revert to pen and paper or typewriters? Of course not.
Making humans aware enough to not react to the social engineering in a spear-phishing email in the first place should be a top priority of any CISO, CIO and IT manager. Deploying a new spear-phishing gateway is important but may not be enough. You need to make sure users – humans – understand the risk, the threat and how to detect the presence of an attack.
Once you achieve this understanding you’ll have deployed a key part of your security infrastructure - your own human firewall. And it’s humans who are your key protection against these new and emerging threats.
Half the problem with protecting your enterprise from every hacker, phisher, visher and botnet herder is the helpful part of human nature, that wants to be…helpful. We’ve known for a very long time that the vast majority of successful cyber-attacks rely on this helpfulness to achieve their goal. We know that social engineering plays a significant role in these attacks, from the most complex right down to the most ‘mundane’ phishing email; and our attackers know this too.
I sense that enterprise cyber security has reached a turning point that will solve this problem.
For years, we’ve been talking about the de-perimeterization of the network, as end users and cloud services make the corporate firewall less relevant. CIOs and IT Managers I’ve spoken to have long been trying to shoe-horn their existing cyber-security into this new model, but have been losing the battle. The ubiquitous nature of connectivity and mobile computing was not so much the straw for this poor camel, but the entire haystack.
So, this is where I sense a pivot occurring, in the way we think about enterprise cyber-security; one that leaves those legacy ideas on the LAN and introduces a more task-orientated set of security rules. Rules that consider how the humans’ use our enterprise services and how those same humans are exploited. And importantly, rules that change the game in our favor, as opposed to the business-as-usual cyber security arms race we suffer under.
Of course, security professionals have been asking for more training for their human users since the dawn of the ILOVEYOU virus, but sadly this has always been low on the priority list for the budget controllers in businesses.
Security and IT professionals also know there is no single technology solution that will protect humans either. Sadly, until very recently, that’s about as far as the conversation went. Enough budget would be allocated for ‘reasonably regular’ (i.e. every six months, if you’re lucky) security training – and we’d all cross our fingers that no one would do anything stupid.
But they did, and they still do. Humans click links, especially in emails, and there’s no way of stopping them from doing that. So we’ve begun to learn that a new approach is needed here. An approach that is the foundation to the wider pivot I mentioned above. If technology can’t completely help us, and in isolation security training isn’t effective anymore—maybe the answer is in the last place we would have looked a few years ago? In the humans.
It’s after all our users who have become the front line for attackers looking to gain access to your network and we know this is because the humans are easier to hack than the code they write. So instead of constantly hardening our code and infrastructure why don’t we start to harden our humans?
Invoke a Human Firewall to help protect our businesses and de-fang the threats that target them. We know that our routine security training doesn’t work and we know our technology is less effective—so why not use the technology to help train users in a more real-time manner, or at the point of click in an email. Subtly warn them they might be able to experience something malicious, and block them if it does turn out to be a watering-hole or drive-by attack. But help them understand the risks, educate them constantly and in new and exciting ways, not once or twice a year in traditional training session.
It’s only when you start to get humans thinking for a fraction of a second longer than normal before performing a task, running an attachment or clicking a link, have you started to drive a behavior change in them. It’s this behavior change that we need to encourage, one that makes them a tiny bit suspicious of those emails that look ever so slightly odd, one that means they’re more aware than we could have ever hope for.
This behavior change is what invokes your human firewall, it’s the only way you’ll protect your humans from themselves, and it’s the only way we might be able to solve our cyber-security woes.