Editor’s Note: This post is a collaboration between security researcher Dhia Mahjoub and OpenDNS IT Pro Owen Lystrup.
Crowds of security enthusiasts and vendors have descended upon San Francisco once again this week for the RSA conference, and the security community’s off-RSA event, BSidesSF.
RSA and BSides both provide an opportunity to survey the security scene, but while one can run a marathon of booth demos, keynote speeches, and after-parties at RSA, BSidesSF is a great way to meet the key players and innovators in Internet security research, and have thoughtful conversations about the future of the industry.
This year’s BSides, not without controversy, had a fantastic breadth of knowledge in its presenters. As the research team sat through the first few speeches during BSides, it became clear how pointedly apparent the risks of the security landscape are today.
While the technologies behind backdoors and exploit code are becoming increasingly more sophisticated, so too are the graphic design, research, targeting, and convincing nature of attacks. Talks from Phishme.com, EnergySec, MalwareBytes, KindSight, Twitter, and Mandiant illustrated how cybercriminals are becoming much more design oriented, and are putting more effort into betraying the trusting nature of their targets.
The reigning trends from these events seemed to be as follows: spear phishing is here to stay; state-sponsored groups are getting more involved; the design and architecture of malware and botnets are becoming a sophisticated cottage industry; and security companies need to collaborate more to change the game and the fight against cybercriminals.
1. The Converse All-Star of Malware
Spear phishing attacks remain a go-to choice for cybercriminals. About 91% of all attacks begin with a spear phishing attempt, according to a TechWorld report. As highlighted in multiple presentations at BSidesSF, the engineering, design, and hosting efforts of botnets and spear phishing operations rivals those of some Fortune 500 companies. A good example is the recently discovered Adobe PDF ransomware that redirects to a phony Adobe site designed as a spitting image of the real thing.
More often attackers are taking effort to design more convincing company letterhead and logos for phishing attacks. They are even using techniques akin to investigative journalism research to find personal info on their targets (SCADA Protection: Imminent Phishing Attacks and the US Cyber strategy). Aspects like design and hosting are increasingly being offered as services for purchase to those looking to run a botnet without the effort of engineering one.
2. Going Mobile
The security community has conceded that BYOD is here to stay. Any security policies put in place, if companies are smart about them, should include plans for protecting a mobile workforce. Kevin McNamee from Kindsight gave a provocative talk on Android botnets. In it, he mentioned the rising sophistication of spurious Android app stores that will deliver apps packaged with malware. Android device users can find themselves unknowingly installing a “trojanized” popular app that transforms the device into a bot (Build Your Own Android Botnet).
3. Getting Help from a Huge Backer
The reality with malware and the levels of espionage we’ve seen, as in the case of APT1 (see our analysis in a previous blog post), is that there’s money to be made in this game. And in a talk from Christopher Lew at Mandiant, we heard about the reality of state-sponsored attacks, that can take years of preparation and execution, and leverage “massive” financial and technical resources to achieve their goals (Chinese Advanced Persistent Threats: Corporate Cyber Espionage Processes and Organizations). The persistence level seen in recent attacks make them difficult to trace and mitigate. But, according to Lew, the first step is figuring out what the attackers want and how they will go about getting it.
4. Betraying User Trust
Malvertisement attacks that exploit trust between ad networks and content publishers are ramping up and becoming trickier to catch because they get a free pass around domain/IP reputation systems. When an agency like RSA or Bit9 with a secure reputation gets compromised, systems programmed to trust these authorities are wide open to attackers to do things like distribute malware.
We see increasing instances of stolen certificates or fraudulently issued ones that are used to sign malware to evade detection or used by cybercriminals to conduct “man-in-the-middle” attacks directed at users of legitimate online services or to fake the authenticity of malicious sites in phishing attacks. In an effort to mitigate these last threats Twitter is now serving everything to everybody using HTTPS as it was pointed out in the “SSL++: Tales of Transport Layer Security at Twitter” talk. In this talk, the speaker also reviewed several mechanisms for web browsers that mitigate common browser attacks. Such mechanisms include protocol downgrades, HSTS, CSP, canonical links, and clickjacking defenses. He also described Twitter’s decision to release their “secureheaders” gem, which automatically enforces these mechanisms for safer browser content delivery.
5. Graphing the Security Landscape
The rapidly changing landscape means that we will all need to continue efforts toward collaborating and sharing to keep ahead of the criminals. And the Umbrella Security graph is our offering toward that effort. It is a tool others eventually will be able to use to build their own algorithms and domain research. Collaborators can use the security graph for their own investigation, and make use of the interface to tap into Umbrella’s data, scores, and correlation.
WiFi issues and possible malware infections aside :), our presentation at BSidesSF and the demos we were able to give at the post-RSA event at the OpenDNS office gave people a chance to see what’s to come. The security graph will put the power of our Big Data into the hands of smart researchers in need of effective tools.
To say the least, our participation in RSA and BSidesSF reassured us that the launch of Umbrella and our recent work to produce cloud-delivered security tools and Big Data research methods are essential building blocks to equip the security community to fight tomorrow’s threats. Because today, the current strategies are not keeping pace with the criminals.
Building the security tools of tomorrow also means effectively harnessing the Big Data available today. The Umbrella Security graph presentation at BSidesSF wowed those in attendance, and for good reason. Dan Hubbard and Frank Denis illustrated what can happen when it’s possible to harness the power of Big Data and use it to gather predictive intelligence about malicious sites, botnets, and malware hosts.
As the week comes to an end and we reflect on everything we witnessed and learned from our peers, we remain emboldened that our approach is spot on.