Current threats and the evolution of cybercrime

Dr. Eric Cole is a security expert with over 20 years of hands-on experience. He is actively involved with SANS working with students, teaching, and maintaining and developing course-ware. He is a SANS faculty fellow and course author. In this interview he discusses current threats, the evolution of security products, phishing attacks, the future of cybercrime, as well as his SANS “Security Essentials” training course he’s hosting at SANS London in late November 2010.

As we move forward and the industry takes care of some threats, new ones emerge on the radar almost instantly. Will we ever be able to get ahead in this race?
Absolutely, if we focus in on the right areas. At the end of the day we have to remember that security is all about risk management. If risk management was a losing battle, every insurance company would have gone out of business. Insurance companies have shown that if we focus correctly on risk, it can be properly managed and mitigated.

The important thing to remember is that you cannot secure something you do not know about. Insurance companies focus heavily on due diligence prior to writing a policy. Organizations lack in doing due diligence and thus the major reason of why it seems attackers have the upper hand. They think if they spend money it equals security, which is not true.

Organizations need to understand their environment and make sure they are fixing the right things not just good things.

As new threats emerge it is important to make sure we focus on the root cause problem, not just fixing the symptoms. Fixing the symptoms will give short term relief but spending time to understand the core problems and fix those, allows an organization to achieve scalable security.

Many organizations think that spending money on security will fix the problem and therefore many companies who have large security budgets still get broken into because they implement products and not solutions that properly reduce risk to the organization.

With a continuous evolution of a fast paced threat landscape, can we expect there to be a stronger artificial intelligence (AI) component in future computer security products?
The threat landscape is changing as shown below:

  • (Past) Visible -> Stealthy (Today)
  • (Past) Disruptive -> Data driven (Today)
  • (Past) Low hanging fruit -> Targeted (Today)
  • (Past) Static -> Dynamic (Today)
  • (Past) Ad hoc -> Persistent (Today)
  • (Past) Basic -> Advanced (Today)

Since the threats are changing, an organizations approach to security must also change. Therefore new technology must be developed to keep up with the evolving threat.

AI (artificial intelligence) could help by creating more adaptive fuzzy learning technologies or help us better understand complex problems and their relationship through neural networks, however AI is not necessary going to instantly fix everything. As with any system, it is only as good as the data provided to it and how it is configured and maintained. To properly protect an organization we need proactive, adaptive and predictive security and AI is one possible option to obtaining this.

A significant number of people are divulging a wealth of personal information on social networking sites which makes spear phishing attacks a high risk threat. This trend is bound to continue, so what type of phishing attacks can we expect in the future?
Attackers will always go after the easiest point of exploitation and the path of least resistance. Until people stop failing victim to current social engineering focused attacks, attackers will continue to exploit them. Attackers do not need to adapt if their methods are working. Humans have and will always be the weakest link in any organization.

Unfortunately, we will continue to see these attacks continue because while they seem very simple, they are extremely effective and difficult to prevent against. The only way to stop them is to convince people to not trust anyone and have no friends. Therefore common vectors like web and email will continue to be the focus of attacks.

During the few years, botnets have become one of the most significant threats. How do you expect cybercriminals to use them in the future?
One of the key trends for awhile was trying to break into as many systems as possible. In order to perform large scale exploitation, automation was key and botnets provided large scale automated attack drones for the enemy to use to break into systems. While we will still see some use of botnets for information gathering and large scale exploitation, as attackers change their focus and start performing very focused attacks on data exploitation, large scale botnets will not have as much value.

If an attacker is only trying to break into 30 organizations, steal data and not get caught, large scale botnets have minimal value. Therefore you will see botnets become smaller armies focused on stealthy exploitation of specific sites. As this trend continues and attackers focus on more strategic targets the use of botnets will decrease because they are noisy and set of big signatures which contradicts being stealthy on a network.

What does your SANS training course look like? What skills can attendees expect to acquire?
SEC401 – Security Essentials is an intense, very information rich course teaching students how to effectively implement security that works. The material covers all of the core areas of security, shows them how the pieces interact, and is based on actual experience working with organizations. What the students learn is not text book information but methods and techniques that actually work and are being used in organizations around the world to effective stop attackers. Overall students will learn skills that they can apply directly when they go back to work.

SANS London 2010 is Europe’s largest training event offering 14 courses covering software and audit, management and compliance as well as new additions around security within virtualized environments, network forensics and ethical hacking.

The sessions, course materials and deep interaction with peers, instructors and subject matter experts extend past the classroom. We help to build practical skills allowing you to meet the goals of your organizations, but also to enhance your individual value in what is still a highly competitive market.