The impact of highly targeted attacks on modern organizations
In this podcast recorded at RSA Conference 2017, Lance Cottrell, Chief Scientist at Ntrepid, talks about the growing trend of targeted attacks, as well as the strategies organizations need to consider as the breakdown of the traditional security perimeter continues.
Here’s a transcript of the podcast for your convenience.
So, Lance, just to start out, can you just give us a little bit of your background and talk about what your path was to Ntrepid?
Sure. I’ve been in the security and privacy space for over 20 years. I started off as a hobby actually, writing security software while I was doing my PhD in astrophysics, and ended up dropping out of that to found Anonymizer.com, which pivoted after 9/11 from being specifically a consumer security and privacy product to building enterprise-class solutions for government and business. And then I sold Anonymizer to Ntrepid in 2008, and now I’m chief scientist there.
Let’s get right down to it. I want to talk about the growing trend of targeted attacks, something that I know your product Passages, your secure virtual browser, protects against. Can you give us a little more insight into this type of tactic and attack?
We’re seeing a real big move by attackers towards highly targeted attacks, and they do this for a couple of reasons. With a targeted attack, you choose to only attack certain individuals – if you compromise a website, only the chosen targets will ever see the malware. No one else will. The advantage of that for the attacker is it avoids detection. All of your usual methodology for seeing attacks, for knowing that the website’s been compromised, doesn’t work. You also, as the attacker, with a targeted attack, can sculpt it and customize it for your targets, so it improves the likelihood of the attack succeeding – whether it’s a phishing attack and you’re more likely to click on a link, but also you understand the technology, so it’s more likely that the exploit you’ll be using will be effective. And it’s more damaging because they’ve thought through how they’re going to use their exploit once they get in. They know what they want, and they know what they’re going to do with it. And that makes it the worst kind of attack to experience.
Who’s at risk and what are the potential consequences?
Really, everyone’s at risk. It used to be that attackers only went after certain kinds of businesses, only people with credit cards, and that’s really fundamentally changed. The attackers are going after any kind of business, any kind of organization, and there’s a lot of different motivations. So there’s the ones that are going after political targets, there’s the ones that want to collect personal information, and then of course there’s this huge rise in extortion-based attacks where, whether it’s ransomware or threatened Denial of Service attacks, they’re looking to get you to pay them directly. And there’s so many different mythologies and reasons why they’re going to do this that no one can consider themselves safe or immune or an irrelevant target. Literally everyone’s a target.
What strategies do organizations need to consider as the breakdown of the traditional security perimeter continues?
They really need to be looking at keeping up with where the vulnerabilities are. It used to be we tried to defend some sort of an edge to the network, but that’s completely dissolved with BYOD and mobile workforces and people working from home. Companies need to be looking at where the real attack surfaces are, and when we’re talking about desktop computers, the attack surfaces of the applications, especially the browsers – that’s where over 90% of the undetected malware’s coming in. They need to focus on making sure that that is not a soft spot in their systems and actually wrap the perimeter around that browser itself.
How can businesses deal with the problem of employees putting their organization at continued risk by clicking on phishing links and making other silly mistakes?
Yeah, it really, it has to be a technological solution, and we need to be deploying what I like to call user-resistant security. People will try to train their users, and training can be a good thing, but there’s just no way you’re going to train your way out of this problem. There are always going to be people who will click on the wrong thing, and frankly, with the sophistication of many of these targeted attacks, it’s not even a foolish mistake to click on these things – I firmly believe that absolutely everyone will fall for a sufficiently well-crafted, targeted phishing attack.
You’ve been involved with the Internet and privacy longer than most. How did the industry change over the years and what’s still missing in the market and where do you think we’re headed?
The sophistication of the attackers has really changed substantially over the last years. Back in the early days, most hackers were there to sort of claim credit, to deface websites, to get into somewhere where they weren’t supposed to be. And in recent years, it’s become much more professionalized. We’re looking at organized crime, we’re looking at nation-state actors, we’re looking at hacktivists, terrorist organizations, and these are well-resourced, well-funded, very skilled attackers with specific objectives in mind. And that makes them especially dangerous.
In fact the industry’s been sort of slow to keep up with these threats and they’re trying to keep existing historic solutions limping along hoping that the anti-malware will be able to do the job for another year, and the reality is these solutions are just falling over; they’re not able to successfully provide the protection that people need. And we’re beginning to now see a next wave of security solutions where people are taking fundamentally different approaches to how to provide this security. And I think that’s going to start making a difference – it’s actually a very exciting time in security right now.
Now that we’re talking about sophisticated attacks and attackers, I know that Ntrepid has been particularly vocal about the OPM breach. So, what are your biggest concerns about this breach? What are the risks here, what should we learn, and what should we be doing about it?
The OPM breach really hit close to home for us. Most of the people at Ntrepid have experience working with the government, have clearances, and so all of our personal information was exposed in that breach. And it’s an example of that vulnerability being at the edge. This data that came out of the OPM breach had all of this personal information, extremely detailed information about all of these cleared or formerly cleared personnel. These are people with access to exactly what many attackers want – by leveraging that information it would allow an attacker to create extremely sophisticated targeted attacks, extremely sophisticated phishing emails, and know who is going to be able to give them access to what kind of information – what are the stepping stones they need to take to get into these government organizations to get access to this very sensitive information. These are extremely valuable targets.
The solution that came out after OPM was to offer them all identity theft protection or identity theft monitoring, and that’s not really what they’re at risk of. Nation states are very unlikely to take out credit card numbers in these people’s names – they’re going to be leveraging them to try to do espionage against the United States government, and I think it’s imperative that we reach out and try to provide effective security tools to protect these people. In fact, we’re offering our tools for free to the OPM victims to help keep them from being exploited as a stepping stone to putting the government at risk.
Well, clearly you have a critical mission as a company, and I’d love to know, you know, if you can give us a glimpse into what’s ahead for Ntrepid for 2017.
Yeah, right now we’ve been mostly focusing on providing the secure browser Passages to large enterprises. Over the course of 2017 we’re going to be rolling that out to small and medium businesses, and looking in the next 12 months or so to be supporting consumers as well. ’Cause we think it’s important to get this kind of security and capability into everyone’s hands.