By Matt Lidestri
Could a curious toddler be the model for today’s cybercriminals? A colleague recently suggested this idea, and it made me wonder.
Consider the typical two-year-old toddler. To him, almost any object begs to be touched, shaken, or tossed across the room. While childproofing can help, it often doesn’t matter how carefully the adults have prepared and locked away their breakable objects – to a toddler, everything is fair game. Similarly, cybercriminals seek opportunities for theft and invent ways to sneak past anything that stands in their way.
The curious toddler analogy may better describe the early, more innocent days of cybercrime. Ten years ago, the Code Red, SQL Slammer and “I Love You” viruses overloaded servers, defaced web sites, and created headaches for the IT community at large. While these attacks were clever and had a significant impact, they generated more noise than outright theft.
Today’s cyber-criminals possess the persistence but not the innocence of the curious toddler. Criminals probe for vulnerabilities in operating systems, web browsers, and other third-party applications in order to make money. Cyber-criminals can leverage these vulnerabilities to deploy advanced malware packages, such as Zeus or TDSS. With annual cybercrime losses estimated as high as $20.7 billion in the U.S. and $110 billion globally, it’s little wonder that our not-so-innocent toddlers are so persistent.
Criminals have also complicated the situation by developing methods to evade detection from security countermeasures. A prime example is the Black Hole exploit kit – one of the most prevalent and successful tools available to cyber-criminals today.
Black Hole’s approach is relatively simple – convince users to click on a malicious link embedded in an email or a compromised web page from a known and trusted website. The initial URL will often redirect the user’s browser to several compromised servers until it reaches a malicious Black Hole server. There the exploit kit detects the browser and plugin versions, and exploits known vulnerabilities. Next thing you know, the victim’s PC is sniffing sensitive information or joining a botnet.
Black Hole’s streamlined infection technique is complemented by measures to reduce detection. Black Hole uses random, short-term URLs to stay ahead of web filters, which need to categorize a URL before they can block it. Black Hole’s malware packages are scrambled on-the-fly to reduce the effectiveness of anti-malware programs and intrusion prevention systems. The latest version of Black Hole (2.0) claims to support exploits for the latest vulnerabilities and incorporates additional logic to serve only attacks that are likely to succeed. Also, the “redirect URLs” are more varied and randomized than in previous versions.
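The evasion described above cuts both ways for a defender: a chain of several quick redirects that lands on a host the web filter has never categorized is itself a usable signal, even when the final URL is brand new. The script below is an added example written for this post, not code from the author or from COCC; it runs over a handful of constructed proxy log lines and a constructed allowlist of already-categorized hosts, and groups each client’s consecutive 3xx responses into chains. A chain is flagged when it has at least `MIN_HOPS` redirects and ends on an uncategorized host; a simple digit-ratio and entropy heuristic (`looks_random`, thresholds are assumptions) adds a note about whether that final hostname looks machine-generated.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic).
# Fields: timestamp, client IP, HTTP status returned, requested URL.
SAMPLE_LOG = """\
2012-10-01T09:15:01 10.0.0.7 302 http://news.example-paper.com/story?id=77
2012-10-01T09:15:01 10.0.0.7 302 http://ads.example-cdn.net/r/ad0113
2012-10-01T09:15:02 10.0.0.7 302 http://x7q2kd9.example-host.org/go
2012-10-01T09:15:02 10.0.0.7 200 http://a1b2c3d4e5f6.example.info/main.php?page=9f2
2012-10-01T09:20:10 10.0.0.9 301 http://www.example-bank.com/
2012-10-01T09:20:10 10.0.0.9 200 https://www.example-bank.com/login
"""

# Hosts the web filter has already categorized (constructed allowlist).
CATEGORIZED_HOSTS = {
    "news.example-paper.com",
    "ads.example-cdn.net",
    "www.example-bank.com",
}

MIN_HOPS = 3                      # redirects before the final page (assumed threshold)
MAX_GAP = timedelta(seconds=5)    # hops of one chain arrive within this gap (assumed)


def parse_line(line):
    """Split one log line into (time, client, status, host)."""
    ts, client, status, url = line.split(maxsplit=3)
    return (datetime.fromisoformat(ts), client, int(status), urlparse(url).hostname)


def label_entropy(label):
    """Shannon entropy, in bits, of the characters in one DNS label."""
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def looks_random(host):
    """Heuristic: leftmost label is digit-heavy or high-entropy (thresholds assumed)."""
    label = host.split(".")[0]
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return digit_ratio >= 0.25 or label_entropy(label) >= 3.0


def redirect_chains(lines):
    """Group each client's requests into chains of consecutive 3xx hops."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_client[rec[1]].append(rec)
    chains = []
    for recs in by_client.values():
        recs.sort(key=lambda r: r[0])   # stable: keeps log order within one second
        chain = []
        for rec in recs:
            prev_is_redirect = bool(chain) and 300 <= chain[-1][2] < 400
            if prev_is_redirect and rec[0] - chain[-1][0] <= MAX_GAP:
                chain.append(rec)
            else:
                if chain:
                    chains.append(chain)
                chain = [rec]
        if chain:
            chains.append(chain)
    return chains


def flag_chains(lines):
    """Return (client, hops, final_host, random_looking) for every chain that
    ends on an uncategorized host after MIN_HOPS or more redirects."""
    flagged = []
    for chain in redirect_chains(lines):
        hops = sum(1 for r in chain if 300 <= r[2] < 400)
        final_host = chain[-1][3]
        if hops >= MIN_HOPS and final_host not in CATEGORIZED_HOSTS:
            flagged.append((chain[0][1], hops, final_host, looks_random(final_host)))
    return flagged


if __name__ == "__main__":
    for client, hops, host, random_looking in flag_chains(SAMPLE_LOG.splitlines()):
        print(f"{client}: {hops} redirects -> {host} (random-looking: {random_looking})")
```

In the constructed data only the first client trips the rule: three redirects inside two seconds, ending on a digit-heavy host that nothing has categorized. The bank client’s single 301 to its own login page does not. The allowlist check carries most of the weight here, exactly because the filter’s weakness is the time it takes to categorize a new URL; the entropy heuristic is only a tie-breaker and will produce false positives on legitimate CDN hostnames, so treat a hit as something to review rather than block outright.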
Good as our defenses may be, our relentless cyber-criminal adversaries try to stay one step ahead by continually developing better tools and methodologies. In a world where even layered defenses are challenged by the growing sophistication of cyber-criminal tools and tactics, how can we better protect our organizations in a cost-effective manner?
Here, the persistent toddler analogy works well. With so many penetration attempts starting with a social engineering pitch, it makes sense for staff to view any email with an unusual link or attachment as a potential phish, and any physical visitor as someone capable of leaving an infected USB drive for an unsuspecting user to find. These attacks may be simple, but they’re also effective.
Security awareness training is an important first line of defense against these attacks. While some argue that the ‘human factor’ is the hardest to control, I would counter that this increases the training’s value. Security systems can’t protect us against everything, unfortunately.
Of course, training is just one of many layers that help us protect our organizations. In light of today’s persistent attacks, it makes sense to periodically review and question the effectiveness of our defenses. Viewing security as a process rather than a checklist helps everyone focus on optimization wherever and whenever we can. Low-cost approaches for protecting your institution include modifying firewall rules and/or deploying new web filtering technology to help deal with some of these drive-by style download attacks. The idea is to continually wring more value and protection out of our current security infrastructures.
Like any parent “childproofing” a home, we need to do the best we can to prepare and protect our systems and data from relentless and ever-advancing attacks.
Matt Lidestri manages Internet Services and Security at Avon, Conn.-based COCC, Inc., a 43-year-old firm specializing in outsourced information technology and support.