From Russia to WannaCry, Bad Actors are Hard to Nab

David Strom is editor of the email newsletter Inside Security. He also consults with vendors on emerging technologies, products, strategies, and trends. Strom, formerly the editor-in-chief of Network Computing, has authored two books on the topic.

OPAQ: What are hackers looking for lately when it comes to attacks on business and is there a focus on particular verticals?

DS: Yes, any vertical where there is money. It’s all about whaling attacks and CEO phishing attacks. Any business that is successful is a target, which is scary. Malware is getting a lot sneakier, too. There are all sorts of ways to hide the attacks by using registry exploits, PowerShell and other things that make use of the internals of the Windows infrastructure to elude detection. But even when malware authors aren’t using these techniques, their attacks are still sitting on the corporate network for months. Too many people still have their heads in the sand. You may be a $1 million or $2 million corporation and think that your business is too small to target. But everyone is a target now. You really need to have the best defenses possible.

OPAQ: We’ve all heard enough about Russia and the elections, yet not quite enough about why these attacks happened and what government or political organizations can do to ensure they never happen again.

DS: Russia began with Estonia, then moved on to the country of Georgia, and later hit German destinations and, of course, the United States. Even Estonia is pretty sophisticated when it comes to digital policies and protections. The problem is that people are not doing a great job of examining what data is leaving their networks. It used to be that everyone was focused on what was coming into their networks, but the real issue is what is leaving. I can grab a database and move it offsite very quickly into a Dropbox account and no one’s the wiser. People aren’t scrutinizing the right side of the equation. You need some kind of intrusion detection system that works in both directions, looks at what is entering and leaving networks, and can distinguish between ordinary and abnormal activity.

OPAQ: In recent news related to the WannaCry ransomware outbreak, Marcus Hutchins was arrested and charged with creating and distributing the Kronos banking malware. We rarely hear about the bad actors being discovered and arrested. Any thoughts on why so?

DS: First, on Marcus, it’s not even clear that he is a bad guy. It’s not like an accident on the freeway where you get hit and someone sees the accident in plain sight. A lot of this stuff is not readily observable. We need tremendous cooperation between private and government researchers to track these people down. Organizations can put lures called honeypots on their networks to bring in the bad actors. Yet that might not even be legal in some cases. A private business may not have the right to prosecute because the digital fingerprint isn’t always clear. Or if the individual is from another country, they might not be able to do anything about it. Attribution is very difficult: it’s a hall of mirrors. I could try to break into GM and when they come after me, I could say, no, they are hacking me! The legal system is way behind on these matters. Even with a lot of technical knowledge, I think it’s going to be really hard to prosecute Mr. Hutchins.

OPAQ: Which new advancements in enterprise security technology are interesting to you and why?

DS: New password and authentication technologies are very exciting. Passwords are still the biggest weakness in companies. We can make this much more automated with the latest single sign-on and password management products. We also need better defense mechanisms, especially on phones and tablets. A lot of people use their phones on enterprise networks. But let’s say my kid downloads an app on my phone that’s infected with malware. The next day I go to work and log in to the network from my phone. Very quickly that malware can sniff out passwords across the network. Google has done a terrible job of handling malicious apps in the Play Store, but it just came out with Google Play Protect, which automatically screens devices in the background for malware. The third area is ransomware-as-a-service. This will get stronger because that’s where the money is. I can have no skill whatsoever and put together a ransomware campaign with a few mouse clicks and make a lot of money. Corporations have to do a better job of making regular data backups and inspecting their network traffic to combat ransomware attacks.

OPAQ: Any thoughts on the security-as-a-service market and how it will grow in the coming years?

DS: Putting security in the cloud is definitely the wave of the future. We will see many more MSPs doing consolidation in this area to broaden their offerings. Smaller companies want to avail themselves of these services because they can’t afford to have that expertise on staff, yet they’re still going to get attacked. We are seeing threat-sharing databases get more popular. Cloud vendors can still have a proprietary take on security but don’t need to create their own databases. These two parties will have symbiotic relationships. Over time, cloud security services will be more attractive to larger companies. They are moving more of their data into the cloud, so it makes sense to put security there too.