"The bar's gone down," said panelist Philip Martin (Director of Security at CoinBase). "You can Google your way to being an advanced attacker, or almost." What's interesting is the attacker's goal.
The SINET ITSEF panel on the evolution of the targeted attack was chaired by Mike Murray (Vice President of Security Research at Lookout). In addition to Philip Martin, the panelists included Anup Ghosh (Founder and Chief Executive Officer of Invincea, recently acquired by Sophoos) and Ariel Silverstone (Vice President for Security Strategy, Privacy, and Trust with GoDaddy LLC).
Ghosh said that some of the interest in, and talk about, advanced attackers derives from obvious motives. Everyone says they were breached by an advanced attacker. "No one's ever pwned by dumb guys."
Automation, in Silverstone's view, is the most significant feature of advanced attacks. "Just as good guys can use machine learning, so can bad guys--what's possible today from automation is significant."
Trends in advanced attacks: short-term payoff and long-term political goals
We lump advanced attackers into one bucket, according to Murray. That's a mistake, in his view, and he asked the panel what, in fact, they saw advanced attackers doing.
Martin, speaking from the perspective of the digital currency world, said, "You can't trace or call back stolen funds. We worry about protecting company and customer funds." Nation states are becoming increasingly interested in getting into CoinBase to mine data and develop correlations. "We try to point our users toward usable, everyday security as a default." They've also implemented two-person control over important transactions.
One development Ghosh sees is that attackers can now rapidly monetize what they exfiltrate. "In the old days, you weren't really affected until people found out. Now, short-term monetization can't be ignored." All of this has now moved onto the global political stage. Individual people, not just systems, are being hacked.
One worrisome trend Silverstone called out, and one that he hoped could be stopped, is a shift in the nature of the Internet itself. We hear about advanced attacks when they're successful. But there are perhaps fifty billion security incidents a day. All of these aren't stopped. "If we don't fix the Internet, the Internet will become bifurcated: it will be clean for those who can afford it, and dirty for everyone else. He's thinking in particular about the mom-and-pop businesses who are GoDaddy customers (and about whom GoDaddy cares). If Mom and Pop are successfully attacked, then Mom and Pop are out of business. A company's value today lies in its data. But when people are hacked, their life on the Internet is at risk.
States and criminals
Returning to earlier points about state involvement in advanced attacks, Ghosh described the Ukrainian power grid hack. The attackers needed people who had some skills in utility engineering. Similarly, with Stuxnet, the people who organized that attack needed some background in centrifuge control. Thus there's additional domain knowledge now being brought into the attack planning. And with such state-directed attacks, he added, there's an ideological component that goes beyond monetization.
Martin disagreed that the principal distinction between state and non-state actors was ideology. Instead, he thought, the difference lay in focus. States are focused and persistent, much less opportunistic than criminals.
What about protection for individuals?
Since advanced attackers now go after users, not enterprises, what are the prospects for protecting individuals?
Silverstone warned that the threshold of what you need to know in order to attack someone has dropped, and frighteningly. "So," Murray asked, 'how do we keep up and protect individuals?" In Ghosh's view, "It's not one size that fits all. What you have, and who comes after it, should drive your strategy. Most of us are targets of opportunity, swept up in the long net." Noting the ready availability of tools that find and correlate your data from social media accounts, Silverstone warned, "Trust me—every address on the Internet gets attacked at least once a day."
These observations prompted a discussion of phishing expeditions, and their surprising success. "If I know enough about you," Silverstone said, "you will trust me. We have to keep it from reaching that point." He praised the US Department of Defense for its creation and use of root-of-trust: "All citizens of the world need this." He also saw the emergence of cryptocurrency as an important and positive development, with the possibility it brings of defeating fraud, and thus enabling positive transactions like micro-loans.
Where will we be in ten years?
The near future will bring sale of stolen data, in an active market, according to Silverstone. Martin believed this was happening now, and that the next phase will be targeted attacks that exploit the Internet-of-things (IoT). Ghosh pointed out that IoT devices are small appliances—when they're compromised, they'll be subjected to ransomware. How, Murray asked, could that be stopped? The panel agreed that resilience and not surrender was in order.
Silverstone asserted that it's Impossible to build adequate security into IoT endpoints—security must be built around those endpoints.
Murray took the last word. As you raise the value at stake, you'll raise the bar of security, but advanced attackers will rise to that bar with targeted attacks.