Smart devices, social media and increased online activity through app stores and other transaction-based websites are coming together in what one researcher says is a scary combination of factors that have dire implications for national security.
Roger Thompson, recently hired by ICSA Labs, an independent division of Verizon, as the company's first chief emerging threats researcher, says it's time for traditional security measures to move forward in a new direction. Malware has exploded to levels that antivirus software can no longer keep pace with, he said. The tactics criminals use to exploit machines is becoming ever more targeted, with social networks and smartphones to aid them in their background research on victims.
How should the industry respond? Thompson spoke with CSO about thoughts for 2012 and further when it comes to malware, and what needs to change in the fight against it.
You've mentioned that think malware lives in "ages." What is the current age of malware today, as you see it?
This most recent age is the web-attack age. It started in 2005 when things started shifting over to the web-based attacks, exploits and drive-by downloads. That's still going on and we are in an age where there's a lot of money to be made and everyone understands that. Criminals are well organized and opportunistic, and they are mostly attacking us via the web. If it were a baseball game, I would say we are in about the fourth inning. This is going to continue for some time.
But I think we are poised to enter a new age, an age of cyber war. I'm fairly confident. For example, look at the Stuxnet worm. No one knows who really did it and no one knows who the target really was, although we can all speculate. But what we may be confident of after discovering Stuxnet is that any country not thinking along the lines of cyber war before, now is.
The United States has plenty of friends in the world, but it also has plenty of people who don't like it terribly much. If they could do something, like shut off our power, they would.
I feel the new age is one where it's been proven software can damage hardware now, with Stuxnet. And, more importantly, that software can damage infrastructure -- that's the part that alarms me.
And I don't believe this stuff is going to be stopped by antivirus software alone. More things need to be done at the IFC level, or possibly at the testing level. Overall, security has to step up.
What form do you think a newer generation of malware might take?
Cross-platform infecting, but Windows based. In terms of Stuxnet, it carried within it malware to infect the Siemens industrial software and equipment. I expect we will see more of that. And I expect it will be exploit-driven. Someone will open a Flash file or a Word document and the file will drop on the system.
The malware itself won't change, we'll just see more of what we have now because the underlying platforms are still the same. They are just going to be using new vulnerabilities, blasting their way in and doing the damage they're designing it to do.
If you predict malware will be increasingly designed to sabotage companies or government infrastructure, who do you think the target might be? A person with a position of authority, or privileged access, within an organization?
Exactly. And if you want to launch a directed attack against some organization, you need a lot of information about them. You can't just throw a virus in an email and hope it works. You actually have to craft a special email that looks like it came from a person two floors down, talking about stuff that you should be possibly talking about and attaching a document or something you could be expecting to get from them and that someone might reasonably open. That's how it works. They call it advanced persistent threats; that's the buzz word. But really what it is is spearphishing.
If you want to spearphish someone, you have to know them. You have to understand them and know what they are interested in. One thing that alarms me is there are 800 million users on Facebook and most of them can't even spell security, let alone care about it. Facebook does their best and takes security seriously, but they've got a million people developing apps for them and I'm fairly confident that not all the million have security interests in mind.
And there are so many people building apps for smartphones. Very often, there is no clear way they are getting a dollar out of it. That's always alarming to me. To build a good app, it takes six months. So if someone is putting some time and effort in to it, you have to question: how they are getting their pay back? If there is a trial version that you eventually upgrade to a pay version, that's OK. Or if it's a brand building app, like the Weather Channel, obviously there is a pay-off there.
But if there is no obvious pay off, we should be concerned. We don't know whether it's adware or information gathering, but people are creating these apps for a reason.
I'm watching all these things come together and the ingredients are there for a very, very dangerous time. We have a proven situation where some countries are clearly engaging in cyber war, or at least cyber espionage. We've proven software can damage hardware and infrastructure. If you want to target all these people in an organization, you need information about them. And the opportunity, between smartphones and Facebook, to leak a lot of information is there.
What changes or new measures are you advocating going forward in a new age of malware?
One thing that bothers me is the world currently expects their antivirus software to protect them. Every bit of AV in the world is basically a signature scanner. Which means it's great at detecting a virus that it knows about, but it can't see it if it's new.
It's been this way since the early '90s. The world decided signature scanning was the best thing to do back then. But now, the bad guys realize all they have to do bring out something new and it won't get detected.
Every AV line in the world gets about 3000 sample submissions every day. Of those, 25 to 30 thousand are new and unique.
Bad guys know when they release a new downloader to install their pay load that within a week it will be discovered and within a few days after that every AV lab will add it. But they don't care, because they have a ten-day window where they aren't going to be discovered by everybody and they will swap out the downloader every day. So they are just laughing.
Every AV product does have a behavior layer now, but they don't work it very much. One of the things I hope to do is encourage vendors to pay more attention to their behavior lab and developers. If the bad guys are facing a disparate number of products, each with a different behavior layer, that alone with make the infrastructure much less penetrable.
So you're saying AV, as it now operates, is becoming obsolete?
Yes, in my not-so-humble opinion, yes it is. But that can change. There are 25 AV programs in the world. If antivirus software were using behavior detectors rather than signature scanners, it would make a huge impact.