How cyber attacks are mimicking legitimate tasks, and how to deal with them

As the Internet of Things (IoT) becomes a mainstream reality, a whole new set of opportunities will open for cyber attackers

The days of hackers being tech enthusiasts with a bit of anarchy in their hearts, just out to make a point, are long gone. Today, cyber attacks are unleashed by highly organised outfits constantly probing their targets for weaknesses.

When they succeed, they wreak havoc among organisations and individuals alike. And experts such as Steven Grobman, Intel fellow and chief technology officer at Intel Security Group, a unit of chip maker Intel Corp, agree that 100 percent prevention isn’t possible anymore. As a result, the response needs to include a sophisticated system of “detection and remediation” — one which can spot bad intentions even when the attacks cleverly mimic legitimate processes.

“The threats themselves have changed a lot in the last year from bad files or malware to complex attack scenarios that look very similar to normal operations within businesses, so part of the challenge is to detect the context of the action,” Grobman said. Whether a legitimate owner of a file is using encryption to protect it, or a “bad actor” using the same technology to hold the file hostage for ransom, “from a detection point of view both look very similar”.

“We’ve seen an evolution of cyber crime. If you go back 10 years, most of the cyber problems — we didn’t even call it that 10 years ago — were hobbyists, maybe some small-time criminals involved in building viruses and worms, maybe stealing some credentials for online using credit card data and so on,” Grobman said.

In the last five years, that moved to data breaches, which further evolved from stealing credit card information to looking for very personal details about individuals. Today, the shift has become even more scary as the attackers are going after physical installations such as energy grids.

“That’s being enabled a lot by connected devices, because one of the things that connected devices do is they allow technology to be closer to a physical environment — much more embedded in a physical environment. Earlier, you did what you did on your PC and you got out of it. Now people are always computing,” he said.

Grobman credited one of his colleagues at Intel with the following observation: Earlier, “we used to think about computing, and today, we compute without thinking.”

As a result, organisations and individuals have left themselves more vulnerable, and that is reflected in the “epidemic” proportions of “ransomware” attacks, Christopher Young, senior vice president and general manager of Intel Security Group, said. Technologies built for various legitimate purposes are being used for ransomware attacks, he said.

For example, crypto currency, built to remove barriers and reduce friction in financial transactions, also provide a great avenue for anonymous payments, which therefore aids perpetrators of ransomware.

Threats due to IoT

Soon, as the Internet of Things (IoT) becomes a mainstream reality, with every possible device that one can imagine connected to one or the other network, a whole new set of opportunities will open for cyber attackers.

“Many devices were never intended to be part of a network. For example, a controller in a machine in a factory, which as long as it is never connected to a network, doesn’t pose any threat, even though there may be vulnerability in its software,” Grobman said. “Now the company is working for greater automation, and hooks up the controller to a network, then the latent vulnerability becomes a real risk, as it can be exploited remotely.”

Grobman offered another example of a device built on such “flawed assumptions”, which causes vulnerabilities: A group of security researchers worked on an insulin pump, which had the capability of a wireless connection. The assumption was that the range for the pump’s radio was so small that it would be impractical to exploit, as one would have to be really close to it. Instead, the researchers just built a really strong antenna, so that they could hack into the pump even from a distance of 20 or 30 feet.

Today, it’s probably far easier to hack into a person’s car, than his implanted medical device, if one has an intention to cause harm, he said.

“It’s been such a big mental transition for people and industries that it is impossible to protect 100 percent,” Grobman said. Therefore investment is rising in detection and remediation. “You need human-machine teaming, because neither element on its own is going to be effective.”

Humans on their own can’t process the mountain of data out there, can’t see the patterns or the signals that might be pointing to a massive event, but there are algorithms that can. One needs a combination of technologies, multiple layers of filters and detection, data from multiple sources that can be sifted through and so on. “There’s no silver bullet.”

Android smartphones

The practical reality is, a lot of security architecture is driven by incentives and a lot of devices that are being connected now have very low profit margins for the manufacturers. Therefore, the incentive to not only build strong security into these devices, such as smartphones, but also maintain the devices for an extended period of time very often doesn't exist, Grobman said.

“In the Android phone ecosystem, part of the challenge is, when there is a vulnerability discovered in Android, Google can make a security fix very quickly, but Google doesn’t have the ability to deploy that fix to all the Android phones around the world.”

What usually happens is, phone makers prioritise and update mostly their newest devices with the security fix, leaving many phones that are still active on public networks, and which have vulnerabilities. “If you extend that model to the much broader IoT that is coming… if you look at the future, with self driving cars, a breach could lead to massive injuries and loss of life.”

User-driven design

The best products that people use today got there by being easy and elegant to use. This user-driven design is becoming increasingly important in IT. Cloud computing, which masks all the underlying complexity of large IT systems and simply provides people the ability to get a username and password and then get an instant IT backend, for a startup and large business alike, is a good example.

“The future of cyber security also lies in user-driven design,” Young said. “Building security from the user’s perspective will really be the way the industry will move to.”

Last year, Intel released an authentication device called True Key, which can use multiple ways of authenticating a user — using the selfie camera, for instance — or a thumb print and so on. The idea is to combine ease of use with strong security.

Another area Intel is investing in is “behavioural detection,” Grobman said. Traditional security was based on using knowledge from the past to protect current systems — using vast databases of all of the malware that people have ever encountered.

“Now the attacks have become highly polymorphic,” meaning they can change very rapidly and look different on each system that they are targeting. Therefore, one must ask questions like what is an application or a piece of code doing, and is it doing something that implies a high probability of a cyber attack.

One of the big differences between India and the Western markets is that “there are a lot more mobile devices in play here and a lot less legacy infrastructure,” Young said. “In some ways, that shift towards smartphones as core to everything that people do in their lives is at the heart of investment decisions on security technologies.”