Persistence: Trait Giving Infosec Leaders a Headache
McAfee's Dmitri Alperovitch on 2011's Digital Threats
Among the growing threats facing many organizations in the new year is the advanced persistent threat, continual patterns of digital assaults aimed at government and business IT systems to steal intelligence and trade secrets, often backed by foreign governments or their supporters.
"The major difference between advanced persistent threat attacks and cyber criminal attacks is that APTs are persistent," Dmitri Alperovitch, threat research vice president at McAfee Labs, says in an interview with Information Security Media Group. Cyber criminals typically will move on to a target that is much less secure but those behind advanced persistent threats will spend months if not years trying to penetrate an IT system until they succeed, Alperovitch says.
In the interview, Alperovitch discusses the IT security threats McAfee Labs identified for 2011. Besides advanced persistent threats, they include:
- Exploiting social media. Social media is replacing e-mail as the primary distributor of malware as well as the primary vehicle for identity theft. McAfee Labs also sees increased abuse of short URL and location services.
- Mobile. The increased adoption of mobile devices, and the insistence by employees on being allowed to use them in the workplace, will bring increased threats not only to individuals but to their employers as well.
- Apple. Historically, Apple's operating systems haven't been targeted for abuse, but the popularity of iPads and iPhones in business and the easy portability of malicious code could place many users and businesses at risk next year and beyond.
- Applications. Whether at home or the workplace, applications on devices such as iPhones and Androids are becoming increasingly popular and will increasingly become targets. With historically weak coding and security practices, cybercriminals will try to manipulate a variety of physical devices through compromised or controlled apps, raising the effectiveness of botnets to a new level.
- Sophistication mimics legitimacy. In 2010 we saw an increase in the sophistication of some threats, such as signed malware that mirrors legitimate files. As this trend intensifies in 2011, look out for an increase in stolen signing keys and in techniques and tools to forge fake keys.
- Botnet survival. In the coming year, McAfee Labs expects a greater focus on botnets that remove data from targeted systems rather than sending spam. Botnets will engage in advanced data gathering and exploit social networks.
- Hacktivism. As the WikiLeaks episode demonstrates, hacktivists will increase their use of crowdsourcing to recruit an army of motivated hackers to pursue a political agenda. Alperovitch says these attacks are not sophisticated, and organizations should be able to defend against them successfully if they take appropriate action.
"We are seeing an escalating threat landscape in 2011," Alperovitch says.
Alperovitch, interviewed by ISMG's Eric Chabrow, leads McAfee's Internet threat intelligence analysis as well as the development of real-time, in-the-cloud global threat intelligence services. He's an inventor of numerous patent-pending technologies and has conducted extensive research on reputation systems, spam detection, public-key and identity-based cryptography and network intrusion detection and prevention.
Georgia Institute of Technology awarded Alperovitch a master's degree in information security and a bachelor's degree in computer science.
Escalating Threat Landscape
ERIC CHABROW: How will 2011 be different from 2010?
DMITRI ALPEROVITCH: We are seeing an escalating threat landscape in 2011. There are a couple of areas where we think the cyber criminals and other threat actors are going to specifically focus in 2011. One area is certainly social media. We are seeing it rapidly replace e-mail as a primary vector for delivering malware. For example, traditional e-mail spam is down significantly in 2010, back to almost 2006 levels in terms of overall volumes, and at the same time we're seeing significant spikes in the malware and spam that is being delivered to social networking sites like Facebook, Twitter, and others.
We expect that cyber criminals will focus their attention specifically on two areas within social media. One is short URL abuse. We think it will invade all other forms of communication, with McAfee tracking over three thousand short URLs every single minute around the world, and many are used for spam, scamming, and other malicious purposes. Another area is location services, services like Foursquare or Facebook Places, Google Latitude; with their growth in popularity, we are expecting this to be a huge area of interest for criminals.
Another area we think is going to really explode in 2011 is mobile. We've already seen some of the malware experimenting this year. For example, Zeus has released SMS malware for the mobile platforms in order to help it conduct phishing attacks. With the tremendous growth in smart phones like iPhones and Android platforms, we really expect to see a number of very sophisticated malware threats targeting those platforms in 2011.
Another area is applications. We believe that applications will be targeted both on the mobile devices, in terms of rogue apps and other apps that target user privacy and identity data, but also on social media like Facebook and on embedded devices as well, as we see Google TV and other Android-based platforms launch outside of the mobile area and apps being delivered through that channel. We expect cyber criminals to follow suit pretty rapidly.
The Mobile Threat
CHABROW: You mentioned social media and mobile technology as being more at risk in 2011. What can organizations such as governments, banks, and hospitals do to help prevent threats in those areas?
ALPEROVITCH: One of the trends that we have been seeing for a while is consumerization in the IT space, both in government and in the commercial sector. So in the mobile area in particular, we're seeing all kinds of devices proliferating through the enterprise, iPhones, iPads, Android devices that may or may not be controlled by the corporate IT or security department. Executives are bringing these devices in because they use them at home and they find them convenient, and the IT department has no choice but to accept those devices. Most of these devices are not secured, are not being tracked through the enterprise and really present a tremendous threat, both from an insider perspective, because these devices are on the network and can be used to exfiltrate data by a malicious insider, sort of more of the WikiLeaks situation, although that was not a mobile device issue. But another way is really to have these platforms be targeted by malware and then essentially have that malware gain complete access to the network through that mobile device, and be used to steal financial data as well as for some of these persistent threats, where they are a huge focus of espionage activities.
CHABROW: What should CISOs in these organizations do?
ALPEROVITCH: They need to start paying attention to the mobile devices that are being used. This is an emerging area in the security space, so there are vendors out there providing security software that you can install on these phones and essentially lock them down: being able to control what data those phones can access on the network, encrypt the data while it resides on the device, and also do remote wiping and locate-type services for lost phones.
CHABROW: Does this put more pressure on IT organizations to step up their defensive mobile technology, or does some of the responsibility fall on their employees?
ALPEROVITCH: There is no getting away from the fact that the security organizations have to step up and realize that computing is moving to the mobile platform. You cannot just pass on the responsibility for security to the employees. You do have to have some centralized control when it comes to these devices. Yes, you can allow individuals to bring their own devices into the enterprise, but you have to set certain rules as far as how they are going to be used, what software and what applications are going to be allowed to be installed on those devices, and what data needs to be encrypted when the device is connected to the network.
Hacktivism: Beyond WikiLeaks
CHABROW: I am intrigued by hacktivism. It seems to be becoming more damaging, even beyond website graffiti and distributed denial of service attacks. How is hacktivism evolving? What should we expect in 2011, and what can organizations do about it to protect their information?
ALPEROVITCH: Hacktivism has been around, of course, since almost the beginning of the internet; the expression of political thought through malicious attacks has been used in wars and conflicts around the world. What we, of course, saw just late this year is the whole WikiLeaks situation bringing it to yet another level, where activists on both sides, both in support of and against WikiLeaks, have used this crowdsourcing method of getting individuals to volunteer their computers to attack corporations that have been against WikiLeaks and to attack WikiLeaks itself.
We expect this trend to continue. Really, it's becoming much, much easier for an individual to voluntarily participate in a hacktivist group that is targeting a particular political or commercial target. The attacks thus far have not been sophisticated and can be fairly easily thwarted, but certainly many, many organizations aren't prepared even to face these unsophisticated attacks. So as long as that continues to be the case, we expect there will be plenty of volunteers that will lend their services, computers and minds to these efforts.
CHABROW: Is the defense merely for organizations who know how to prevent these attacks to make sure they are actually doing it, or is there something more to be done?
ALPEROVITCH: You have to pay attention to the threat, particularly if you are involved in sensitive political areas or if you are an organization that is taking perhaps a controversial position that may attract some enemies. Not every organization is going to face the hacktivism threat. It just depends on the nature of your business or, if you are a government, the type of activities you are involved with. In general, these are not sophisticated threats. So if you are building your security to face the cyber criminal threats, which are much more sophisticated, or these nation-state threats, cyber espionage threats, hacktivism will pose no problem to you.
Advanced Persistent Threat
CHABROW: Let's talk about that advanced persistent threat which you just made reference to, basically cyber attacks that are emanating from nation states or from groups backed directly or indirectly by nation states. What is in store for 2011 and what can be done about that?
ALPEROVITCH: 2010 really put these attacks in the forefront due to the Google incident as well as the Stuxnet incident. Both of them are believed to be nation-state sponsored. APTs themselves have been around for almost a decade now, but primarily focused on attacking government systems as well as the systems of various defense contractors for many years. 2010 really indicated a shift, with these attacks now going after the commercial sector and focusing on economic as well as national security cyber espionage. What we expect to see is many more companies that are involved in particular areas of the world coming under these highly complex and well-executed targeted attacks in the near future. Multi-nationals in particular that do business around the world are the primary targets, but also smaller firms that assist those companies in doing business. Again, just as with hacktivism, not every organization needs to worry about APTs, but if you are operating in the areas of national security or have significant economic interests in various parts of the world, you certainly need to expect to face that threat.
CHABROW: Is this something that is going to be a tough challenge for organizations that want to prevent it?
ALPEROVITCH: Definitely. Really, the major difference between APT attacks and cyber criminal attacks is that APTs are persistent, so not all of them are extremely sophisticated. There are really A teams, B teams, and C teams when it comes to APT attacks, and the C teams are often as unsophisticated as some of the low-end cyber criminal groups, but the difference is that once they pick a target they are relentless in going after that target. Whereas the cyber criminals will typically move on to a target that is much less secure, APTs will continue to attack and will spend months if not years trying to penetrate an organization that is of interest to them until they succeed.