Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Fraud , Phishing

The Evolving Hacker Mantra: Simplicity Why Nation States, Cybercriminals Prefer to Keep Things Simple
The Evolving Hacker Mantra: Simplicity
Rob Joyce, Chief of Tailored Access Operations for the NSA, talks tactics at the USENIX 2016 conference.

Advanced attacks are out, while persistent, relatively simple attacks are in. That was one takeaway from the numerous discussions I had with information security experts at this month's RSA Conference in San Francisco.

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

Of course, there will always be a place for advanced campaigns, such as backdooring the firmware used by one of the world's largest networking vendors, which many security experts believe involved up to three countries' intelligence services, starting with the U.S. National Security Agency.

"The most effective lures are the ones that just have one word." 

But despite all of the APT hype in recent years, cybercriminals, and especially nation-state attackers, prefer to keep things simple.

So says the NSA's "hacker in chief" - Rob Joyce, who heads its Tailored Access Operations. At the recent USENIX 2016 conference, he said that when doing nation-state exploitation, the NSA uses the simplest techniques, whenever possible, and isn't afraid to be incredibly persistent, waiting for targets to make a slight mistake or misconfiguration.

Simply Profitable

Intel Security Group's Christopher Young addresses RSA Conference 2016.

Witness that paradigm at work in the form of ransomware infections, which allow attackers to charge their victims directly, should they wish to decrypt their hard drives, post-infection. Of course, the number of people - and organizations - who pay up attests to a widespread lack of preparedness, such as maintaining up-to-date, offline backups (see Hollywood Hospital Pays Ransom to Unlock Data).

On the opening day of this month's RSA briefings, Christopher Young, general manager of the Intel Security Group - formerly known as McAfee - noted that profits related to version 3 of the CryptoWall ransomware are estimated to have reached at least $325 million. I also spoke with Raj Samani, Intel's CTO for Europe, the Middle East and Africa, at the conference, who told me that the amount of fraud that's been tied to CryptoWall version 3 so far is likely grossly underestimated.

Cheap Tricks

Attackers have long employed social-engineering attacks - trickery - to accomplish their goals. For nation states, that can mean gaining persistent, long-term access to targeted networks, for example, by tricking an employee into opening a malicious Excel file, as happened in the 2011 breach of conference sponsor RSA.

Unfortunately, in this age of people being conditioned to click on the latest-and-greatest cat videos, our collective ability to fall for such tricks makes it seem endemic to being human.

How bad is it? "The most effective lures are the ones that just have one word - 'info' [for example] - with a .doc attached," Ryan Kalember, senior vice president of cybersecurity strategy for security firm Proofpoint, told me at the conference.

Education, as well as tough love, can help. Kalember's colleague at Proofpoint, Dave Jevans, who also chairs the Anti-Phishing Working Group, told me that many organizations not only use fake phishing campaigns to test their employees, but also require those who fail the test to submit to related training. And some organizations will remove offenders' ability to access sensitive information, or even fire them.

For enterprises that must do battle against an increasing number of simple yet effective attacks, maybe tough love pays.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network