Despite the continuing and almost daily reports of data breaches there’s a glimmer of hope in the war infosec pros are waging against cyber attackers, according to a year-end review by security vendor Sophos.
The fact that more than 50 per cent of the entire web is now encrypted, and nearly 80 per cent of all network traffic is encrypted in response to cyber attacks, is “a stunning success,” Chester Wisniewski, one of the company’s principal research scientists, said in a commentary accompanying the release of the report on Wednesday.
“We have a tendency to judge ourselves by our failures, and no one takes the time to celebrate our successes,” he wrote. But the fact that attackers are constantly changing tactics in response to moves by security vendors and CISOs is evidence that what the infosec community is doing is having an impact, he reasons.
Organizations and consumers are updating and patching computers faster and removing software favored by hackers, like Adobe Flash. Now criminals “prefer to use deception to convince people into running malicious email attachments, exploiting human vulnerabilities rather than software,” he wrote.
“The work we do matters. It has a pronounced effect on forcing criminals to seek out new methods, and as defenders, we must continue to learn from the adversary’s changes and improve our own defenses.”
However, the report is also a sobering reminder that there is still lots to do. SophosLabs has noticed that a “small but growing number” of criminals are responding by using a variety of manual hacking techniques until now deployed by sophisticated attackers in order to maintain their income, said Sophos CTO Joe Levy in the report.
One example of such manual attackers is the groups behind the SamSam ransomware campaigns, said the report. Their intrusions typically begin with brute-force password attacks against computers reachable over the Remote Desktop Protocol (RDP). Once in, the attackers hunt for domain administrator credentials. If they obtain them, they may try to defeat some defences, which has sometimes meant firefights with alert infosec pros, with the goal of waiting for an opportune moment, such as a weekend, to deploy the malware.
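The RDP brute-force stage described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed, if the attacker succeeds, by a successful logon (event 4624) of the same type from the same address. The detector below is an added example written for this article; it is not Sophos code, and the events, addresses (documentation ranges) and account names are constructed. It keeps a sliding window of failures per source and raises a second, higher-severity finding when a flagged source later gets in.

```python
"""RDP brute-force detector over Windows Security log events.

Added illustrative example, not code from Sophos or the report; the events
below are constructed. Event 4625 = failed logon, 4624 = successful logon;
LogonType 10 (RemoteInteractive) is what an RDP session produces. The
detector keeps a sliding window of failures per source address, raises a
finding when the threshold is crossed, and a higher-severity finding if that
source later logs on successfully ("brute force, then get in").
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, roughly the fields of the real events
# (TimeCreated, EventID, LogonType, TargetUserName, IpAddress).
SAMPLE_EVENTS = [
    ("2018-11-10 02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-10 02:00:30", 4625, 10, "admin",         "203.0.113.7"),
    ("2018-11-10 02:00:45", 4625,  3, "svc_backup",    "192.0.2.5"),     # network logon, not RDP
    ("2018-11-10 02:01:02", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-10 02:01:15", 4625, 10, "jsmith",        "198.51.100.20"), # one typo by a real user
    ("2018-11-10 02:01:40", 4625, 10, "backup",        "203.0.113.7"),
    ("2018-11-10 02:01:50", 4624, 10, "jsmith",        "198.51.100.20"), # then the user gets in
    ("2018-11-10 02:02:15", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-10 02:02:50", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-10 02:04:10", 4624, 10, "administrator", "203.0.113.7"),   # attacker gets in
]


def parse_events(rows):
    """Turn the constructed tuples into dicts with real datetimes."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "logon_type": lt, "user": user, "src": src}
        for ts, eid, lt, user, src in rows
    ]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return findings for sources exceeding `threshold` RDP failures per `window`."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)        # src -> accounts tried (many users = spraying)
    flagged = set()                 # sources already reported as brute-forcing
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:            # only RemoteInteractive (RDP) logons
            continue
        src, q = ev["src"], failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            users[src].add(ev["user"])
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "rdp_bruteforce", "severity": "medium",
                                 "src": src, "failures": len(q),
                                 "users": sorted(users[src]), "at": ev["ts"]})
        elif ev["event_id"] == 4624 and src in flagged:
            findings.append({"type": "rdp_success_after_bruteforce", "severity": "high",
                             "src": src, "user": ev["user"], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f)
```

On the sample, only 203.0.113.7 crosses the threshold (five failures in under three minutes, spread over three account names), and its later 4624 produces the high-severity finding; the single typo from 198.51.100.20 and the non-RDP failures from 192.0.2.5 are ignored. In production the threshold and window should be tuned to the host's normal RDP traffic, and the 4625 SubStatus field (unknown user versus bad password) is worth carrying into the finding.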
“The downside,” wrote Levy, “is that it’s much more challenging to halt these hybridized threats using conventional methods, but it also means there are fewer criminals competent enough to conduct them, and we keep driving up the cost of their operations. It’s a Darwinian process, and the sort of shift in attacker/defender economics we’ve been striving to achieve for a long time. We consider that a victory, and the start of a trend of attacker disruption that we intend to continue driving.”
‘Living off the land’
Another trend Sophos noted this year is attackers’ willingness to lean on built-in operating system tools such as PowerShell for the early stages of an attack on an organization, rather than planting malware at the outset. The technique has been dubbed “living off the land.” In an era where the malicious executable appears only at the very tail end of the kill chain, the report says, defenders need to look for the earlier, tool-driven stages if they are to stop these attacks before they reach that final step.
Other trends noted are new ways of exploiting holes in Microsoft Office, getting around Google Play Store’s attempts to find malware in Android apps and infiltrating IoT devices.
Among Sophos’ recommendations to infosec pros: if RDP must be enabled on a computer, do not expose it directly to the internet; put it behind a VPN. Multi-factor authentication “is an amazingly effective tool for preventing the abuse of stolen credentials,” the report adds.