Illusive Blog December 18, 2018

Automated Cybercrime Needs Automated Cyber Defenses

By Beth Ruck

The epic and exponential rise in cybercrime is a subject of near-daily discussion in the national and local news. Whether it’s from ransomware, identity theft, digital corporate espionage, information warfare, compromised election systems or hacked critical infrastructures—increasingly all of our information systems are under attack. While the media is quick to report on the “what” of each data breach (for example, company X was hacked so change your password to that account), they rarely delve into the why and the how. How are these attacks taking place, and why are they growing at a pace so much quicker than all other forms of criminal activity? Without understanding the “why and how” of cybercrime, we are doomed to fail in our battle against cyberattacks.

While cybercrime, like computer viruses and hacking, has existed more or less since the invention of computers, for decades it was mostly a minor annoyance in the grand scheme of things because there were only a small number of computers in our daily lives for cybercriminals to target. Today, that’s no longer the case. Our phones, televisions, cars, refrigerators, thermostats, pacemakers, and electrical grids are all computers, and each and every one is subject to a potential digital attack due to insecure hardware, poorly written computer code and a near total lack of user-education about digital risks that allow these attacks to occur. But that is only part of the problem. The other, larger issue is that criminal organizations, hacker collectives, and rogue nation states are developing ever-more sophisticated cyber tools to automate their attacks in their ongoing quests to steal our money, identities, and sensitive information for their own malicious purposes.

In the old days, crime largely used to be a one-on-one affair. A bad guy would go out and get a knife or a gun and rob his victim face-to-face, for example. It was a good business model (save the moral issues and potential jail time). Criminals could get money “tax free” this way, set their own work hours, and they didn’t have to worry about the regulatory troubles facing nearly all other legitimate corporate enterprises. There was still one problem: they could only rob so many people a day. Put in the popular parlance of Silicon Valley, their business model could not “scale.” Crime was limited in its scope and damage because it always depended on human beings to carry out the attacks. The same applied to cybercrime in the early years of the Internet, but now, as an ever-growing number of scientific and technological advances are exploited by criminals to expand their nefarious businesses, digital crime has become automated and the scaling problem has been solved.

Thanks to the widespread adoption of the Internet and the global mass digitization of our assets and information, cybercriminals also have access today to “markets” they never could have previously imagined. A hacker in Russia can strike a corporation in Chicago, an organized cyber gang in Lagos, Nigeria can easily steal personal data from hundreds of thousands of people in London, and state-actors in Beijing can pilfer intellectual property from Washington D.C., San Francisco, or New York with little fear of interference or consequences.

These malicious actors increasingly rely upon a suite of ever-growing automated software tools to carry out their attacks. Digital offensives that were previously laborious and time-consuming to launch, such as denial of service or ransomware attacks, have become fully automated through the use of crimeware or criminal software. With the click of a mouse, attackers can employ bots, algorithms, scripts, and machine learning to launch and refine their online assaults anywhere in the world. To make matters worse, the learning curve required to grasp how to use these tools has dropped precipitously, so now even low-level criminals can take advantage of them. The growing use of AI and bots to carry out cyberattacks means that cybercrime itself has become industrialized. Indeed, we are sadly in the midst of the golden age of digital crime, an industrial revolution of sorts benefiting criminals worldwide.

What’s worse is how quickly we’re becoming accustomed to the frequency of these attacks. Ten or fifteen years ago, a large newsworthy data breach might involve a million accounts being compromised. When the American retailer Target was hacked in 2013 and more than 70 million accounts were compromised, it made national news for weeks. By 2016, data breaches were becoming so common that the media barely shrugged when Yahoo! admitted that 500 million of its accounts were hacked, later clarifying that, in fact, one billion accounts had been compromised. A year later, Yahoo! ruefully shared that actually the data of three billion of its subscribers had been obtained by malicious attackers. As you can see, the number of accounts compromised and dollars lost due to cyberattacks is growing at an exponential pace. The problem is our defenses against these onslaughts are not.

Attackers have been excellent at automating their offensive operations, while cybersecurity defense has been playing catch up, relying heavily on individual humans for response. Given the asymmetric nature of the cyber threat (attackers only need be right once to infiltrate our data stores; defenders must always be right to ward them off), automating our digital defenses is no easy task. It requires the right tools as well as a deep understanding of the why and how of a wide panoply of digital attacks. The modus operandi of any sophisticated cybercriminal is first to gain low-level access into any targeted network. To conceptualize a cyberattack (and thus how to prevent it), it might be helpful to consider how an old-world bank robbery is carried out. During business hours, entering the bank is dead easy: just walk through the front door. From there, though, it gets a lot harder. Any would-be robber must next disable the security guards, somehow force the bank tellers and everyone else inside into submission, and work his way laterally within the bank to reach the ultimate target—the large vault containing all the cash.

Cyberattacks work in a similar fashion. Hackers first find a way in via a public network, social engineering or a phishing offensive. Once they have established a beachhead on the outer perimeter of the targeted network, they move laterally, persisting within the environment until they reach the organization’s critical assets, the bank-vault equivalent they ultimately seek.

While there is little banks can do to prevent customers who could be potential robbers from coming through their front door, there are numerous steps they can take to detect and prevent a robber’s lateral movement towards the vault to forestall catastrophic losses. The same is true in cyber defense.

To regain control of their digital assets and resources, organizations must have in place an automated, intelligent means to fight back. The old paradigm of cybersecurity was to build tall digital walls in an effort to keep out all attackers. Those days are over. We simply have way too many computers, networks, and vulnerable endpoints to be able to defend them all. In short, our “threat surface area,” the number of places we can be attacked, is growing exponentially, and thus we must give up any illusion of being able to defend everything.

Instead, we need to change our strategy to focus on protecting our most valuable digital assets, our “crown jewels” if you will. One critical way to do this is to assume, quite rightly, that attackers have already penetrated your digital infrastructure. Now it’s up to you to automate the hunt and go find them, particularly as they move laterally from one system to the next in search of your crown jewels. Doing this preemptively provides a critical opportunity to intervene in the attack process itself and stave off the worst assaults upon your most important assets.
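As an added illustration (not from the original post and not Illusive’s own code), this Python sketch shows one automatable hunt for lateral movement: flag an account that fans out from a single workstation to many distinct servers within a short window. The log format, hostnames and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real data):
# timestamp  account  source-host  destination-host
SAMPLE_EVENTS = """\
2018-12-18T09:00:05 alice WS-ALICE FS-01
2018-12-18T09:01:10 alice WS-ALICE MAIL-01
2018-12-18T09:14:00 svc-backup WS-0042 FS-01
2018-12-18T09:14:20 svc-backup WS-0042 FS-02
2018-12-18T09:14:45 svc-backup WS-0042 HR-DB
2018-12-18T09:15:02 svc-backup WS-0042 FIN-DB
2018-12-18T09:15:30 svc-backup WS-0042 DC-01
2018-12-18T10:30:00 bob WS-BOB FS-01
"""

def parse_events(text):
    """Parse whitespace-separated logon lines into sorted (time, account, src, dst) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)

def find_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Flag (account, source host) pairs that reach >= threshold distinct
    destinations within any sliding time window. A workstation that suddenly
    authenticates to many servers in minutes is a classic lateral-movement signal."""
    by_actor = defaultdict(list)
    for ts, account, src, dst in events:
        by_actor[(account, src)].append((ts, dst))
    alerts = []
    for (account, src), hits in by_actor.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits the configured span
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dsts = {d for _, d in hits[start:end + 1]}
            if len(dsts) >= threshold:
                alerts.append((account, src, sorted(dsts)))
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for account, src, dsts in find_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"possible lateral movement: {account} from {src} -> {dsts}")
```

Real deployments would read Windows security events or VPN/SSH logs and tune the window and threshold per account type, since backup or scanning accounts legitimately fan out.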

So how do we go about doing this? First and foremost, defenders must take advantage of the full suite of automated tools available to them. This is not to suggest money should be spent willy-nilly on every new whiz-bang cybersecurity gadget the market creates. But chosen carefully, judicious use of automated tools is the only hope any organization or individual has of keeping pace with the exponential growth in cyber threats we are seeing today. Just as attackers are using artificial intelligence, bots, and machine learning to perpetrate their digital intrusions, so too must defenders deploy these tools. In the race between man and machine, and in a world in which hundreds of gigabytes of data and petaflops of cloud-based computing power can potentially be released against any target, speed and agility in response are critical.

If we are ever to succeed in preventing and deterring the growing wave of cyberattacks and the destruction they continue to wreak on our lives and our economies, we must change our approach to the industrialization of cybercrime. We must automate our own defenses to ensure we can survive in a world where exponential growth in technology reigns supreme.