The goal of National Cybersecurity Awareness Month is to educate individuals and organizations on how to detect and avoid cyberattacks, and be safer and more secure online. Lastline is pleased to contribute our information and expertise towards accomplishing this important goal. This year we’re sharing three types of information:
Everywhere we turn, someone’s talking about artificial intelligence (AI) and machine learning (ML) and how they will transform information security, raising the risk of both terms becoming overused and misunderstood buzzwords. AI is the science of trying to replicate intelligent, human-like behavior. Machine learning is a specific type of AI. Furthermore, there are two distinct types of ML, supervised and unsupervised, and to be effective it’s essential that the right type is applied given the available data. One example of where machine learning can be used effectively is to analyze network behavior data and categorize it as normal or anomalous. But the results are only as good as the available data. AI faces a unique challenge in information security, however: algorithms must grapple with data that’s attempting to fight back. This is known as adversarial learning. Such a development highlights the reality that AI and ML aren’t silver bullets. There are a lot of unrealistic expectations that AI and ML can do anything. But that’s not the case. AI for cybersecurity applications isn’t enough to keep organizations safe on its own – it requires human input, guidance, decisions, or intervention. Our recent blog post on this topic provides the details.
Any computerized system that has an interface to the outside world is potentially hackable. But why would someone want to hack into a car’s computer systems? One answer is to use the car as a weapon, causing a crash. One example of how this could be done is that the car’s machine learning system could be polluted so that a road sign that looks like a stop sign to a human might look like a different sign to the car. And there are examples of successfully hacking autonomous cars. So, who’s responsible for ensuring these vehicles of the future are safe? Lastline co-founder Engin Kirda thinks this issue can’t be solved with government regulation alone – the systems are simply too complex. What do you think?
In our Q417 Malscape Report we presented data on the different tactics in use by attackers and how they differ from region to region. As we go through 2018 we may be witnessing some changes that highlight how quickly attackers adapt their techniques in response to improvements in security technologies. The US is the most mature market on the planet in terms of security, and is where the early adopters and front runners of new technology deployments are most prevalent. The Anti-Virus industry has evolved over the last year or so to include new Artificial Intelligence and math-based solutions to prevent new executable files from evading threat analysis, and it seems to be working. So, attackers needed to up their game. Since we conducted our study, we are already seeing fewer .exe payloads delivered in the US by lure documents. The success of the prevention strategy of math-based static analysis has had a side effect, however – instead of solving the problem it has changed the problem. We now see more diverse file types and a retooling of attack payloads into different scripting languages to subvert the math.
To kick off National Cybersecurity Awareness Month we thought we’d offer a story about a target that, in all likelihood, few of you have considered: container ships at sea. Yes, indeed cybercriminals are launching malware-based attacks against ships with at least two possible objectives: 1) If a criminal can compromise a ship’s systems, such as its navigation or communication system, the shipping company will very likely pay a ransom because of the very dire consequences of those systems being down. The ship could end up dramatically off course, for example. Or the crew, who are away from loved ones for months at a time, can become completely cut off. And 2) Criminals have accessed files containing details of the containers on board, and rearranged the container numbers so that the illicit contraband in one of the containers is seen as a benign shipment that is less likely to draw attention and get inspected. One of Lastline’s partners, GTMaritime, provides technology to ensure vessel compliance, communications, and overall business operability, including threat protection, so that the world’s shipping fleets, and the goods they carry that we’re all anxious to purchase, arrive at their intended destination on time, and safe from criminal tampering. Here’s a recent article on GTMaritime.
by Giovanni Vigna, Lastline Co-founder and CTO
I remember when… botnets first appeared in a Denial of Service attack. That was in 2000, and I had just become a Professor at University of California Santa Barbara (UCSB). I was traveling in Italy when one morning, my dad came to me and very excitedly let me know that UCSB was in the news in Italy! I went to see the newscast and I found out that some hosts at UCSB had been compromised and were used to perform a coordinated Denial-of-Service attack against CNN and eBay. This attack turned out to be one of the first in which a series of “bots” were under the control of a single hacker, who could use their combined power for nefarious purposes. It was the rise of the botnets. Here we are almost twenty years later, and malware and botnets have become an everyday reality for every Internet user. The security community has not been sitting still. Instead, both academia and industry have innovated in the field, producing novel technology to analyze, detect, and block these attacks. One technique that we have relied on at Lastline is the use of AI along with our deep understanding of malware behaviors to connect numerous alerts into a single, coordinated incident or attack, elevating the priority for remediating it while directing analysts to all affected hosts.
I remember when… malware was singular in nature. That is, it really only had one malicious technique. How times have changed… Looking back at those days compared to the present, malware has matured to evade, disguise, and utilize multiple advanced malware techniques. This is true of Conficker, which was the first of this type, way back in 2008. Conficker targeted Microsoft Windows flaws within the OS and performed dictionary attacks on passwords to propagate while also creating a botnet. Conficker also utilized many advanced malware techniques that were difficult at the time to counter. Millions of devices were infected because the virus changed its propagation and strategy from version to version. Today this is all too common, and as malware detection capabilities improved, so did evasion techniques, which is the subject of one of our recent blog posts.
I remember when… little was heard of fileless malware, which is malware that resides only in memory and does not install on the disk. That was until the novel SQL Slammer worm hit in early 2003, targeting Microsoft’s SQL Server Resolution Service listening on UDP port 1434. SQL Slammer was so small that it didn’t have to write to disk and therefore stayed in memory. The novelty at the time was that it attacked a service, which caused a denial of service of numerous routers across the world given the bombardment of traffic from these infected machines. What compounded the problem was that the reactionary routing table updates caused additional routers not in the line of attack to fail. The Internet had to be rebooted. Fast forward 15 years and fileless malware is rampant and evasive, now targeting multiple services and users for monetary gain. To learn more about this, you might be interested in a recent article in Intelligent CISO by Lastline Co-founder and Chief Product Officer, Christopher Kruegel. Chris’ tips for detecting fileless malware include looking for security options that can pick up malicious behavior at the network level. Good overall cybersecurity hygiene will also help, for instance, patching of disclosed vulnerabilities or policies to ensure infected machines are identified and quarantined swiftly.
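The network-level detection the paragraph points to can be illustrated on flow records: a memory-resident worm like SQL Slammer leaves no file on disk, but it does leave a host spraying UDP/1434 datagrams at many distinct destinations. The following is an added example (not Lastline's or Chris Kruegel's code); the flow lines, thresholds and field layout are constructed for the example.

```python
"""Flag hosts that send UDP/1434 datagrams to many distinct destinations in a
short window, the scanning footprint of a Slammer-style worm.  Added example,
not Lastline's code; flow records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "timestamp src dst proto dport" (one per line).
# 10.0.0.5 sprays five hosts in two seconds; 10.0.0.7 only repeats one
# destination (a legitimate SQL Browser query pattern); 10.0.0.8 is TCP/1433.
SAMPLE_FLOWS = """\
2003-01-25T05:30:00 10.0.0.5 10.0.1.1 udp 1434
2003-01-25T05:30:00 10.0.0.5 10.0.1.2 udp 1434
2003-01-25T05:30:01 10.0.0.5 10.0.1.3 udp 1434
2003-01-25T05:30:01 10.0.0.5 10.0.1.4 udp 1434
2003-01-25T05:30:01 10.0.0.5 10.0.1.5 udp 1434
2003-01-25T05:30:02 10.0.0.7 10.0.1.9 udp 1434
2003-01-25T05:30:02 10.0.0.7 10.0.1.9 udp 1434
2003-01-25T05:30:03 10.0.0.8 10.0.2.2 tcp 1433
"""


def parse_flow(line):
    """Split one constructed flow line into typed fields."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_udp1434_sprayers(flow_text, min_targets=5, window_s=10):
    """Return {src: distinct_targets} for every source that reaches at least
    min_targets distinct hosts on UDP/1434 inside some window_s-second window.
    Repeated traffic to a single destination never trips the rule."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in flow_text.strip().splitlines():
        ts, src, dst, proto, dport = parse_flow(line)
        if proto == "udp" and dport == 1434:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct destinations seen from this event forward, within the window.
            targets = {d for t, d in events[i:]
                       if (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits[src] = len(targets)
                break
    return hits


if __name__ == "__main__":
    print(find_udp1434_sprayers(SAMPLE_FLOWS))
```

Tune min_targets and window_s to the baseline rate of SQL Browser lookups on your own network before alerting on the result.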
I remember when… we could trust email from our personal contacts. Yes, there was a time… back in the day. In the 1990s, email gained popularity and soon the world heard and would become mesmerized by, “You’ve got Mail.” Back in the day, we trusted the email senders just like we trusted senders of physical mail until one fateful day in the year 2000 when tens of millions opened an email from a trusted contact with a subject line of “I Love You.” Yep, your boss, mom, daughter, best friend and colleague loves you and you opened the attachment LOVE-LETTER-FOR-YOU.txt.vbs. The vbs extension, hidden by default on Windows, was executed and began to worm its way, sending a copy of itself to all the addresses in your address book while overwriting random types of files on your computer. While this was certainly a nuisance, it was not particularly damaging – no files were encrypted or deleted. Fast forward to today where email is rampant with malicious intent that is far more sophisticated and damaging than what became known as the I Love U virus. Who can you truly trust and how do you dodge the endless attacks launched via email? Here is some useful information about the more pervasive email threats, and how to protect against them.
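The trick the paragraph describes, an executable extension hidden behind a harmless-looking one, is easy to check for at the mail gateway. The following is an added example (not Lastline's code): it walks every extension of an attachment name, shows what Windows displays when known extensions are hidden, and flags names whose real extension is a script or executable; the extension lists and sample names are constructed for the example.

```python
"""Flag attachment names that hide a script or executable extension behind a
document-looking one, as LOVE-LETTER-FOR-YOU.txt.vbs did.  Added example, not
Lastline's code; extension sets are a constructed starting point, not policy."""
import os

# Extensions Windows hands to Windows Script Host or runs directly on open.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}
# Extensions users reasonably expect to be passive data.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf",
                 ".jpg", ".jpeg", ".png", ".gif", ".htm", ".html"}


def split_all_exts(name):
    """'LOVE-LETTER-FOR-YOU.txt.vbs' -> ['.txt', '.vbs'] (lower-cased)."""
    exts = []
    stem = name.strip().lower()
    while True:
        stem, ext = os.path.splitext(stem)
        if not ext:
            return exts
        exts.insert(0, ext)


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so the .txt in front is all the user sees."""
    return os.path.splitext(name)[0]


def classify_attachment(name):
    """Return None for benign names, 'executable' for a plain script or binary,
    and 'disguised-executable' when a document extension precedes the real one."""
    exts = split_all_exts(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"


if __name__ == "__main__":
    for n in ("LOVE-LETTER-FOR-YOU.txt.vbs", "report.pdf", "setup.exe"):
        print(n, "->", displayed_name(n), "|", classify_attachment(n))
```

Matching on the name alone is a first filter; pair it with content-type inspection, since a renamed script or a macro document passes this check.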
What’s the biggest, meanest, nastiest piece of malware? Our Death Match pits two notorious strains against each other, only one of which will emerge from this epic struggle. So, place your vote – what’s the baddest of the bad? The winner will be decided at midnight on Saturday, at which time the next two combatants will enter the ring.