Internet noise and encryption provide cover for cyber criminals

The ready availability of strong encryption providing cover for terrorists has been well publicized, in the context of Facebook’s WhatsApp for example, but it is also being exploited across the wider cybercrime community to hinder protection against a wide variety of attacks. This was a key finding of Cisco’s 2018 Annual Cybersecurity Report, which also identified “noise” associated with a variety of commonly used internet utilities such as drop boxes as a cover for various attacks, because they make it harder for defenses to separate real threats from all the background activity.

Cisco’s report almost coincided with Akamai’s Q4 2017 State of the Internet Security survey, with at first sight surprisingly little overlap between them. Cisco’s combined data and analysis from its own threat researchers and several technology partners, while Akamai drew on attack reports from its Operations Control Center.

Akamai highlighted web applications as a major attack growth area in 2017, with attacks increasing in number by 10% over the year; Cisco agreed on this but did not separate it out as a specific category. Cisco talked up the importance of machine learning and AI in combating security threats, which Akamai hardly mentioned because it concentrates on threats rather than defenses against them.

There is obvious consensus between the two surveys that what security professionals like to call the “threat landscape” is expanding almost exponentially. This reflects the continuing proliferation of web sites, increasingly intricate supply chains and above all the rise of the Internet of Things (IoT). Akamai sounded a pessimistic note by concluding that it will take a long time to get a handle on IoT security because there is little agreement over who is responsible, both within enterprises and at a national or even global level, where there is uncertainty over how liability for breaches is divided between governments, service providers and users.

The upshot, according to Akamai’s Senior Editor and Security Advocate Martin McKeay, is that Mirai and other IoT-focused malware will wreak some havoc through connected devices that are not properly secured for the foreseeable future.

Mirai is a prime example of quite simple malware that has become a menace in the IoT era by recruiting devices like IP cameras and home routers that run Linux for large-scale botnet-based DDoS (Distributed Denial of Service) attacks. It has been involved in several infamous attacks, including the one directing 620 Gbps of traffic at the Krebs on Security site in September 2016, followed a month later by an even bigger 1 Tbps DDoS assault on French web host OVH.

Yet its method is not that sophisticated, exploiting the fact that many IoT devices ship with default usernames and passwords. It scans the internet continuously for the IP addresses of IoT devices and then identifies vulnerable ones by working through a table of over 60 common factory-default username and password pairs. Finally, it logs into those devices and infects them with the Mirai malware, so that they can be conscripted into a botnet.
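The defender-side counterpart of the behaviour just described is a login log that shows one source cycling through many usernames in a short burst, sometimes followed by a success. The following is an added example, not code from the article or from either report: it parses a constructed telnet login log from a small IoT device and raises an alert when a source tries several distinct usernames within a minute (the sweep), and a second alert if that same source then logs in successfully. The log format, field names and thresholds are assumptions for the example.

```python
"""Detect Mirai-style default-credential login sweeps in a device's login log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an IoT device's telnet login log (not real data).
# 203.0.113.7 cycles through usernames and finally gets in; 198.51.100.20 is an
# operator who mistypes once and retries seven minutes later.
SAMPLE_LOG = """\
2017-11-03T10:00:01Z telnetd src=203.0.113.7 user=root result=FAIL
2017-11-03T10:00:02Z telnetd src=203.0.113.7 user=admin result=FAIL
2017-11-03T10:00:02Z telnetd src=203.0.113.7 user=support result=FAIL
2017-11-03T10:00:03Z telnetd src=203.0.113.7 user=guest result=FAIL
2017-11-03T10:00:04Z telnetd src=203.0.113.7 user=service result=FAIL
2017-11-03T10:00:05Z telnetd src=203.0.113.7 user=admin result=OK
2017-11-03T10:00:09Z telnetd src=198.51.100.20 user=operator result=FAIL
2017-11-03T10:07:00Z telnetd src=198.51.100.20 user=operator result=OK
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(seconds=60)      # sliding window per source address
DISTINCT_USER_THRESHOLD = 4         # distinct usernames inside the window that count as a sweep


def parse(log_text):
    """Return (timestamp, src, user, result) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect(log_text):
    """Return alerts as tuples: ('credential_sweep', src, distinct_users) and
    ('success_after_sweep', src, user)."""
    events = sorted(parse(log_text))        # tuples sort by timestamp first
    attempts = defaultdict(list)            # src -> [(ts, user)] within the window
    swept = set()                           # sources already reported as sweeping
    alerts = []
    for ts, src, user, result in events:
        # Keep only attempts from this source that fall inside the sliding window.
        window = [(t, u) for t, u in attempts[src] if ts - t <= WINDOW]
        window.append((ts, user))
        attempts[src] = window
        distinct = {u for _, u in window}
        if src not in swept and len(distinct) >= DISTINCT_USER_THRESHOLD:
            swept.add(src)
            alerts.append(("credential_sweep", src, len(distinct)))
        # A success from a source that was sweeping is the signal to act on.
        if result == "OK" and src in swept:
            alerts.append(("success_after_sweep", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log the operator's retry produces nothing, while the sweeping source is reported once when it reaches four distinct usernames and again when its sixth attempt succeeds. The distinct-username count is the useful signal here: a legitimate user retrying a password stays on one username, whereas a Mirai-style sweep is defined by walking a credential table.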

Mirai has had lasting success because, even though many of its creators have been caught, the open source code is out there and has been adapted into new variants that the security community treats as the same essential malware brand. Cisco expands on this point by highlighting advances being made by attackers in IoT botnet attacks building on code bases such as Mirai’s, also citing Brickerbot and Hajime.

Attackers are targeting IoT devices because they are easier to co-opt than PCs, with fewer defenses, and are typically always on, so they are available for immediate recruitment at any time. Cisco predicts that IoT botnet-based DDoS attacks will become more advanced and harder to counter during 2018, compounded by the continuing indifference to the threats among many users and enterprises. The report mentioned the finding by one of Cisco’s partners, Radware, that only 13% of organizations believe that IoT botnets will be a major threat to their business in 2018.

However, one nugget from Cisco’s survey indicates why many enterprises are blasé about DDoS attacks themselves: nearly all of them are aimed at gaming sites, which were the target of 79% of all DDoS attacks in Q4 2017. But this figure is declining, and it is likely that these large-scale DDoS attacks will show up increasingly in all sectors during 2018, motivated by various reasons including the desire to disrupt a competitor.

It is also the case that because these botnet-based DDoS attacks tend to be large and few in number, they defy statistically significant analysis anyway. This shows up in Akamai’s breakdown of DDoS attacks by source country, which swings wildly from quarter to quarter. In Q1 2017 the US was the source country for 44% of all DDoS attacks, followed by the UK on 13% and Germany on 7%. But in Q2 this completely changed, with Egypt now top on 32% followed by the US on 8% and Turkey on 5%. Then in Q4 2017 Germany had soared to number one, accounting for 30% of all DDoS attacks worldwide, closely followed by China on 28%. Given the volatility, it is hard to tell whether the Q4 figures represent a trend or a blip.

When it comes to web application attacks the picture is perhaps clearer, with the US sourcing easily the most at 32%. The Netherlands was second on 11.9% and Russia only fifth on 4.6%. Overall attack data tends to scotch the notion that Russia is the major source of cyber-attacks, since it lags behind not just the US but also some European countries, although this varies with attack type.

Cisco emphasized the fast-growing threat posed by encryption, which is ironic given that it was developed to improve security. The report noted that 50% of global web traffic was encrypted by October 2017, up some 12 points on November 2016, with the rise driven by the growing availability of low-cost or even free SSL (Secure Sockets Layer) certificates. Use by adversaries is growing faster than overall traffic, with the use of encryption in malware samples increasing three-fold to 70% of all cases over that same 12-month period. This was based on analysis of 400,000 malware binaries.

Cisco strongly advocated the use of machine-learning (ML) techniques for defending against encrypted malware, because of the need to identify unusual patterns that cannot so readily be expressed directly as rules or filters. ML can be used to detect threats that have already been identified, but since those can be filtered for anyway, its main value comes in monitoring encrypted web traffic continuously and learning to identify unusual patterns in real time within large volumes. ML also scores by helping enterprises cope with a lack of skilled staff, identified as a major cause of breaches.

Cisco splits applications of ML for security monitoring into three categories, which it calls known-known threats, known-unknown threats and unknown-unknown threats. The first involves detection of attacks that exactly match previous ones, which can be done by applying static signatures that recognize a specific character or numeric sequence, or dynamic signatures that apply some rule to sequences. ML in this category is highly accurate but does not scale well, requires manual definition and cannot adapt to evolving threats or encrypted traffic.

The second known-unknown category involves extrapolation from known threats to unknown ones that are related in concept. This can be done through behavioral signatures that transform known rules into a slightly different domain, seeking related patterns as warnings of attack.

Alternatively, software in this ML category can look for generic high-level patterns indicative of attacks derived from training on threats that are already known. Both these categories scale better because they can be applied to more attacks and can learn semi-automatically, but still rely on some manual guidance and may fail to identify novel attacks. A key benefit over the first category is that because it is capable of transformation it can identify anomalies in encrypted traffic.

Finally, the unknown-unknown category, which is really work in progress, involves identifying divergences from normal network behavior which the software has been trained to recognize. This scales well, can recognize attacks never seen before and learns automatically.
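To make the three categories concrete, here is an added example (not code from the article or from Cisco) that runs all three tiers over metadata a network sensor can see without decrypting TLS: a client fingerprint (a hash of ClientHello parameters, in the style of JA3), whether the server certificate was self-signed, byte counts in each direction and flow duration. Tier 1 is an exact fingerprint match; tier 2 is a behavioural signature generalised from a known family (self-signed server plus upload-heavy traffic, flagged on any fingerprint); tier 3 learns a baseline from benign flows and flags outliers by z-score. Every fingerprint, threshold and flow record is constructed for the example, and the tier-2 rule is an assumed generalisation, not a real family's signature.

```python
"""Known-known, known-unknown and unknown-unknown detection over encrypted-flow metadata."""
from math import log10
from statistics import mean, pstdev

# Tier 1 (known-known): static signature, exact match on fingerprints taken from
# analysed samples. The hash values are made up for this example.
KNOWN_BAD_FINGERPRINTS = {"1f2e3d4c5b6a7988", "0badc0de00001111"}

# Tier 2 (known-unknown): behavioural signature generalised from the known samples.
# Assumption for the example: the family talks to self-signed servers and uploads
# far more than it downloads, so that behaviour is flagged whatever the fingerprint.
UPLOAD_RATIO_THRESHOLD = 5.0

# Tier 3 (unknown-unknown): distance from a baseline learned on benign traffic.
ANOMALY_Z_THRESHOLD = 3.0

# Constructed benign flows used to train the tier-3 baseline.
BENIGN_BASELINE = [
    {"bytes_out": 800, "bytes_in": 40000, "duration_s": 2.0},
    {"bytes_out": 1200, "bytes_in": 65000, "duration_s": 3.5},
    {"bytes_out": 600, "bytes_in": 25000, "duration_s": 1.2},
    {"bytes_out": 1500, "bytes_in": 80000, "duration_s": 4.0},
    {"bytes_out": 950, "bytes_in": 52000, "duration_s": 2.8},
    {"bytes_out": 700, "bytes_in": 30000, "duration_s": 1.5},
    {"bytes_out": 1100, "bytes_in": 60000, "duration_s": 3.0},
    {"bytes_out": 850, "bytes_in": 45000, "duration_s": 2.2},
]


def features(flow):
    """Numeric feature vector; byte counts are log-scaled so huge flows do not dominate."""
    return (log10(flow["bytes_out"]), log10(flow["bytes_in"]), flow["duration_s"])


def train_baseline(flows):
    """Per-feature (mean, population std dev) learned from benign flows."""
    columns = list(zip(*(features(f) for f in flows)))
    return [(mean(col), pstdev(col)) for col in columns]


def anomaly_score(flow, baseline):
    """Largest absolute z-score of the flow's features against the baseline."""
    scores = []
    for x, (mu, sigma) in zip(features(flow), baseline):
        if sigma == 0:                      # degenerate feature: only exact values are normal
            scores.append(0.0 if x == mu else float("inf"))
        else:
            scores.append(abs(x - mu) / sigma)
    return max(scores)


def static_signature_match(flow):
    """Tier 1: exact match, accurate but blind to anything not already catalogued."""
    return flow["client_fingerprint"] in KNOWN_BAD_FINGERPRINTS


def behavioral_signature_match(flow):
    """Tier 2: the known family's behaviour, applied to flows with unseen fingerprints."""
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)
    return flow["self_signed_cert"] and ratio > UPLOAD_RATIO_THRESHOLD


def classify(flow, baseline):
    """Label a flow with the first tier that fires, or 'benign'."""
    if static_signature_match(flow):
        return "known-known"
    if behavioral_signature_match(flow):
        return "known-unknown"
    if anomaly_score(flow, baseline) > ANOMALY_Z_THRESHOLD:
        return "unknown-unknown"
    return "benign"


# Constructed flows, one per outcome.
SAMPLE_FLOWS = {
    "exact_match": {"client_fingerprint": "1f2e3d4c5b6a7988", "self_signed_cert": False,
                    "bytes_out": 900, "bytes_in": 45000, "duration_s": 2.0},
    "new_variant": {"client_fingerprint": "7777aaaa9999bbbb", "self_signed_cert": True,
                    "bytes_out": 50000, "bytes_in": 2000, "duration_s": 30.0},
    "novel":       {"client_fingerprint": "abcdef0123456789", "self_signed_cert": False,
                    "bytes_out": 2000000, "bytes_in": 3000, "duration_s": 600.0},
    "normal":      {"client_fingerprint": "5555666677778888", "self_signed_cert": False,
                    "bytes_out": 900, "bytes_in": 50000, "duration_s": 2.5},
}

if __name__ == "__main__":
    baseline = train_baseline(BENIGN_BASELINE)
    for name, flow in SAMPLE_FLOWS.items():
        print(name, classify(flow, baseline), round(anomaly_score(flow, baseline), 1))
```

The ordering in `classify` mirrors the trade-off the report describes: the exact match is cheapest and most precise, the behavioural rule catches a variant whose fingerprint was never catalogued, and only the baseline model catches the flow that resembles nothing in the catalogue at all. The third tier's weakness is also visible: it knows nothing about intent and would flag a legitimate bulk upload just as readily, which is why it is the category still described as work in progress.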

Neither of the reports engages with one perpetual truth, that inevitably some attacks will always get through no matter how strong the defenses. Therefore an important aspect of threat mitigation is in minimizing and localizing damage when attacks have been successful. That too is fertile ground for ML and AI because it involves looking for signals of attacks unfolding inside the perimeters of an enterprise or service and then taking action immediately, such as shutting down specific servers to prevent further spread.