As we close out Q1 in 2016, what does the client-side threat landscape look like? Where is the industry headed? How are criminals changing? In this post, I want to take some time to reflect and summarize some thoughts that I’ve had over the last few months.
Cyber security has evolved
From RiskIQ's vantage point, many of the threats and vulnerabilities that plagued us 10 years ago now have clear, well-understood solutions. Security controls that were bespoke and highly sophisticated in 2006 are commoditized and commercially available today, and nearly every day a new product or technology arrives that addresses a problem which once consumed an information security department's attention.
The client attack surface is rapidly being reduced
Exploit mitigations such as DEP and ASLR are now on by default, and they have made whole classes of once-reliable exploitation techniques (jumping into shellcode placed on the stack, returning to hard-coded addresses) impractical on their own. They do not remove the underlying vulnerabilities, and bypasses exist, but each bypass raises the attacker's cost. Commercial software has filled in around them with application sandboxing, application firewalls, and other interesting security technologies. None of these concepts is new; what is new is how common they have become inside large corporations.
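A practical caveat on the point above: DEP and ASLR only protect a process whose binary opts into them, with a non-executable stack and a position-independent image. The following is an added example, not code from RiskIQ or from the original post, that checks those flags in an ELF64 image by reading the ELF header and program headers. The two sample images are constructed header-only blobs, not real binaries, and the NX, PIE and RELRO interpretation is the standard Linux one.

```python
import struct
import sys

# ELF constants taken from the ELF and System V ABI specifications.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2             # fixed-address executable: ASLR cannot move its code
ET_DYN = 3              # position-independent executable (or shared object): ASLR can
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def check_mitigations(data: bytes) -> dict:
    """Report which exploit mitigations a 64-bit little-endian ELF image opts into.

    nx    - PT_GNU_STACK is present without PF_X (non-executable stack, i.e. DEP applies).
            A missing PT_GNU_STACK is reported as False: older loaders fall back to an
            executable stack, so treat it as unprotected.
    pie   - e_type is ET_DYN, so the kernel can randomise the load base (ASLR for code).
    relro - a PT_GNU_RELRO segment exists (GOT and friends become read-only after relocation).
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELFCLASS64 little-endian images are handled here")

    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags = None
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(e_type: int, phdrs: list) -> bytes:
    """Construct a header-only ELF64 image (no code) so the checker can be exercised offline."""
    ehdr = struct.pack(
        "<4sBBBBB7xHHIQQQIHHHHHH",
        ELF_MAGIC, ELFCLASS64, ELFDATA2LSB, 1, 0, 0,   # e_ident: class, data, version, OSABI, ABI ver
        e_type, 0x3E, 1, 0,                            # e_type, EM_X86_64, e_version, e_entry
        64, 0, 0,                                      # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdrs), 0, 0, 0,                   # e_ehsize, e_phentsize, e_phnum, e_sh*
    )
    phdr = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + phdr


# Constructed sample images, not real binaries: a legacy fixed-address executable with an
# executable stack, and a hardened PIE with a non-executable stack and RELRO.
LEGACY_IMAGE = build_sample_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED_IMAGE = build_sample_elf(
    ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)]
)


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_mitigations(fh.read())


if __name__ == "__main__":
    for name, image in (("legacy sample", LEGACY_IMAGE), ("hardened sample", HARDENED_IMAGE)):
        print(f"{name:16} {check_mitigations(image)}")
    for path in sys.argv[1:]:          # e.g. python3 elfcheck.py /bin/ls
        print(f"{path:16} {check_file(path)}")
```

Run it against the binaries on a host (any path passed on the command line) to see which still ship without NX or PIE; those are the programs for which the mitigations discussed above simply do not apply, whatever the operating system supports.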
Cybercriminals change tactics
Much like a living entity, threats change, evolve and, most importantly, respond to stimuli. Blunt one technique or tactic and the threat tends to respond by evolving in whatever direction restores its ability to infect users or generate money. Ironically, as countermeasures become more effective and the remaining exploit techniques more complicated, threat actors seem to fall back on simpler methods.
What’s old is new
What I find most interesting is the resurgence of what some might consider obsolete, or at least basic, tactics such as phishing and scareware campaigns. As malware and client-side exploits become harder to use effectively, their authors do the same cost/benefit calculation that network defenders make, and often a lower-tech tactic wins as the easiest and most cost-effective option.
For example, as users become more tech-savvy, threat actors simply update the tricks they use on them. A perfect example is the common advice that users should install antivirus: malware authors responded with fake antivirus software (rogue AV, or scareware) that warns of infections that do not exist and serves as the lure for installing malware and adware. We saw the same technique shift towards fake Acrobat and Flash Player update prompts once the security industry had made it well known that users should keep their systems patched.
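To make that tactic concrete for defenders, here is an added example of the kind of heuristic a page crawler can apply to fetched content. It is not RiskIQ's code or tooling and is not part of the original post. It flags a page as a fake-update or fake-AV lure when the page names software users are told to install or patch, pushes urgency, and links an installer hosted off that vendor's domain. The brand list, vendor domains, urgency phrases and the three sample pages are all constructed for the demo and are deliberately small.

```python
import re
from urllib.parse import urljoin, urlparse

# Hypothetical lure vocabulary: software users have been told to install or keep patched,
# mapped to the registered domains a genuine download for it would come from.
# Illustrative only, not a complete list.
BRAND_DOMAINS = {
    "flash player": {"adobe.com", "macromedia.com"},
    "adobe reader": {"adobe.com"},
    "acrobat": {"adobe.com"},
    "antivirus": set(),   # no single vendor; any unsolicited "you are infected" page is suspect
}
URGENCY = re.compile(
    r"(out of date|update (now|required)|virus(es)? (found|detected)|infected|critical)",
    re.IGNORECASE,
)
HREF = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)
INSTALLER_EXTENSIONS = (".exe", ".msi", ".scr", ".jar", ".dmg", ".pkg", ".zip")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: last two labels. Fine for the demo, wrong for ccTLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_page(page_url: str, html: str) -> dict:
    """Score one fetched page. A lure needs all three signals: a named brand, urgency
    wording, and an installer link whose registered domain is not the brand's own."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    brands = [b for b in BRAND_DOMAINS if b in text]
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    urgent = URGENCY.search(text) is not None

    offbrand_installers = []
    for link in HREF.findall(html):
        absolute = urljoin(page_url, link)          # resolve relative links against the page
        parts = urlparse(absolute)
        if parts.path.lower().endswith(INSTALLER_EXTENSIONS):
            if registered_domain(parts.netloc) not in allowed:
                offbrand_installers.append(absolute)

    verdict = "lure" if brands and urgent and offbrand_installers else "benign"
    return {"verdict": verdict, "brands": brands, "urgent": urgent,
            "offbrand_installers": offbrand_installers}


# Constructed sample pages for the demo (.example hosts, invented HTML).
SAMPLE_PAGES = {
    "fake flash update": (
        "http://flash-player-update.example/index.html",
        "<h1>Your Flash Player is out of date!</h1>"
        '<a href="/download/flashplayer_update.exe">Update now</a>',
    ),
    "fake antivirus": (
        "http://pc-scanner.example/scan.html",
        "<p>WARNING: 3 viruses found on your computer. Install our free Antivirus.</p>"
        "<a href='http://dl.pc-scanner.example/AntiVirus2016.exe'>Remove threats</a>",
    ),
    "genuine vendor page": (
        "https://get.adobe.com/flashplayer/",
        "<p>Download Flash Player</p>"
        '<a href="https://fpdownload.adobe.com/get/flashplayer/installer.exe">Download</a>',
    ),
}


def run_samples() -> dict:
    """Verdict per sample page; used by the demo below."""
    return {name: analyse_page(url, html)["verdict"] for name, (url, html) in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} -> {verdict}")
```

The point of requiring all three signals together is to keep the vendor's own download page, which also names the product and links an installer, out of the alert queue; a real deployment would replace the two-label domain helper with a public-suffix list and the phrase list with whatever lure text the crawler is actually seeing.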
IT is slow to respond
Now to our next point, which is rather concerning. The industry may have a solution for most of the tactics threat actors use against users, but that solution is often not straightforward to deploy. Many systems have a three- to six-year support cycle, so while the latest operating system or whiz-bang tool might solve the problem, someone still has to roll it out across the estate. Getting up to speed with new technologies promptly is precisely what large companies have struggled with, and while these organizations gain their bearings, threat actors evolve and change the entire threat landscape with them.
Low tech is the future
As we have illustrated, the simplest ways are often the most effective. Many bad actors have moved towards social engineering, and those who still rely on malware have had to go to great lengths to keep it effective.