Conventional security
software is powerless against sophisticated attacks like Flame, but alternative
approaches are only just getting started.
Two weeks ago today, computer security labs in Iran, Russia, and Hungary
announced the discovery of Flame, “the most complex malware ever found,”
according to Hungary’s CrySyS Lab.
For at least two years, Flame has been copying documents and recording
audio, keystrokes, network traffic, and Skype calls, and taking screenshots
from infected computers. That information was passed along to one of several
command-and-control servers operated by its creators. In all that time, no
security software raised the alarm.
Flame is just the latest in a series of incidents that suggest that
conventional antivirus software is an outmoded way of protecting computers
against malware. “Flame was a failure for the antivirus industry,” Mikko
Hypponen, the founder and chief research officer of antivirus firm F-Secure,
wrote last week. “We really should have been able to do better. But we didn’t.
We were out of our league, in our own game.”
The programs that are the lynchpin of computer security for businesses,
governments, and consumers alike operate like the antivirus software on
consumer PCs. Threats are detected by comparing the code of software programs
and their activity against a database of “signatures” for known malware.
Security companies such as F-Secure and McAfee constantly research reports of
new malware and update their lists of signatures accordingly. The result is
supposed to be an impenetrable wall that keeps the bad guys out.
However, in recent years, high-profile attacks on not just the Iranian
government but also the U.S. government have taken place using software that,
like Flame, was able to waltz straight past signature-based software. Many
technically sophisticated U.S. companies—including Google and the computer
security firm RSA—have been targeted in similar ways, albeit with less
expensive malware, for their corporate secrets. Smaller companies are also
routinely compromised, experts say.
Some experts and companies now say it’s time to demote antivirus-style
protection. “It’s still an integral part [of malware defense], but it’s not
going to be the only thing,” says Nicolas Christin, a researcher at Carnegie
Mellon University. “We need to move away from trying to build Maginot lines
that look bulletproof but are actually easy to get around.”
Both Christin and several leading security startups are working on new
defense strategies to make attacks more difficult, and even enable those who
are targeted to fight back.
“The industry has been wrong to focus on the tools of the attackers, the
exploits, which are very changeable,” says Dmitri Alperovitch, chief technology
officer and cofounder of CrowdStrike, a startup in California founded by
veterans of the antivirus industry that has received $26 million in investment
funding. “We need to focus on the shooter, not the gun—the tactics, the human
parts of the operation, are the least scalable.”
CrowdStrike isn’t ready to go public with details of its technology, but
Alperovitch says the company plans to offer a kind of intelligent warning
system that can spot even completely novel attacks and trace their origins.
This type of approach is possible, says Alperovitch, because, although an
attacker could easily tweak the code of a virus like Flame to evade antivirus
scanners once more, he or she would still have the same goal: to access and
extract valuable data. The company says its technology will rest on “big data,”
possibly meaning it will analyze large amounts of data related to many traces
of activity on a customer’s system to figure out which could be from an
infiltrator.
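To make the contrast between the two paragraphs above concrete, here is a small added example (not code from the article, CrowdStrike, or any antivirus vendor) that puts a signature scanner beside a behaviour-based check. All byte strings, signature names, event names, hosts and the activity trace are constructed for this example; the detection logic is a deliberately simple sketch of each idea, not any product's method.

```python
"""Toy comparison of signature matching and behaviour-based flagging.

Everything here is constructed for illustration: the byte strings are not real
malware, the signatures are made up, and the event trace is hand-written.
"""
from __future__ import annotations

import hashlib
import re

# --- Constructed samples (stand-ins for executable files) --------------------
KNOWN_SAMPLE = b"MZ\x90\x00" + b"config:exfil-channel-v1;target=docs,audio,keys" + b"\x00" * 8
# The same bytes with one padding byte changed: the "easy tweak" of a known sample.
TWEAKED_SAMPLE = KNOWN_SAMPLE[:-1] + b"\x01"
# A completely different build that shares nothing with the signed sample.
NOVEL_SAMPLE = b"MZ\x90\x00" + b"cfg=" + bytes(range(0x20, 0x60))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Signature database: exact file hashes plus byte patterns ----------------
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Constructed.Stealer.A"}
PATTERN_SIGNATURES = [
    (re.compile(rb"exfil-channel-v\d"), "Constructed.Stealer.Gen"),
]


def signature_scan(sample: bytes) -> list[str]:
    """Return the names of every signature the sample matches (empty if none).

    A hash signature needs a byte-for-byte match; a pattern signature survives
    small edits elsewhere in the file but still needs the signed bytes present.
    """
    hits = []
    name = HASH_SIGNATURES.get(sha256_hex(sample))
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(sample):
            hits.append(name)
    return hits


# --- Behaviour-based flagging over an activity trace -------------------------
# Event names and the "known hosts" allow-list are assumptions for this example.
KNOWN_HOSTS = {"update.example.internal", "mail.example.internal"}
COLLECTION_EVENTS = {
    "read_documents", "record_audio", "log_keystrokes", "screenshot", "capture_network",
}


def behaviour_flags(trace: list[tuple[str, str, str]]) -> dict[str, dict]:
    """Flag each process that collects two or more kinds of sensitive data AND
    talks to a host outside KNOWN_HOSTS, regardless of what its bytes look like."""
    per_process: dict[str, dict[str, set]] = {}
    for proc, event, detail in trace:
        rec = per_process.setdefault(proc, {"collects": set(), "unknown_hosts": set()})
        if event in COLLECTION_EVENTS:
            rec["collects"].add(event)
        elif event == "connect" and detail not in KNOWN_HOSTS:
            rec["unknown_hosts"].add(detail)
    return {
        proc: {"collects": sorted(r["collects"]), "unknown_hosts": sorted(r["unknown_hosts"])}
        for proc, r in per_process.items()
        if len(r["collects"]) >= 2 and r["unknown_hosts"]
    }


# Constructed trace: an ordinary updater, a browser, and one process showing the
# collect-then-upload pattern the article describes for Flame.
SAMPLE_TRACE = [
    ("updater.exe", "connect", "update.example.internal"),
    ("svchelper.exe", "read_documents", "C:\\Users\\alice\\Documents"),
    ("svchelper.exe", "record_audio", "microphone"),
    ("svchelper.exe", "log_keystrokes", "global hook"),
    ("svchelper.exe", "connect", "198.51.100.23"),  # documentation-range address, constructed
    ("browser.exe", "connect", "203.0.113.5"),  # unknown host, but no data collection
]

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("tweaked", TWEAKED_SAMPLE), ("novel", NOVEL_SAMPLE)]:
        print(f"{label:8s} signature hits: {signature_scan(sample)}")
    print("behaviour flags:", behaviour_flags(SAMPLE_TRACE))
```

Running it shows the known sample hit by both signature types, the one-byte variant slipping past the hash signature but not the pattern, and the novel build matching nothing at all; only the behaviour check, which looks at what a process does rather than what it contains, flags the collecting-and-uploading process in the trace. The behaviour rule is intentionally crude (two collection categories plus one unknown host), so in practice it needs tuning against legitimate backup or sync software that also reads many files and talks to outside hosts.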
Christin, of Carnegie Mellon, who has recently been investigating the
economic motivations and business models of cyber attackers, says that makes
sense. “The human costs of these sophisticated attacks are one of the
largest,” he says. Foiling an attack is no longer a matter of neutralizing a
chunk of code from a lone genius, but of defeating skilled groups of people.
“You need experts in their field that can also collaborate with others, and
they are rare,” says Christin. Defense software that can close off the most
common tactics makes it even harder for attackers, he says.
Other companies have begun talking in similar terms. “It goes back to
that ’80s law enforcement slogan: ‘Crime doesn’t pay,’ ” says Sumit Agarwal, a
cofounder of Shape Security, another startup in California that recently came
out of stealth mode. The company has $6 million in funding from ex-Google CEO
Eric Schmidt, among others. Agarwal’s company is also keeping quiet about its
technology, but it aims to raise the cost of a cyber assault relative to the
economic payoff, thus making it not worth the trouble to carry out.
A company with a similar approach is Mykonos Software, which developed
technology that helps protect websites by wasting hackers’ time to skew the
economics of an attack. Mykonos was bought by networking company Juniper
earlier this year.
Antivirus companies have been quick to point out that Flame was no
ordinary computer virus. It came from the well-resourced world of international
espionage. But such cyberweapons cause collateral damage (the Stuxnet worm
targeted at the Iranian nuclear program actually infected an estimated 100,000
computers), and features of their designs are being adopted by criminals and
less-resourced groups.
“Never have so many billions of dollars of defense technology flowed into
the public domain,” says Agarwal of Shape Security. While the U.S. military
goes to extreme lengths to prevent aircraft or submarines from falling into the
hands of others, military malware such as Flame or Stuxnet is out there for
anyone to inspect, he says.
Agarwal and Alperovitch of CrowdStrike both say the result is a new class
of malware being used against U.S. companies of all sizes. Alperovitch claims
to know of relatively small law firms being attacked by larger competitors, and
green technology companies with less than 100 employees having secrets
targeted.
Alperovitch says his company will enable victims to fight back, within
the bounds of the law, by also identifying the source of attacks. “Hacking back
would be illegal, but there are measures you can take against people benefiting
from your data that raise the business costs of the attackers,” he says. Those
include asking the government to raise a case with the World Trade
Organization, or going public with what happened to shame perpetrators of
industrial espionage, he says.
Research by Christin and other academics has shown that chokepoints do
exist that could allow relatively simple legal action to neutralize cybercrime
operations. Christin and colleagues looked into scams that manipulate search
results to promote illicit pharmacies and concluded that most could be stopped
by clamping down on just a handful of services that redirect visitors from one
Web page to another. And researchers at the University of California, San
Diego, showed last year that income from most of the world’s spam passes
through just three banks. “The most effective intervention against spam would
be to shut down those banks, or introduce new regulation,” says Christin.
“These complex systems often have concentrated points on which you can focus
and make it very expensive to carry out these attacks.”
But Agarwal warns that even retribution within the law can be ill-judged:
“Imagine you’re a large company and accidentally swim into the path of the
Russian mafia. You can stir up a larger problem than you intended.”