What a great time to start thinking of travel – the weather is fairing up, June is here, and fortunately for me, I have a chance to take the driver seat again at another BlueHat conference! This time it’s in Brussels and I’m really looking forward to talking again about one of my favorite topics (eCrime – technology and business), as well as networking with the Microsoft gang and their European counterparts.
Talking about technology and business, dealing with computer security these days has never been more challenging than when looking at how a business should protect itself. In these days of proliferation of Web 2.0 applications, and on the other hand the relative standstill of the major security vendors in terms of innovation when it comes to mobile and dynamic code, the security gap is only widening. When a business takes the time to look at what kinds of threats it needs to deal with, and with the available precautions and protections it applies to these threats, the picture is pretty grim.
Nevertheless, just this step of mapping out the threats is probably more than what most businesses do (the common M.O. is unfortunately, “ignorance = bliss”). Having said that, there still are a lot of solutions available that can provide an answer to the gap that has been created between the threats and their security solutions, they just aren’t available yet from your common AV vendor who used to be the one to provide the all-encompassing anti-X miracle drug for your security issues.
Let’s take a closer look at both sides of the fence – the threats and the solutions required to counter them.
Threats first – as mentioned earlier, eCrime has become a major economic force to be reckoned with. The reason for the pervasiveness of this threat is the fact that eCrime has adopted businesslike operating models, and as such, ditched the older ad-hoc attack models employed by early attackers on the Internet. With an improved operational model, and a clear target in mind (ROI), the eCrime groups have managed to create a lively market for knowledge, tools and goods (e.g., stolen data that could be used for profit making). From there on, it was just a matter of time for such a mini-economy to grow and evolve a threat model that surpassed most countermeasures on the market. Especially in times when the common means of protection have been highly commoditized and were made available for the developers of the attacks for testing. This situation was a practical petri dish for technologies such as dynamic code obfuscation (huge during 2007 when it bypassed all AV tools), IFRAME injections (building on the notion of invisible layout elements with malicious code in them), malicious XSS (or cross-site scripting) in search engines, and attacking popular sites (based on the latest fad) to hit many potential victims. With a distribution network that is incentive based, and attack technology that is driven to stay one step ahead of the available protections, eCrime managed to position its Web threat as the most useful attack vector, bypassing the long time leader – e-mail. Having a huge victim pool to choose from, these eCrime groups have been highly focused and are still very regional in their operations – lending on the fact that financial fraud is essentially different from country to country. Last but not least, as the individual “consumer” targets have been commoditized by eCrime in the past 12 months (seen in the volume of raw consumer credit-card and bank accounts traded in the black market), businesses started to show up as the more lucrative issue. Still, with a decent potential for the more classic keylogging and banking threats, businesses also have assets that are highly prized by eCrime such as financial reports, documentation, correspondence, plans, etc… which have been proven to be a target that is sought after by competitors in the same market in which the business operates.
Having reviewed the threats the Internet presents us with today, let’s take a look at the solutions. Dealing with Internet threats has always been the task for two industries – the antivirus and the Web filtering (or categorization) vendors. Through a combination of both, a new market segment has been created to address the Web-borne threats – called “secure Web gateway” or SWG. Lending mostly upon the URL filtering vendors, this market has struggled to find the right mixture of old-technologies from the established vendors, and innovative approaches to address the problem. Vendors of the URL filtering solutions have been moving steadily in recent years to the realization that they are only applicable as a policy governing tools – focusing on productivity and acceptable use regulations inside a company. The antivirus vendors, on the other hand, have been steadfast on leveraging the same old technologies for dealing with executable threats and have been trying to extend the lifespan of such solutions as much as possible – with marginal success in light of the new more elaborate threats. The SWG market has grown several new technologies that deal with Web threats at the gateway in real-time – a requirement that is profound in a threat vector that is based on dynamic, ever-changing code that adapts itself to who is going to be exposed to it.
With the new SWG definition in place, eCrime seems to have finally met its match; although it would take time for a clear industry leadership to grow that would be based on the “right” solution. Businesses should then look for solution providers from the SWG market that put a premium on investing in forward-looking research, and products that provide the real-time gateway scanning that is adept to dealing with modern threats. Additionally, businesses should look for solutions that are more than just “the next AV,” but are also capable of dealing with new threats related to Web 2.0 application control, which is no longer supported by URL filtering because of the dynamic nature of Web sites, and the requirements by businesses to control functionality and not just access to specific sites.
Looking forward, Web 2.0 is not the real threat. It’s just a technology (or an “umbrella” for several technologies). The real “fun” begins when Web 2.0 technologies meet usability, and suddenly most of the functionality that has been usually the realm of an operating system is moving to the Web. The Web as the next OS is a concept that has been developing in labs over the past few years, and is starting to finally get traction in the real world with offerings such as offline Gmail, ZOHO applications (office applications on the Web, which are available offline as well), Adobe Air™ applications that are semi-installed locally, etc… This “browser-OS” is a new paradigm for which even the SWG market does not have a real answer yet, and a lot more research and innovations is still to come on that front.
Final words – not to leave with a bitter taste, one should note that the situation is not as direct as it seems. Software vendors are starting to realize that they are a part in this game as well, and are quickly adapting to the kinds of threats that have emerged. Even law enforcement is showing signs of learning and enabling themselves to cope with eCrime on the legislative side as more indictments are sought for eCriminals. Once these two worlds finally formalize their relationships (e.g., vendors and LE), after years of ad-hoc cooperation, eCrime will finally have a worthy adversary that would either force it out of business, or force it to change its business model. Taking into account that modern security research is also putting the business model in focus, that would mean that consumers and businesses will have much better means for dealing with eCrime than they ever had before.
-Iftach Ian Amit
[Editor’s note: Interested in more information about the BlueHat Security Forum, EU Edition? Take a look at Celene Temkin’s introduction on the MSRC Ecosystem Strategy Blog]