What do data protection experts rely on? Report from the International Cybersecurity Congress

The International Cybersecurity Congress was held in Moscow on June 20-21. By the end of the event, visitors could draw the following conclusions:

  • digital illiteracy is spreading both among users and among cybercriminals themselves;
  • the former keep falling for phishing, opening dangerous links, and bringing malware into corporate networks from personal smartphones;
  • among the latter there are more and more beginners chasing easy money without immersing themselves in the technology: they download a botnet on the dark web, set up the automation and watch the wallet balance;
  • defenders are left to rely on advanced analytics, without which it is very easy to miss a threat in the information noise.


The Congress was held at the World Trade Center. The choice of venue is explained by the fact that it is one of the few facilities with FSO approval for hosting events attended by the country's highest-ranking officials. Visitors to the Congress could hear speeches by Minister of Digital Development Konstantin Noskov, Head of the Central Bank Elvira Nabiullina and President of Sberbank German Gref. The international audience was represented by Aiden Wu, CEO of Huawei in Russia, Jürgen Storbeck, retired Director of Europol, Hans-Wilhelm Dünn, President of the German Cybersecurity Council, and other senior experts.

Is the patient more alive?

The organizers chose topics suitable both for general discussion and for practical presentations on technical issues. Artificial intelligence was mentioned in one way or another in most of the talks; to the speakers' credit, they themselves often admitted that in its current incarnation it is more of a "hype topic" than a genuinely working technology stack. At the same time, it is already hard to imagine protecting a large corporate infrastructure without machine learning and data science.

On average, an attack is detected three months after penetration into the infrastructure.

Signatures alone cannot stop the 300 new malware samples that appear on the Web every day (according to Kaspersky Lab). And it takes cybersecurity experts an average of three months to detect intruders on their network. In that time, attackers gain such a foothold in the infrastructure that they have to be evicted three or four times. The storage is cleaned up, and the malware returns through a vulnerable remote connection. Network security is tightened, and the criminals send an employee an email with a Trojan, supposedly from a long-time business partner whom they have also managed to compromise. And so on, until one side finally wins.

A and B built IB

On this basis, two parallel areas of information security are growing rapidly: ubiquitous control over the infrastructure based on cybersecurity centers (Security Operations Center, SOC), and detection of malicious activity through anomalous behavior. Many speakers, such as Trend Micro's VP for Asia Pacific, Middle East and Africa, Dhanya Thakkar, urged administrators to assume that they have already been breached, and not to dismiss suspicious events, however insignificant they may seem.

IBM on a typical SOC project: "First, the design of the future service model, then its implementation, and only then the deployment of the necessary technical systems."

Hence the growing popularity of SOCs, which cover every part of the infrastructure and report in time the sudden activity of some forgotten router. According to Gyorgy Racz, director of IBM Security Systems in Europe, the professional community has in recent years formed a clear idea of such control structures, realizing that security cannot be achieved by technical means alone. Today's SOCs bring a service model of information security into the company, allowing security systems to be integrated into existing processes.

With you my sword and my bow and my ax

Business operates under a shortage of personnel: the market needs about 2 million information security specialists. This is pushing companies towards an outsourcing model. Even a corporation's own specialists are often spun off into a separate legal entity; SberTech, Domodedovo Airport's own integrator and other examples come to mind here. If you are not a giant in your industry, you are more likely to turn to someone like IBM to help you build your own security team. At the same time, a significant part of the budget will go to restructuring processes so that information security can be launched in the format of corporate services.

The leak scandals at Facebook, Uber and the American credit bureau Equifax have raised IT protection to the level of boards of directors. As a result, the CISO has become a regular participant in board meetings, and instead of a technological approach to security, companies look at it through a business prism: evaluate profitability, reduce risks, hedge in advance. Countering cybercriminals is also taking on an economic dimension: the attack has to be made unprofitable so that the organization is simply of no interest to hackers.

There are nuances

None of these changes escaped the attackers, who redirected their efforts from corporations to private users. The figures speak for themselves: according to BI.ZONE, in 2017-2018 the losses of Russian banks from cyber attacks on their systems decreased more than tenfold. On the other hand, social engineering incidents at the same banks increased from 13% in 2014 to 79% in 2018.

Criminals found the weak link in the corporate security perimeter, and it turned out to be private users. When one of the speakers asked everyone who has dedicated anti-virus software on their smartphone to raise their hands, three out of several dozen people responded.

In 2018, private users were involved in every fifth security incident; 80% of attacks on banks were carried out using social engineering.

Modern users are spoiled by intuitive services that teach them to judge IT in terms of convenience. Security tools that add a couple of extra steps turn out to be a distraction. As a result, a secure service loses to a competitor with prettier buttons, and attachments to phishing emails are opened without a second thought. It is worth noting that the new generation does not show the digital literacy attributed to it: every year the victims of attacks are getting younger, and millennials' love of gadgets only widens the range of possible vulnerabilities.

Reach out to a person

Security tools today are fighting human laziness. Think about whether this file is worth opening. Do you really need to follow this link? Let the process sit in the sandbox for a while, and then reassess. Machine learning tools continuously collect data on user behavior in order to develop safe practices that do not cause unnecessary inconvenience.

But what can be done with a client who talks an anti-fraud specialist into allowing a suspicious transaction, even though he is told outright that the recipient's account has been seen in fraudulent transactions (a real case from BI.ZONE's practice)? How can users be protected from intruders who can fake a call from a bank?

Eight out of ten social engineering attacks are over the phone.

Phone calls are becoming the main channel of malicious social engineering: in 2018, the share of such attacks increased from 27% to 83%, far ahead of SMS, social networks and email. Criminals set up entire call centers to cold-call people with offers to make money on the stock exchange or to be paid for taking part in surveys. Many people find it difficult to assess information critically when they are pressed to make an immediate decision and promised an impressive reward for it.

The latest trend is loyalty program scams that strip the victim of miles accumulated over years, free liters of gasoline and other bonuses. A proven classic, the paid subscription to unnecessary mobile services, has not lost its relevance either. One of the talks gave the example of a user who lost 8 thousand rubles a day to such services. When asked why he was not worried about his constantly melting balance, the man replied that he put it all down to his provider's greed.

Non-Russian hackers

Mobile devices blur the line between attacks on private and corporate users. For example, an employee may be quietly looking for a new job. On the Internet he stumbles upon a resume-preparation service and downloads an application or a document template to his smartphone. This is how the attackers who launched the fake online resource end up on a personal gadget, from which they can move into the corporate network.

According to a speaker from Group-IB, this was the operation carried out by the advanced Lazarus group, which is referred to as a North Korean intelligence unit. They are among the most productive cybercriminals of recent years: they are behind the theft from the Central Bank of Bangladesh and from Taiwan's largest bank FEIB, attacks on the cryptocurrency industry and even on the Sony Pictures film company. APT groups (from the English "advanced persistent threat"), whose number has grown to several dozen in recent years, get into an infrastructure seriously and for the long term, having first studied all of its features and weaknesses. That is how they manage to find out about the job hunting of an employee who has access to the right information system.

Large organizations today are threatened by 100-120 especially dangerous cybergroups; one in five attacks companies in Russia.

Timur Biyachuev, head of the threat research department at Kaspersky Lab, put the number of the most formidable groups at 100-120 communities, out of several hundred in total today. About 20% of them threaten Russian companies. A significant proportion of the criminals, especially from the more recent groups, reside in Southeast Asia.

APT communities can create a software company specifically to cover their activities, or compromise the ASUS global update service to reach several hundred of their targets. Experts monitor these groups constantly, piecing together scattered fragments of evidence to establish the "corporate identity" of each of them. Such intelligence remains the best preventive weapon against cybercrime.

Whose will you be?

According to experts, criminals can easily change their tools and tactics, write new malware and discover new attack vectors. The same Lazarus placed Russian-language words in its code in one campaign in order to send the investigation down the wrong track. The behavioral pattern itself, however, is much harder to change, so experts can guess who carried out a given attack by its characteristic features. Here again they are helped by big data technologies and machine learning, which separate the wheat from the chaff in the information collected through monitoring.

The problem of attribution, that is, determining the identity of the attackers, was raised by the congress speakers more than once or twice. Both technological and legal issues are tied to this task. For example, do criminals fall under the protection of personal data legislation? Of course they do, which means that information about campaign organizers can only be shared in anonymized form. This imposes certain restrictions on data exchange within the professional information security community.

Schoolchildren and hooligans, the customers of underground hacker shops, also make incident investigation harder. The entry threshold for the cybercrime industry has dropped so far that the ranks of malicious actors tend to infinity; there is no counting them all.

Beautiful far away

It is easy to get discouraged at the thought of employees setting up a backdoor into the financial system with their own hands, but there are positive trends too. The growing popularity of open source increases the transparency of software and makes it easier to deal with malicious code injections. Data scientists are creating new algorithms that block unwanted actions when there are signs of malicious intent. Experts are trying to bring the mechanics of security systems closer to the way the human brain works, so that protective tools use intuition alongside empirical methods. Deep learning technologies allow such systems to evolve on their own using models of cyber attacks.

Skoltech: “Artificial intelligence is in vogue, and it’s good. In fact, it’s still a very long way to go, and it’s even better.”

Grigory Kabatyansky, adviser to the rector of the Skolkovo Institute of Science and Technology, reminded the audience that such developments cannot be called artificial intelligence. A real AI will be able not only to accept tasks from a person, but also to set them independently. Such systems, which will inevitably take their place among the shareholders of large corporations, are still several decades away.

In the meantime, humanity is working with machine learning technologies and neural networks, which academics started talking about back in the middle of the last century. Skoltech researchers apply predictive modeling to the Internet of Things, mobile networks and wireless communications, and medical and financial solutions. In some areas, advanced analytics is battling the threat of man-made disasters and network performance problems. In others, it suggests options for solving existing and hypothetical problems, for instance revealing hidden messages in seemingly harmless carriers.

Cat training

Igor Lyapunov, Vice President for Information Security at PJSC Rostelecom, sees the fundamental problem of machine learning in information security as the lack of training material for smart systems. A neural network can be taught to recognize a cat by showing it thousands of photos of the animal. Where can one get thousands of cyber attacks to use as examples?

Today's proto-AI helps to search for traces of criminals on the dark web and to analyze malware that has already been discovered. Anti-fraud, anti-money laundering and, in part, finding vulnerabilities in code can also be done by automated means. The rest can be attributed to the marketing projects of software developers, and this will not change in the next 5-10 years.

Source: habr.com