As low-hanging fruit runs out, cybercriminals are getting creative – and you must too

Why the Cisco Talos threat-hunting team is the best security consultant you’ve never met

Credit: Taken by Braue at the scene

Better software security has made vulnerabilities harder to exploit – but that, a Cisco threat-intelligence expert warns, hasn’t stopped cybercriminals from chalking up one victory after another as they refine malware and redouble their efforts to trick humans into installing it.

“Attackers are like everybody else in that they don’t want to do extra work,” Earl Carter, a threat researcher with Cisco Talos, told attendees at the Cybersecurity Innovation Day at this week’s Cisco Live! conference in Melbourne.

“The low-hanging fruit is getting harder to find, and the vulnerabilities that attackers can use to break into systems aren’t as easy to use as they were a few years ago. If I’m an attacker, I might need to put 2 to 3 vulnerabilities together to do what I could do 5 years ago with one vulnerability.”

Pushed to pursue alternatives, cybercriminals are a constant focus for Carter and his team within Cisco’s threat-intelligence arm, which blocked some 19.7 billion threats last year and monitors attack trends through analysis of a wealth of data collected through sources such as Cisco’s OpenDNS, queries through its Advanced Malware Protection (AMP) system, product telemetry, information from open-source communities, and internal vulnerability research.

Talos maintains internal teams focused on areas including threat intelligence; development of security engines used across Cisco’s products; research into malware detection; R&D and operations around vulnerabilities; liaising with open-source and security communities; and outreach with other parties across industry, academia and beyond.

This level of liaison was crucial given the complexity of today’s cybersecurity environment, and the mutually beneficial need to protect customers from all manner of threats, Carter said. As a result, Talos was regularly engaging with outside organisations and competitors to share information that could help shut down new threats across many different security platforms.

“At the end of the day, it’s a group effort,” he said. “Attackers share techniques all the time. They learn from each other, and keep evolving their game. If we don’t do the same, that becomes a big challenge for everyone.”

Internal capabilities in areas such as malware analysis and reverse engineering had helped the team become more effective at spotting suspicious activity as the paucity of easily exploitable vulnerabilities drives cybercriminals to refine their techniques – and Talos, by extension, forces the bad guys to innovate even more.

“We want to know what are the most sophisticated attacks these guys are throwing at our networks,” Carter explained. “We know if we can get those, we’re going to get the stuff in between as well.”

Continuous human intervention was crucial to spotting new methods of attack such as DNSpionage (https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html), which manipulated ubiquitous DNS servers to target “blind spots” that would help cybercriminals stay under the radar.

This sort of evasion had become fundamental to cybercriminals’ newly derived attacks, which were being delivered via macro-based and other types of malware installed by tricking humans into executing their code.

“We can take that attack and drive it out into your security solutions,” Carter said. “We can immediately start blocking those on all of our customers’ networks – so now that attack is no longer effective.”

Yet understanding and blocking cybercriminal activity was no longer just about picking out new attacks, Carter said: behavioural analysis was also important to understand cybercriminals’ goals – which can, in turn, help researchers better understand how much effort they need to put into stopping them.

“As we dig into our data even further, we can start finding the context around those attacks,” he said. “It’s important to know if an attack was driven by an ROI like financial gain: if someone is trying to target your network and they’re doing it for monetary reasons, they’re only going to go so far in trying to do that. If it becomes too difficult, it’s not worth their money anymore.”
