Today’s security landscape is as populous as it is vast. From software firms and ISPs to researchers and consultants, new entrants bring tactics, solutions and perspectives to a space in constant flux.
Despite the tireless and heroic efforts of many, bad actors often seem to have the upper hand. Why, with all the concern and resources devoted to cybersecurity, is this the case?
It comes down to perspective. The majority of the security ecosystem is client-centric, concentrated on how fast security researchers can get mitigation to the end system, not on thwarting the threats themselves.
Unless we are willing to change how we perceive cyber threats and what resolution looks like, we will continue playing catch-up to an increasingly organized and sophisticated body of hackers.
The singular view of a multifaceted problem
While signatures for exploits tend to be released quickly, full remediation of end-system exposures takes far more time. It takes an average of four months to detect and mitigate security exposures:
- Malware is identified in the wild.
- It is observed and analyzed to determine if it is a variant of an existing exploit, or a brand-new exposure.
- A new signature is made available for clients to download and implement, at which point, the malware is finally blocked.
By this time, the bad actor has either evolved the exposure, or found a new one to exploit. And the cycle starts all over again.
Exploit and vulnerability selling has become one of the fastest growing segments on the black market. Zero-day and Half-day exposures are sold by the thousands and can give a bad actor as much as 8–12 months of undetected access.
The pandemic botnet is upon us and we are not prepared
Part of the lengthy cycle for mitigation stems from security vendors and researchers prioritizing peer-to-peer information sharing above sharing with the broader security community. Malware experts tend to talk to other malware experts; network folks tend to talk to other network folks. At least, that’s the case for many security issues. Meanwhile, bad actors are taking advantage of these communication gaps, searching for and obtaining end-system exploits they can act on faster than security professionals can remediate.
IoT devices carry a share of the blame, having introduced a complete paradigm shift in the security cycle. Most consumers rely entirely on endpoint protection for security, rather than a comprehensive approach that offers network protection, firewall protection and router controls. But there are no end security clients on IoT. There’s no antivirus, no anti-malware and no intrusion detection. Which means the handiwork of bad actors can reside on IoT devices far beyond the four-month average. In some cases, it lasts for as long as 12–18 months.
The extended timeframe affords bad actors the opportunity to better evolve their criminal enterprise networks, adding more complexity to botnets, refining how they sell access to them and maximizing their ability to extort money from victims with greater efficiency and scale.
Hackers are also growing more adept at organizing, leveraging extensive botnet infrastructure for profit and developing their methods to build better botnets. In other words, while the security ecosystem is busy treating the symptom, the disease is evolving, becoming stronger and more dangerous. The pandemic botnet is upon us and we are not prepared.
The benefit of split vision
We need a new approach. We cannot take our eyes off the end clients, but we cannot ignore the rest of the security landscape. We need both in our sights, concurrently. The way to do this is through live threat intelligence sharing across the industry.
Imagine your anti-virus, anti-malware, network intrusion detection systems, DDoS mitigation services, email systems, firewalls and your network all being alerted to a threat at the same time. Every layer of your security system would have the same dynamic awareness, leveraging their individual assets and strengths to protect against the threat and sharing information based on their specific vantage points back to the other layers.
Perhaps it seems far-fetched. But there are protocols available today that could be used to support this. One is DDoS Open Threat Signaling (DOTS), a standards-based approach that provides for real-time signaling of threat data that is designed to be shared across network companies, such as internet service providers (ISPs) and large enterprises. DOTS supports the definition, classification and mitigation of DDoS-related threats.
This means when a DDoS attack occurs, network providers can agree ahead of time, based on how attacks are classified, whether to keep an eye on it or to block it outright. DOTS can also be easily extended to provide more generic reputation information to block other threats, such as botnets, malware and phishing.
Another option is a combination of two efforts in use today: the Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII), as well as other standards-based approaches designed specifically to share cybersecurity situational awareness, threat intelligence and network defense data.
How we get there
First, we need vendors to agree to participate in real-time information sharing. There are a significant number of real-time reputation feeds available today from security vendors and members of the security research community. Yet these feeds need to be standardized and vendor solutions need to support the ability to collect and act on these feeds.
Often, security companies treat threat detection as intellectual property, hampering many threat sharing initiatives. We believe vendors can continue to differentiate themselves in their ability to uniquely detect threats and protect their customer base while still contributing to the broader ecosystem. In fact, security firms can protect their customers first, then send data into the reputation feed. The entire industry benefits and vendors can continue to compete in their respective spaces.
Second, we need to establish and implement rules for what we share, what actions we will take and how and when we will take them. When should threats be blocked versus observed? How do we agree on establishing a risk or reputation score for detected exposures? Without rules and clear guidelines how can we incentivize the community to prioritize the greater good?
Third, we need the ability to extend the intelligence we gather to the general public. This will allow for the incorporation of data into new capabilities and new solutions. Crowd-sourcing intelligence will support innovation, evolution and growth that will allow us to stay one evolutionary step ahead of the bad actors.
Finally, we need to solve the vulnerability reporting/disclosure paradox. We need a way for vendors to report known exposures that have not yet been prioritized for repair/patch or are in the process of being patched. Early knowledge will take a serious bite out of the “half day” trading network, giving others in the industry more time to develop capabilities to detect and block threats while the vendor is issuing a patch.
It takes an engaged community to protect the internet. While we all have a responsibility to play an active role, we cannot neglect the broader picture as we tend to our individual parts. The knowledge, the tools and the need are there. All that’s missing is the will. Let’s take this tip from our opponents: in collaboration and organization, we can find a new level of strength.