“We are seeing very tailored attacks targeted against very specific businesses”

Rik Ferguson, Trend Micro

Rik Ferguson is one of the biggest cybersecurity influencers in the world. He is the Vice President of Security Research at Trend Micro and has been involved in the information technology industry for over 25 years. He has witnessed the development of the cybersecurity sector over that time. He has constantly been on the lookout for how the latest infrastructure changes will impact security for both end-users and businesses. Rik has also been a Special Advisor to Europol’s European Cyber Crime Centre (EC3) and was inducted into the Infosecurity Hall of Fame in 2011. 

Rik was one of the key personalities at Cyber Security Nordic 2019 at Messukeskus, Helsinki. In an exclusive interview with Augustin Kurian of CISO MAG, Rik spoke about the emerging threat landscape, bot wars, corporate espionage and state-sponsored attacks, and the skill gap in cybersecurity, among several other things.

Briefly tell us a bit about what the impending threats are that are lurking in cyber space. How is the attack surface evolving?

I kind of touched on it in the presentation; criminals and attackers don’t innovate unless you force them to. And it is still too easy, far too easy, to break into an organization, to fly under the radar, to stay hidden, to steal information or steal access to resources on an ongoing basis. The average time that an attacker is in an organization before they even become aware of it is still the better part of a year–it’s like 170 days or something like that, according to the Verizon Data Breach report.

So, attack methodology isn’t going to change if the defender methodology doesn’t. There are still too many old vulnerabilities out there: operating systems, poorly configured servers, poorly configured clients, etc. So, the threats that you will continue to see on an ongoing basis are the threats that you have already been continuing to see.

A lot of the time we do see stuff being repurposed. Ransomware, for example, has been in decline for a year and a half, or two years; beginning of this year, we saw for the first time, an uptick in ransomware behavior, but it’s not targeted against individuals. Now, it’s very tailored attacks targeted against very specific businesses like government entities or healthcare providers or industrial victims.

It’s an old tool repurposed in a new way. So, that’s kind of what we must be on the lookout for. Take phishing for example. In the first half of this year, we saw a decline in the number of phishing websites that our customers were attempting to access, and obviously, we were blocking that. But we saw a significant increase in the number of those phishing websites that were Office 365 clones.

So, phishing is moving away from being a consumer-focused exercise to gathering corporate credentials. That’s what Office 365 is focused on. So, attackers are definitely at the moment, repurposing existing techniques and tools to more effectively target businesses because the profit per attack is much higher. If your victim is a business, you ask for a half a million ransom, if you’re a victim as an individual you ask for a US$50 ransom. That’s the difference.

Corporate espionage is on the rise and so is activity from state-sponsored actors. Which is the larger problem?

It’s a difficult question to answer because there is a significant crossover in attackers. It’s not very often you will see state entities subcontracting the online illegal activities to independent hackers. And that’s what I found interesting in a presentation specifically about Russia. A lot of the Russian military capability around cyber, was actually recruited directly from criminals.

And their problem is that they then expect these criminal recruits to stop being criminals while they’re now in the army, and that’s an unrealistic expectation to have. So, there is, and always has been a significant crossover between patriotic hackers and nation state employees. But I would argue that, from a victim perspective, victims of criminal attacks are far more than victims of nation sponsored attacks. It is much more numerous because the aims of a nationally aligned attack, whether it’s sponsored or not, are much more restrictive than the aims of a financially motivated attack. So, your potential victim pool is much smaller.

You have written and spoken several times about fake ransomware attacks on individuals. How can consumers safeguard themselves from such attacks?

Basically, sextortion is already a thing, and is primarily targeted at younger victims capturing footage of them that they would be ashamed of, and then threatening to publish that footage online if they don’t pay the attacker. And we have unfortunately seen people committing suicide because of those kinds of attacks. So, this is a threat with serious physical real-world consequences for individuals.

Even if the attackers don’t get what they need by spying on your computers, they resort to deepfakes to achieve that. All the attacker has to do is take the image or the likeness of that person from their social media accounts, and create a fake video using pre-existing phone footage or simply generated from nothing. Once the algorithms are capable of doing that kind of thing, you have no way to overcome the attacker other than to let the attacker extort you because the victims believe their friends aren’t going to care if it’s real or not.

One of the best ways to prevent it is through awareness. Education is one way, the more the general population is aware that this kind of fakery is a possibility the less the victim is going to feel threatened by the fact that people will believe it.

So, there should be general societal education of what those kinds of capabilities are. And like I said, as a security issue as well; we have to take into account the fact that attacks are going to evolve in this way. And we have to make sure that from a protection perspective we are capable of recognizing fakes as fakes.

How do we do that? That’s a question for product development to dig into right now. We have to, if we’re going to provide effective protection, take into account that the new threat model exists.

Another impending threat is the bot wars–machines fighting machines. With the evolution of AI and Machine Learning, bot wars are at a tremendous pace. Where do you think this new and super-dangerous attack vector is heading? And what can we do about it?

That is in the real world physical or kinetic weaponry. It’s a real concern. It doesn’t have to be machines fighting machines, it can be machines fighting people, which is even more horrific. We have to address that at an international level. We have to address that through bodies like the United Nations and that’s happening right now. The best that we can hope for is that societal acceptance or societal realization, that that kind of warfare is unacceptable. We have achieved it with other kinds of warfare, in general, the use of poison gas, the use of nuclear attacks on civilian populations. You know we have international norms in place that forbid these kinds of activities. And by and large, it’s successful. And if someone contravenes those agreements and those rules, then there are consequences. Bot wars are another thing that we need to add to that list. It must be controlled.

A major problem in the infosec industry is the skill gap. Inclusivity including gender diversity, racial diversity, and neurodiversity is usually pointed to as a leading strategy, but the problem remains. What are your ideas on fixing it?

It won’t go away, and we are going to fix it.

What we are attempting to address right now is a pipeline problem, in terms of having enough humans in the pipeline–gender diverse, racially diverse, neurodiverse. That’s great. Definitely, that needs to be done particularly addressing those diversity requirements, but we are addressing it by saying we need enough humans in the pipeline to be able to deal with the roles that are currently vacant. ISC2 estimates that there would be a lack of 1.8 million cybersecurity professionals. That’s an incredible number. But that number’s not going to go down, if we don’t address the data pipeline. There is more data being generated that needs to be dealt with from simply a security perspective, let alone anything else. We have to re-tool to be able to do the donkey work of that data. Because the amount of data is growing exponentially. So, we have to address not only the human part but also address how do we deal with that data pipeline as well.

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.

Augustin traveled to Finland on invitation of Business Finland and F-Secure to attend Cyber Security Nordic 2019 at Messukeskus, Helsinki.