Incident Response, Malware, Phishing, TDR, Threat Management

The new breed of attackers


The time is ripe for open dialogue around teaching trust, says RSA Conference's Hugh Thompson.

Buy Cheap Viagra now!

Ah, the good old days of phishing. There was once a time when princes shared inheritances, when wholesalers made promises of discounted herbal enhancements, and when everybody was an occasional winner of a foreign lottery they never remembered entering. Life was pretty good.

Today phishing emails are a bit different. Less sensational, unmemorable and, in a word, boring. They ask us to review a spreadsheet, install a browser plugin for a new document type the company is rolling out, or just ask us to email our credentials off so that IT can check to see if someone has broken into our account (if you hit reply on this one, the answer is “yes”). These dull phishing emails are starting to look just like the dull but legitimate work emails that we receive every day. And therein lies the problem.

Phishing emails are getting personalized, adaptive and virtually indistinguishable from legitimate email. This is why the security industry is now in serious trouble – we've bet the farm on the ability of our employees and users to make fine-grained trust choices.

Let's take a look at one of the most infamous hacks of 2011 – where the group Anonymous broke into the security firm HBGary. According to accounts, they were able to access the company's email server using a technical attack, but hit a wall (a firewall to be specific) when they tried to get remote root access to a server that hosts, a popular site devoted to the subject of rootkits that was founded by Greg Hoglund, HBGary's CEO.

After a few back and forths, the administrator dropped defenses and created a remote access doorway for attackers to walk through. There's good reason that the rootkit administrator fell for it. It was sent from Hoglund's real email account. It used the same phrasing Hoglund typically uses. It also included “convincers” – old and current passwords gleaned from the technical attack to add an extra layer of believability. The truth is, the communication was incredibly convincing and it gets to the heart of our current security dilemma: How can we help people make good trust decisions?

“It is time for us to come together and get creative...”

Trust, it turns out, is difficult to define. The old indicators of a phish, like terrible misspellings or demand for your Social Security number, are giving way to personalized or contextually believable emails. The availability of information online about employees and companies makes it easier than ever to identify at-risk employees, create compelling and tailored phishing attacks, and then take residence on an internal network. Even if an email isn't signed or doesn't come from an address in the corporate domain, the addition of a phrase like, “The VPN was down so I'm sending this from my Gmail account,” can make many emails plausible.

As an industry, it is time for us to come together and get creative at solving one of the most under-addressed issues in information security: good intentioned but overly trusting insiders. It won't just be a technical solution, but it'll require us to re-examine the process of how people make trust choices. It's a theme that you'll see gain more attention from sessions at industry-wide events and small dinners among security professionals. In my own discussions with friends and colleagues, some enterprises have been thinking about these problems for a long time and deploying educational or technical safety net solutions with varied levels of success. We need to be more open as an industry in talking about what works and what doesn't – and then drive innovation. The past few months of attacks have told us that we can't defer real, industry-wide progress on this issue much longer.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.