Navigating the New Cybercrime Threatscape, Part 3

Part 1 of this series discusses the history of cybercrime. Part 2 looks into common varieties of malware currently found in the wild.

With the constantly evolving Internet security threatscape, simply keeping track of the latest threats, let alone arming oneself against them, can seem overwhelming.

While there are seemingly limitless best practices in regard to cybersecurity, below are several that should help reduce the likelihood of becoming a victim of cybercrime.

The OODA Loop

As stated in previous entries in this series, cybercriminals have typically held the inside edge in the race between cybercrime and cybersecurity. One of the strategies with the potential to change this losing streak is called “OODA” — Observe, Orient, Decide and Act. This acronym describes a revolutionary concept created by U.S. Air Force Colonel John Boyd in the early 1960s.

Colonel Boyd observed that when two adversarial forces are maneuvering, there is a tendency for one side to be constantly outmaneuvered. One side is deciding and acting before the other side can make a move. When one party gets locked into only Observe/Orient and is unable to Decide and Act, they are at the complete and utter mercy of the other party.

OODA’s roots go back to the Vietnam War. The challenge was that too many American pilots were becoming casualties of poor air-to-air tactics against the smaller, more agile, and significantly less costly Russian MiG aircraft. When the U.S. Navy instituted TOPGUN to combat the MiG exchange ratio, its educational effort showed dramatic results. The exchange ratio increased nearly three times from just under 4:1 to 13:1, according to Benjamin Lambeth’s The Transformation of American Airpower.

It’s not a stretch to take these lessons learned in the air and transfer them to a different kind of battle — the one against cybercrime. First, let’s compare cybercrime and its victims to the scenario Colonel Boyd faced. Cybercriminals are inside corporate OODA loops every time they steal data. They are inside consumers’ OODA loops every time an online scam or phishing attempt works. Cybercriminals are global and often well-organized, though their organizations tend to be smaller and more maneuverable than most corporations. Additionally, some criminals are sheltered by certain countries’ policies and laws, or lack thereof. Their thefts fuel their home country’s economy, and they aren’t prosecuted if the crime is beyond the border. Combined, all of these factors allow cybercriminals to gain an advantage and outmaneuver their victims.

Just as TOPGUN education provided better decision-making skills for Navy pilots, you increase your resistance by becoming more aware of the real-world threats we face. Successful businesses employ OODA loop tactics against their competition. They are quicker off the start and are constantly crushing the market. With cybercrime, that’s where we all want to be, and hopefully some of you are there right now.

Antivirus Protection

If you compare where antivirus technology was with where it is today, you can see that the industry has grown and changed tremendously. In the past, there were static signatures, which were somewhat easy to defeat over time and which opened a “window of vulnerability” — the time from when an exploit was discovered to when a signature was created and globally distributed. Following static signatures came the heuristic analysis of applications. In the past, this method had been plagued with a high number of false positives (which can be as time-consuming and disruptive as having real malware on a system).

Fast-forward to today: Leveraging active/passive heuristics and static signatures for exceedingly high performance and detection with very low false-positive rates has proven to be a very successful combination. This is the best of both worlds and is able to scale with the ever-increasing prevalence of malware creation and distribution. Even with a technology such as whitelisting, there are pros and cons, and its implementation will have to be evaluated for a particular organization’s model. Whitelisting, while requiring fewer updates than traditional antivirus signatures, requires constant maintenance and querying of an ever-growing database of “allowed” applications, as well as their patches, updates and hotfixes, transferring the burden of analysis from antivirus companies’ malware researchers to system administrators. Once an application is determined to be legitimate, it is allowed to run on the host system. If the application in question is, instead, malicious, then effective (active) heuristic analysis will be able to determine the application’s intentions and flag it as malicious.

The Future of Antivirus

What we are seeing today is the convergence of several solutions into comprehensive security packages that address multiple security issues — including malware. Security/antivirus has historically been an afterthought in the development of applications and operating systems.

Today, application and operating system vendors are taking a more active role in securing their products — but we still have quite a distance to travel. With the number of mergers and acquisitions among antivirus vendors over the last few years, one can clearly watch the antivirus landscape morph into different models and meta-solutions. I see antivirus not as dead or dying, but as changing to meet threats from vectors that were not viable at the beginning of the antivirus industry.

Best Practices

While none are a panacea for every cybercrime woe, there are some easy rules to follow to help ensure a good layer of online protection.

  • Use strong passwords. It’s a lot harder for a criminal to steal your information if they can’t get through the front door.
  • Keep systems updated and patched. This pertains to applications as well as operating systems and security software.
  • Become aware that risk from Internet-connected machines will never be 0%. The realistic goal is to reduce the risk to an acceptable level.
  • If you are sent a link or attachment (via email, instant message and so forth), verify it with the sending party. It takes a moment to check — but it may take hours or days to clean an infected system.
  • Use a residential broadband gateway router between your computer and your broadband provider’s modem to break the direct link the Internet has to your home computer.
  • Periodically test your backups by restoring them.

While most of the above practices can also be applied to business computing, because of the increased number of people involved (and therefore decreased security), there are additional guidelines for businesses:

  • Simplify security for the end users. The more complex it is, the less inclined users are to use it.
  • Keep systems updated (patched). This includes applications as well as operating systems.
  • Partner with the government and academia.
  • Educate end users, and make this an ongoing process.
  • Inventory assets. Know what’s on your network.
  • Use business assets for business only. By doing this in conjunction with an effective policy (and enforcement), the risk level can be reduced dramatically.
  • Run network audits regularly (log files, anomalous traffic, etc.).
  • Hire a security firm to help secure your business.

With this basic outline in place, next week’s piece, the final one of the series, will look to what resources are available to guide you along the path to a safer online existence.


Jeff Debrosse is the North American research director at ESET

3 Comments

  • "From its beginnings in 1978, spam messages, which began as mass mailings with the common goal of advertising.."

    You’re kidding me, right? Email was not available for mass consumption until the early to mid-90’s.

    SMTP wasn’t developed until the early 80’s. The only ’email’ available in 1978 was MAIL and MLFL, which were FTP based (RFC 385). Exactly what ‘mailboxes’ could email be sent to, in mass quantities, in 1978?

  • I’m always delighted to see John Boyd’s ideas percolating into other fields, since I’m writing my dissertation on how his theories would apply to counter-insurgency. Note that the OODA Loop is both older and newer than you suggest. Boyd was a fighter pilot in the Korean War, though he came to it too late to become a shooter, let alone an ace. His later studies of fighter-plane performance proved that the American F-86 was inferior in almost every respect to the Russian-built MiG-15, EXCEPT THAT the Sabre had fully hydraulic controls, enabling its pilot to transition faster from one maneuver to another, and thus, eventually, to get on the tail of the MiG. This was the germ of Boyd’s eventual theory of ‘fast transients’ – the notion that tempo was the most important element in combat.

    In time this insight became the OODA Loop that you describe, but it was actually around 1982 that Boyd actually came up with the formal, four-step process of Observation > Orientation > Decision > Action. So it was the work of his professional lifetime, and he kept refining it almost until the day he died. Blue skies! — Dan Ford
