Hackers set the pace in security

Kevin Townsend 11 Sep 2019

Criminals get a head start, but we can chase them down with laws, industry tools, and consumer protection

In cybersecurity, the bad guys almost always have a head start on the good guys. There are several reasons for this, but basically security is fundamentally reactive, and there is asymmetry in the battle.

Firstly, security reacts to stop attacks and plug the gaps so they cannot reoccur. But security does not know how or where or with what the next attack will occur. Security companies are continuously trying to second-guess future attacks to make them harder for the criminals, but attacks are unknown quantities until they happen. By the time people, businesses and security firms have come to terms with one type of attack, the criminals have moved on to a new modus operandi.

Secondly, there is asymmetry between attackers and defenders. Every computer is faced with thousands of criminals and criminal groups, ranging from elite nation-state hackers to organized crime to wannabe hackers using crime-as-a-service hired tools. The defender must beat every one of the attackers, while only one attacker needs to beat the defender.

Attacker’s tools

There are three primary tools that assist the attacker: zero-day vulnerabilities, the dark web, and the optimism bias.

Zero-days: All software has bugs. Bugs often translate into vulnerabilities. A zero-day vulnerability is one that has been found but not yet patched (fixed) by the vendor.

Criminals find and exploit zero-day vulnerabilities. There is no defense against a zero-day attack beyond detecting the attack and mitigating it as quickly as possible after it has happened.

The dark web: The dark web is a criminal playground. It is called “dark” because it cannot be accessed via standard browsers, and therefore cannot be easily seen. It is augmented by end-to-end encrypted chats between criminals, and buyers and sellers of criminal cyber assets.

Criminals share and sell information on the dark web. This ranges from hacking tutorials to malware to access to systems. It includes millions of stolen user credentials (so it's worth checking to see if your own credentials are included).

The optimism bias: The optimism bias is thought to be a biological survival instinct. It’s what makes us believe that, although bad things happen, they won’t happen to us. In times of conflict, it enables individuals to become heroes against the odds. In times of peace, it leads to a false sense of security which, in turn, leads to laziness.

Although we know that there are thousands of hackers hacking into computers everywhere, every day, we don’t think they’ll target us. And even if they do, they won’t get in. The optimism bias leads us to believe we don’t need to take any special steps to protect ourselves – so we tend not to. 

Redressing the balance

While we may never prevent the incidence of successful attacks, at home or in business, we can and must limit their success. We have three weapons: legislative regulations, mitigations through the security industry, and our own preparedness and incident response.

Legislation: The primary purpose of legislative and organizational regulation is to force businesses to counter the optimism bias and properly defend their systems.

A secondary – and, it must be said, not very successful – purpose is to punish cybercriminals who get caught as a deterrent to others.

This is augmented by the good advice that comes from security firms like Avast, and from government organizations. These offer best practice strategies on how to make the attackers' task more difficult.

Security industry: The security industry exists to protect computers and computer systems. While it is nearly impossible for it to get ahead of the attackers, it does a very good job at staying close behind. As soon as a new attack is detected in one place, the industry develops defenses to prevent it happening elsewhere. For that reason, it is important to use available security tools, and to make sure they are always up to date.

Artificial intelligence is part of security’s future, but supervised machine learning is still ultimately following the existing behavior of the attacker. True AI, in the form of neural networks designed to behave like the human brain, are being developed. This could lead to defenses “thinking” in the same way as the attackers think, and consequently blocking attacks before they even occur.

Incident response: Incident response is a relatively new concept based on the acceptance that you cannot prevent being hacked. Since you cannot stop it (although this doesn't mean you shouldn’t try), you have to detect an attack as early as possible, and take the necessary steps to contain it and eliminate it.

Business has multiple options to achieve this, from network behavioral analysis for detection, to privileged credential management and segmentation to contain it.

Home computers must largely rely on their anti-malware defenses to detect and block malicious activity. The best ones, such as Avast, are very good at this – but others are not foolproof. Consider a new ransomware introduced via a zero-day vulnerability – here the damage is done before it can be stopped.

For malware such as ransomware, incident response has a slightly different meaning. The key is in being prepared for it to happen, which means having backups of all important and sensitive files stored, preferably offline.

Fighting back

So, if we cannot stop the hackers, does that mean there's no point in trying? Absolutely not. If we don't do everything we can to protect our computers, there would be many more victims. The question is, what can we do?

A good principle to start from is to follow the old physical policing concept of crime prevention through environmental design. The principle was developed for new building design. If you design a building that is difficult for burglars to break into, they won't even try – they'll simply move on to an easier target.

The same applies to computers and computer systems – make it hard and costly for the attacker so that his return on investment in attacking you is so low that it is not worth his time. It doesn't always work with high value business targets that are attacked by highly resourced nation-state or criminal gangs, but it almost always works with opportunistic attackers. Most home computer attackers fall into this category.

You have two primary weapons at your disposal: security tools and your own behavior. The tools are important because of the effort put in by security firms to keep up with the attackers. While they can never guarantee to protect everything all the time, they will stop the vast majority of attacks. We have already described the most important of these tools in the post, The Eight Essentials of Secure Computing. Start with good, mainstream anti-malware.

But there are no tools to protect you against your own behavior. This is where the optimism bias is at its most dangerous. If you let down your guard because you don't think you are a target, just clicking on one malicious link can be all it takes.

This involves an understanding of all your connected devices – any one of which could provide an entry point for hackers – and an awareness of how you might be attacked.

The evolution of the smart home is introducing a multitude of connected devices. Anything that communicates with the internet can be hacked via the internet – and anything that is controlled via an app can be hacked via the app. The difficulty here is that we don’t think of Alexa or even our smart fridge as potential entry-points for hackers – but they are, and they need to be defended. We looked at the danger from smart devices here.

Beyond using security tools to defend our computers, we also need to avoid our own careless behaviors. Phishing is, and is likely to remain, the primary root cause behind many hacks. Criminals are expert social engineers and excellent at persuading us to click malicious links or open malicious attachments. No security tool can stop an attack that we invite onto our computers.

This needs self-discipline to stop and think before any click. 

We’re not going to stop hackers or prevent hacking. The attackers will always get a head start. But if we are properly prepared and in the right position, we can stay so close behind that their opportunity to get into our own computers and phones is minimized.

The Avast Blog’s Viewpoint articles represent the opinions of the authors, and do not necessarily reflect company views.

--> -->