It’s that time of year again, when everyone comes out with their “best/worst” lists and predictions for the next year. These are usually fairly optimistic affairs because you can’t be in this business for any length of time and not retain some semblance of optimism (even if every moment of your workaday life has left you filled with cynicism).
Holding true to form however, I’m not going to leave you in a happy place this year.
Let’s face it: computer security, like war, is a bit of a racket. For all of the good intentions that exist amongst us, in the end nearly every decision made is a business decision. This is true both from the perspective of solution providers, who are all angling for that massive “enterprise” sale; as well as potential customers, who have been known to make buying decisions based on the hack-of-the-month. But what happens to that decision-making calculus when the victim of a hack can be made whole again for a fraction of the cost of an incident response? In the age of CryptoLocker, how soon before computer security industry collapses because crime not only pays, being a victim of crime makes more economic sense than spending for security?
Think about this for a minute: If I am a victim of CryptoLocker and if I act now, I can pay $300 to undo the mistake of clicking on a dodgy email attachment, and no one would be the wiser. $300 is about what a well-qualified computer forensics or incident response practitioner is going to charge – if you’re lucky – for one hour of their time.
…and as a reminder: no amount of forensics knowledge or skill will get you out of a CryptoLocker jam…
This last point is important. Our own experience dealing with CryptoLocker cases over the past few months drives it home: the genius behind CryptoLocker is that it is – whether intentionally designed that way or not – the best lesson in computer security economics ever.
Unfortunately, victims are not learning the lesson. Too many of them refuse to pay the ransom. Usually it is based on moral grounds, but absent current backups from which to restore your data, paying the ransom is your only option. I know of cases where people would rather let their businesses flirt with failure, or surrender supposedly “priceless” memories in the form of family pictures, rather than part with $300.
Think about the computer security industry today. What are some of the major themes it is promulgating?
- “increase attacker costs”
- “Active Defense”
- “Find evil”
- “Assumption of breach”
How are computer criminals responding?
For starters, committing computer crime is always going to be cheaper than fighting it. The bad guys cooperate. They don’t care about jurisdictions or inter-agency politics. They appreciate and understand the value of time and money. I have no idea how much it cost to develop CryptoLocker, but I think it is safe to say that the people behind it have probably made several orders of magnitude more than their initial investment.
Find evil? Every year the Verizon data breach report drives home the point that people are indeed finding evil…months after it’s landed.
Active Defense is not a bad idea, but who knows an organization – outside of the government – that actually wants to derive maximum value from an investment in Active Defense? If you’re going for attribution the end-goal should be some kind of legal or economic or political action. I’ve never dealt with a commercial concern that wanted to exercise that level of effort. They want the pain to stop, not to go to court.
Assumption of breach is probably the only thing that defenders are saying that makes sense, but what is being done about it? Back to the Verizon report: people aren’t just owned, they’re constantly owned. Our own experience supports Verizon’s findings, but customers keep making the same procurement decisions and vendors keep making the same “solutions.”
Here is the real problem going forward: what happens when the computer criminals decide to adopt the CryptoLocker model for all their activities? What am I talking about? I’m sure if we spent five minutes together we could come up with some better ideas, but here is what came off the top of my head:
- Wikiware. CryptoLocker in reverse. Pay me a minimal amount of money in a given time-frame or I’ll publish your sensitive or proprietary files online for everyone to see. Same problem as CryptoLocker: cops can’t help you, incident responders can’t help you, forensics can’t help you. Maybe it won’t be so bad because, you know, you can count on the good will and sense of fair play in your competitors…right?
- Creeperware. You’ve got selfies, you’ve got an…interesting…browser history, you’ve got a fetish (nothing wrong with that, you’re an adult). How much are you willing to pay to keep that out of the hands of your family? Friends? Employer?
- Mobware. Live in a country or community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door. Complicit in some kind of action that I find offensive or think you've gotten away with a crime? I’m going to go Steubenville on your ***.
In each of these cases the victim is faced with the same dilemma CryptoLocker victims face today, and again, no amount of security after-the-fact will help save the day.
What, if anything, is going to save us from the future this ghost of computer security past has revealed?
The one thing we all know we can count on is legislation. Legislation to combat computer crime isn’t going away, but it’s going to become increasingly useless in a practical sense. The CFAA is a pretty blunt instrument, or at least it’s used that way today. But any attempt to refine it or come up with a more granular approach is going to run straight up against the legal version of Moore’s Law, which is to say by the time a new, well-crafted bill against CryptoLocker-like activity becomes law, CryptoLocker activity will become obsolete. But legislation is something we know how to do, so it’s what we do, rather than come up with something else.
As long as insurance companies are going to write data breach policies, there will always be a demand for some level of security. But breach policies will be a lot more like health insurance policies: we’ll write you a policy if you’re old, fat, smoke, drink too much, and skydive five days a week and swim with sharks on the weekends…but we won’t offer much coverage and it will be expensive. As long as that price is less than a SOC-worth of hardware and a platoon of people with a lot of letters after their name, people will pay it.
Perhaps the more important question is: do we deserve to be saved? Are you doing anything novel? Are you doing anything different? Or are you doing things ‘the way they’ve always been done’ or because ‘that’s policy?’ Some of you don’t have much of a choice: you’re law enforcement officers and you have a protocol you have to follow or you’re not doing your job. Nothing wrong with that except that crime fighting is radically outpaced by actual crime.
To the extent that we’re a community, we need to think about developing and promulgating some new, sound ways of doing things if we’re going to remain relevant:
- Work at scale. In the U.S. we have the Marshals Service, which hunts fugitives. A lot of large police departments also have a fugitive squad. Normally they hunt people down one at a time, but every once in a while they hold a “stupid criminal contest” whereby they send a letter to the last known address of all the fugitives in their database telling them that they won a prize and come down to (innocuous office that is clearly not a police station) to collect. Of course the police are waiting behind closed doors because, surprisingly enough, some fugitives are dumb enough to show up. The digital world analog is botnet takedowns, which Microsoft and others have done. We need to do more at or near the same scale as the bad guys. That’s the only way you have any hope of raising attacker costs.
- Restoration, not Conviction. Most victims of computer crime don’t want to prosecute. They don’t want to involve Law Enforcement because cops get points for arrests and prosecutions; businesses get points for making money. I’m not saying one is better than the other, I’m saying tactics, techniques and procedures (and tools) need to start reflecting that reality. If you’re a cop and you have to be involved in a case and it has to be worked a certain way then by all means do your thing, but everyone else: are you really doing right by your customers if you are driving them towards a LE-approach when all they want you to do is to make the pain go away and get back to business? That may mean less revenue for you, but are you about security or are you about money? Which leads me to my last point…
- Retire a problem. You’ve heard the phrase: “if you’re so smart how come you’re not rich?” Well I have a variation on that phrase: “if you’re such an expert how come you haven’t solved something?” Now not every computer security problem can be solved, but there are problems that can be minimized or trivialized. Even if you could outright “solve” a computer security problem, what then? It’s not like we’re going to run out of them. There is nothing wrong with making a living, but there is also no shortage of opportunity as long as you don’t mind killing one cash cow in order to milk another.
Happy New Year everyone. ;-)