
The nature of cybercrime has changed. In the early days of personal computing, in the 1980s, malware such as the infamous Brain virus of 1986 spread on floppy disks; an infection stayed confined to the machines that had physically shared a disk and could be isolated and cleaned up. With the advent of the internet, cybercrime became a massively distributed phenomenon, and the methods of attack have since grown steadily more widespread and sophisticated. One particularly insidious aspect, and one that is difficult to counter, is how personal today's cyber threats have become.

The modern age of cybercrime: How our behavior is being used against us

Cybercrime only really came close to us once we started using email and the internet. The internet was an open book for cyber criminals. All they had to do was write an email, attach malware to it and send it out indiscriminately and en masse, often harvesting other people's address books to do so. It was a certainty that someone would open the attachment; the attachment then executed its code, and the infection was complete. Mass-mailing malware of this kind is exemplified by the "Melissa" macro virus of 1999, which mailed itself to the first fifty entries in each victim's Outlook address book. The weakness of this tactic is that it becomes obsolete fairly quickly. Humans learn. Over the years we have learned to distrust unsolicited email attachments, and mail providers have deployed effective spam and attachment filters. As a result, cyber criminals have had to step up their game.

The rules of the game have changed. The approach is now much more personal, because cyber criminals use "social engineering" as their weapon of choice. Social engineering turns our own behavior against us: it uses psychological pressure (urgency, authority, curiosity, helpfulness) to get us to do things we should not do, such as opening an attachment or clicking a link in an email we would otherwise treat with suspicion. This kind of behavioral manipulation is nothing new. Con artists have been practicing it since the dawn of history, so it is not surprising that cyber criminals have adopted it too.

Spear phishing is one of the most successful social engineering methods and has been the initial access vector in some of the most spectacular cyber attacks of recent years. Spear phishers use the same old tricks as the early mass mailers, but the effort now goes into the target. They first get to know their "audience": they observe which websites their targets trust, find out who their line managers are, and fabricate emails with the right logos, signatures and tone so that the message in the inbox looks as though it really came from the boss. Thanks to this personalization, spear phishing is very successful. Industry estimates put a spear phishing email at the start of around 91% of targeted attacks, with an open rate of about 70% compared with only about 3% for non-personalized mass phishing emails. Personalization works, and it makes it much harder to tell legitimate mail from fraudulent mail.

Fighting back with the same weapons

Just as cyber criminals have changed their tactics to target our behavior, we can apply the same methodology in defense: use our knowledge of expected behavior to detect and avert threats. Traditional security tools, call them "Security 1.0", are the signature-based antivirus and firewall approaches. We still need them, and many of their underlying architectures have been updated to address newer threats. But they do not go far enough when it is our own technology and our own habits that are being turned against us, on an ever larger attack surface and with ever cleverer tactics. The Advanced Persistent Threat (APT), a long-running targeted intrusion that stays hidden inside a network, is the clearest example.

An APT wears a cloak of invisibility, so to speak. It is designed to operate in secret and often remains in a network for months. Once a foothold is established, the attackers use command-and-control (C&C) communication to issue instructions to the malware and to update it. C&C traffic is hard to detect because it is built to blend in with normal internet traffic, for example as HTTPS requests to innocuous-looking domains, so it stays hidden from conventional tools such as antivirus programs. APTs are a real bane for organizations and have become a popular way of "siphoning" data over time. A recent example is the Carbanak campaign, which hit up to 100 banks and is estimated to have netted the attackers around 1 billion US dollars; the malware was initially installed via spear phishing emails. Next generation security tools, "Security 2.0", take a much more sophisticated approach to such stealth attacks, which ultimately rest on manipulating behavior. These new tools use behavioral analysis.
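One way behavioral analysis of traffic exposes a C&C channel whose individual requests look like ordinary web traffic is to look at timing rather than content: an implant tends to check in with its server at a fixed interval, while human browsing is bursty and irregular. The Python below is an added example, not code from the original article or from any product it mentions. It builds a per-(source, destination) interval profile from a constructed connection log and flags pairs whose intervals are too regular; the host names, the address 203.0.113.10, the thresholds `min_hits` and `max_cv`, and the allowlist of known polling destinations are assumptions for illustration.

```python
"""Beaconing detection: flag (source, destination) pairs whose contact
intervals are too regular to be human browsing."""
import statistics
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample connection log: (epoch seconds, source host, destination).
# These are made-up records for the example, not captured traffic.
_HUMAN = [(t, "ws-17", "news.example") for t in (0, 37, 41, 600, 1290, 1301, 2400, 3000)]
_HUMAN += [(t, "ws-17", "docs.example") for t in (120, 125, 2900)]
# A legitimate hourly update check: perfectly regular, so it looks like a beacon.
_UPDATER = [(3600 * i, "ws-17", "update.example") for i in range(6)]
# A C&C beacon: every 300 s plus a little jitter, to an address never seen before.
_JITTER = [0, 2, -1, 1, -2, 0, 3, -1, 0, 1]
_BEACON = [(100 + 300 * i + j, "ws-17", "203.0.113.10") for i, j in enumerate(_JITTER)]
SAMPLE_CONNECTIONS = _HUMAN + _UPDATER + _BEACON


def interval_profile(timestamps: List[int]) -> Optional[Tuple[float, float, float]]:
    """Return (mean gap, std dev, coefficient of variation) for a series of contacts,
    or None when there are too few contacts to measure regularity."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    stdev = statistics.pstdev(gaps)
    cv = stdev / mean if mean > 0 else float("inf")
    return mean, stdev, cv


def find_beacons(connections, min_hits: int = 6, max_cv: float = 0.1,
                 known_destinations: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Group connections per (src, dst) and report pairs whose check-ins are regular.
    Destinations in known_destinations (legitimate pollers) are skipped."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for t, src, dst in connections:
        by_pair[(src, dst)].append(t)
    findings = []
    for (src, dst), ts in by_pair.items():
        if dst in known_destinations or len(ts) < min_hits:
            continue
        profile = interval_profile(ts)
        if profile is None:
            continue
        mean, stdev, cv = profile
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(ts),
                             "mean_gap": round(mean, 1), "cv": round(cv, 4)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_CONNECTIONS, known_destinations=frozenset({"update.example"})):
        print(finding)
```

Without the allowlist the hourly updater is reported too, which is the usual false-positive source for this technique, and it is why the destination baseline from profile analysis matters. Attackers who know the detector exists randomize their sleep interval, so in practice the `max_cv` threshold is tuned per environment and the timing score is combined with other signals (a never-seen destination, a fixed request size, an odd user agent).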

But what exactly does behavioral analysis mean in the context of security? Behavioral analysis builds profiles of known behavior and expected usage patterns and then watches for anomalies or deviations from them. Such deviations can indicate an impending cyber attack or an infection already under way.

Depending on the product used, various methods are available for behavioral analysis. These include:

  1. Security information and threat knowledge. The security industry has extensive knowledge of the predominant types of attack and of the mechanisms by which they are triggered. Security vendors compile profiles of attack vectors and malware families, and these profiles are used to anticipate an attacker's next step and to detect known threats.
  2. Profile analysis. To recognize a change in behavior you must first understand the behavior, so behavioral analysis starts by modeling normal usage patterns. A simple example, known as credential behavioral monitoring, is to treat a login attempt differently when it looks like a brute-force (exhaustion) attack or originates from an unusual location. Instead of locking the account, which is annoying for the user and lets an attacker cause a denial of service (DoS) simply by failing logins on purpose, a user who is probably genuine is asked for additional proof of identity, for example personal control questions (a second authentication factor is the stronger choice); if the check passes, the user can log in. Another example is the analysis of a specific action, say a database query: malware extracting data produces a query and data-volume profile quite unlike that of a human.
  3. Monitoring, analysis and detection. This covers the basic behavioral expectation for a network: knowing what is normal here, for instance which sites are trusted, how files are normally accessed, and what kinds of access servers and external sites normally see. Profile analysis provides the baseline against which monitoring detects potential cyber attacks. Traffic behavior is an especially rich source of information and allows early detection of deviations (anomalies); it is also useful in defending against botnets, whose command-and-control traffic is otherwise difficult to detect.
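The credential behavioral monitoring described under profile analysis, written out in Python as an added example rather than code from the article or any product it mentions. It learns a per-user profile (the countries the user has successfully logged in from) from a constructed login history, counts recent failures to spot a brute-force burst, and answers allow, challenge, throttle or deny. A genuine user caught by either signal is sent to a step-up check rather than locked out, and an attacker who is still failing during a burst is throttled, so failed logins cannot be used to deny service to the real user. The user name, the country labels, the 300-second window and the threshold of 5 failures are assumptions for illustration.

```python
"""Credential behavioral monitoring: decide allow / challenge / throttle / deny
for a login attempt from the user's own history instead of a blanket lockout."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class AuthEvent:
    user: str
    time: int            # epoch seconds
    country: str         # constructed geo label; a real system derives it from the source IP
    credential_ok: bool  # whether the password check passed, as reported by the authenticator


@dataclass
class Profile:
    usual_countries: Set[str] = field(default_factory=set)
    successful_logins: int = 0


def build_profile(history: List[AuthEvent], user: str) -> Profile:
    """Learn what 'normal' looks like for this user from past successful logins only."""
    profile = Profile()
    for ev in history:
        if ev.user == user and ev.credential_ok:
            profile.usual_countries.add(ev.country)
            profile.successful_logins += 1
    return profile


def recent_failures(history: List[AuthEvent], user: str, now: int, window: int) -> int:
    """Failed attempts for the user in the window ending at 'now' (the brute-force signal)."""
    return sum(1 for ev in history
               if ev.user == user and not ev.credential_ok and now - window <= ev.time < now)


def assess_login(history: List[AuthEvent], attempt: AuthEvent,
                 window: int = 300, max_failures: int = 5) -> Dict:
    """Score one login attempt against the user's baseline and return a decision."""
    profile = build_profile(history, attempt.user)
    failures = recent_failures(history, attempt.user, attempt.time, window)
    signals = []
    if failures >= max_failures:
        signals.append("burst_failures")
    # Compare against the baseline only once there is one; a brand-new account has no "usual" place yet.
    if profile.successful_logins and attempt.country not in profile.usual_countries:
        signals.append("unusual_location")

    if not attempt.credential_ok:
        # Wrong password: slow the source down during a burst, but never lock the account.
        decision = "throttle" if "burst_failures" in signals else "deny"
    elif signals:
        # Right password but anomalous context: step-up check (control questions or,
        # better, a second factor) instead of a block.
        decision = "challenge"
    else:
        decision = "allow"
    return {"decision": decision, "signals": signals, "recent_failures": failures}


# Constructed history for user "alice": routine logins from DE on three separate days,
# one mistyped password, then a burst of six failures from an unfamiliar country.
BASE_HISTORY = [
    AuthEvent("alice", 1_000, "DE", True),
    AuthEvent("alice", 90_000, "DE", True),
    AuthEvent("alice", 90_100, "DE", False),
    AuthEvent("alice", 180_000, "DE", True),
]
BURST_HISTORY = BASE_HISTORY + [AuthEvent("alice", 200_000 + 30 * i, "XX", False) for i in range(6)]


if __name__ == "__main__":
    print(assess_login(BASE_HISTORY, AuthEvent("alice", 190_000, "DE", True)))    # allow
    print(assess_login(BASE_HISTORY, AuthEvent("alice", 190_000, "BR", True)))    # challenge
    print(assess_login(BURST_HISTORY, AuthEvent("alice", 200_170, "DE", True)))   # challenge
    print(assess_login(BURST_HISTORY, AuthEvent("alice", 200_170, "XX", False)))  # throttle
```

The profile is built from successful logins only, so an attacker's failed attempts from a new country never teach the system that the country is "usual". A production system would persist the profile rather than rebuild it per attempt, would key the failure count by source address as well as by user, and would apply the throttle as an increasing delay on the source rather than on the account, which is what keeps the real user reachable during an attack.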

Does behavioral analysis also help against cybercrime?

As in any arms race, each side has to keep escalating to win the next round, and cybercrime is no different. As we build sophisticated tools like behavioral analysis to counter social engineering and stealthy malware, cyber criminals in turn build malware whose use of the system looks like normal human behavior. For now, behavioral analysis gives us a more intelligent and deliberate way of dealing with complex cyber attacks. Combined with traditional security tools and web security mitigations, it forms an important part of our new security arsenal. But we should never become complacent: the next big attack technique is just around the corner, perhaps this time in the form of gamification that lures us into triggering our own malware infection.