RE: You’ve Been Warned Big Business. Ransomware is Coming for You!

in #security, 8 years ago

As threats continue to mount, how can businesses ignore what is coming? Seriously, the Petya and WannaCry malware impacted large organizations and important public services (like hospitals). Cybercriminals are becoming very bold. I see no end in sight to this trend.

It's the automation threat that I fear most. It's not impossible to imagine that some computer genius or perhaps a state-sponsored entity could create a completely autonomous ransomware threat. Even if all the money gathered were given away to random people in a lottery, it would be just as threatening to businesses.

So it's not so much that the focus has to be on "cybercriminals" in the traditional sense because the criminal could be the AI itself and the writers of the software could be anonymous or worse could be an intelligence agency deliberately creating an unstoppable weapon.

Governments are going to continue funding these unstoppable weapons and if there is a leak then those techniques can be used for any purpose by any entity. While decentralization is great in some ways, it also introduces risk in other ways. It makes attribution nearly impossible, and automation removes the human element. The humans might only exist on the edges and the profit from Ransom networks might be funneled into legitimate areas in entirely automated fashion as well, and how would we stop that?

Yes, AI is coming to the world of cybersecurity. We are already seeing it being used on both sides to a limited extent. It is what we will all be talking about in the next few years. It holds unimaginable risks and opportunities!

Attribution has and will always be a problem, unless you are meeting someone you know face-to-face. It is especially difficult when trading bits/bytes over networks never designed for security (everything has been bolted on to the Internet). But that does not mean all is lost. This is a chess game. There are limitations and each side can maneuver. Don't discount what will be possible in the future. I don't ever expect a total 'win' by either side, but the game will get more intense and there are so many surprises ahead. It will be a bumpy and exciting ride!

Businesses learn when it hits their bottom line or customers shift to competitors. It is coming. People's expectations around security, privacy, and safety are evolving and becoming less tolerant of insecure service and product providers. Change is in the wind. Those businesses who adapt early will have an advantage.

Adapting is going to be very hard because the rate of change is increasing beyond where the human brain can keep up. Yes, we can use simulations, we can model, but the defense is centralized while the offensive is decentralized, and the knowledge on the defense is locked up in silos and not shared.

Yet the offensive is sharing the knowledge almost immediately. So once one group invents a new kind of Ransomware the code is almost always shared or it's reverse engineered. The defenses against it also aren't so easy to automate compared to the offense. From what I can see it's easy to automate the attacks, the weapons, and the weapons themselves can learn and evolve. The defense I suppose we can assume is not going to be able to keep up and so how can disaster recovery be robust enough so that when a company is successfully attacked it isn't completely bankrupted?

If absolute security is assumed impossible and companies admit the defensive capabilities are limited then companies can figure out ways to reduce the costs of defense and recovery. Lower cost defense and recovery I think is the best case win because I don't see the defense completely stopping Ransomware or rendering it completely ineffective for similar reasons social engineering cannot be rendered completely ineffective.

Outstanding insights (you have spent some time understanding the landscape, I am impressed!)

So a few thoughts to build on what you are saying....

Yes, the offense (attackers) are traditionally much better at sharing and collaborating. But two factors are shifting the equation a little bit. First, defenders are starting (yes, just starting) to share and collaborate more. For example, look at nomoreransom.com, where top security competitors are working together to publish free anti-ransomware recovery tools. Second, we will see the emerging top-tier threats, nation-state players, have more of a role in cyber attacks, and they traditionally DON'T like to share their toys. That puts downward pressure on collaboration by the most well-funded offensive attackers.

Offense and Defense are becoming more automated. That is just the nature of cyber. We will all be talking about AI attacks/defense in the next few years as it will be the pivotal area of research. Tech is just the tool. Those who find a way to use the tools first and to the greatest effect, gain a significant advantage.

Skip the notion of absolute security. It is a marketing dream, not reality. In the real world we don't want to be impervious to attack (zero risk) as that would be far too expensive, unacceptably encumbering, and likely technically impossible anyways. That is not the goal. The real objective is to understand, attain, and sustain an 'optimal' level of security. This is where the costs, risks, and usability impacts are in the right balance for the organization. Risk is okay if it is understood, managed to the right level, and accepted by those responsible.