The Security Revolution Will Be Automated
Information security teams have the largely thankless responsibility of keeping pace with both the trends in enterprise computing and the latest innovations from criminals and attackers.
Beneficial megatrends such as the rise of cloud and mobile computing are relatively obvious because they bring value to the enterprise and its employees in the form of reduced costs and the promise of improved productivity. Over the past few years, most security teams have put considerable effort into adapting to these massive changes in the enterprise.
However, progress happens for the bad guys too. As we build more accessible, scalable, and efficient computing models, we likewise open ourselves up to attacks that are more accessible, scalable and efficient. This is the realm of automated attacks. In the same way that automation has transformed traditional industries, automation is transforming the economy of cyber attackers, and rewriting the rules of enterprise risk in the process.
Automated attacks are cheap, tireless, and can target virtually any functionality that we expose to our end-users. Because of their reach, these attacks become both highly probable and enormous in scale. This makes understanding automated threats essential in order to understand IT and enterprise risk.
Automated Threats are Inevitable Threats
When it comes to threats, automation does much more than simply churn out malicious widgets. The cost of any action that can be automated quickly drops to near zero, and without the overhead of incremental costs, attackers are free to run their attacks as broadly as possible. Given enough time, an attacker can sit back and let his scripts slowly find, test, and attack every available target on the Internet.
This near-universal reach has a powerful and often underappreciated impact on enterprise risk. While the latest and greatest targeted attack may make the most headlines, the latest and greatest automated attack is far and away more likely to actually hit your enterprise. In fact, researchers have recently performed an economic analysis of the competition between automated and targeted attacks, and concluded that “all users should protect against scalable attacks first. Compromise is almost certain if (the target) fails to address the scalable attacks that reach everyone”. So given that an automated attack is almost certain to land on your doorstep, it’s important to know what these attacks do and what their impact could be.
Automation Grows Up
Traditionally, automated attacks were thought of as simple, relatively dumb attacks that are easily mitigated. For instance, spam, while certainly a nuisance, is rarely the item that keeps a CISO lying awake at night. However, malicious automation has gotten considerably more sophisticated and shows no sign of slowing.
Beyond simply churning out spam and phishing emails, automation has become a critical component of longer multi-stage attacks. Botnets have been employed to capture login credentials that attackers can use later to commit fraud. Scanners and crawlers will scour sites for vulnerabilities that can be exploited later on. Stolen credit card numbers are tested for validity in order to ensure a high price on the black market. Stolen usernames and passwords are tested en masse to break into additional sites. Virtually without fail, cybercrime depends on automation to either find a target, attack it, or process the spoils of the attack.
Even these advancements pale in comparison to modern fully automated attacks. These attacks can learn and automate the full flow of a particular application. Banking malware has led the way in these attacks, but the trend has rapidly spread to all types of applications. For example, instead of simply stealing a victim’s username and password, modern banking malware can fully automate the transfer of funds between accounts while an infected user is logged in to his account. Virtually any functionality in a web application can be potentially automated in the same way. This sort of attack can enable everything from ticket scalpers, to bank fraud, to data breaches from SaaS applications. In short, any functionality that is exposed to users can be potentially automated for the attacker’s gain.
The Web Provides Fuel for Automation
In the past few years, malicious automation has become both more common and more sophisticated. This trend is tied back to the other major trends of web and mobile-based computing. Virtually all applications today can be accessed via a browser, and in many cases the browser is the default or only way of accessing the application. Mobile applications are increasingly built on HTML5 and other web technologies in order to simplify compatibility across a variety of mobile device manufacturers.
These same web technologies are inherently vulnerable to automation, and have given rise to a new breed of scripted attacks. In its simplest form, the problem boils down to the fact that web front-ends typically must remain exposed to the untrusted Internet, and the source code (web markup) is readily visible to anyone who wants to look. This combination is the ideal breeding ground for automation: an application that is both always accessible and comes with a blueprint showing how it works. This is the combination that should concern those who manage enterprise risk. Almost all of our applications are migrating to the web, and these applications are almost certain to be hit by automated attacks.
Where We Go From Here
Automation is one of the things computers do incredibly well, so it should be no surprise that automated threats are highly successful. However, the goal isn’t to create yet another IT boogeyman. Automation is not a single tactic or technique to be addressed by a silver bullet. Major technology trends often demand a strategic response from security, and the combination of web, mobility, and automation is just such a case. These trends are directly interwoven, and it’s not incidental that our newly acquired ability to work and communicate from anywhere opens a similar risk of abuse using the same channels. While controlling automation is not the only answer that is needed, it is the enabler that is quietly fueling modern attacks. Building a better understanding of automation and how it can be stopped seems like a good place to start.