
Q&A on the Book Cybersecurity Threats, Malware Trends and Strategies

Key Takeaways

  • There are five ways organizations get initially compromised; organizations’ cybersecurity strategies should address them all:
    • Vulnerabilities
    • Misconfigurations
    • Stolen credentials
    • Social engineering
    • Insider threat
  • Vulnerability disclosures have been at historic highs over the past three years
  • The credibility of threat intelligence relies on its sources of data, time periods, and other context
  • Intrusion reconstructions can help security teams determine how their strategy is performing
  • Automation can be a cybersecurity talent amplifier for start-ups and smaller organizations

The book Cybersecurity Threats, Malware Trends and Strategies by Tim Rains provides an overview of the threat landscape over a twenty-year period. It provides insights and solutions that can be used to develop an effective cybersecurity strategy and improve vulnerability management.

InfoQ readers can download an extract from Cybersecurity Threats, Malware Trends and Strategies.

InfoQ interviewed Tim Rains about how organizations get compromised, how security and compliance groups can work together, the main trends in vulnerabilities, the kinds of malware that exist and how companies defend themselves against them, how to verify the quality of threat intelligence data and reports, mitigating phishing attacks, how machine learning and artificial intelligence help to deal with internet threats, strategies for cybersecurity, how a DevOps or DevSecOps approach supports cybersecurity, implementing the Intrusion Kill Chain framework, and what small companies can do to prevent and recover from cyber-attacks.

InfoQ: Why did you write this book?

Tim Rains: There is a lot of fear, uncertainty, and doubt propagated in the industry about cybersecurity threats and mitigations. I’ve been fortunate in my career to have had the opportunity to learn from some great subject matter experts and chief information security officers (CISOs) of very large and mature organizations. I wanted to share some of the things I’ve learned, along with some new research about threats, that I think will help CISOs and security teams put things into perspective. Finally, most organizations do not have a cybersecurity strategy. This puts them at a disadvantage versus their adversaries. This book focuses on cybersecurity strategies in a way that tries to level the playing field, or better yet, tilt it in favor of CISOs.      

InfoQ: For whom is this book intended?

Rains: I wrote this book for CISOs, aspiring CISOs, and senior security team members. I tried to provide a mix of new research and interesting technical content, along with some senior management insights to help technical leaders bridge to the altitude that many CISOs work at. Hopefully it helps some CISOs be better CISOs and gives aspiring CISOs a head start in the right direction. I hope it will also provide senior security team members with some insights into the challenges that come with being a CISO, because being a great technologist and security subject matter expert is typically very different from being in a senior management role.

InfoQ: How do organizations initially get compromised? What are the biggest risks?

Rains: This is an important aspect of the book. Many CISOs and security teams I’ve talked to over the years believed that there is a large and growing number of ways that attackers can compromise environments. But the data show us this isn’t true - attackers have always used the same five ways to initially compromise environments:

  1. Unpatched vulnerabilities
  2. Security misconfigurations
  3. Weak, leaked, stolen credentials
  4. Social engineering
  5. Insider threat

Focusing on the fundamentals that mitigate these risks will pay the biggest dividends for most CISOs and their organizations. After an IT environment is initially compromised, there are all sorts of techniques, tactics and procedures attackers have at their disposal to move laterally, stay persistent, and pursue their goals – but it all starts with one or more of the five ways organizations get initially compromised.

InfoQ: How can security and compliance groups work together?

Rains: Understanding that Security and Compliance are different but complementary disciplines can help align these groups’ efforts. I’ve seen some organizations pretend these disciplines are the same, but this tends to lead to suboptimal outcomes. Compliance groups typically focus on determining whether security controls meet regulated, industry or internal security standards. These standards typically represent a necessary, but insufficient bar for protecting, detecting, and responding to threats; these are the things Security teams focus on. But when they work well together, their combined efforts can be more effective than either by themselves. I tried to explore this dynamic a bit in the book.

InfoQ: What are the main trends in vulnerabilities and how does the software industry adapt itself to deal with those trends?

Rains: I looked at 20 years of vulnerability disclosure trends. The number of vulnerabilities in the National Vulnerability Database (NVD) increased 128% between 2016 and 2017, and 157% between 2016 and 2018. In 2016 vulnerability management teams were managing 18 new vulnerabilities per day on average, and that average increased to 40 in 2017 and 45 in 2018; in 2019 they had to manage 33 new vulnerabilities every day. Multiply this number by hundreds or thousands of distributed assets on networks and you begin to get the sense of how challenging vulnerability management has become, just from the sheer volume. Reducing the number of new vulnerabilities in software and hardware will help front line vulnerability management teams that have been overwhelmed with high volumes over the past few years. Reducing the severity of those vulnerabilities and making them hard or impossible to exploit will also be helpful for vulnerability management teams, as this will give them more time to test and patch their environments.

InfoQ: What kinds of malware exist and what threats do they pose?

Rains: Antimalware labs categorize malware threats. Typical categories include different types of Trojans, worms, exploits, backdoors, spyware, password stealers, viruses, ransomware, and potentially unwanted software. In addition, purveyors of malware have, for many years, been developing blended threats that have characteristics of multiple malware categories. Some of these threats, like Trojans, rely on social engineering to trick users and administrators into making poor trust decisions that typically end with them installing malware on their own systems. Many worms are designed to use a combination of unpatched vulnerabilities, security misconfigurations, and weak passwords to spread. Some of these threats pose a low risk to enterprises, while others can be very high.

For example, the data show us that ransomware has historically been one of the least prevalent categories of malware, meaning it’s less likely for systems to encounter it. But when systems do encounter it, its impact can be catastrophic, making it a classical low probability, high impact threat, that enterprises must prepare for.

Other threats can be more benign. However, the data show us that over the decades attackers have evolved from being mostly benevolent, motivated by notoriety, to being quite malevolent, motivated by profit, hacktivism, economic espionage, military espionage, or information warfare via cultural manipulation. Data have become more valuable than gold or oil, attracting all sorts of adversaries who develop custom malware fit for their purposes.      

InfoQ: How can companies defend themselves against malware threats?

Rains: For a while there seemed to be some debate in the industry as to the efficacy of antimalware solutions. But frankly, any CISO who doesn’t run antimalware software in their environment is being negligent. If you run antimalware software, it won’t protect systems from all malware, but it will protect them from the millions of threats that get processed by antimalware labs every week. If you don’t run it, then you don’t get protected from any of those threats. Of course, there are a bunch of other controls that can help, but the key is the research and response capabilities that a world class antimalware lab can provide.

InfoQ: How can we verify the quality of threat intelligence data and reports?

Rains: After publishing what was arguably one of the best threat intelligence reports in the industry (the Microsoft Security Intelligence Report) for nearly a decade, I learned a few tips about what makes threat intelligence consumable and credible. Understanding the sources of data is critical. If you don’t know the source of the data and its characteristics, you can’t trust the intelligence because you don’t have enough context. For example, data from a low volume online tool that’s only offered in one specific language might not be useful to a broad or global audience. Understanding the specific times and dates related to the data is also mandatory. Otherwise, how can you tell whether a 25% increase or decrease in a specific measure is good or bad? If it’s over a long enough period, it might be immaterial. Also, always be on the lookout for hype. One of my favorite examples: "75% of all attacks during this period happened this way ..." The only way someone could identify what happened in 75% of all attacks is if they could see 100% of ALL attacks, right? I don’t know anyone who is omniscient, so these types of claims are credibility destroyers. Understanding data sources, time periods, and other context can help you spot hype.  

InfoQ: What can be done to mitigate phishing attacks?

Rains: Phishing attacks rely on social engineering to trick victims into disclosing confidential information, like credentials. It sounds old fashioned, but enterprises can use people, process and technology to mitigate these attacks. Training people to be aware and look for these attacks can be very effective. Complementing this with technology like multi-factor authentication (MFA) can be very effective at mitigating phishing attacks focused on stealing credentials. Anti-phishing services that block email and URLs from botnets and known compromised and/or malicious infrastructure can be effective when they work properly. Processes that impose extra steps for riskier or higher value activities can also add valuable friction into such social engineering attacks.       
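The answer above names multi-factor authentication as the technology that blunts credential phishing. The following is an added example, not code from the book or from Rains, showing in concrete terms why a time-based second factor helps: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, then runs a constructed scenario in which the attacker has phished both the password and the one-time code and tries to reuse them. The user store, the password, the salt and the timestamp are all constructed for the demonstration; the shared secret is the RFC 6238 test secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Added example (not from the book): stdlib-only HOTP/TOTP plus a server-side
# verifier, used to show what a phished password-and-code pair is still worth.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter value, with RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP driven by the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1  # highest counter already consumed by a successful login

    def verify(self, code: str, at: int) -> bool:
        now = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_step:
                continue  # replay guard: a code for an already-used (or older) step is dead
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_step = counter
                return True
        return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: PBKDF2-hashed password plus a per-user TOTP verifier."""
    salt = b"fixed-salt-for-demo"  # constructed; derive a random per-user salt in practice
    return {"pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "salt": salt, "mfa": TotpVerifier(totp_secret)}


def login(user: dict, password: str, code: str, at: int) -> str:
    """Returns 'ok', 'bad-password' or 'bad-code'."""
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(pw, user["pw"]):
        return "bad-password"
    if not user["mfa"].verify(code, at):
        return "bad-code"
    return "ok"


def phishing_scenario() -> dict:
    """Victim logs in through the attacker's proxy page; attacker then reuses what was captured."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, used here as a constructed demo value
    user = make_user("hunter2", secret)
    t = 1111111111                    # fixed timestamp so the run is repeatable
    code = totp(secret, t)            # the code the victim typed into the fake page
    return {
        "victim": login(user, "hunter2", code, t),               # legitimate login succeeds
        "replay_same_step": login(user, "hunter2", code, t + 5),  # same step, already consumed
        "replay_next_step": login(user, "hunter2", code, t + 60), # code has aged out
        "password_only": login(user, "hunter2", "000000", t + 60),  # password alone is not enough
    }


if __name__ == "__main__":
    for case, outcome in phishing_scenario().items():
        print(f"{case:>18}: {outcome}")
```

The replay guard is the part worth noting: a phished TOTP code is valid for at most the drift window, and once the victim's own login consumes that step the captured code is worthless even inside the window. A real-time phishing proxy that relays the code immediately still wins, which is why phishing-resistant factors are preferred for high-value accounts; the example shows the floor that even basic TOTP sets, not the ceiling.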

InfoQ: How does machine learning and artificial intelligence help to deal with internet threats?

Rains: Attackers have always tried to hide their illicit activities among legitimate user activities, legitimate system processes and legitimate network traffic, to blend in. They rely on large volumes of network traffic, busy systems, and incredibly large, verbose log files to hide in plain sight. This is where machine learning and artificial intelligence systems can help – churning through massive amounts of data very quickly to identify indicators of compromise. Using systems like these is rapidly becoming compulsory for security teams, especially those that are chronically understaffed.
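The point in the answer above is that the attacker's activity is buried in volume, and that statistical tooling is what surfaces it. As an added example, not from the book, the following runs a simple, explainable detector over constructed sshd log lines: it parses the lines, builds a robust baseline of failed-login counts per source address (median and median absolute deviation, so a single noisy host does not drag the baseline), flags sources that sit far above it, and then reports any successful login that came from a flagged source. The log lines, host names and addresses are all constructed for the demonstration; the 3.0 threshold is an assumption a team would tune.

```python
import re
import statistics
from collections import Counter

# Added example (not from the book): an explainable outlier detector over auth logs.
# Log lines below are constructed for the demonstration.

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def build_sample_log() -> list:
    """Constructed traffic: six ordinary hosts with a few typos, one host hammering the bastion."""
    lines = []
    noise = {"10.0.0.11": 1, "10.0.0.12": 1, "10.0.0.13": 2,
             "10.0.0.14": 2, "10.0.0.15": 1, "10.0.0.16": 3}
    for src, n in noise.items():
        for i in range(n):
            lines.append(f"Mar  4 09:0{i}:00 bastion sshd[1000]: Failed password for alice "
                         f"from {src} port 5000 ssh2")
    for i in range(40):
        lines.append(f"Mar  4 09:10:{i:02d} bastion sshd[1001]: Failed password for "
                     f"invalid user admin from 203.0.113.7 port 6000 ssh2")
    lines.append("Mar  4 09:11:00 bastion sshd[1001]: Accepted password for alice "
                 "from 203.0.113.7 port 6001 ssh2")
    lines.append("Mar  4 09:12:00 bastion sshd[1002]: Accepted password for alice "
                 "from 10.0.0.11 port 5001 ssh2")
    return lines


def parse(lines) -> list:
    """Keep only lines the pattern understands; everything else is ignored, not guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_anomalies(events, threshold: float = 3.0) -> dict:
    """Robust z-score of failed logins per source, plus successes from flagged sources."""
    fails = Counter(e["src"] for e in events if e["result"] == "Failed")
    counts = list(fails.values())
    median = statistics.median(counts)
    # Median absolute deviation; 1.4826 rescales it to a standard deviation for normal data.
    mad = statistics.median(abs(c - median) for c in counts) or 1.0  # floor avoids divide-by-zero
    z = {src: (c - median) / (1.4826 * mad) for src, c in fails.items()}
    brute_sources = {src for src, score in z.items() if score >= threshold}
    # A success right after a burst of failures from the same source is the line worth paging on.
    success_after_burst = [(e["user"], e["src"]) for e in events
                           if e["result"] == "Accepted" and e["src"] in brute_sources]
    return {"z": z, "brute_sources": brute_sources,
            "success_after_burst": success_after_burst}


if __name__ == "__main__":
    report = find_anomalies(parse(build_sample_log()))
    for src, score in sorted(report["z"].items(), key=lambda kv: -kv[1]):
        print(f"{src:>14}  z={score:6.2f}  {'<-- brute force' if src in report['brute_sources'] else ''}")
    for user, src in report["success_after_burst"]:
        print(f"ALERT: {user} accepted from {src} after a failure burst")
```

The same shape scales: replace the Counter with per-hour buckets from a log pipeline and the baseline with the previous week, and the median/MAD step keeps one compromised host from hiding the next. What this does not do is decide intent; it narrows the haystack, which is the job the answer above assigns to automation.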

InfoQ: What strategies can be used for cybersecurity and how effective are they?

Rains: Over the past two or three decades I’ve seen CISOs of a bunch of organizations try a bunch of cybersecurity strategies. In the book, I discuss the pros and cons of a bunch of them, including:

  • Protect and Recover Strategy
  • Endpoint Protection Strategy
  • Physical Control & Security Clearances as a Strategy
  • Compliance as a Security Strategy
  • Application-Centric Strategy
  • Identity-Centric Strategy
  • Data-Centric Strategy
  • Attack-Centric Strategy

They all have virtues and shortcomings. In some cases, using a combination of strategies can help overcome shortcomings and work quite well. The key is being honest about how well they mitigate the five ways that organizations get initially compromised. You don’t want to use a strategy that doesn’t help you with these. I provide readers with a scoring system they can use to score whatever cybersecurity strategy they are considering.  

InfoQ: How does a DevOps or DevSecOps approach support cybersecurity?

Rains: One of the traditional challenges that comes with traditional approaches to development and operations is some level of confusion when it comes to security. Which aspects are developers managing and which are operations staff expected to manage? If developers and operations staff don’t talk to each other about these responsibilities, history has shown us that it leads to poor security outcomes. One of the things DevOps can help address is this much better integration and coordination between developers and operations on security.

InfoQ: What's your advice for implementing the Intrusion Kill Chain framework?

Rains: Whether your organization decides to use an Intrusion Kill Chain approach or not, intrusion reconstructions for failed, partially successful and fully successful intrusion attempts can show you where things are working as expected and where they aren’t. Determining where and how attackers were stopped is critical in understanding all the mitigations that failed and need attention. Intrusion reconstructions will help you understand how your cybersecurity strategy is performing – the Intrusion Kill Chain is perfectly suited for this.
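The answer above describes intrusion reconstructions: lay each attempt along the kill chain, find where it was stopped, and list every mitigation that should have acted before that point and did not. The following is an added example, not from the book, that encodes that procedure. It uses the seven phase names of the Lockheed Martin Intrusion Kill Chain, models each control's behaviour at a phase as blocked, detected (saw it, did not stop it) or missed, classifies each attempt as failed, partial or successful, and rolls several reconstructions up into the counts a strategy review needs. The three intrusion timelines are constructed, and the rule that "failed" means stopped before Installation (no persistence gained) is an assumption made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not from the book): kill-chain intrusion reconstruction and roll-up.
# Phase names are the standard Lockheed Martin Intrusion Kill Chain phases, in order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]


@dataclass
class Observation:
    """One mitigation's behaviour at one phase, taken from the incident timeline."""
    phase: str
    control: str   # e.g. "mail filter", "patching", "EDR"
    result: str    # "blocked" (stopped the attacker), "detected" (saw it, did not stop) or "missed"


def reconstruct(observations) -> dict:
    """Where was the attempt stopped, and which controls failed up to that point?"""
    stop = next((o for o in observations if o.result == "blocked"), None)
    stop_idx = PHASES.index(stop.phase) if stop else None
    deepest = max(PHASES.index(o.phase) for o in observations)
    failed = [o.control for o in observations
              if o.result != "blocked"
              and (stop_idx is None or PHASES.index(o.phase) <= stop_idx)]
    if stop is None and deepest == len(PHASES) - 1:
        outcome = "successful"   # objectives reached and nothing stopped it
    elif stop_idx is not None and stop_idx < PHASES.index("Installation"):
        outcome = "failed"       # assumption: stopped before the attacker gained persistence
    else:
        outcome = "partial"      # foothold gained, then stopped (or never reached objectives)
    return {"stopped_at": stop.phase if stop else None,
            "deepest_phase": PHASES[deepest],
            "failed_controls": failed,
            "outcome": outcome}


def aggregate(intrusions) -> dict:
    """Roll many reconstructions up into what keeps failing and where attackers get stopped."""
    failed, outcomes, stopped = Counter(), Counter(), Counter()
    for observations in intrusions:
        r = reconstruct(observations)
        failed.update(r["failed_controls"])
        outcomes[r["outcome"]] += 1
        stopped[r["stopped_at"] or "not stopped"] += 1
    return {"failed_controls": failed, "outcomes": outcomes, "stopped_at": stopped}


def sample_intrusions() -> list:
    """Three constructed timelines, one of each kind: failed, partial, fully successful."""
    O = Observation
    phish = [O("Delivery", "mail filter", "missed"),
             O("Exploitation", "attachment macro policy", "blocked")]
    unpatched_vpn = [O("Exploitation", "patching", "missed"),
                     O("Installation", "EDR", "detected"),
                     O("Command and Control", "egress proxy", "blocked")]
    stolen_creds = [O("Exploitation", "MFA", "missed"),
                    O("Installation", "EDR", "missed"),
                    O("Command and Control", "egress proxy", "missed"),
                    O("Actions on Objectives", "DLP", "missed")]
    return [phish, unpatched_vpn, stolen_creds]


if __name__ == "__main__":
    summary = aggregate(sample_intrusions())
    print("outcomes:       ", dict(summary["outcomes"]))
    print("stopped at:     ", dict(summary["stopped_at"]))
    print("failed controls:", summary["failed_controls"].most_common())
```

Two things fall out of the roll-up that a single incident report hides: the control that fails across the most reconstructions (EDR, twice, in the constructed data) is where remediation effort pays off first, and the distribution of stopping phases shows whether the strategy is catching attackers early or only at the perimeter on the way out.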

InfoQ: Nowadays there are many small companies like start-ups or sole proprietors. What can they do when it comes to preventing and recovering from cyber-attacks?

Rains: On-premises security has turned out to be incredibly difficult to sustain over time. The challenge smaller organizations tend to have is that security expertise and manpower are typically in short supply. Looking for "cybersecurity talent amplifiers" can be very positive. What I mean by this is investing in automation can help offset a lack of security expertise and manpower. Getting machines to do the work instead of humans can help mitigate many risks, leaving fewer risks for humans to manage. I mentioned ML/AI systems earlier – this is a great example. Use systems that help protect, detect, and respond using automation. The most exciting and promising systems I’ve seen that do this are in the cloud, because that’s really the only place such systems can scale and still be affordable for smaller organizations. Not having complex legacy environments to try to secure is a huge advantage for startups and smaller organizations. My advice is to invest in the future, not the past; someone once said, "The future is already here, it’s just unevenly distributed."

About the Book Author

Tim Rains is an internationally recognized cybersecurity advisor, spokesperson, and author. Rains has held the most senior cybersecurity advisor roles at both Amazon Web Services and Microsoft. He has experience across multiple disciplines including people management, engineering, product management, marketing communications, and business development.
