Ahead of his talk at RSA Conference 2017 next week, we chatted to Mark Loman, Sophos’s Director of Engineering for next-generation tech.
Mark gave us a preview of his talk, which you can catch on Tuesday, February 14 from 3:45-4:30 pm in room 132, Moscone North.
He will be delving into how nation-state attackers craft their attack code to evade the most advanced security products.
Q: Why did you choose to talk about exploits?
Loman: Many security vendors use phrases like “protection against zero-days” and “exploit attacks”, but actually, they’re making promises they can’t keep. They only make them so analysts don’t leave them out. But the security industry is already seen to be failing and false claims only make that worse. They don’t see the wood for the trees. So I chose my topic to show real-world existing attack schemes, why protection methods fail and show new defensive technology that is more capable.
Q: We’ve seen a lot of cases where exploits target zero-day vulnerabilities. Some vendors fix them quickly. Others sit on the flaws for longer than they should. How do we get a better patch response time from them?
In my talk I’ll be showing that attackers have been silently leveraging vulnerabilities for years without being detected. Even when they are detected, I don’t see software companies improving their response time for patching vulnerabilities. Patching software and sending out an update takes time. Even when the update is available, organizations don’t patch immediately or automatically out of fear they’ll break business operations. As is the case with Adobe Flash Player, this software is dropped industry-wide because it is vulnerable beyond repair – even though several mitigation techniques have been added in the last two years.
Microsoft is adding exploit mitigations to Windows 10 and its development tools, so software developers can opt in and automatically leverage these capabilities. But it will take many, many years before organizations have deployed a new operating system and before all applications they use have better built-in protection against exploitation. But by then, skilled attackers will have found new techniques.
Q: What’s the single most important topic people should be discussing next week?
I think hardening of systems – PCs and IoT devices – is the topic to discuss. The RSA conference is about security, but the companies that should work most on security are not the ones who are there.
All software developers and device manufacturers should put security first. They should think about potential abuse of products in every step of the product design and development process. Since this requires a change in mindset, change is not coming in the foreseeable future. That is why, with Intercept X, Sophos introduces new technology to shield both outdated and up-to-date internet-facing software against vulnerability exploits on endpoints – no need to wait for new operating systems or software updates.
Q: One of your slides looks at the proliferation of exploit kits, including Magnitude EK and Bizarro Sundown EK. Some kits — like Angler and Nuclear — have shut down. Is it that we’re getting better at finding and stopping these, or is it just that they are treated as disposable tools by the bad guys, since it’s so easy to build a new kit?
The Russian gang behind the Angler exploit kit got careless with their Lurk banking Trojan, attacking fellow Russians, and got arrested by the Russians. For a time it was a mystery why the Angler exploit kit disappeared but it became clear that the demise of the kit was an unexpected side-effect with the arrest of the Lurk gang.
But cybercriminals in one country can disrupt systems on the other side of the planet, while law enforcement is limited to local jurisdiction and agreements with other countries. It takes a lot of effort to take out criminals in another country. The information security industry and law enforcement have joint successes but with the increasing amount of malware and attacks on the web every day, it is clear there is still a lot to be done.
Q: You use Fancy Bear as an example of an attack operation with Russian ties, and it comes as there’s a lot of speculation and finger-pointing over Russian involvement in attacking America. Is Russia getting enough focus from the security community, too much or not enough?
Attribution is a big problem in information security. It is very hard to come up with the evidence when attacks are staged from hacked computers belonging to other people, often in different countries. Keeping an eye on attacks, their targets and logging the associated details and samples will eventually result in good confidence about where attackers are coming from.
There are not many in the security community who know when they deal with a nation-state attack, so sharing every bit of information publicly will result in more confident attribution to help hold even a foreign government accountable.
Catch Mark and the rest of the team at Booth 3201 for demos, giveaways and plenty of security advice. And, don’t forget to register for a FREE expo pass.