Behind the strategies and solutions needed to counter today’s
cyber threats are dedicated cybersecurity researchers. They spend
their lives dissecting code and analyzing incident reports to
discover how to stop the bad guys.
But what drives these specialists? To understand the motivations
for why these cybersecurity pros do what they do, we decided to
talk with cybersecurity analysts from around the world.
To get viewpoints from across Europe, Asia, and the Americas, we
recently spoke with a team of researchers from Acronis’ global
network of Cyber Protection Operations Centers (CPOCs):
Candid Wüest, VP of Cyber Protection Research who
is based in Switzerland; Alexander Ivanyuk, Senior
Director, Product, and Technology Positioning, who is based in
Singapore; and two Cybersecurity Analysts, Topher
Tebow and Blake Collins, who are both
based in the U.S.
The conversation yielded some interesting insights into their
views of the world, how they approach cyber threat analysis, and
what risks stand out as the greatest challenges facing the
cybersecurity field today.
As a security analyst, what drives you to do this kind of work?
While the individual motivations for why these cybersecurity
researchers do what they do varied from person to person (as they
would in any industry), two traits were front and center: a love of
problem-solving and a desire to be the good guys.
Wüest explained, “I am a curious person who likes puzzles and
challenges. Hence, tracking cyberattacks and finding ways to
disrupt their process efficiently is fascinating to me.”
Collins echoed that sentiment, saying, “Malware is fascinating
to me as it can be a bit of a puzzle. How did it get there, what is
it doing, and who is responsible? Digging into obfuscated code,
understanding, and reversing it is so satisfying. Plus, when you
remove a threat, there’s a sense of making the world better.”
That drive to make the digital world a safer place was also
shared by others. Tebow explained, “In some ways, writing detection
rules, or reporting a new C2 server, feels like vigilante justice.
I may not always be Batman, but it still feels incredible to be
Alfred — supporting the effort to take down criminals.”
Wüest recognizes that making the internet a safer place for
everyone has an actual impact. “It is disturbing to see that some
cyberattacks[1] have destroyed lives in the real world. Therefore I
would like to make my contribution to improve the situation.”
Their efforts to solve problems and prevent attacks are
definitely needed. While 75% of companies[2]
report having all of the recommended security measures in place,
more than half saw unexpected downtime due to data loss last
year.
What’s the biggest surprise that you’ve come across during your career as a security analyst?
Even after a combined 55 years in cybersecurity, these
researchers still find surprises in their daily work.
From a technical perspective, Collins says, “the sheer volume of
malware that exists surprises me. If you follow cybersecurity news,
you have a general idea that malware is everywhere, causing
problems. But behind the scenes, you begin to appreciate how
astonishingly high the number of malware variants is.”
Just as daunting, added Wüest, is how long it takes to change
bad habits. “As an industry, we still fight a lot with old problem
concepts like SQL injections, weak default passwords, or
unencrypted sensitive data. There are solutions for these issues,
but they’re not applied as widely as they should be. Even when
there’s a huge privacy scandal, there’s an initial outcry, but
people quickly fall back into their old habits.”
Those habits, unfortunately, can lead to something worse —
apathy. “The biggest surprise is complacency among cybersecurity
professionals,” said Tebow. “It’s astounding to me how often I’ve
encountered a ‘this is just how it is’ attitude. I would love to
see a larger number of professionals get excited for the challenge
of taking down cybercriminals, even celebrating the little wins
along the way.”
What trends or techniques have you found to be most effective in identifying or countering new cyberthreats?
Given the flood of new threats, which is constantly increasing
now that attackers are using automation and AI/ML optimizations,
Wüest is a proponent of threat-agnostic protection solutions.
“Instead of trying to identify the 4 million new malware samples
that appear every week, focus on protecting your data from any
unwanted tampering or encryption, regardless of what the malware
looks like. Smart behavior monitoring that goes beyond the
processes’ context can be an effective weapon against modern
cyberthreats.”
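An added example (not Acronis code) of the threat-agnostic idea in Wüest’s quote: instead of naming a malware family, the check looks only at what happens to data and flags any process that overwrites several existing files with high-entropy, encrypted-looking content. The event stream and byte payloads are constructed.

```python
"""Threat-agnostic behaviour check: flag processes that rewrite many files
with high-entropy content, whatever binary they happen to be."""
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for prose."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed stand-ins (assumption): every byte value equally frequent
# approximates ciphertext; the other payload is ordinary document text.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly results: revenue up 4 percent, costs flat. " * 20

# Constructed file-write event stream: (pid, image, path, bytes written).
EVENTS = [
    (401, "winword.exe", "C:/docs/report.docx", PLAINTEXT),
    (777, "updater.exe", "C:/docs/report.docx", CIPHERTEXT),
    (777, "updater.exe", "C:/docs/budget.xlsx", CIPHERTEXT),
    (777, "updater.exe", "C:/docs/notes.txt", CIPHERTEXT),
    (512, "7z.exe", "C:/backup/archive.7z", CIPHERTEXT),  # single archive, not a mass rewrite
]

def detect_mass_encryption(events, min_files=3, entropy_threshold=7.5):
    """Return sorted (pid, image) pairs that wrote high-entropy data to at
    least min_files distinct paths. No hash or family name is involved, so
    an unseen sample is caught the same way as a known one."""
    rewritten = defaultdict(set)
    for pid, image, path, content in events:
        if shannon_entropy(content) >= entropy_threshold:
            rewritten[(pid, image)].add(path)
    return sorted(key for key, paths in rewritten.items() if len(paths) >= min_files)

if __name__ == "__main__":
    for pid, image in detect_mass_encryption(EVENTS):
        print(f"mass high-entropy rewrite by pid {pid} ({image})")
```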
As the head of cyber protection research, he adds that user and
entity behavior analytics (UEBA) combined with Zero Trust, Secure
Access Service Edge (SASE), and multi-factor authentication (MFA)
is promising, especially given today’s
work-from-anywhere-with-anything reality — but he cautioned that
there’s no silver bullet.
“An integrated approach across silos with efficient automation
and visibility is key, but so is the importance of the basics —
such as strong authentication and patch management — which too many
organizations still overlook.”
Ivanyuk agreed, saying “the use of behavioral heuristics and
proper AI/ML models is critical to identifying incursions, but
simple things like MFA and role-based management, backed by
constant vulnerability assessments and patch management, are
surprisingly effective at preventing attacks.”
To make those kinds of automated solutions possible, Collins
says that having the ability to distill commonly malicious behavior
or code down to a simple rule or signature has served him well.
“These types of detections allow you to cast a wide net that can
bring in new, undetected malware for analysis.”
Tebow noted that trend analysis is an effective technique as
well. When researching cryptojacking malware, he decided to examine
general cryptocurrency trends. “I found that spikes and dips in
cryptojacking followed the rise and fall in cryptocurrency value.
This gave us a 24-48 hour headstart on defending against the next
wave of attacks, and knowing which cryptocurrency to look for.”
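The trend analysis Tebow describes, as an added example on constructed data (not Acronis code): daily coin prices are compared with daily cryptojacking detection counts at several lags, and the lag with the strongest correlation is the head start defenders get. The detection counts were built to follow the price with a two-day delay so the method is visible.

```python
"""Lag analysis: at what delay does cryptocurrency price best anticipate
cryptojacking detection volume?"""
from statistics import mean, pstdev

# Constructed series (assumption): 16 days of closing prices, and detection
# counts that follow the price with a two-day delay.
PRICE = [100, 105, 110, 125, 140, 135, 130, 120, 115, 125, 140, 160, 170, 165, 150, 145]
DETECTIONS = [19, 21, 20, 21, 22, 25, 28, 27, 26, 24, 23, 25, 28, 32, 34, 33]

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def lagged_correlation(price, detections, max_lag):
    """Map lag (days) -> correlation between price[t - lag] and detections[t]."""
    result = {}
    for lag in range(max_lag + 1):
        xs = price[:len(price) - lag]
        ys = detections[lag:]
        result[lag] = pearson(xs, ys)
    return result

def best_lag(price, detections, max_lag=4):
    """Lag at which price movements best anticipate detection volume;
    that many days is the warning time before the next wave."""
    corr = lagged_correlation(price, detections, max_lag)
    return max(corr, key=corr.get)

if __name__ == "__main__":
    for lag, r in lagged_correlation(PRICE, DETECTIONS, 4).items():
        print(f"lag {lag} day(s): r = {r:.3f}")
    print(f"head start: {best_lag(PRICE, DETECTIONS)} day(s)")
```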
Have there been any incidents where the sophistication of the attack has surprised you — or even impressed you?
While Ivanyuk points to classics like the Stuxnet attack and the
recent SolarWinds hack as good examples, Collins notes it’s not
always the sophistication of an attack that’s impressive.
“I’m always impressed with the exploits that malicious actors
can find,” he said. “A few years ago there was a bug in PHP7 that
allowed RCE that was surprisingly easy to use by passing a
parameter with a payload in a web address. Sometimes, the simpler
the exploit, the more impressive it is.”
Wüest, who was part of the team that conducted one of the first
deep Stuxnet analyses, said some ransomware attackers took an
interesting approach by using an unprotected backup cloud
console.
“They stole sensitive data by creating a new backup to a cloud
location under their control. Then they used the backup software to
restore the malware to critical workloads inside the organization.
It was an impressive use of living-off-the-land techniques, turning
the victim’s own trusted infrastructure against them.”
Can you rank the security threats you’re most concerned about and explain why?
All four of these cybersecurity researchers agreed that
ransomware remains the greatest security threat today —
particularly given the pivot from simple data encryption to data
exfiltration.
“Targeted ransomware is top of my list because the double
extortion schema, where data is stolen and workloads are encrypted,
can be very profitable for the attackers,” said Wüest. “With ransom
demands reaching 50 million dollars, there is no reason for
cybercriminals to stop. The applied techniques have long been
merged with APT methods such as living off the land or exploitation
of exposed services like the Exchange ProxyLogon vulnerability,
making it more difficult to reliably detect.”
During the past 15 months, the Acronis CPOC analysts found
evidence that more than 1,600 companies around the world had their
data leaked following a ransomware attack, which is why they’ve
dubbed 2021 “The Year of Extortion.”
“It is to a point that I hesitate to even call them ransomware
gangs anymore,” added Tebow. “I’ve started referring to them as
extortion gangs. Data exfiltration and the threat to release
anything sensitive has become a primary method of extortion, to
which they add increasing ransom demands after an initial time
frame and threatening additional attacks, like a DDoS, if the
ransom is not paid.”
“Ransomware lets them get money in untraceable cryptocurrencies,
whereas stealing money via online banking increases the chances
they’ll be caught later,” explained Ivanyuk. “The problem is that
ransomware continues to work well, especially since individuals and
companies continue to be uninformed about ransomware.”
In fact, a recent Acronis survey of IT users and IT pros around
the world revealed 25% of users[3]
didn’t know what ransomware is.
Beyond ransomware, the four researchers all expect to see an
increase in supply-chain attacks like the SolarWinds breach. “There
are many variations of these attacks, from compromising a software
vendor to injecting code in an open-source code repository,” said
Wüest.
“Due to the nature of the trust chain, it can be nearly
impossible to identify such a manipulation till it’s too late, as
it’s downloaded on demand from a trusted source and verified by the
official digital certificate. Such attacks are not trivial to
create but will continue to increase in the future, as they are
successful even with well-protected targets.”
Tebow added that there was one more risk that anyone in
cybersecurity should keep in focus — whether they’re a researcher
or are on the front lines.
“I see the desire of analysts and organizations to ‘do it on
their own’ as a tremendous threat,” he warned. “If we maintain the
old-school siloed method of fighting cybercrime, we have no hope of
defeating cybercriminals. It’s only by working together that we
stand a chance of winning any large battles against
cybercriminals.”
About the Acronis Cyber Protection Operations
Centers: Acronis maintains a global network of Cyber
Protection Operations Centers, with locations in Singapore,
Arizona, and Switzerland that enable the CPOC analysts to use a
follow-the-sun approach for 24-hour operations. Analysts detect,
analyze, and prepare responses to new risks to data, from the
latest cyberattacks to natural catastrophes. The insights gathered
are used to issue threat alerts to protect customer environments
and aid the company’s development of its cyber protection
solutions.
References
[1] cyberattacks (www.acronis.com)
[2] 75% of companies (www.acronis.com)
[3] 25% of users (www.acronis.com)
