Watch out for 'lower, slower and distributed' crime, warns Just Eat CISO

Cyber crime isn't all about speed: infiltrators are slowing down to avoid detection

As well as bigger, faster 'Blitzkrieg'-style attacks, cyber criminals are increasingly adopting a slow-and-steady approach to hacking, as they work to avoid detection and remain on the network for long periods, says Just Eat CISO Kevin Fielder.

"We're all seeing 'bigger, faster, more' in terms of DDoS, password-guessing, credential-checking, those kind of things; all of the standard web attacks, just more of them and more distributed… [but] as people start to detect things like account takeover attempts, the criminals are starting to be even more distributed and even slower, so 'bigger, faster, more' but also 'lower, slower, more distributed'."

Some examples of low-and-slow attacks include snowshoe spam (with a large but light footprint); malvertising; and botnets, which can sit on a device undetected for months or years.

Criminals are increasingly using distributed botnets for credential-based attacks, the results of which are then sold on the dark web; it is a trend first spotted in 2015. Because the bots are checking a huge number of sites, automated security struggles to spot them:

"You'll have people using these botnets...checking the same set of credentials across a bunch of sites quite slowly; so you'll only see the same machine once every minute or two, so it's very hard to detect...but it'll be busy because it's trying the same email and password across Just Eat, Atos, Spotify, Amazon, wherever. [The botnet owner] can then use that or sell it."

I'm not a big fan of 'insider threat' - most of the people who work for you are trusted

Then, of course, there is the problem of insider threat - although Fielder prefers 'people risk', arguing that most people who compromise your security internally aren't acting maliciously.

"With a huge complex environment there's always [the element of] how you manage your own colleagues and the people who have access to it… People can make mistakes, or work around security [in an attempt to] do the right thing.

"[In] that balance of security, usability and culture, how do you provide security that people will work with, rather than trying to work around to get their job done?"

Countering crime

There are as many approaches to combat cyber crime as there are attacks to defend against. Fielder acknowledges their importance, but for him the fight starts at a more basic level: you need to be able to see your opponent to hit him.

"I'm a huge fan of visibility and monitoring underpinning nearly everything, so [the counter is] understanding your environment and getting that visibility across it; understanding what is normal and then starting to look for things outside of that.

"That, for me, is the key; it's monitoring as much as you can of everything and then using...machine learning, AI and those kinds of things to start building patterns and looking for anomalies."

Understand the environment, monitor the environment and look for anomalies and changes

If there's one thing that IT leaders are known for, it's investing in shiny new technology - sometimes unnecessarily. Fielder warned that simply throwing buzzwords at a problem is often not the right approach.

"You don't necessarily need super-fast AI. Most attacks are going to try and make unapproved systems changes or to exfiltrate data... so you look for systems talking to things that they don't normally talk to, or transferring larger volumes of data than normal, or processes changing what they're doing or the files they're accessing. Those kinds of things you can set up rules for; they don't have to be super-advanced machine learning kinds of things.

"Understand the environment, monitor the environment and look for anomalies and changes, and obviously augment it with intel and knowledge… If you already know what a lot of the CNC servers and botnets look like in terms of their IP ranges and so on, you can easily spot something that's bad even before they've necessarily broken the threshold of data transfer volume."

Fielder recently spoke at online summit PeepSec. Register and listen to his interview here.