Information security innovation and the fast-paced threat landscape

Gary Warner recently became the Chief Threat Scientist at PhishMe. In this interview he talks about how his past positions prepared him for this new job title, information security innovation, the greatest challenges that we face in the current threat landscape, and more.

You were the founding president of the Birmingham chapter of the FBI’s InfraGard program and you’re still the Director of Research in Computer Forensics at the University of Alabama at Birmingham. How have these role prepared you for what you’re about to tackle as Chief Threat Scientist for PhishMe?
The FBI InfraGard program is often called a “Public-Private Information Sharing” organization. With more than 50,000 members representing all of the Critical Infrastructure sectors, I’ve had a chance to see the common vulnerabilities and security design flaws that are present in many different industries. I’ve also had the opportunity to realize that there are great differences in the “security personality” from one industry to another.

Some of these have given certain industries, such as Financial Services, great advantages in the area of cyber security. At the University, we have attempted to train students to be aware of the advantages and flaws of these different approaches, and share with our corporate partners things from other industries that are not being practiced in their own industry. This broad perspective has given me a great sense of what works, what doesn’t work, and where our greatest pain points remain.

What challenges do you expect to have due to a fast-paced threat landscape? What does current technology lack and what can we do to start staying a step ahead of the bad guys, not just scrambling to protect against increasingly complex and targeted scams?
The greatest challenges that we face in the current threat landscape are the ability of the adversary to quickly and easily evade our defenses. A quick and automated repackaging of the malware renders it undetectable to traditional anti-virus, and with millions of vulnerable web servers to choose from, shifting to new infrastructure is also quite simple, complicating the ability of traditional “black lists” to stop attacks. But even the most advanced cyberattacks rely on habit and convenience, and “connecting the dots” between the individual attacks to allow us to understand the overall campaign is still our greatest advantage.

Fortunately, most cyber attacks are still based on re-used code, and still have certain parts of the attacker’s infrastructure that are hard or expensive to change. Identifying these weak links is the key to making a difference.

Based on your experience, what areas of information security need the most innovation?
I often tell my students that cybercrime is not a technology problem, it is a societal problem. Criminals have made certain life choices and career choices based on a prevailing assumption that “nobody ever goes to jail for cybercrime.” Millions of frustrated victims know that the person that just stole the money from their bank account, or just hacked a website and stole their credit card and used it to buy a meal in another part of the world, are never going to be brought to justice. They want to help, but the tools and resources we’ve given them teach them that attempting to help is a waste of time. They file a report that they know in their heart will never do any good.

I’m interested in two areas of solutions:

• Big data-based machine learning: how can we teach computers to connect the dots that reveal that each of those tiny cybercrimes is actually part of a multi-million dollar criminal enterprise?
• Crowd-sourced cyber intelligence: how can we provide users with a simple-to-use method of putting the data about the attacks that THEY see into a place where they can be proud that they have made a difference by seeing their reports turn into defensive measures and investigative measures that change the world?

How do you expect the threat landscape to evolve in 2016? Any new attack vectors organizations should be on the lookout for?
It seems that criminals listen to the advice we give people about cybercrime and use it against us. The traditional wisdom that we hear was “I don’t click links or open attachments from people I don’t trust.” In 2015, the increase in attacks targeting email is primarily about abusing those trust relationships. In 2016, other forms of trust are going to be under attack. Passwords stored in browsers, especially on mobile devices and BYOD phones and tablets will be a big target.

This year we need to be encouraging the adoption of two-factor authentication and “unknown device” alerting as never before – including on internal systems. In another area of trust, a malware compromised workstation logs in to your corporate systems with the same power as the authorized user. Big data breaches are largely enabled by the concept that certain users should be allowed to “See Everything.” This needs to be reeled back to “See Only Some Things, or See Anything, but only at reasonable volumes.”

With increased reporting of suspicious activity, advances in threat analysis to enable better campaign identification, and raising our guard by challenging all of the “Trust” assumptions we make, we can make 2016 a safer year. I look forward to helping with that!