
What do data protection experts hope for? Report from the International Cybersecurity Congress



On June 20-21, the International Cybersecurity Congress was held in Moscow. By the end of the event, visitors could draw the following conclusions:


The congress was held at the World Trade Center. The choice of venue is explained by the fact that it is one of the few sites with FSO approval for holding events attended by the country's highest officials. Visitors to the congress could hear speeches by the Minister of Digital Development Konstantin Noskov, the head of the Central Bank Elvira Nabiullina, and the President of Sberbank German Gref. The international audience was represented by Huawei's Director General in Russia Aiden Wu, retired Europol Director Jürgen Storbeck, President of Germany's Cyber Security Council Hans-Wilhelm Dünn, and other high-ranking experts.

Is the patient more alive than dead?


The organizers selected topics suitable both for general discussion and for practical reports on technical issues. Artificial intelligence was mentioned in most of the speeches; to the speakers' credit, they often admitted that in its current incarnation it is more a hype topic than a really working technology stack. At the same time, it is already difficult to imagine protecting a large corporate infrastructure today without machine learning and data science.

An attack is detected, on average, three months after the infrastructure has been penetrated.

Signatures alone cannot stop the 300,000 new malware samples that appear every day (according to Kaspersky Lab data). And on average, security teams take three months to detect intruders on their network. During this time, the attackers become so entrenched in the infrastructure that they have to be driven out three or four times. You clean up the storage, and the malware returns through a vulnerable remote connection. You harden network security, and the criminals send an employee a letter with a trojan, supposedly from a long-standing business partner whom they have also managed to compromise. And so on to the bitter end, whoever ends up winning.

A and B were building information security


On this basis, two parallel directions in information security are growing rapidly: ubiquitous control over the infrastructure through security operations centers (SOC), and the detection of malicious activity through anomalous behavior. Many speakers, for example Trend Micro's Vice President for Asia-Pacific, Middle East and Africa, Dhanya Thakkar, urge administrators to assume that they have already been hacked, and not to ignore suspicious events, no matter how insignificant they may seem.
IBM about a typical SOC creation project: “First, design a future service model, then implement it, and then deploy the necessary technical systems.”

Hence the growing popularity of SOCs, which cover all parts of the infrastructure and promptly report the sudden activity of some forgotten router. As Gyorgy Racz, director of IBM Security Systems in Europe, said, in recent years the professional community has developed a certain understanding of such control structures, realizing that control cannot be achieved by technical security means alone. Today's SOCs bring a security service model to the company, allowing security systems to be integrated into existing processes.

You have my sword, and my bow, and my axe


Business exists in the context of a personnel shortage: the market needs about 2 million information security professionals. This pushes companies toward an outsourcing model. Even corporations that have their own specialists often prefer to spin them off into a separate legal entity; recall SberTech, Domodedovo Airport's in-house integrator, and other examples. If you are not a giant in your industry, you are more likely to turn to someone like IBM to help you build your own security service. At the same time, a significant part of the budget will be spent on restructuring processes in order to run information security as a corporate service.

The scandals with leaks from Facebook, Uber and the American credit bureau Equifax raised IT protection issues to the level of boards of directors. Therefore, the CISO is becoming a regular participant in board meetings, and instead of a technological approach to security, companies apply a business lens: assessing profitability, reducing risks, hedging their bets. Countering cybercriminals takes on an economic connotation too: you need to make the attack unprofitable, so that hackers have no interest in the organization in the first place.

There are nuances


All these changes did not go unnoticed by attackers, who redirected their efforts from corporations to private users. The numbers speak for themselves: according to BI.ZONE, in 2017-2018 the losses of Russian banks from cyber attacks on their systems decreased more than tenfold. On the other hand, social engineering incidents at the same banks increased from 13% in 2014 to 79% in 2018.

Criminals found the weak link in the corporate security perimeter, which turned out to be private users. When one of the speakers asked everyone with specialized anti-virus software on their smartphone to raise their hands, three people out of several dozen responded.

In 2018, private users were involved in every fifth security incident, and 80% of attacks on banks were carried out with the help of social engineering.

Modern users are spoiled by intuitive services that teach them to rate IT in terms of convenience. Security features that add a couple of extra steps are a distraction. As a result, the protected service loses to a competitor with more appealing buttons, and attachments to phishing emails are opened without reading. It is worth noting that the new generation does not show the digital literacy attributed to it: every year the victims of attacks grow younger, and millennials' love of gadgets only expands the range of possible vulnerabilities.

Reaching out to a person


Security tools today are struggling with human laziness. Should I open this file? Do I need to follow this link? Let the process sit in the sandbox for a while, and you will be able to judge it all over again. Machine learning tools constantly collect user behavior data in order to develop safe practices that do not cause unnecessary inconvenience.

But what do you do with a client who convinces an antifraud specialist to approve a suspicious transaction, even though he is told directly that the recipient's account has been seen in fraudulent transactions (a real BI.ZONE case)? How do you protect users from intruders who can fake a call from the bank?

Eight out of ten social engineering attacks are performed over the phone.

It is phone calls that have become the main channel of social engineering: in 2018, the share of such attacks rose from 27% to 83%, far ahead of SMS, social networks and email. Criminals set up entire call centers to ring people with offers to make money on the stock exchange or to get paid for participating in surveys. Many people find it difficult to assess information critically when they are required to make an immediate decision and are promised an impressive reward for it.

The latest trend is fraud with loyalty programs, which deprives the victim of miles accumulated over the years, free liters of gasoline and other bonuses. The proven classic, paid subscriptions to unneeded mobile services, has not lost its relevance either. One of the reports gave the example of a user who lost 8 thousand rubles each day to such services. When asked why the constantly dwindling balance did not worry him, the man replied that he had blamed it all on the greed of his provider.

Non-Russian hackers


Mobile devices blur the line between attacks on private and corporate users. For example, an employee may be secretly looking for a new job. He comes across an online service for preparing a resume and downloads an application or a document template to his smartphone. That is how the attackers who set up the fake online resource land on a personal device, from where they can move into the corporate network.

As the speaker from Group-IB said, exactly such an operation was conducted by the advanced Lazarus group, which is described as a unit of North Korean intelligence. It is one of the most prolific cybercriminal groups of recent years: it is credited with thefts from the central bank of Bangladesh and Taiwan's largest bank FEIB, attacks on the cryptocurrency industry, and even the attack on the Sony Pictures film company. APT groups (from the English "advanced persistent threat"), whose number has grown to several dozen in recent years, get into the infrastructure seriously and for a long time, having first studied all of its features and weaknesses. That is how they manage to learn about the career moves of an employee who has access to the information system they need.

Today, large organizations are threatened by 100-120 highly dangerous cyber groups, and every fifth one attacks companies in Russia.

The head of Kaspersky Lab's threat research department, Timur Biyachuev, estimated the number of the most formidable groups at 100-120 communities, with several hundred in total. About 20% of them threaten Russian companies. Many of the criminals, especially from the newly emerged groups, live in Southeast Asia.

APT communities may specifically create a software development company to cover their activities, or compromise ASUS's global update service to reach several hundred of their targets. Experts constantly monitor such groups, piecing together scattered evidence to determine the distinguishing profile of each of them. Such threat intelligence remains the best preventive weapon against cybercrime.

Who do you belong to?


As experts argue, criminals can easily change their tools and tactics, write new malware and discover new attack vectors. The same Lazarus group, in one of its campaigns, put Russian words in its code in order to lead the investigation down the wrong track. However, the behavior pattern itself is much harder to change, so experts can infer from its characteristic features who carried out a given attack. Here they are again assisted by big data technology and machine learning, which separate the wheat from the chaff in the information gathered by monitoring.

The speakers at the congress raised the problem of attribution, that is, determining the identity of the attackers, more than once. These tasks involve both technological and legal issues. Say, do criminals fall under the protection of personal data legislation? Of course they do, which means that information about campaign organizers can only be shared in anonymized form. This imposes certain restrictions on data exchange within the professional information security community.

Schoolchildren and hooligans, the customers of underground hacker stores, also make it difficult to investigate incidents. The threshold for entering the cybercrime industry has dropped to such an extent that the ranks of malicious actors tend to infinity: you cannot count them all.

The beautiful far-away


It is easy to fall into despair at the thought of employees who install a backdoor on the financial system with their own hands, but there are positive trends too. The growing popularity of open source increases the transparency of software and simplifies the fight against injections of malicious code. Data science specialists are creating new algorithms that block unwanted actions when they show signs of malicious intent. Experts are trying to bring the mechanics of security systems closer to the workings of the human brain, so that protective systems use intuition alongside empirical methods. Deep learning technologies allow such systems to evolve on their own using models of cyber attacks.

Skoltech: "Artificial intelligence is in fashion, and that's good. In fact, it is still a long way off, and that is even better."

As Grigory Kabatiansky, Advisor to the Rector of the Skolkovo Institute of Science and Technology, reminded the audience, such developments cannot be called artificial intelligence. Real AI would not only accept tasks from a person but also set them independently. A few more decades remain before the advent of such systems, which will inevitably take their place among the shareholders of large corporations.

In the meantime, humanity is working with machine learning technologies and neural networks, which academics were already discussing in the middle of the last century. Skoltech researchers use predictive modeling to work with the Internet of Things, mobile networks and wireless communications, medical and financial solutions. In some areas, advanced analytics combats the threat of man-made disasters and network performance problems. In others, it suggests solutions to existing and hypothetical problems, such as detecting hidden messages in seemingly harmless carriers.

Practicing on cats


Igor Lyapunov, Vice-President for Information Security of Rostelecom PJSC, sees the fundamental problem of machine learning in information security in the lack of training material for smart systems. A neural network can be taught to recognize a cat by showing it thousands of photos of the animal. But where does one get thousands of cyber attacks to use as examples?

Today's proto-AI helps to search for traces of criminals on the darknet and to analyze malware that has already been detected. Antifraud, countering money laundering, and partly the identification of vulnerabilities in code can also be done by automated means. The rest can be attributed to the marketing projects of software vendors, and this will not change in the next 5-10 years.

Source: https://habr.com/ru/post/457640/
