Better cybersecurity hinges on understanding actual risks and addressing the right problems
By Zeljka Zorz
SANS Technology Institute’s Internet Storm Center (ISC) has been a valuable warning service and source of critical cyber threat information to internet users, organizations and security practitioners for nearly two decades. Dr. Johannes Ullrich, the man whose site (DShield.org) became the basis of a SANS project (Incident.org) that later became the Internet Storm Center, has been leading the effort from the start.
Old and new attack trends
“Initially, the Internet Storm Center mostly dealt with firewall logs. In the early days (2000-2008 or so), firewall logs helped us understand the spread of worms like Leaves, Nimda, Blaster, and others,” he told Help Net Security. “But as soon as home computers started to either use built-in firewalls, or take advantage of home router/firewall combos that are very common today, we saw how things shifted. Instead of actively scanning for systems, attackers tricked users into running the code for them. This led to the never-ending ways of malicious websites and emails that are still dominating.” More recently, they witnessed the shift from data theft to data encryption by ransomware, as attackers discovered that the person willing to pay most for the data is the original owner.
In addition to this major trend, Dr. Ullrich says that it has become obvious over the years that old attacks and vulnerabilities never quite disappear. “I think that the vast majority of attacks, even advanced attacks, only use a small handful of actual vulnerabilities, but it’s actually very difficult to obtain really good data to support or reject this thesis. There are a lot of studies that look at different pieces of the puzzle, but it’s hard to find out how it all fits together.” He also thinks that some very “noisy” attacks are very much overrated and that companies spend a lot of effort and money on defending against attacks that would never have been successful. One of the hard parts in defense is to accurately determine the actual risk posed by a particular attack.
Understanding risks and finding solutions
One thing that’s definitely not overrated? Application control.
“I think it’s one of the most important techniques that has finally made it to the mainstream. Having users execute arbitrary applications is probably one of the most common weaknesses. And yes, a lot of users hate the restrictions, but I find limiting the ‘zoo’ of allowed applications significantly reduces risks,” he explained. “This is not a new idea. Microsoft has made this a standard optional feature in all currently supported versions of Windows and Apple has to some extent ‘mastered’ this with their mobile device app stores. But it is one of those simple and maybe a bit boring techniques that can always use more attention.” In the end, though, some of the risks may be a bit overhyped, and it’s important to understand that there is no perfect security.
“In cybersecurity, just like in ‘real world’ security, it is important to understand risks. Just like a shop owner may have a discount table outside the store, well knowing that some of the items may be stolen, and a locked cabinet in the back with high value items, in cyber security we still have to learn how to accurately determine risk and how to spend the right amount of effort on the right problems. The goal isn’t to prevent every breach, but to limit the impact of a breach.”
Getting talented people into cybersecurity
In parallel with working on the Internet Storm Center, Dr. Ullrich became more involved in teaching SANS courses. He started out teaching the Intrusion Detection class – which is the class he still enjoys teaching the most – and added various other classes along the way. He was also involved in SANS’s effort to establish a graduate school, and the work he has done with the Internet Storm Center has also become part of the graduate school’s research program that he’s heading up now as Dean of Research. With all that in mind, I wondered what his take is on how to attract more young people into the cybersecurity field. “There has been a lot of progress in the creation of gamified exercises to better identify talent and interest them in cybersecurity,” he noted.
“Cybersecurity is less about the knowledge of specific tools and techniques, but more about a talent to understand complex technological relationships and persevere in solving hard challenges.”
He also stressed that cybersecurity is a field that changes constantly and quickly.
“I think if you ‘sell’ cybersecurity as a field that offers you a set of challenging, never ending and changing puzzles, you likely address the right crowd. This is not a field where you learn once and ‘stick with it’ (does such a field still exist?). To excel, you also have to be a bit of a risk taker and you can’t always wait for instructions,” he concluded.