Saturday, August 22, 2015

Anatomy of a Modern Crime

Cross-posted with the lovely Lady Killers.

In prime-time television, computer attacks are heralded by blinking red lights and audible alarms. Then there’s some clumsily written dialogue about breached firewalls, and the scene cuts to someone typing on a keyboard in a dark room where the only light comes from the glow of a computer screen. Eventually, the audience discovers this brilliant, evil hacker single-handedly compromised the mainframe using a zero-day attack. In one day. While wearing a hoodie. Hackers always wear hoodies.
I’m here to save you from this trope.
Let’s start with the task of detecting computer attacks. The truth is any computer connected to the Internet is being attacked in small ways all the time. Despite the best efforts of everyone involved, legitimate ad networks host malicious ads, good websites end up hosting bad code, emails with evil attachments still make it through spam filters, and various global bad actors are scanning for weaknesses all the time. This is the first reason it is ridiculous when a computer attack triggers blinking red lights. If that were actually true, the blinking red lights would be on all the time.
The second reason it is ridiculous is that determining whether an attack represents a small annoyance or a full-scale emergency requires a human analyst of some sort. The real story starts this way: someone looks at a screen and says, ‘Hey, that looks odd.’ Then they do some work. Then they do some more work. Then they talk to someone else. Then maybe, if their suspicions pan out, the news spreads up through various layers of management until someone decides what to do about the intrusion. If you’re lucky. In some cases, if it’s not costing the business too much money, they throw up their hands and do nothing. Comforting, isn’t it?
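Here is what that ‘Hey, that looks odd’ moment looks like in practice, as an added example that is not part of the original post. It parses a handful of constructed sshd-style log lines (made up for this illustration, using reserved documentation addresses), counts the constant background of failed logins per source, and only flags for a human the one source whose failures are followed by a successful login. The noise threshold of five failures is an assumed tuning value, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample log lines in sshd style (invented for this example; the
# addresses are reserved documentation ranges, not real hosts).
SAMPLE_LOG = """\
Aug 22 03:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Aug 22 03:14:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Aug 22 03:14:05 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51041 ssh2
Aug 22 03:14:08 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51055 ssh2
Aug 22 03:14:09 web1 sshd[2109]: Failed password for invalid user pi from 203.0.113.5 port 51060 ssh2
Aug 22 03:20:11 web1 sshd[2144]: Failed password for invalid user admin from 198.51.100.77 port 40210 ssh2
Aug 22 03:20:12 web1 sshd[2146]: Failed password for root from 198.51.100.77 port 40212 ssh2
Aug 22 03:20:14 web1 sshd[2148]: Failed password for invalid user ubuntu from 198.51.100.77 port 40219 ssh2
Aug 22 03:20:15 web1 sshd[2150]: Failed password for invalid user guest from 198.51.100.77 port 40222 ssh2
Aug 22 03:20:17 web1 sshd[2152]: Failed password for invalid user support from 198.51.100.77 port 40230 ssh2
Aug 22 03:20:18 web1 sshd[2154]: Failed password for invalid user admin from 198.51.100.77 port 40233 ssh2
Aug 22 09:02:40 web1 sshd[3310]: Accepted publickey for deploy from 10.0.0.12 port 50123 ssh2
Aug 22 11:41:02 web1 sshd[4012]: Failed password for jsmith from 192.0.2.33 port 61002 ssh2
Aug 22 11:41:09 web1 sshd[4014]: Failed password for jsmith from 192.0.2.33 port 61008 ssh2
Aug 22 11:41:15 web1 sshd[4016]: Failed password for jsmith from 192.0.2.33 port 61013 ssh2
Aug 22 11:41:44 web1 sshd[4018]: Accepted password for jsmith from 192.0.2.33 port 61020 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_events(text):
    """Turn raw log text into a list of dicts, in file order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events):
    """Per source IP: how many failed and accepted logins, and which usernames were tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for ev in events:
        entry = summary[ev["ip"]]
        entry["failed" if ev["outcome"] == "Failed" else "accepted"] += 1
        entry["users"].add(ev["user"])
    return dict(summary)


def triage(events, noise_threshold=5):
    """Decide what deserves a human.

    - 'review': a success from a source that had already failed (password guessing that worked,
      or a user who mistyped three times; only an analyst can tell which).
    - 'noise': lots of failures, no success. This is the Internet's constant background hum.
    - 'normal': successes only.
    - 'low': a few failures, nothing else. Not worth anyone's time on its own.
    """
    seen_failure = set()
    success_after_failure = set()
    for ev in events:  # order matters: the success must come after the failures
        if ev["outcome"] == "Failed":
            seen_failure.add(ev["ip"])
        elif ev["ip"] in seen_failure:
            success_after_failure.add(ev["ip"])

    findings = []
    for ip, s in summarize_by_source(events).items():
        if ip in success_after_failure:
            verdict = "review"
        elif s["failed"] >= noise_threshold and s["accepted"] == 0:
            verdict = "noise"
        elif s["failed"] == 0:
            verdict = "normal"
        else:
            verdict = "low"
        findings.append({"ip": ip, "verdict": verdict, "failed": s["failed"],
                         "accepted": s["accepted"], "users": sorted(s["users"])})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f"{f['ip']:15} {f['verdict']:7} failed={f['failed']} accepted={f['accepted']} users={f['users']}")
```

Run as-is, it prints one line per source: two scanners marked as noise, one routine key-based login, and a single source marked for review. Only that last line goes to a person, and even then the analyst has to do the work the paragraph above describes: pull the session, check what jsmith did next, and decide whether this is a breach or a Tuesday.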
Okay, now about firewalls. I could write an entire blog post on how to correctly use the term firewall in fiction. In fact, I have. So let’s not rehash that. The real problem here is that most attacks, even the big ones that lead to massive data breaches, start with pedestrian tactics. The Target breach started with a malicious email. The criminals used that email to get someone at a third-party vendor to install a program that captured that vendor’s username and password. That username and password gave them access to a vendor-facing system on Target’s network. That was then used as a jumping-off point for infecting the registers. Firewalls were never part of the equation.
And the criminals didn’t even have to write the code that infected the registers. The lone hacker single-handedly taking down a large network is a rare occurrence. And by rare, I mean vanishingly rare. The reality is that there’s a thriving black market for cybercriminals. Do you want to buy time on computers that someone else has already taken over for you? You can do that. Do you want to buy an exploit kit that will automate infecting large numbers of computers? You can do that too. Last year, the going price for the code that will mutate your evil program so it’s undetectable by 90% of anti-virus programs was two hundred dollars.
Okay. Now we can talk about zero-day attacks. They’re one of the coolest things in my field. A zero-day attack exploits a flaw the software vendor doesn’t know about yet, so there is no patch for it. That means your machine will be vulnerable to it, no matter how diligently you update. Super scary, right? Sounds great for fiction. I hate to be the one to tell you this… but zero-day attacks are not the first choice for a criminal or even a spy agency. What’s really scary is that many computers, even at government agencies, can be compromised without resorting to fancy zero-day attacks. Patching reliably, on a large scale, is difficult. Most organizations fail. Your antagonist probably doesn’t need a zero-day attack to succeed, and wouldn’t try it first.
Why not? Zero-day attacks are powerful because they’re secret. The more they’re used, the less secret they are. Eventually, someone submits a sample to an anti-virus company. Or the breach is discovered and the email attachment gets analyzed, and then boom, your fancy zero-day is no longer your ace in the hole. Zero-day attacks also raise the profile of an attacker. Sophisticated criminals don’t want to show their hand if they don’t have to. Better to use a common weapon, so their victims aren’t alerted to their presence. Zero-day attacks are typically reserved for high-value targets when other attacks won’t work.
We should also talk about timing. Most attacks worthy of a novel take time. The target is studied. Scanned. Researched. And then, when the attacker has determined the best approach, compromised.
As for hoodies? Well, I can’t really fight that one. Computer geeks of all stripes tend to own hoodies. Of course, most non-computer geeks do too. You can keep the hoodie.