“We analyse in excess of a million different objects every day in the lab”
SPONSORED – David Emm, a leading member of Kaspersky Lab’s Global Research & Analysis Team (GReAT) and has worked in the anti-malware industry since 1990.
We joined him to talk machine learning, “moat and castle” security and the current threat landscape.
David, let’s start with the threat environment. What are the main threats out there at the moment? What people need to be aware of?
For individuals the main attacks are typically speculative attacks or those based on scanning for known vulnerabilities: banking Trojans; general purpose spyware; cryptocurrency mining which hijacks your CPU.
Cybercriminals are after direct ways of monetising their behaviour: obviously one way to do that is by getting access to your bank. So, bank attacks are highly prevalent. With ransomware there has been a switch more towards specific targeting aimed at businesses. As an individual I might not like to see my family photos and files disappear, but I’m not necessarily going to pay cash to get them back.
For businesses obviously the impact is much greater.
What are the typical vectors you see for these targeted attacks?
Attackers develop malware of varying degrees of sophistication; and seek to exploit any vulnerabilities that they can identify in widely used applications – including, given the increase in working from home during the COVID-19 pandemic – remote desktop protocol (RDP) attacks. That said, social engineering remains the main method cybercriminals use to compromise computers.
When it comes to phishing, I think it’s noteworthy that while awareness has grown, unfortunately there’s still a grey area between what’s legitimate and what’s fake: you can get correspondence from legitimate organisations that actually looks pretty much like a phishing email. That overlap doesn’t help.
We need to be trying to cut off the flow higher up and encourage an environment in which if it is unsolicited, you are not expected to click on it.
How is machine learning helping Kaspersky?
It’s critical. Up until about 2003, most malware was vandalism. From the point at which it could be monetised, we saw a massive ramping up in numbers. Without machine learning our industry generally would drown in the volume.
We analyse in excess of a million different objects every day in the lab. Probably 99.9% of those we auto-analyse. Being able to do this kind of analysis at scale is hugely important. But so is the expertise of our malware experts, whose job it is to design these systems and ensure that the algorithms used to analyse code remain sharp.
What do you say to the people who believe that endpoint detection is a dying art, because it’s never going to keep up with the flurry of attacks out there — that we need to fundamentally rethink a sort of moat and castle approach?
The idea of antivirus in one form or another being dead goes back a long time. I can remember people saying, “oh, yeah, well, once we get Windows NT, that’ll kill off malware”. Instead, it simply changed the malware that attackers used.
On the other hand, despite the name ‘antivirus’, the technologies used to protect endpoints have developed out of all recognition from what was used even 10 years ago to protect endpoints. The ability to analyse code in a way that doesn’t require a signature and the ability to respond to any anomalous activity on the network is becoming more and more important; endpoint protection is just as important in this as the analysis of email or network traffic.
So there is still very much a need for endpoint detection. In that sense, the endpoints become ‘listeners’, which feed information into your broader system. They become your eyes and ears that collectively give you an overall picture of what’s going on and therefore the ability to detect anything that shouldn’t be there and respond to it.
What do you think differentiates Kaspersky?
I think it’s our ability to analyse and detect threats at a very deep level and, of course, the technology that is informed by that expertise.
In terms of the threat intelligence capability that we offer, that’s really critical. Look at the quality of the technical reports we put out, the quality of the Inidicators of Compromise (IoCs), YARA rules and other technical data that we offer. Technical expertise is at a premium when we’re looking specifically at dealing with some of the new types of threats where a signature doesn’t exist; the ability to see whether it’s trying to exploit a vulnerability on the system, even if you’ve never seen it; or to analyse it in a sandbox to determine how it behaves.
There’s a reason we consistently top independent threat detection rankings.