Russian hackers reportedly used a barrage of “fake news” items to distract and confuse voters in the 2016 U.S. presidential election—crowding out genuine information that could better guide their decisions.
Data security analysts are already familiar with a similar tactic used in cyberattacks against businesses. Hackers have been known to launch large-scale decoy attacks to distract and overwhelm a victim, so they can slip in a more subtle and damaging exploit, says Vincent Weafer, vice president of McAfee Labs. Such sleight-of-hand and misdirection is making it harder for cybersecurity companies and their clients to focus on the worst threats, according to a McAfee Labs threat report published this week.
One type of cyberattack that can be used as such a smokescreen is the distributed denial of service (DDoS) exploit, in which the hacker harnesses thousands of computers to send messages to a website or service, which shuts down when it can’t cope with the onslaught.
A DDoS assault can be an end in itself, causing significant harm to a business such as domain name service provider Dyn, the victim of an October 2016 attack that also temporarily shut down or slowed access to its clients including Twitter, the New York Times, and Netflix. But a DDoS attack can also be a “noisy” crisis, intended just to attract a lot of attention and keep the victim occupied, Weafer says.
“The defender spends time focusing on it, even feels good about their efforts, while the hacker is launching a separate and more deadly attack,” Weafer says.
Separating the real danger signals from the noise is a critical task in cyberdefense, and it’s getting harder as attacks mount in both number and sophistication, Weafer says. That’s one of the issues addressed in the report he co-wrote, McAfee Labs Threats Report April 2017.
The sheer volume of cyberattacks alone is a challenge to businesses and their cybersecurity companies, Weafer says. Total malware attacks detected by McAfee Labs alone rose 24 percent in 2016 to 638 million, according to the McAfee report.
Those numbers have been climbing steadily ever since the 1990’s, Weafer says. But cyberattacks are now no longer the sole province of skilled—though malicious—programmers. Inventive hackers now make lucrative products out of their malware, selling it broadly to enable low-skilled people to mount damaging attacks amplified by automation. Hackers can hijack the connected devices of unwitting users—from laptops to poorly protected Internet of Things products—to multiply the effect of attacks such as DDoS exploits.
Cybercriminals have mimicked the technological inventions that have advanced the legitimate tech industry, such as Web-based software sold as a subscription, Weafer says. Just as businesses can buy software-as-a-service, criminals can buy “exploit-as-a-service,” he says.
Cyberdefenders are trying to filter and analyze a firehose of data from all these attacks, and find ways to react quickly enough to prevent the damage, rather than simply reconstructing what happened days or weeks later.
To that end, cybersecurity companies are collecting a lot more information about each attack, such as the size and other characteristics of malicious files, and the IP addresses they were sent from, Weafer says. But this also further expands the universe of data that threat intelligence systems need to sift through to set priorities for a response.
“It’s much, much more data coming across in real time,” Weafer says. While the signal-to-noise problem hasn’t been solved, that attack metadata provides the richness of detail needed by machine learning tools that can scan it for illuminating patterns, he says.
Hackers fortify themselves by sharing their tactics with fellow cyberattackers. Cyberdefenders have been trying to match that strategy by forming various threat intelligence sharing networks. For example, Santa Clara, CA-based McAfee (formerly part of Intel Security) joined with other companies to form the Cyber Threat Alliance in 2014. The other founders are Check Point, Cisco, Fortinet, Palo Alto Networks, and Symantec.
But hackers have other tricks up their sleeves to try to confound these cooperative cyberdefense networks, the McAfee report says:
“Disinformation and fake news are not new. Adversaries may file false threat reports to mislead or overwhelm threat intelligence systems.”
That burdens members of each network with the task of sorting out which attack reports are fake, to avoid sending them along to their threat intelligence sharing groups and slowing or muddling their analyses.
Human analysts aren’t keeping up with the task of triaging the deluge of threat data, to weed out fake or inconsequential data and develop high quality information to share with cyberdefense partners, McAfee says. The company concluded that further automation is needed to help humans pay attention to the most real or dangerous threats.
“Which are the true attacks?” Weafer says. “It’s not like finding a needle in a haystack; it’s like finding a needle inside of needles.”