Crims not spies dominate cybersecurity threats: Sophos CEO

Ransomware, the volume of customised malware, and its commercialisation are the biggest factors affecting cybersecurity today, says Kris Hagerman. Nation-state actors less so, at least for most organisations.
Written by Stilgherrian, Contributor

"We're fanboys of AI, but particularly deep learning and how it applies to cybersecurity," says Kris Hagerman, chief executive officer of Sophos. "With deep learning we can now basically process every single piece of malware on the planet."

Deep learning turns one of the cybercriminals' strengths into a weakness, Hagerman told ZDNet last month. A flood of malware variants is no longer a "huge tide that rolls in" to overwhelm threat research teams. Instead, it all adds to the dataset.

"Of course the bigger the dataset is, the better that deep learning performs," he said.

"Look, I will grant you that some of these things can be tossed around as buzzwords and be used indiscriminately. But in the case of cybersecurity, and in particular with the more advanced forms of neural networks and deep learning, it is a fundamental change in the landscape."

Hagerman's comments echo those of people like Simon Ractliffe, head of cybersecurity at Singtel Optus, who recently said the opportunities for AI are "just spectacular".

The volume and variety of malware and attacks continue to increase, but Hagerman said that's a "consistent" feature of the threat landscape. Other factors have had a greater effect on the way cyber defenders operate.


One of those factors is the increased customisation and targeting of malware.

"We're seeing a growing percentage of malware that is unique to the targets that they are pursuing, and that speaks to the sophistication of the attackers, and the sophistication of the tools they are using to create the malware," Hagerman told ZDNet.

That sophistication isn't all about nation-state actors, however, despite the media attention they get.

"Nation-state activity is important. It's become another form of warfare, whether explicit or kind of sub rosa. But in the general scheme of things, in terms of the volume of malware activity, for a typical enterprise organisation it is dwarfed by commercial cybercrime," Hagerman said.

Another big factor is ransomware. Ransomware has been behind some of the most damaging cyber attacks of the past year, including WannaCry and NotPetya (the latter only nominally so: its encryption could not be reversed even when the ransom was paid, making it a wiper dressed as ransomware).


"You will continue to see ransomware proliferate for two fundamental reasons. One, it is exceedingly effective as a business model, as a way to monetise a successful attack. The second reason ... is something that's not always appreciated, which is the confluence of ransomware and blockchain currencies," Hagerman said.

Bitcoin and other cryptocurrencies have "basically completed the last mile of the ransomware problem", which is cashing out.

A third factor is "almost the flipside" of the first one, Hagerman said, which is "the commercialisation of advanced malware".

Once an advanced piece of malware has been used a few times against advanced organisations and loses its lustre, it can then be deployed into a secondary market, against organisations that might be less well protected.

"You can now literally go onto the web as an unsophisticated actor, not know how to write a line of computer code, and you can pay in bitcoin for ransomware as a service. You sign up, and it's pretty cheap, and it has even 24/7 support," he said.

"The more unique targeted sophisticated attacks you have on the front end, the more effective the commercialisation of those techniques will be on the back end."

Hagerman's final factor is Android as an attack vector. "We haven't quite seen yet the high profile attack that takes advantage of mobile operating systems, but it is certainly vulnerable to them."
