The second in our four-part series on cyberthreats explores emerging trends in malware
You can’t teach an old dog new tricks, or so the saying goes – but maybe you don’t need to. Malware writers are evolving less dynamically than you might think, explained Tim Rains, chief security advisor for worldwide cybersecurity and data protection at Microsoft.
Rains works extensively with Microsoft research to track emerging cyberthreats. In this, the second of a four-part series on how cyberthreats are evolving over time, he explained that attackers are typically sticking to four basic techniques:
- Social engineering
If an attacker can convince you to click on a malicious link or run an infected file as administrator, then they’ve achieved their mission. Often, the biggest security flaw is the one between the user’s ears.
- Weak passwords
Sometimes, attackers may not need malware at all. If they can guess your password, that may give them the foothold in your system that they need. They don’t necessarily need to guess it, either. Cross-site scripting or man-in-the-middle attacks are effective ways to gain access.
- Misconfigured systems
Systems configured with security loopholes (such as computers allowed to run in administrative mode) are a haven for attackers.
- Unpatched vulnerabilities
Unpatched systems are one of the most common infection vectors, said Rains.
Rains argued that attackers tend to take the path of least resistance, going back to the techniques that are tried and true. He calls this putting ‘old wine in new bottles’.
Patching systems would go a long way towards eradicating these problems altogether, Rains suggested, based on the fact that the attack cycle is speeding up. Before 2014, it could take weeks or even months for a newly discovered vulnerability to be weaponised as an exploit and placed into a commercial exploit kit. At the start of 2014, the average length of time between a new vulnerability announcement and an exploit was around 30 days.
By the end of last year, he was regularly seeing almost no gap between vulnerability announcements and the inclusion of exploits for them in commercial kits. Welcome to the age of the commercially-sold zero-day.
Attackers are evolving in some ways, though, particularly in the types of software vulnerability they exploit. To see the full SecTor interview, check out the video below.
And check out Tim Rains’ presentation, Exploitation Trends: From Potential Risk to Actual Risk, below.
Interested in finding out more? The SecTor security conference takes place at the Metro Toronto Convention Centre in downtown Toronto on October 18-19, 2016, with a training day on October 17.