Safety Detective’s Aviva Zacks got the unique chance to sit down with Samir Mody, VP of Threat Research at K7Computing, and asked him what the worst cyberthreat is today.
Safety Detective: How did you get into cybersecurity and what do you love about it?
Samir Mody: When I graduated from university, I got a job at a prominent cybersecurity company. I had no idea what cybersecurity was at that time. I knew about computer viruses, but I didn’t really know what a lab was.
Since joining the cybersecurity industry, I have realized that it is an evergreen one. It is a constant challenge because the technologies keep changing, and there are new platforms coming up all the time. We need to be able to cope with that and take on new challenges all the time.
Apart from that, there is also a very great incentive to protect users across the world. That is something which is a source of great satisfaction for us when we walk into the lab.
And finally, as competitive people, we get to have two sets of competitors. We are the cyber defenders on one side, and we have to fight against the blackhat adversaries, which is where we try to make sure that we are one step ahead of them. And if they are ahead of us, then we get a chance to work out what they’re doing and determine how to trump them. In addition, we also must compete with other vendors in the cybersecurity space. We also try to get our research papers accepted at international cybersecurity conferences against stiff competition.
SD: How do K7 Computing products protect customers from cyberthreats?
SM: I’m going to just describe the typical life cycle of a cyberthreat. And I say “typical” because there are so many different versions, but I will explain to you one of the most common types of threat that you would find. Threats tend to come from the internet. For example, you might get an email with a link to a particular file or something like that, and something is going to get downloaded from the internet onto your computer. Once it is downloaded, it is going to get executed on your computer. And once it’s executing, it is potentially going to do some bad stuff on your computer. So that is the typical “threat life cycle.” In terms of protection, we have what we call a “layered detection approach” where we have lots of different “security layers.” For example, we have a Web Protection layer, which is going to block the threat at your browser level itself, the first line of defense. If the threat is not blocked at the Web Protection layer, next we have got the Scan Engine Protection layer. Real-time scanning, we call it. That means that if the threat has already hit your hard disk but has not yet executed, then before it executes it can be scrutinized, i.e. deeply examined, using a wide plethora of different types of technologies that we use to detect and block it before it can actually execute.
Most of the cyber threats are going to be stopped at one of these two layers, which I’ve just mentioned—Web Protection or Scan Engine Protection. In rare cases, if it is allowed to execute after that, meaning it is actually dynamically running on your own computer, then we have what we call our Host Intrusion Prevention System (HIPS), but in general, this is known as Behavioral Protection. If the threat is ransomware, we have got something called heuristic Anti-Ransomware detection which successfully blocks a wide range of different families of ransomware. In addition to that, we have various types of host intrusion prevention to prevent or to flag any type of suspicious behavior that an application is doing on the computer. Then we will quarantine that. And finally, there is also Firewall Protection in case the threat is trying to connect to a particular website, which is deemed to be suspicious.
SD: Do you sell to both end-users and companies?
SM: We have both end-user (consumers) and business customers (enterprises).
SD: How does your company compete with the larger antivirus companies like Norton or McAfee?
SM: We compete by being very smart in the way we automate things in order to achieve a scaled response to threats. We have our own researchers, of course, and we have a very stringent recruitment policy where we try to ensure that we have the smartest talent out there. We train them up from first principles so that they are really good at their jobs. And we have a very robust automated system so that we can cope with the volume of threats that are coming our way. Our clever researchers, experts, will deal with the stuff that the automation cannot deal with. In addition to that, we have got these automation systems that are intelligent systems. They are always being upgraded, looking at possibilities for machine learning/AI behind the scenes and other types of clever automation, which can be used to both add protection as well as do automated quality assurance (QA) on our data. In that way, we’re able to scale our response to the same level as those companies that you mentioned.
SD: What do you feel is the number one threat in cybersecurity?
SM: There is a term we use in the industry: PEBCAK, which stands for “Problem Exists Between Chair and Keyboard.” But seriously, I think one of the biggest threats is a lack of user awareness. The reason for this is that a lot of threats that enter your device make use of this lack of awareness among users. The bad guys just assume they can take advantage of your ignorance by using social engineering techniques, which are very convincing. Even something as simple as ensuring that your devices are patched for vulnerabilities using the latest security updates is not always adhered to. You should not be downloading applications from untrusted sources. You should not be clicking on links from unknown people on email or social networking platforms, etc. Most of the threats out there actually come via one of these kinds of areas. Even very sophisticated threats, what we call “Advanced Persistent Threats” or APTs, tend to use social engineering as their first attack vector. So, I would say that the lack of user awareness is the number one threat.
SD: In the last week alone, I’ve had three or four fake emails from what look like legitimate sources, like Amazon and my bank, and I think that’s a much worse threat.
SM: What you’re mentioning is actually just a spoofed email, which you can see if you look at what we call the MIME header. Your email client will show you only what is human-friendly. But behind that is a bit of data which shows what the whole email looks like right before it is rendered to you. You will probably find that the actual sender is not who you think.
That is part of the whole social engineering aspect: you can create an email that looks completely legitimate. You can pretend that it comes from Amazon or Microsoft or Google or your bank, and because you can use HTML in email, you can make it look good, which would convince the user that the email actually comes from that source.
SD: How do you feel that the cybersecurity landscape is going to change in the next few years or so?
SM: People have been using the cloud for a long time. Instead of having a lot of applications running on your PC itself, you might see that a lot of your applications are running in the cloud whether it’s Google or Microsoft. That becomes another area where the attacks are going to increase because you are increasing the surface area for threats, and you’re trying to ensure, if you’re the bad guy, that you’re able to increase your opportunities for revenue. Ultimately, you’re out there to either steal money or secrets, or you’re doing a denial-of-service attack, all of which are there to disrupt something or to steal something.
In addition to that, there are new means for performing financial transactions which are irreversible and non-traceable. You may have heard about cryptocurrencies, and that’s been a preferred method for a long time for cyber thugs. The ransom payment to them, in typical ransomware campaigns, tends to expect cryptocurrency. The reason for that is two-fold. One is that it is anonymous—you have no idea who’s behind this and there is no way to trace who got the money. And the second is that it’s irreversible—earlier you had a credit card transaction that you were able to reverse because it was fraudulent. But if it’s cryptocurrency, that is not possible to do.
Since cryptocurrency is being used heavily these days, we also see cryptomining malware, which hides on your system trying to mine cryptocurrencies by using resources like your electricity, your RAM, your CPU, and so on, all of which makes money for the bad guys.
In the future, all of these things that have traditionally happened on a PC will have been copied over to the smart devices in Internet of Things (IoT). A lot of these attacks already exist for smartphones. The modus operandi is very similar, but you have different types of devices. As long as the bad guys can use the same modus operandi on different systems, they will do exactly that.