Will security ever surpass cybercriminal sophistication?

David Ellis, Director of Forensic Investigations
In my 27 years of law enforcement and forensic investigations, I’ve seen the gamut of criminal techniques. The cleverness of hacker methods has been on a steady incline for the past 10 years. I’ve seen their sophistication levels rise, and watched security’s attempts to follow.

In the past year, a trend has emerged that both intrigues and alarms me.

What a forensic investigation used to look like

Most of the breaches I investigated in 2008 were extremely messy. Hackers would get into the system, rip out a bunch of card data, and leave evidence of their data burglary everywhere. In essence, broken windows, documents strewn across the floor, overturned chairs, jewelry stolen – the whole Hollywood theft scene.

Now, hackers cover their tracks

Over the years, hacker takedowns by law enforcement proved that having the Pacific (or Atlantic) Ocean between a hacker and his targets didn’t necessarily insulate him from arrest, so hackers became smarter.

In 2014, hackers take their time and do a better job of intentionally avoiding detection. They encrypt card data before transferring it out of a system, erase or modify security logs, and often leave few traces. They run malware from RAM instead of the hard drive, where most anti-virus software fails to detect it. Forensic investigators still manage to find evidence of breaches, but the remnants are much smaller and require a more detailed examination to locate.

Instead of the obvious overturned coffee table and wide-open filing cabinet hacking methods of 2008, today’s hackers are making the extra effort to conceal their activities.


What can we learn from this trend?

Hackers are getting smarter than our automated detection tools. They’re developing new ways to hack faster than we can create ways to defend against them. It’s a fact of life that security will always follow the vulnerabilities. We will always be behind hackers because development is limited by personnel, budgets, time, regulation, etc. A hacker’s only limitation is his brain capacity.

Hackers can spend weeks, months, or years trying to defeat security controls that, at the time they were developed, were amply secure. When a system is successfully exploited, developers go back to the drawing board to produce a fix. Unfortunately, I don’t see this pattern changing anytime soon.

Sure, some may believe their new product is impervious to attack. I imagine the folks who developed WEP encryption probably thought that as well.


Don’t worry. The sky isn’t falling

As always, hackers typically go after the weakest link in the chain first. When stealthy hacking methods are used against a weak link, the time between the initial breach and its detection grows, which means more compromised credit cards and higher fines. Follow the PCI DSS requirements and other security best practices to avoid being the weakest link.


David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.