The victim notification conundrum

There’s an interesting dynamic emerging in the wake of so many large-scale data breaches and cyber-attacks: we’re becoming more accustomed to being victims. Malware is lurking all around us, from the app store to the email notification.

This is not to say that we’re growing more complacent. But, the needle hasn’t really moved much in terms of adoption of basic cyber hygiene practices like employing strong passwords, turning on two-factor authentication and taking other basic defensive measures.

I think it has a lot to do with the shock factor. There have been enough household names breached and enough social media and gaming sites attacked, that while we consciously register the latest headlines, we’re starting to do so with a fair degree of resignation. It’s getting to be we no longer trust when a company says it hasn’t been a victim of a breach.

Taking stock of the gap

We’ve known for some time bad actors are evolving, becoming more agile and adept – but, at the risk of stating the obvious – we don’t seem to grasp the fact that the gap between their capabilities and our ability to thwart them only seems to be widening.

Since 2016, when Mirai first reared its ugly head, the number of IoT botnets has more than doubled – and they’re increasingly showing a level of refinement, scale and impact previously reserved for nation state hackers.

Mirai is now easily tailored to specific attacks and campaigns for the commodity attacker – anyone with an agenda and the funds to put behind it.

In many ways, 2017 was a tipping point for ransomware. Whereas previously, bad guys were focused on getting a reputation, in the last year they’re now focusing on collecting revenue from victims more than ever before.

Unfortunately, this evolution in cybercrime is coinciding with the propensity for victims to pay. We’re seeing nothing short of an explosion in the rates of people paying cyber extortion from ransomware.

Fear isn’t the driver for this behavior; victims are paying to reduce the nuisance factor. Having neglected to develop a back-up strategy beforehand, they just want the malware to go away so they can get back to work.

The problem: This doesn’t help us in the battle to protect the internet. And bad actors know this. In fact, they’ve come to count on it.

Who can you believe?

One highly successful mechanism for delivering malware has thankfully come under much greater scrutiny from the general public: the victim notification alert.

We’ve all seen the antivirus scams, website pop-up alerts and well-tailored spear phishing emails – and we’re becoming more wary, if not adept, at discerning which notices are genuine and which are not. As consumers and employees, we’re less inclined to click that link or download that patch without further examination – though people still do.

Ironically, this makes the task of legitimate victim notification much more difficult. It’s one thing to tell a customer they’ve been breached. With customers, there are trusted paths through which to communicate – even if some of them warrant greater scrutiny. Businesses can send notifications in a variety of ways, and customers can generally feel comfortable they’re coming from a trusted source.

It’s another thing altogether to notify someone who isn’t your customer. How do you notify someone you don’t have a relationship with that they’re a victim without it looking like a phishing attack?

Building a new trust infrastructure

The internet is inundated with compromised machines which are, at best, infected with nefarious software and, at worst, working as part of a malicious botnet. As one of the largest global IP backbones, CenturyLink is tracking 178 million of these compromised machines and roughly 60,000 new victims each day. These are individual desktops and servers representing consumers and businesses who’ve fallen prey to malware. Some of them are customers; many of them are not.

The industry is facing a new challenge in our aim of protecting the internet against bad actors: how are we going to create a trust infrastructure with millions of people around the world who could do something about it, if only they knew how?

It’s not going to be easy. We’ll have to communicate with victims in such a way that they can independently verify what we’re telling them, without hyperlinks or attachments that can be spoofed or infected.

If providers and consumers work together to solve this problem, we can dramatically increase the security of the internet – and close the evolution gap between bad actors and the rest of us.

I’ve said it before, but it bears repeating: it takes a village to protect the internet. Now is the time for the security ecosystem to take stronger action to identify and address compromised computers – sharing lists of known compromises and simply observing the problem is not enough. We must work diligently to correct, repair or remove those systems to improve the security of the internet and make it more difficult – and more expensive – for the bad guys to operate. Then we’ll start to have the upper hand.