In a nondescript high-rise overlooking central Prague are the headquarters of Avast, one of the world’s largest security firms. The company’s analysts are located towards the top of the building and enjoy not just spectacular views across the Czech capital, but also a unique insight into the global threat landscape.
Avast’s consumer antivirus product is the world’s most popular, and protects some 400 million customers in dozens of countries, providing a rich pool of real-time data about cyber attacks for its analysts to mine.
Like most days in recent months, the analyst team’s so-called “NASA screens” (pictured) are showing heightened activity in Ukraine on the day NS Tech visits. The country’s infrastructure has suffered a series of strikes in recent years, but data from Avast’s consumer antivirus product suggests it isn’t just Ukrainian officials who are paying the price of heightened tensions in cyber space.
Ukrainian citizens appear to be particularly vulnerable to cyber attacks too and they aren’t alone. Nearly half of British businesses suffered an attack last year, while tens of millions of phishing emails were delivered to the inboxes of unsuspecting victims every day.
Sign up to Emerging Threats, our weekly cyber security newsletter
Ondrej Vlcek is the president of Avast’s consumer business. He joined the company as a developer in the early nineties and was tasked with building the company’s first Windows solution. “It was really a totally different game then, mainly because of the underlying motivations of the bad actors,” says Vlcek. “It was all about bragging rights and showing friends that you can do something that others can’t.”
At the time, Vlcek and his colleagues were seeing two or three new PC viruses emerge each week. Now, there are between 300,000 and 500,000 a day. Avast observes up to 3.5m new malware variants over the course of a typical week: an increase of more than one hundred million per cent.
In the late nineties, widespread adoption of the internet transformed the nature of the cyber threat. “The internet brought the ability to basically do everything online,” says Vlcek. “We saw the threats become much bigger. Cyber criminals were using the internet to do whatever they wanted to do.”
The web provided a platform for attackers to distribute malware at unprecedented speed. In the early 2000s, millions of people were affected by worms such as Nimda, which spread through a range of channels and caused huge traffic slowdowns. These attacks were “a major driver for the security industry as a whole”, Vlcek recalls.
But as software manufacturers cracked down on vulnerabilities in their operating systems, the number of computer worms dwindled. “Attacks became much less visible, in the sense that there would be fewer global outbreaks,” says Vlcek.
At the same time, however, they became increasingly disruptive. “Two things happened. One, there were many more attacks. Not a single one of them would be of the size of the previous attacks, but there would be thousands of times more of them. The long tail would be really long,” Vlcek adds. “Second, they became much more dangerous when it came to financial losses. They were more targeted in terms of going after money, and anything that can be monetised, such as the stealing of credit cards.”
In recent years, cryptocurrency has transformed the security landscape yet again. “The introduction of bitcoin meant the bad guys finally had a way to collect money from their victims,” says Vlcek. “Ransomware hit the mainstream population three or four years ago. It’s been more than doubling every year since.”
In 2017, major malware outbreaks made a comeback. The WannaCry and NotPetya viruses spread through organisations around the world at a speed rarely seen since the early 2000s. But Vlcek notes that these attacks were largely anomalous. “WannaCry was the biggest ransomware outbreak ever,” says Vlcek. “But that was a bit different in that it was really enabled by the EternalBlue vulnerability.”
EternalBlue is a Windows exploit that was developed by the NSA, stolen by hackers and recycled in both the WannaCry and NotPetya ransomware campaigns, which have since been attributed by the UK government to North Korea and Russia respectively. “That whole dynamic of the NSA being hacked, their secret materials being leaked and somehow then abused by the bad guys, is very unique,” says Vlcek. “But I think all of the experts agree that WannaCry was actually very poorly written.”
If cyber security has been transformed twice already – first by the internet itself, and then by bitcoin – what’s next?
In recent months, Avast’s threat researchers have been analysing how cyber criminals are starting to leverage artificial intelligence. Vlcek reveals that the analyst team has observed instances in which attackers have used machine learning to tailor the language of a phishing email to a particular person. “These attacks were traditionally very difficult and expensive to conduct,” says Vlcek. “But you can now lower the bar when it comes to the expense and difficulty of doing these targeted attacks.”
Avast’s threat team is also concerned about the rise of deep attacks, which it says “use AI-generated content to evade AI security controls”. In a predictions note for 2019, the team said it had “seen examples of adversarial AI deliberately confounding the smartest object detection algorithms, such as fooling an algorithm into thinking that a stop sign was a 45-mph speed limit sign”.
“In 2019, we expect to see DeepAttacks deployed more commonly in an attempt to evade both human detection and smart defences,” the team stated.
The proliferation of the internet of things (IoT) is another major concern for Vlcek. By 2020, IHS predicts that more than 30 billion devices will be connected to the internet. During the following five years, that figure is expected to double again.
“Whenever I see all of these smart home devices being so vulnerable, it really reminds me of the early nineties on the PC,” says Vlcek. “It feels like these guys have no clue what they’re doing. Fundamentally, it’s a business model problem because many of these companies that are now throwing these devices to the market have no real expertise in software whatsoever.”
Over the last year, California has banned default passwords for connected devices, and the UK government has rolled out a voluntary code of practice for IoT manufacturers. The European Union is also drafting legislation aimed at boosting IoT security. “IoT is not a problem that only one party can solve,” says Vlcek. “It’s not a problem that the vendors themselves can solve. It’s not a problem the security industry can solve. It requires a concerted effort of all of the parties involved.”
“Regulators play an important role,” he adds. “The main role they play is to really push the vendors into action because the consumers don’t necessarily care, so they aren’t pushed by the market. It won’t solve the problem altogether, but it will certainly help to raise the bar.”