The Evolution of the Cyberattack: Then vs Now

[00:00:17.960] – Pufahl

So I think we both agree that today’s podcast has the potential to be pretty rambling. We’re going to talk about the evolution of cyber attacks, the evolution from, call it then. Then could be as far back in 1970 to now. Walking through a little bit what the history of viruses, malware, attack intentions were, things like that.

[00:00:51.950] – Pufahl

I know that you have some thoughts on how you want to start it. So why don’t we kick it off right there with a little bit of, I guess, we’ll call it malware timeline a virus sideline.

[00:01:02.580] – Steve

Sure. So I’ve been accused or accused of having a bit of a computer museum or graveyard in general. I like old things, the history-

[00:01:12.760] – Pufahl

Call it museum.

[00:01:13.860] – Steve

Museum. Yeah, that’s better. History matters, and everything that’s old is new again, and that’s especially true in technology. I think that the important thing to know is that while cultural awareness with the population at large of computer viruses and malware and things like that began maybe in the early ’90s, maybe with some films at the time, maybe as early as mid-’80s with… What’s that? Matthew Broderick movie?

[00:01:45.970] – Pufahl

That should roll off, right?

[00:01:48.160] – Steve

So I’m losing points here.

[00:01:50.350] – Pufahl

I’ll think of it. Yeah, you threw me when I wasn’t prepared for.

[00:01:55.140] – Steve

No, this is important. WarGames?

[00:01:59.330] – Pufahl

WarGames. Yeah, there you go, Matthew Broderick. That’s shameful. To everybody who listens to this like, how do they not know WarGames immediately?

[00:02:05.500] – Steve

So popular cultural awareness of things like viruses in general really started in the early ’90s, maybe as far back as mid-’80s with WarGames and other movies like Hackers. But the truth is that it goes back a lot further than that, especially in academia, where computers really had their first [inaudible 00:02:23] out into the real world. And to a lesser degree, certainly in military and similar.

[00:02:29.360] – Steve

At the beginning, viruses and malware were really just tricks played on colleagues through little toys. They didn’t really do anything. They were just curiosities.

[00:02:40.950] – Steve

They would do things like rename files or hide them on people, silly little things of that sort. And I’m not going to mention anything particular. It doesn’t matter.

[00:02:49.020] – Steve

Over time, it moved to inconvenience, tying up a computer so that others couldn’t use it. It’s not really malicious. It’s just a near intent.

[00:03:01.910] – Pufahl

So kind of an early denial of service.

[00:03:03.950] – Steve

Yeah, I mean before those terms were even invented. Thereafter, it was more of a pursuit of notoriety, especially in the the late ’80s, early ’90s. The specific example that some people might want to go out and take a peek at is the Morris worm. It’s something related to mass propagation of across systems.

[00:03:27.890] – Steve

Bottom line, it and things like it had to do with notoriety and awareness in the other areas of computing. They were really to make your name known by others. So people would create such things to stake a claim, to make noise, to develop a reputation.

[00:03:52.580] – Pufahl

So a technical claim? It’s demonstrating technical powers?

[00:03:57.870] – Steve

Powers. Yeah.

[00:03:57.870] – Pufahl

Okay.

[00:03:58.880] – Steve

Prestige in the technical realm of, I don’t know, civil disobedience or something to that effect.

[00:04:04.720] – Pufahl

So we really haven’t yet entered in your timeline, what we’ll call the real malice in a lot of ways?

[00:04:12.970] – Steve

Right.

[00:04:13.290] – Pufahl

So we talked a little bit about, hey, you’re experimenting in the computer world. You’ve done some stuff that probably manifests itself as inconvenient, maybe you’re demonstrating that you actually have expertise, but we haven’t entered probably what I’ll described as [inaudible 00:04:27], is it?

[00:04:29.160] – Steve

No, definitely not. So I would say that that really began [inaudible 00:04:33] in the ’90s with some earlier examples that aren’t super important. But the goal at the time was to encrypt a floppy so that you couldn’t use it because the owner decided that you were using their software inappropriately, or things of that sort. Propagation that would harm systems to make them unusable or turn documents into gibberish. But those were early attacks in the ’90s.

[00:05:03.870] – Pufahl

So is it fair to say, though, and I’m going to throw out a term that you may or may not by getting to yet, the idea of activism where people had maybe political, or politically motivated is under a socialist [crosstalk 00:05:16].

[00:05:17.060] – Steve

Hack the planet in Hackers, the movie.

[00:05:19.610] – Pufahl

Yeah, I mean, that’s what it was.

[00:05:20.910] – Steve

Absolutely.

[00:05:21.600] – Pufahl

There was a period of time where DMCA, the copyright infringement act, if some of the viruses, if I recall, would go through and rename or delete MP3s.

[00:05:32.990] – Steve

Right. Absolutely.

[00:05:34.410] – Pufahl

And get the music stolen or pirate the music. So there are definitely activities around, if you want to call this, you can call it the social good where people actually had an agenda and they’re trying to exercise what they believe to be their right to do the right thing.

[00:05:47.470] – Steve

Information wants to be free is common phrase used in that realm. And it’s true. It was the goal of many early activists before that was a real term of art and people throw around to expose information, to publicize stuff that was secret, to make things like copyrighted music available for all, to make expensive things available to those without means.

[00:06:13.020] – Steve

Those were really some of the early efforts of malware and viruses. Now were things occurring at the same time that were legitimately malicious? Absolutely. But they were more narrow.

[00:06:27.240] – Steve

We’re talking in the realm of industrial espionage, nation state warfare, that sort of thing. And then everyone suddenly had computers everywhere.

[00:06:36.040] – Steve

The late ’90s really made the breadth of available systems on the Internet at large and some companies in general worth attacking for motives other than pure public amusement.

[00:06:51.050] – Pufahl

So on your timeline now, we’ll say we’re entering the modern age to a degree, in late ’90s?

[00:06:59.250] – Steve

No, it’s not certainly late ’90s. But I think that everyone that really has a memory of this time in terms of inconvenience might remember the early worms, 2000, 2003, in that time frame when computer systems that were on the network without firewalls exposed to the Internet could be brought down in an afternoon across the entire planet because of some vulnerability. And that’s when true capability to disrupt and true capability to cause harm actually really manifest.

[00:07:35.830] – Pufahl

So maybe just for posterity sake, we’ll throw out some of the big names, the big guns back there in the late ’90s. Certainly, the Melissa worm was one that I feel like anybody who maybe 40 or more might remember.

[00:07:56.430] – Pufahl

The I love you virus, I think was a really interesting one because I think it’s so clearly took advantage of the people aspect of this, encouraging people to click on attachments, who doesn’t want love, I suppose? But that’s what it was.

[00:08:18.710] – Steve

If infecting millions of systems.

[00:08:20.950] – Pufahl

[crosstalk 00:08:20] real transition to that social engineering and encouraging the population to essentially be part of your attack. That might not be the first one, I think, is probably very recognizable.

[00:08:33.570] – Steve

Other examples were the [inaudible 00:08:36] virus, which spread via email and send using all the contacts that you had in your inbox. And that’s when we talk about true legal action being taken against some of the creators. That specific example resulted in believe in the community service or jail time.

[00:08:56.550] – Steve

That’s when we’re in a different realm where it’s criminalized, we have actual laws on the books that are taking action against such activity. And it’s, I wouldn’t say the inflection point, but certainly around the time where criminal elements started to use these techniques and these tools to affect businesses, to acquire data, to impact or otherwise stop business from occurring.

[00:09:24.950] – Pufahl

But still not really heavily targeted. So when you talk about a virus that would utilize your address book to basically propagate, try send itself out, not hugely targeted. You don’t really know who you’re getting. So it’s very opportunistic-

[00:09:39.360] – Steve

Broad net drive by type of text. Absolutely.

[00:09:42.170] – Pufahl

So disruptive for sure, but not where we are today, right?

[00:09:47.800] – Steve

Right. Exactly. And I would say that was largely the case for a few more years. The Blaster worm was something that might be recalled. It had to do with about Windows vulnerability at the time and also spread internationally very quickly.

[00:10:01.900] – Pufahl

And Windows got a real bad rap through all this, for sure. It has been that platform that everybody was exploiting and without fairly accounting for the fact that it probably was 90 percent of the computing base at the time.

[00:10:13.400] – Steve

And I would say this time frame is when antivirus was generally accepted to be a required tool to protect system. Certainly, Norton was around for the better part of 15 or 20 years at that time frame. So it wasn’t new, but everyone was, everyone meaning lay people, people at home with new computers who are helping their kids do homework, that’s what everyone was affected.

[00:10:38.140] – Pufahl

Well, you’re huge to be reliant on a tool like Norton. I mean, I can remember being in scenarios where Blaster or one of these things came out, and the conversation among the IT people was, is there a definition for it, or is there a way to get a definition?

[00:10:54.030] – Pufahl

So you’re really reliant on those tools to detect and hopefully clean. I think more likely they could clean it back then than some of the things you see now.

[00:11:02.760] – Steve

But you’re getting into the cat and mouse game of this entire reality. Those tools are driven by known issues, and if they don’t encounter it, they don’t know how to protect against it, to find it, to clean up after it.

[00:11:16.570] – Steve

And today, that’s not the case. We use tools that are behaviorally oriented to detect anomalies that aren’t encountered before. But in the bad old days, that was not the case. And it certainly took a great amount of time to get the proper data and visibility into systems to improve those tools. So it took a long time.

[00:11:39.410] – Pufahl

So we talked a little bit, in the timeline, there is what we call the benign phase. I’m breaking these up into eras. The benign phase, maybe the activism phase to some degree.

[00:11:54.820] – Steve

And they’re parallel threads. They’re not necessarily sequential.

[00:11:58.380] – Pufahl

For sure Yeah, but in the evolution of this. And then we probably talked a little bit and hear about disruption, but I feel like we’re really in… We’ve moved past disruption nowadays and much more into the extortion side of it, the fasted extortion side.

[00:12:17.410] – Steve

And I’d say that was the tail end of the 2000s when we really started to see that shift. Obviously, there were many examples prior to that with individual companies being held ransom or had demands placed upon them because of some attack via virus.

[00:12:32.830] – Steve

But the truth is that the shift to what we now call ransomware maybe begin in the late 2000s. At the end of the day, it’s a question of profit motive. It’s a question of this entire realm shifting towards money. And prior to, the better part of the period we’re talking about prior to it was political messaging. It was making a statement or just seeing what would happen. Curiosity and the malicious sort.

[00:13:06.060] – Steve

I think that extortion in general, especially today with ransomware, is the goal. And if not simply destroying a perceived enemy of the people or an enemy of a state, or you name it, that’s what happens.

[00:13:21.720] – Steve

I mean, we could use Stuxnet, the more industrialized peonage type issues. We’ve made reference to that and supply chain, stuff that we talked about a couple episodes ago. It’s an element in this overall timeline, but it’s a cul-de-sac. It’s a parallel path, and it certainly doesn’t affect everybody.

[00:13:43.190] – Pufahl

But we certainly see much more targeted or focus attacks, no question about that.

[00:13:49.500] – Steve

Yeah, there’s four thoughts in the attackers approach.

[00:13:52.490] – Pufahl

And I think we’ve spoken a little bit about it being a business. That office environment with structure to the attack, thoughts behind who they want to attack, thought about the data or the outcome.

[00:14:04.870] – Pufahl

What strikes me, though, through this is, in what? Ten minutes here we walk through 50 years of the virus history pretty quickly. There are certainly elements, though, of the attacks that are largely the same. So I think they all leverage or focus on people.

[00:14:30.110] – Pufahl

There’s a huge social engineering quality to some of the first attacks where we talked about I love you as a social engineering pieces. There’s examples of it way before that.

[00:14:41.860] – Pufahl

Email remains a really successful delivery mechanism for these. Maybe the payload is a little bit different, but the idea of enticing somebody to take action on your behalf remains really effective.

[00:14:57.120] – Steve

At the beginning, people were the creators of these tools. They were doing so for fun or reputational reasons. They shifted to using… I forgot that part. But people being the common thread, ultimately because they were the creators to begin with, but then they became the targets themselves. Email phishing, those are the example.

[00:15:25.200] – Steve

The reason for it is simple. Defensive tools became better, systems are better protected, but the common thread between everything is the fact that people, their behavior, their perception of threat is vulnerable, and no technology can really protect against that.

[00:15:42.940] – Pufahl

And they know that. There’s no question about it that even with good training, even with good technology in place, the opportunity exists for these to be really successful for the foreseeable future.

[00:16:02.660] – Steve

You don’t need a piece of malware if someone willingly gives up their password and allows you to impersonate them.

[00:16:09.880] – Pufahl

What we read earlier, I think, you have 20-25 percent of security incidents that originate as a result of just credential theft, whether that is somebody providing credentials or maybe a little more of a technical technique.

[00:16:25.390] – Steve

Yeah, 20 percent of all breaches are initiated in some sort of credential release, 80 percent themselves being associated with identity theft. They’re sober in numbers.

[00:16:38.730] – Pufahl

Yeah. I don’t know there’s any likelihood of that improving in the near term.

[00:16:45.940] – Steve

As technologies improve and detection methods improve as well, the only thing left are people. And therefore that’s the shift of all these attacks. And that will remain the case no matter how good these technologies become.

[00:16:59.040] – Pufahl

The interesting part, I think is that transition from experimental to intentional. And I think that is something I feel like we really just want… I really personally want to drive home, which is we have conversations all the time and people feel is unlikely that they individually or they as their business would be victims of these types of attacks.

[00:17:31.160] – Pufahl

One in reality, the motivation is different than it used to be, and financial is a big component of it. But certainly, there’s some social components to it potentially as well.

[00:17:41.520] – Pufahl

But I think everybody represents an opportunity at this point. There’s a lot of money in this hacking, I don’t love that term necessarily, but there’s a lot of money there. And I think as long as there’s a lot of money, people are paying ransoms or people aren’t doing the appropriate thing proactively, we’re going to see this stuff exist.

[00:18:00.750] – Steve

Yeah. Absolutely. It’s never ending, ultimately.

[00:18:05.050] – Pufahl

Anything you wanted to end with? I think we could spend a lot of time on [inaudible 00:18:08] this stuff.

[00:18:10.010] – Steve

Yeah, it’s really complex territory. I mean, the people who are creating viruses in the early ’90s, today are often finding bugs, as opposed to creating malware.

[00:18:18.830] – Steve

And just like anything else, there’s a double edged sword to if of the want to cry ransomware kill switch. It was triggered by one of those researchers because he recognized a bug in that ransomware and used it against it to liberate many PCs from that infection.

[00:18:35.710] – Steve

Is that ethical? Is it beneficial? These are debatable things. And without a doubt, a lot of suffering and potential harm was saved by using that framework to stop the propagation of the platform.

[00:18:52.380] – Steve

But the skills, the people involved, again, returning to people being the common thread. The people need to be there. And if their efforts are redirected towards good, will be better off.

[00:19:06.280] – Pufahl

So that’s a nice way to end. It’s always nice to end positively. And I think that idea that there is an outlet for those who have the intellectual curiosity to explore how things work and where the vulnerabilities might be, bug bounties exist. Your companies pay talented people to identify weaknesses so they can fix them.

[00:19:27.330] – Steve

I know several people who make their living doing that.

[00:19:29.610] – Pufahl

Yeah. So that’s one way. And even if you do it simply as nothing more than an intellectual exercise, most companies appreciate, if you let them know you don’t want to do the opposite of that and just make them public without giving a company an opportunity to fix a mistake that they had.

[00:19:48.280] – Steve

Responsible disclosure of vulnerabilities in general. That’s a subject for another day. And I think we should discuss it actually, because it impacts how we triage issues. But without a doubt, that’s important as well.

[00:19:59.460] – Pufahl

So maybe a future episode on responsible disclosure. I think that actually is not a bad idea at all. But with that, I think we spend a little bit of time. But we covered 50 years in 15 minutes.

[00:20:11.340] – Pufahl

If anybody does want to hear maybe some more information or explore some of the stuff in more depth, maybe, let us know, we’re always happy for input or suggestions. Reach out at Vancord security on Twitter and we’ll incorporate comments or questions if we can. But with that, as always, thanks for listening. And we hope you got some value out of this.

[00:20:36.240] – Speaker 

Stay vigilant. Stay resilient. This has been CyberSound.