In recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based software. Many technically sophisticated U.S. companies—including Google and the computer security firm RSA—have been targeted in similar ways, albeit with less expensive malware, for their corporate secrets. Smaller companies are also routinely compromised, experts say.
Some experts and companies now say it’s time to demote antivirus-style protection. “It’s still an integral part [of malware defense], but it’s not going to be the only thing,” says Nicolas Christin, a researcher at Carnegie Mellon University. “We need to move away from trying to build Maginot lines that look bulletproof but are actually easy to get around.”
Both Christin and several leading security startups are working on new defense strategies to make attacks more difficult, and even enable those who are targeted to fight back.
“The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable,” says Dmitri Alperovitch, chief technology officer and cofounder of CrowdStrike, a startup in California founded by veterans of the antivirus industry that has received $26 million in investment funding. “We need to focus on the shooter, not the gun—the tactics, the human parts of the operation, are the least scalable.”
CrowdStrike isn’t ready to go public with details of its technology, but Alperovitch says the company plans to offer a kind of intelligent warning system that can spot even completely novel attacks and trace their origins.
This type of approach is possible, says Alperovitch, because, although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on “big data,” possibly meaning it will analyze large amounts of data related to many traces of activity on a customer’s system to figure out which could be from an infiltrator.
Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and business models of cyber attackers, says that makes sense. “The human costs of these sophisticated attacks are the one of the largest,” he says. Foiling an attack is no longer a matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of people. “You need experts in their field that can also collaborate with others, and they are rare,” says Christin. Defense software that can close off the most common tactics makes it even harder for attackers, he says.