How analytics can protect you from Amy Schumer (malware)

Columnist Rob Enderle writes that the only thing that can stop a bad guy using analytics to spread celebrity-based malware is a good guy using analytics to stop malware.

amy schumer
Kevork Djansezian/Reuters

This was interesting in so many ways, this week McAfee issued a report showing how malware delivery using compromised websites and gaming Google search analytics has suddenly become a lot smarter. What these criminals are doing is they are watching trends and then positioning their assets against the trends to the sites that pop to the top when you are searching on celebrities.

[ Related: Most dangerous cyber celebrities of 2016 ]

This is as brilliant as it is nefarious. It suggests that analytics is now being used aggressively as a tool to successfully spread malware and as a result suggests that analytics needs to be used as a defense.

Let me explain.

The Amy Schumer attack

Let’s call this the Amy Schumer attack if, for no other reason, it makes what otherwise is a terrifying trend sound less terrifying. This attack lends itself to a new generation of bots and analytics. Those analytics coupled with trends, likely pulled from Google Analytics, are analyzed and when a spike is observed a website is created, populated with click bait, and infected with malware to deliver increasingly destructive payloads to unsuspecting users.

Because the sites are fluid, a reactive strategy of identifying the hostile websites will always not only lag the threat it will largely be ineffective because once the related system notices that traffic growth reverses it can simply create another site bypassing the corrective action. Now, because this is done by increasingly intelligent systems not only will this nullify the typical defense, the new sites will increasingly be compelling to users until the trend peters out or a critical mass of users are infected and learn to no longer search that term.

Given how users learn, in some extreme cases, the result could eventually be a level of damage across an increasing number of companies that repeatedly sets and breaks records. This approach could easily make the recent Yahoo breach of 500 million users seem trivial in comparison.

The analytics defense

The only defense that makes sense to me is to use these same analytics to anticipate and block these high-profile searches so that they can’t be used to inject malware. This means proactively identifying search terms that are non-work related and using similar automaton either scanning and actively blocking malware loaded sites before employees hit them, blocking searches that use the related terms, and sharing information on this between companies so the criminal(s) aren’t facing one company, but a collective of firms. Granted this would likely be best implemented by Google and Bing if only to preserve the integrity of their tools and to perhaps prevent a possible block of them should a massive breach result in a more draconian response.  

McAfee suggests user training but this alone has never been that effective largely because users make mistakes, they forget their training or miss it, and there is a general belief that exposures like this happens to others. Granted, if they are hit there is a chance they’ll get fired but, given the size of the exposure, that fired employee may be following the CIO out the door. I don’t think training users to defend against an attack with this kind of power and scale will be effective any more than I think that training users to use good behavior in the face of a pandemic will stop it.

Good (analytics) vs. evil (analytics)

It may well be that the only way to stop a bad guy using analytics is with a good guy using analytics. In this case, it is a valid defense because the attack happens at computer speed and uses analytics and eventually deep learning to become more effective. In short we are seeing weaponized analytics and deep learning being born. To defend against this increasingly capable tool we need an equally or even more effective defense and that suggests an analytics/deep learning defense that is shared across companies so the resources on defense massively exceed the resources on the attack.   Given this will likely jump to hostile states pretty quickly, this also suggests active participation by government cyberdefense organizations so the next war, which is likely to be largely technology based, can effectively be defended against.  

Suddenly Amy Schumer isn’t so funny.

Copyright © 2016 IDG Communications, Inc.

7 secrets of successful remote IT teams