Sam Coleman

Getting a bad reputation? IP reputation is the answer

Blog post by Sam Coleman

As Clavister launches its new IP reputation feed, powered by Webroot®, we caught up with Chad Bacher, SVP of Product Strategy and Technology Alliances at Webroot to get his views on the new cyber realities and why keeping a healthy network starts from the outside as much as inside.

DeCrypted News: You’ve mentioned that the threat from cyberthreats — for the first time in years — is decreasing. Can you elaborate on the reasons why it’s decreasing and is it temporary?

Chad Bacher: For the first time, we witnessed a minor year-over-year decrease in the volume of malware. In part, the decline can be attributed to the increased security awareness, but it also reflects changes in cybercriminal tactics. We observed a drastic increase in malicious website encounters and significant changes to the malicious IP landscape, as well as an overall decrease in the average lifespan of phishing sites. These observations are evidence of a highly reactive threat landscape that adapts at a moment’s notice to changes in the ways users try to protect themselves.

DN: How does AI play a role in your threat prevention? 

CB: AI is critical to Webroot. The threat landscape is escalating at such a high rate that humans can no longer keep up. Automation is critical if we are to stay ahead of threats.

Both Machine Learning and AI are integral components of our threat intelligence platform. They enable a high detection rate over time despite ever-changing threats. We capture millions of data objects — from URLs, files, and mobile applications — and then automatically analyze and classify these objects. For example, we classify approximately one million undetermined file executables per day to determine whether they are a zero-day threat, malware or benign.

Webroot’s machine learning algorithms and mathematical models are unique and protected by multiple patents. Webroot currently has over 80 patents protecting the Webroot Threat Intelligence Platform and BrightCloud Threat Intelligence Services, and 12-15 new patents are typically awarded to the team annually.

DN: Having said that, you’ve identified that ransomware is on the rise. How does your offering address this and what do you think development will be? 

CB: From phishing emails to macros to exploit kits to Ransomware as a Service (RaaS), ransomware will continue to grow on all fronts.

Webroot treats ransomware the same as we treat any other malware. We leverage behavioral analysis and AI to look for indicators of ransomware. We don’t just look at files. We have a layered approach that looks at URLs, IPs and files to provide overall protection. This approach helps stop risky user behavior at a variety of levels ranging from malicious websites to compromised files. Additionally, we offer a unique capability called Journaling and Rollback. This feature tracks the changes unknown files make on a user’s device and, if they are determined to be malicious, the feature can remove the malicious file and unwind all system changes associated with it.

Unfortunately, there isn’t a silver bullet for detecting and stopping ransomware 100 percent of the time. Users need to stay vigilant and practice safe cyber behaviors.

DN: Why does the US house the most malicious IPs in the world? Having said that, why has it dropped 40% in the last few years? 

CB: The U.S. hosts the most malicious IP addresses because 55 percent of all registered IP addresses are registered in the U.S. Cybercriminals host sites in the U.S. because many companies will blanket blacklist anything hosted in foreign countries, such as Russia and China. Hackers also know attacks hosted local to their target are more likely to succeed. Spam is also a major distribution method, and most spam originates in the U.S.

The sharp drop in the past year is because attackers are spreading their focus across more markets. Other countries have seen substantial growth in terms of malicious IPs hosted. For example, in one year India and Vietnam went from less than a one percent share to an almost ten percent share. This increased focus on developing nations is probably due to lack of sophisticated security and the ease with which targets are compromised.

DN: The rise of malicious apps is a concern of Webroot. What are your insights into this problem? 

CB: Mobile devices are in the crosshairs for cybercrime. The rise in mobile malware (malicious apps) is a result of mobile platforms becoming more and more prevalent. Most users in the U.S. are at far less risk than those in developing markets, especially in Asia, because many Android devices in these markets are older and unable to handle security updates.

Additionally, Google Play isn’t available, which has led to dozens of third-party markets that are hotspots for infection. Google is doing a good job of continuing to focus on Android security, but everyone needs to play their part.

However, in my mind, the biggest threat is to user privacy. There are many legitimate apps that collect and share user data with third parties unbeknownst to the user. Many users don’t have a view into this activity, which puts them at risk. More private information available means more data for cybercriminals to mine.