To celebrate the 25th anniversary of Trustwave, we wanted to look back at how our profession has changed – specifically in regard to the evolution of threats, attacks and scams. As the leader of the renowned Trustwave SpiderLabs global security research team, Ziv Mador was the perfect person to interview for this topic. Find his full perspective below:
Q: How long have you been involved with cybersecurity?
Ziv: 24 years – soon to be 25! I joined the Microsoft R&D team in the summer of 1996. After I got my master’s degree, I started working on security related projects right away – so my entire career has really revolved around cybersecurity, although we didn’t use that term back then.
I started by joining a team that developed enterprise firewall products, then moved to Redmond and joined the Microsoft anti-malware team. That’s how I got exposed to this fascinating world of cybercrime – and I saw how upset organizations and people got as cybercriminals figured out how to exploit the early versions of Windows, which was being attacked by worms like Blaster, Slammer and Code Red. I was there when the famous Trustworthy Computing Memo was sent to all Microsoft employees, which really helped spur the development of the cybersecurity industry: looking for vulnerabilities, educating developers and collaborating with governments, developing testing standards, and all the many things we needed to figure out back then.
Q: What are some of the biggest security developments of the past 25 years, in your opinion?
Ziv: Well, let’s start with the cybercriminals, because they evolved first. Firms like Trustwave evolved in response, in a sense. 25 years ago, the biggest threats were spam, simple phishing and very simple malware. There were hardly any targeted attacks.
Even when people did develop malware, it really was kind of like the “garage workshop” version of malware – people were mostly trying to develop proofs of concept. If there was a vulnerability in Windows or other products, they wanted to develop code that would exploit it, but those exploits often were not reliable. Blaster used to crash so often that it was a warning sign of an infected computer. And because it was crashing so much, it was self-defeating.
The change in modern times is tremendous; malware currently is very reliable and very well constructed. Cybercriminals even distribute documents that show how to build malware. Cybercriminals now run robust and scalable operations for distributing malware and have figured out many ways to monetize their activities. It has become a very profitable illicit industry
Q: What’s the most memorable event you’ve been personally involved in?
Ziv: For me, it was the Conficker worm, from 2008. That was really a game-changer for the industry. I was part of the Microsoft team that responded to it. It’s not the only worm I’ve ever worked on, but the way the industry responded – and the potential that we all saw for something really bad to happen – was unique.
Conficker was the fastest spreading exploit ever, at the time. So, we created a working group, which included many security vendors from the industry, and we worked together on weekly and sometimes daily phone calls to discuss the malware and all of its evolutions. The exploit was using a Domain Generation Algorithm (DGA) to register a new domain every day – so the infected computers were constantly shifting to a new target, and that made it very hard to take down. But by working together we managed to decrypt the algorithm and started holding the URLs with registrars, so that when traffic was sent to those URLs, it was actually under our control. That helped us disrupt the botnets ability to do real harm, but also allowed us to collect telemetry. Eventually, the criminals completely abandoned the botnet.
Q: Over its history, what research items from Trustwave SpiderLabs do you think have been the most significant?
Ziv: We’ve had many accomplishments, and some really interesting findings. SpiderLabs grew organically from about 5 people in 2005, to over 250 people today, and our capabilities have grown tremendously. Some of our most significant accomplishments, in my mind, have been:
- The finding of enormous databases for sale on criminal forums ahead of the 2020 U.S. election, containing personally identifying information on almost every voter and almost every consumer in the United States and several other countries.
- The GoldenSpy finding, which was a new malware family embedded in tax payment software that a Chinese bank required foreign corporations to install.
- COVID-19 scams, which included stimulus payment schemes and used a variety of social engineering techniques, among other techniques.
- In early 2019, we found government sites outside of the United States that had been hacked.
- Beginning in 2015, we found multiple instances of exploit kits that were being used to develop malware, including Angler, Blackhole and others.
- In 2016, we found an unknown zero day exploit for Windows for sale on the Dark Web for $90,000.
- Carbanak was a massive cybergang that targeted banks, and was responsible for the “billion dollar bank hack.”
- Cherry Picker was a targeted point of sale (POS) malware that we were the first to discover.
- Pony was a massive password stealer that we foiled.
- In 2012, the Zeus trojan banker process was thoroughly analyzed.
Learn more about the 25 year history of Trustwave and how we have become a global leader in threat detection and response.
