Q&A: Juniper's Kevin Walker on data manipulation, ransomware threats

Threat actors are moving beyond basic data theft and finding new ways to wreak havoc on users and organizations, such as data manipulation, according to Juniper Networks' Kevin Walker.

Walker, security chief technology and strategy officer at Juniper Networks Inc., based in Sunnyvale, Calif., said most cybercriminals are only scratching the surface of what can be done with sensitive enterprise and user data, but warned that some are becoming more creative and sophisticated with their attacks. And one such method Walker said he's started to see is manipulating data in small, easy-to-miss, yet crucial instances for strategic or financial gain.

Walker spoke with SearchSecurity at RSA Conference 2017 about a number of topics, from software-defined networking security to a new threat leveraging the internet of things (IoT). In part one of the conversation, Walker discussed Juniper's Software-Defined Secure Network (SDSN) platform and the growing role of machine learning in security.

In part two, he talked about today's threat landscape and the risk of more mature ransomware and data manipulation attacks. For the audio version of the interview, listen to this episode of the Risk & Repeat podcast.

Editor's note: This interview has been edited for clarity and length.

On the subject of threats, what are you seeing today, not just with SDSN, but the entire landscape? What is at the top of the priority list right now? 

Kevin Walker: That's hard to say, because, again, I'm looking at it industrywide. Obviously, we've heard waves of ransomware are continuing to increase. They're very, very difficult to prevent, but we're getting better because the malware detection's getting more deliberate for ransomware. So, that's the one at the top of the list.

But with ransomware, are you finding examples of where it's spreading across an entire organization, or is it still very localized to a small set of users or individual users? 

Walker: No, it's not spreading across entire companies, but this is the trick. It usually happens at the consumer level. But then, the consumer becomes an employee and brings it into the organization. And here's the thing that I'm more concerned about: We're starting to see more evidence of this now -- not widespread, but more evidence of manipulation of data, rather than theft of data. We're starting to see more of that now. And it's one that's serious because we trust in the bits.

I'll use this as an example because it's one that knows this threat well: [secure payment vendor] Infintech. All I need to do is change a decimal -- not even a decimal; I just need to change a digit. It's simple as that. It doesn't have to be a gross case of data manipulation where anyone will see it. In fact, it's just the opposite. It's often extraordinarily subtle. But I, as the attacker who knows that, I can make decisions based on that manipulated data and monetize it. That's a scary proposition.

Now, the other, more theoretical extreme is one where medical records are intentionally corrupted. Why? There are lots of reasons. It could be political, it could be espionage, or it could be for some type of later monetization where the attacker says, 'I'll undo it if you keep paying me.' Those are things that scare me. And I've been saying this for probably 15 years publicly. That's what scares me more about cybersecurity -- not malware. It's that kind of data manipulation, because we put an over-index on trust in some of our data without really validating that data.

Recently, there's been research about ransomware attacks sort of evolving into extortion attacks. Instead of encrypting and holding data hostage, the attackers threaten to expose the data and demand continuous payments to keep the data private. It's not the same thing as data manipulation, but it's a different approach.

Walker: Let's talk about that for a second. I don't think ransomware, as an attack mechanism, has matured. If you are hit with ransomware, who knows where epoch was? In other words, when did I, the attacker, first have you? When you go back to your backup, it may also be equally infected.

And so, we don't know because you don't know when that epoch was with the infection. It goes back to my original point of the integrity of the data to begin with. How do you know the data hasn't been manipulated? The scary part of ransomware is when they get mature. Then, it becomes, 'You're [going to] pay me monthly to unlock you. Not once.' If you think about it, they have a very great Opex [operating expense] model there if it's done well.

I think, at the end of the day, we have to take a planetwide view analogy a lot, because if I can see that in Jakarta, for example, a new variant of ransomware, now, I can just let my entire community know. Not with an alert, not with an update, not with an email -- their ecosystem is automatically updated like antivirus software typically is. Then, I think we have a much better fighting chance. And we can also reduce the noise level, so we can actually hear the real hard problems, like the true APTs [advanced persistent threats] and the zero-days.

But if you're a large enterprise that's a high-value target, you can't get to all of them, can you?

Walker: My position on that is to kind of bifurcate it. If there is an entity that is committed to getting to you, they are going get to you. They're just going to. There are so many different avenues they can use. But that attack against that entity doesn't scale [to other businesses]. That's the good news. That's something that we have to rely upon. If we can figure out enough variance or differences in our network, if you will, then it's a benefit. But right now, we can't do that for all the other noise. That's the rationale in getting the noise down. And so we have more to work with, and it makes it easier to find emerging threats. 

What about the malicious activity we're seeing with IoT devices? From your perspective as a networking company, how big of an issue is that? And what do you do about it? 

Walker: It's interesting. I live in the South Bay [San Francisco]. I spent time with venture capitalists, as well as hedge funds, and I have friends in that community. And at least once every week or two, there's a conversation next to me about some security IoT startup ideas. And I say, 'Just shut up.' Now, that's me speaking, not Juniper. They're missing the point. It's an upstream problem. It's a consumer SMB problem, which is massive, because that's where all these [compromised] devices are.

But to detect IoT malware is an inflow problem, in my perspective. And the other aspect is the C&Cs [command and control] could have been easily intercepted and dropped from the routing tables because we already have peer-reviewed tables.

On that point, if you're a service provider, and you see this surge of traffic coming in, which you should see, and it's coming from strange IP addresses...

Walker: Well, what's strange? That's the problem. If you're an ISP [internet service provider], then all traffic is just in the mix. But I think you're on to something. There's no silver bullet here. That's why I said I think it's bifurcated, at least -- maybe even four or five different ways. I think it still goes down to the payload.

In this case, Dyn attack was partly attributed to Mirai, which, by the way, was well-known. It was extraordinarily well-known. So, it goes back to our SDSN stories. We're saying, 'If you see this [activity] in the wires, just drop it.' There's no positive reason for having Conficker or Mirai traffic. There's no reason for having any of those on your network, unless you're a research organization. And then it's in a quarantine area anyway.

Last question: Are you concerned about potential government intervention or regulation for IoT devices to prevent these sort of widespread threats?

Walker: As far as the industry at large goes, it's not so much concern as it is acceptance of the reality that there will probably be some legislative actions. Well, there are already legislative activities in play. And I don't know where the needle is on that. But government regulation still won't solve the problem. Strong passwords -- and these are my final words -- do not solve the problem, because they can be scraped anyway.