One of the greatest parts about attending Inform[ED] was being introduced to the different perspectives and aspects that go into cybersecurity. You realize very quickly how cybersecurity isn’t as simple as firewalls and computer viruses, but is truly an ongoing evolutionary battle between cybercriminals and security entities that are fighting to get one step ahead of the other. One of the panel speakers I was fortunate to interview was Brian Rexroad, Vice President of security platforms at AT&T. Mr. Rexroad took some time and offered his insight on the techniques cybersecurity firms use to detect impending or active threats, how they manage around “gray areas” involving customer privacy, and more.
WDD: From your experiences, what (if any) are some of the early recognizable signs of an attempted or impending large-scale network attack (think Mirai, Ukraine, Finland incidents)?
Rexroad: The early indications we try to pick up on for something like Mirai (which propagates by scanning for targetable devices) involve trying to find, in the flow activity of the network, characteristics that point to devices scanning the Internet for vulnerabilities. We’ll try to determine if the reasons another device is scanning an Internet network are legitimate, since there are multiple companies that scan for security, consumer, and other service-related purposes. Statistically speaking, when you start to see increases in the number of sources that are doing scanning with particular patterns, it’s probably an indication that a botnet is building up. So that’s what we try to look for, which is a network-level indicator.
There are other ways to build botnets. You can use search engine services like Google to research devices that have specific vulnerabilities rather than search the Internet for them. We also try to look for characteristics or behaviors that are coming from something we’ve identified as a building botnet. The most obvious ones are indications of DDoS attacks, which you can see in a network’s behavioral activities. We have tooling to be able to detect anomalies on the network. For something like DDoS attacks, we use Arbor Networks, which we’ve equipped to analyze full data, using the capabilities they have. We’ve supplemented that with some of our own capabilities we’ve built from the ground up, like an internally developed platform we use to try and find early indications of security-related events.
WDD: What different approaches do ISPs take in mitigating and preventing cyberattacks on IoT devices compared to conventional desktop/laptop computers?
Rexroad: I tend to go back and determine what defines an IoT device. I like to make a distinction more in terms of the problems it (the IoT device) creates or solves from a networking point of view, and to what extent they’ve taken security into account. A real problematic IoT device is one that gets flooded out into the market without updating capabilities, one that you plug into the network and that has a default password that could easily be compromised, and that also uses universal plug-and-play to expose itself to the Internet because it’s convenient. The categories you put these IoT devices into really make a big difference. When we see a customer with a problem, for example, we try to give them helpful information. Part of the problem with some of these devices winds up being that the device shouldn’t be connected to the network in the first place.
WDD: In the ISP field with AT&T, what are some particular types of malware and cyberattacks you look out for that aren’t necessarily a threat in other industry fields?
Rexroad: I don’t know if I really have a clear answer to this question, but I will start by saying that AT&T’s branches and services expand beyond ISP. The first order of business for anything we provide is to make sure the infrastructure supporting those services has good integrity from a security standpoint. We try to provide a quality service, and we determine what things might impact the service we provide to customers. The first thing that comes to mind is something that might clog the network and have a derogatory impact on customers. How that manifests in a mobility environment might not be the same as how it manifests in the Internet backbone environment.
We focus on these factors because if we have customers that are impacted by attacks like Mirai or DDoS, it’s more than likely going to have an impact on their status as a subscriber to our service, and misconstrue their experience and opinion of the company. We’re clearly motivated to do things that are right by our customers. From a global perspective, we have programs like ThreatTrack, which enables us to share information on what we know about some of these things (cyber threats) that are developing with people who have an interest or opportunity to try and do something about that. We’ll even share some of our information (to a certain extent because of customer privacy laws) with law enforcement agencies like the FBI, who in turn will look into looming threats we perceive as concerning like they did with the Mirai incident.
WDD: How do you navigate through some of the “gray areas” where security conflicts with instances like privacy issues for customers?
Rexroad: The first thing we try to do is minimize how invasive our analyses are. Most of our analysis reviews the flow level in the network, which looks at a detailed record of the source and destination addresses, port, protocol, a count of how many bytes and packets are conveyed, along with the times these transactions start and end. Our analytical methods contain some information about the fact that a transaction occurred, but they don’t give you any content associated with those transactions. Doing that level of flow analysis reveals behavioral patterns in the network. Those are good starting points for being able to analyze any anomalies and use that as a means to help direct efforts to very specific areas where activity looks suspicious. The second is that a lot of data is collected exclusively and specifically for security analysis. It’s a matter of making sure what we’re doing is for the good of the customers.
WDD: Considering how the methodology of cybercriminals continuously evolves, what are some previously-effective cybersecurity defenses and methods that new cybercriminal evolution has made irrelevant or obsolete?
Rexroad: One of the things I’m very thankful for is when Microsoft went from voluntary to automatic updates. If you look at the big security issues back in the early-mid 2000s, they all trace back to Windows computers. Not because they were the only ones around (they were predominant but not the exclusive model), but because Microsoft reverted to automatic software updates. You have to basically change the configuration so you will give it (computer) permission to do updates. That has made a tremendous improvement in the security of computers. That’s why I keep emphasizing you won’t be able to anticipate what all the problems are on these IoT devices, but if you can change and fix them upon discovery, you can move on in a happier way.
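Two of the answers above describe the same technique from different angles: the Mirai answer says a rising number of sources scanning with the same pattern is a network-level indicator of a botnet building up, and the privacy answer lists the flow-record fields that analysis runs on (source and destination addresses, port, protocol, byte and packet counts, start and end times) with no payload content. The following is an added example written for this page; it is not AT&T's tooling and not code from the interview. It builds a small set of constructed NetFlow-style records, flags sources that sweep many destinations on one port with tiny flows inside a short window, exempts an assumed allowlist of known legitimate scanners, and then reports ports on which several independent sources are scanning at once. The thresholds, the allowlist, and the sample addresses are illustrative assumptions.

```python
"""Flow-level scan and botnet build-up detection over constructed flow records.

Added example, not AT&T's tooling. Works only on NetFlow-style metadata
(addresses, port, protocol, counters, timestamps); no payload is inspected.
All thresholds are illustrative assumptions, not operational values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record, restricted to the fields named in the interview."""
    src: str
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int
    start: int   # epoch seconds
    end: int


def constructed_sample():
    """Constructed flows (not captured traffic) covering three cases."""
    flows = []
    # Three unrelated sources each sweep TCP/23 across 40 hosts within 40 s
    # with single-packet flows: the 'building botnet' pattern.
    for src in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for n in range(40):
            flows.append(Flow(src, f"198.51.100.{n + 1}", 23, "tcp", 1, 60, 1000 + n, 1000 + n))
    # One assumed research scanner sweeping TCP/443; legitimate, allowlisted.
    for n in range(40):
        flows.append(Flow("192.0.2.7", f"198.51.100.{n + 1}", 443, "tcp", 1, 60, 2000 + n, 2000 + n))
    # Ordinary browsing: few destinations, long flows with many packets.
    for n in range(5):
        flows.append(Flow("10.0.0.5", f"198.51.100.{n + 50}", 443, "tcp", 120, 90000, 3000 + n, 3030 + n))
    return flows


def find_scanners(flows, min_targets=20, max_pkts=3, window=300, allowlist=frozenset()):
    """Return {src: {dport: distinct_destinations}} for scanning sources.

    A (src, dport) pair is a scan when tiny flows (<= max_pkts packets) reach
    at least min_targets distinct destinations within `window` seconds.
    Sources in `allowlist` (assumed list of known legitimate scanners) are
    skipped, mirroring the check for legitimate scanning companies.
    """
    dsts = defaultdict(set)
    span = {}
    for f in flows:
        if f.pkts > max_pkts or f.src in allowlist:
            continue                      # established sessions are not probes
        key = (f.src, f.dport)
        dsts[key].add(f.dst)
        lo, hi = span.get(key, (f.start, f.start))
        span[key] = (min(lo, f.start), max(hi, f.start))
    scanners = {}
    for (src, dport), targets in dsts.items():
        lo, hi = span[(src, dport)]
        if len(targets) >= min_targets and hi - lo <= window:
            scanners.setdefault(src, {})[dport] = len(targets)
    return scanners


def botnet_buildup(scanners, min_sources=3):
    """Return {dport: [sources]} for ports scanned by >= min_sources sources.

    A single scanner is routine; many independent sources probing the same
    port with the same pattern is the network-level build-up indicator.
    """
    per_port = defaultdict(set)
    for src, ports in scanners.items():
        for dport in ports:
            per_port[dport].add(src)
    return {p: sorted(s) for p, s in per_port.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = constructed_sample()
    found = find_scanners(flows, allowlist=frozenset({"192.0.2.7"}))
    for src, ports in sorted(found.items()):
        print(f"scanner {src}: {ports}")
    print("build-up by port:", botnet_buildup(found))
```

Without the allowlist the research scanner is also reported as a scanner, but it stays below the per-port source threshold, so it never contributes to a build-up alert; that is the distinction between "someone is scanning" and "many sources are scanning the same thing", which is what the interview points to as the useful signal.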