Malware Behaviours in a Changing Cyberthreat Landscape
In late May 2021, PaCCS Communications Officer Kate McNeil sat down with Cardiff University’s Professor Omer Rana to discuss his work on Modelling Victim, Business, Regulatory and Malware Behaviours in a Changing Cyberthreat Landscape. This project was funded by the EPSRC.
Kate McNeil: Thank you for taking the time to speak with me today! Would you mind getting started by telling me a bit about your research background, and how this project came about?
Professor Omer Rana: I am a computer scientist, and my work has mainly focused on distributed computing. I became interested in cyberattacks which occur on systems, particularly as we move to greater reliance on cloud services online. While computer scientists often work in a very siloed environment, over the years I have learned that great impact can come from learning and working at the periphery of multiple areas. Multi-disciplinary, multi-perspective approaches often give a focus to a given problem in a way that leads to some really interesting outcomes. This project was my first go at applying a deep level of multidisciplinary to questions in cybersecurity.
What did this project entail?
We worked with people in law, computer science, social sciences, and the economic side of cybersecurity to explore a multi-perspective approach to cyberthreats – particularly how they affect users, and when users become victims of cybercrime. We were interested in understanding user behaviour in online services, particularly in cloud computing. One angle of our research focused on trying to understand the types of attacks which happen, while a second strand of our research – led by Professor David Wall – focused on the legal and social aspect of cybercrime. He explored why prosecution of cybercrimes is so rare, potential changes needed to the Computer Misuse Act, regulatory compliance, and the types of evidence that needs collecting in order to prosecute cybercrime cases.
Was there anything that particularly surprised you as you conducted this research?
One strand of our work involved obtaining data on cyberthreats coming onto a university campus, using cyberthreats at Cardiff University as our case study. We were shocked to discover that there were thousands of attacks happening in university environments over just a few days. Over a four-day period, there were roughly 40 000 cyberattacks on Cardiff University’s systems. The most common attacks in a university environment turned out to be on the Microsoft Remote Desktop protocol.
What were some of the outcomes of your research?
Our findings explored how, and to what extent, we should alert users of the risks and potential threats that they face online. We also created a software tool which collects data from campus-based environments in order to characterize this risk and applied a mathematical model which can now be used to assess risk signatures in campus environments.
What would you want policymakers to know about the findings of your work?
My colleague David has been drawing upon our findings to make a case to policymakers about how cybercrime can be better prosecuted, and the limitations that we presently face around the interface between people who commit cybercrimes, people who are victims of those crimes, and law enforcement. We have been exploring how the Computer Misuse Act might be extended to make it easier to prosecute some of the people committing cybercrimes. For people using online services, we need increased reliability and assurance that the law is there to protect them. From a policymaker’s perspective, more needs to be done to highlight to users how the law protects them online – this needs to be more visible and explicit to users. Secondly, we need to figure out how cloud service provides can better support legal prosecution services in order to bring justice where people have committed cybercrimes.
What are you working on now?
The Modelling Victim, Business, Regulatory and Malware Behaviours in a Changing Cyberthreat Landscape project led to two other funded projects, opening up this multidisciplinary cybersecurity focus for us. Recently, we have done a lot of work on cybersecurity in grid computing and cloud computing. During the pandemic, as workforces have gone remote, questions around cybersecurity for distributed systems have become particularly important.
With everyone using online services, we are interested in how that impacts users and providers. I am particularly interested in how to ensure a greater level of transparency for the users of cloud services, including how those services manage user data. Here at Cardiff for example, we have been outsourcing our email systems and internal services to third party companies like Microsoft Office, while individuals often share data with photo sharing sites like Flickr or Smugmug. When I give my data to a cloud service provider, the cloud service provider might share this data with a variety of other services which operate in the background – including advertising services and profiling services. As the user, I never know that that whole behind-the-scenes ecosystem of services exist, because I am only interacting with one website. So, I want to understand how we could expose those behind-the-scenes interactions, while exploring the concept of GDPR in the context of cloud services.
What is next for your work?
We are all connected to the Internet of Things. We have devices at home, and the number and types of things we can connect to online services are increasing. In the future, for example, we will have smart vehicles. Going forward, as our data is fragmented across more devices, we need to make it more explicit to the user as to who is using their data, the legal issues around what happens if someone misuses their data, and how users can tell which services to trust. I am also interested more broadly in risk-taking behaviours online, and why even where cyberthreats have been made explicit to the user, there are some people who will still go ahead and use unsafe sites. Why people are willing to take risks online which they would not take offline is fascinating to me.
You can learn more about Professor Rana’s work identifying cyber risk hotspots, including his work on a framework for measuring temporal variance in computer network risk, here.