Correlating and Escalating Cyber

On September 20th, CNet reported on a new wave of malware called 'Mirage', embedded in PDFs that were distributed through spear-phishing attacks against a multitude of targets, such as a Philippine oil company, a Taiwanese military organization and a Canadian energy firm. The attackers' target set also included firms in Brazil, Israel, Egypt and Nigeria. Their report was based on the findings of Silas Cutler, a security researcher at Dell CTU. The researchers declined to comment on the origins of this new malware, but as we've seen before, the characteristics of this digital crimewave are a dead match to the likes we've encountered during Night Dragon, Operation Aurora and pretty much everything we've seen coming out of China in the last decade. Call me old-fashioned, but when I read attack characteristics such as these, I feel confident that a talk with the PRC is warranted:

  • Widespread – broad targeting of an entire industry, aiming for commercially sensitive data;
  • Not extremely sophisticated, just adequate to get in;
  • Supporting command and control network is highly active;
  • Attacks seem well-prepared and highly organized;
  • Some of the malware is made by the Honker Union (a well-known Chinese hacker group);
  • The command and control IP address belongs to China, as did three others that were used in the Sin Digoo affair earlier.

Looking at this pretty much confirms that the talks US Secretary of Defense Leon Panetta recently had with the Chinese about exactly these kinds of cyber-attacks had little effect. Considering how much American debt is held by the Chinese, you would have to ask yourself just how hard a line the US can draw against such practices, but other countries would probably do well to start talking more sternly to China through the diplomatic channel. Make no mistake: the economic damage of these attacks is so high that involvement at the state level is definitely required.

Getting out of Dodge first
So here we have a rather clear-cut case of attacker correlation which, as ever, is done pretty much after the fact by an international firm who investigated the malware. My question is: How do you deal with this as a nation, as it happens?

This one question breaks down into a number of smaller issues. First off, you'd have to establish at least somewhat formally who defends which network. And let's be fair: if you're a democracy, it's unlikely to be just one entity. The second issue you have to tackle is detecting the actual attack as it happens. Some network administrators will be able to, others won't. To be of any use on a national level, defenses on all networks should probably be somewhat similar. At least quality-wise, you'd need them to be similar; otherwise you wouldn't be able to determine the whole scope of each outbreak, even after the fact. This raises the question of how wise or desirable it would be to regulate information security measures in some way. In many companies, information security is still seen only as an expense and not as a requirement, even though we can cite countless examples of companies being severely damaged by successful cyber-attacks.

So let's assume we know who defends every network, and that they can all detect a new wave of malware as it happens. Then what? This information is usually kept secret (or ignored, but that's another matter entirely) and no signals leave these defending parties. When was the last time you called your government after a major cyber-attack hit your company? If you can answer that question, you're really in a minority and most likely operating in a heavily regulated industry such as Finance or Healthcare. The rest is pretty much left to fend for itself. Attacked entities need a local place to send information about these attacks. I would argue that for a government to be able to correlate various cyber-attacks, it must first have a central authority to which each entity can report attacks on its networks and systems. I haven't heard of any country having this, but a while back a couple of my friends here in the Netherlands started talking about the lack of such an authority. This was thought up during a brainstorming session at the Dutch MoD and initially dubbed a Security Operation Center (SOC). Even though I feel this name is somewhat ambiguous, let's keep it for now. Given its national scope, we should probably stick to the CERT naming convention and call it GOVSOC.

Alright, then what?
At the risk of becoming repetitive, let's assume for now that such a GOVSOC is formed and operational. You'd then need to devise thresholds and escalation paths, along with policies to deal with all eventualities. You'd also need some pretty good agreements with law enforcement, the military and civil government. All three of these parties need some kind of mandate to be able to act on information. It would also need to be covered how each of these parties will act on given information. In case an actual cyber-attack wave is detected, it would first need to be established whether there is nation-state involvement or whether it's cybercrime. In case of nation-state involvement, what would you want your government to do? Even when you're certain who did what, what are the thresholds for acting on it? How big must the damage be before diplomatic relations deteriorate? Is this affected by how much you engage in these activities yourself?

Maybe I'm wrong, and I sure hope I am, but I haven't heard of any country getting to this point yet. Many have been debating these and similar questions, but how about some action? For instance, in the Netherlands the National Cyber Security Center (NCSC) seems like a great candidate to embed that GOVSOC function in. It's government, but it's a public-private collaboration. If you know of any such developments in your country, please share them with me.

Security Awareness and Why Things Aren’t Improving

Earlier this week news broke of Google's interruption of a large-scale phishing expedition, which alluded to some state involvement by China. This inspired a host of experts to write about it, and J Oquendo's article on InfoSecIsland inspired me to write mine. In his article Mr. Oquendo asserts that it's remarkable (read: stupid) that US officials still seem to be using commercial email services such as GMail for the exchange of security-sensitive and sometimes mission-critical information, instead of using the available high-security services offered by the US Government that they should be using. In this day and age, with a nearly constant barrage of security breaches in the news, people don't seem to be getting any more aware of security issues.

In the area of User Security Awareness, things aren't improving at the pace they should. The Internet (and related technology) is not new anymore. While the usage of internet technology has grown exponentially over the last decade, its users have not grown much wiser in terms of security. Largely this is because the common online populace simply does not see the danger in having their online identities compromised; it's too abstract a notion for most people. Until the very real and practical downside of getting compromised hits them on the nose, they won't care. There is a whole industry revolving around protecting you from, and recovering you after, identity theft, and that is both a blessing and a warning. The many problems a person can experience from being a victim of Identity Fraud can take years to resolve. Years during which you are most likely to have bad credit (even when the bank knows you've been victimized!) or even be in debt for thousands of dollars for purchases you have never made. Living through such an experience is probably a real eye-opener, but we can hardly put everyone through such an ordeal just for security's sake.

Provided all your friends would actually listen to sage advice, what would you even tell them?

Monetary Value per System Owned – The Evolution of Endpoint Attacks

[Image: Endpoint Security remains the name of the game]

Recently some people working for a client of mine expressed the sentiment that they felt their business wasn't a target for an actual hacker (as opposed to automated attacks). This despite the fact that they had been attacked on two different occasions in a manner that indicated it was the same (thankfully clueless) attacker. Also, the company in question is doing business in a field that seems especially ripe for the proverbial plucking; a lot of money is being made by virtually every player there. One would think that security would be a bigger issue for these folks, but apparently the message hasn't fully landed everywhere.

This got me thinking about endpoint security and how incredibly understated (and often underestimated) the need for security is on these machines. In many companies it is the largest group of machines in the network, owned and operated by the least technically skilled and security-ignorant users in the company, yet most companies consider the protection of these systems as an afterthought. “Just install AV, Jimmy. That’ll do!” they say, and turn back to tweaking their firewalls (if you’re lucky).

At the same time, an attacker simply lures the gullible users to a specially crafted malicious website or sends out a mass mailing of an infected PDF. Despite having been told thousands of times before not to open attachments from people you don’t know (or that you don’t expect), you just know that someone will do it anyway. And really, all it takes is a single user to take leave of their senses to create a backdoor into your network. I would also like to point out, because this thought seems to float around a lot, that no amount of Group Policy settings will change the outcome. What you need is user sensibility and proper endpoint protection.

Considering the above point and observing the evolution of the purpose behind botnet malware, it becomes clear that the shift is financially motivated. A few years ago botnets were used mostly for DDoS purposes, but since then there has been a change towards monetary gain. From basic DDoS, the botnets were deployed to make money through click-advertisement programs and surfing-behavior studies. After that came the stealing of financial information, often leading to credit card fraud and identity theft. Currently we're seeing the re-emergence of ransomware, where user data is held hostage until the user pays a certain amount before a deadline. If they don't pay, their data is lost forever.

The criminals involved (often organized crime) seem to be refining their strategy. Where they once made relatively small amounts with a large number of systems they now aim to make a larger amount per system. Essentially they realized that there is a Monetary Value per Owned System, and by becoming more efficient they are raising that value per system to maximize profits.

This idea swam around in my head for a while. What would I do to make the most money? If the idea is to squeeze the most cash out of each system, then we should be looking for the systems that have the most potential cash to be stolen. For me, this ruled out the average internet user. You'd have to be very lucky to stumble onto a rich and clueless target; there just aren't that many around. Also, how would you know that your target is actually wealthy?

The answer was simple: Companies. Companies usually have deeper pockets than the average internet user and the ways to exploit them are myriad: extortion, data theft, corporate espionage, credit card fraud; you name it. There's another upside to this approach: most companies deploy their workstations through imaging. That often means that if one workstation is vulnerable to a certain attack, chances are good that the other workstations in the network are too. More targets mean more potential access to the information I'd want. Also, in most cases the users of said workstations are a lot less motivated to be secure; it's not their workstation and it's not their money.

Following this logic, the future of corporate security looks grim. Workstations are a hell of a lot more tempting a target than any server; they are easier to crack and there’s a lot more of them. Administrators need to realize that attackers (both real and automated) won’t attack the shield you hold up, but rather go after the target behind the shield in any way possible. This means that the hard-shell/soft-interior methodology in securing a network is dead, and actually has been so for quite some time.

Endpoint protection will remain the name of the game, and what software vendors are doing right now isn't working. It's a failing approach, something that's becoming increasingly obvious with each new report of a major breach. A change needs to be made before Organized Crime realizes its full potential.