Making the unknown known
What you need to know about targeted attacks and mitigating the threat to your business
The threat landscape is, not surprisingly, continuing to evolve. Even two or three years ago it was hard to believe there could be anything as disruptive and unsettling as millions of networked, compromised computers under the remote control of cybercriminals. Yet there now is: a more insidious and pervasive threat than anything seen before, which is replacing the mass "spray and pray" approach common in botnet-based campaigns.
We hear more and more talk about targeted attacks, sometimes
called Advanced Persistent Threats (APTs). These are commonly
orchestrated by cybercriminals targeting specific organisations
with bespoke malware, designed to install itself within company
networks. Often the malware evades traditional security solutions
and stays hidden until the cybercriminals find and steal the
data they are looking for. The most common motivation behind
these types of attacks is financial gain.
Concerns about this type of cyber attack are increasingly finding their way onto the CSO's agenda, gaining more attention every time a big case hits the headlines. RSA [i], Google [ii], Lockheed Martin [iii] and Symantec [iv] are just a handful of the companies that have been affected so far. If it is happening to firms with the security expertise and budget of these organisations, then it seems very sensible for everyone to start thinking about ways of mitigating the threat. In fact, according to recent research conducted by Quocirca across 100 medium to large organisations in the UK, over 70% admitted to having been the victim of a targeted attack [v]. According to another study by the Ponemon Institute, an alarming 67% of organisations feel their current security measures are not enough to stop such a sophisticated cyber attack [vi].
What are we talking about?
It probably helps to begin with some definitions. What we are talking about are laser-focused, targeted
attacks aimed at stealing your organisation’s most valuable information – whether that’s personal
information like passwords, credit card details, customer details, commercial secrets or other IP.
Usually, but not exclusively, the threat arrives in the form of a
spear-phishing email. Elaborate social engineering techniques
will tempt a member of your staff or employees in your supply
chain to open a malicious attachment or click on a malicious
link. It should be noted that much of this malware exploits zero
day or unpatched vulnerabilities. Once inside, the malware will
enable the cybercriminals to communicate with that device via
a command and control server for more instructions. They will
use the compromised device to creep stealthily around inside
the network, evading detection and escalating privileges until
they find the data they are looking for.
Targeted attacks often stay under the radar of conventional detection tools for months or years on end, and combating them fully requires a new approach to security. A recent Verizon data breach report [vii] showed that 83% of all businesses that discovered targeted attacks did so only after the attacker had been inside the network for weeks or months; the majority, 54% of businesses, took months to discover the hidden malware. Because the attacks are one-off, and because new malware is often developed specifically to breach the defences and stay hidden once inside the network, traditional solutions that rely on matches to previously seen malware will usually fail to spot the danger. Even heuristic-based technology can be circumvented by ensuring that the new malware is significantly different from anything released before.
Some have questioned the use of the word 'advanced' to describe these attacks, given that they often use fairly basic malware components to exploit known system vulnerabilities. However, this is not always the case, and there have been instances of determined attackers using polymorphic or encrypted malware specially crafted to exploit zero day flaws in order to penetrate the network. The careful planning that goes into such attacks, the combination of multiple attack methodologies and sophisticated obfuscation techniques make them a formidable prospect.
The preserve of state-sponsored hackers?
APTs were traditionally and most commonly associated with state-sponsored cyber espionage activity from various sources, with the threat from East Asia particularly well documented. Stuxnet [viii], which was reportedly developed by the Americans and/or Israelis and used to target Iranian nuclear facilities, is a prime example of an APT or targeted attack.
These targeted attacks probably first came to public prominence when Google revealed in January 2010 that it had been the victim of one such attack, dubbed Operation Aurora [ix], which also affected a number of multinational information security, defence and other firms including Symantec [iv], Sony [x], Epsilon [xi] and Morgan Stanley [xii]. It has recently been revealed that the team behind Aurora has been prolific in using zero day exploits to attack a range of other targets since, swapping malicious email attachments for compromised web sites as the primary infection channel.
There have been several more high-profile discoveries in verticals such as shipping, engineering, aerospace and even not-for-profits. The Night Dragon [xiii] attacks targeted global energy firms, while the attack on security firm RSA was believed to have been launched to give the attackers the SecurID token data they needed to go after an RSA customer, defence contractor Lockheed Martin [xiv]. This tactic of going after targets in a supply chain with the ultimate aim of cracking a bigger prize is common to targeted attacks, and it broadens the sweep of firms out there which are potentially at risk.
"RSA Security revealed that the targeted attack behind the loss of its security key data cost it at least $66m [xv]."
The sleeping menace
Targeted attacks are displaying ever more sophisticated techniques to escape detection too. It’s no
surprise that in the Ponemon Institute research, the majority (56%) of respondents said they discovered
data breaches purely by accident – most current security systems are simply not capable of spotting
these new threats.
One targeted attack campaign uncovered by Trend Micro, dubbed IXESHE, revealed that the command and control system used by the attackers was actually located inside the compromised host's network [xvi]. The attackers put the control ecosystem on a 'sleep cycle', meaning there was no persistent tell-tale connection to an outside IP address which could have alerted investigators; instead, such connectivity happened only very occasionally and for short periods.
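The IXESHE pattern above (an internal host acting as the control relay, with rare and short external connections) is exactly what periodicity analysis over connection logs is meant to surface. The following is an added example, not code from the original paper or from Trend Micro: it parses a constructed, netflow-style log (the five-field format, addresses and timings are assumptions), flags flows whose inter-connection timing is too regular and whose payloads are too small for human activity, and then groups the flagged flows by destination so that an internal host being beaconed to by several workstations stands out.

```python
"""Beacon (periodic callback) detection over connection logs.

Added example, not Trend Micro's code. The five-field log format below
(timestamp src dst dst_port bytes_out) is a constructed simplification of a
netflow or proxy export; the addresses and timings are invented.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

# Constructed sample records: two workstations calling an internal host every
# hour with tiny payloads, one workstation browsing irregularly, and the
# internal host reaching out to the internet only twice in a day.
SAMPLE_LOG = """\
2013-03-01T08:00:00 10.1.1.20 10.1.1.250 443 512
2013-03-01T09:00:02 10.1.1.20 10.1.1.250 443 498
2013-03-01T10:00:01 10.1.1.20 10.1.1.250 443 530
2013-03-01T11:00:00 10.1.1.20 10.1.1.250 443 505
2013-03-01T12:00:03 10.1.1.20 10.1.1.250 443 512
2013-03-01T08:09:09 10.1.1.22 10.1.1.250 443 480
2013-03-01T09:09:10 10.1.1.22 10.1.1.250 443 470
2013-03-01T10:09:12 10.1.1.22 10.1.1.250 443 490
2013-03-01T11:09:10 10.1.1.22 10.1.1.250 443 501
2013-03-01T08:17:11 10.1.1.21 198.51.100.7 443 40100
2013-03-01T08:21:45 10.1.1.21 198.51.100.7 443 15000
2013-03-01T08:22:03 10.1.1.21 198.51.100.7 443 2200
2013-03-01T09:40:10 10.1.1.21 198.51.100.7 443 88000
2013-03-01T09:41:00 10.1.1.21 198.51.100.7 443 512
2013-03-01T03:12:00 10.1.1.250 203.0.113.9 443 900
2013-03-01T22:47:30 10.1.1.250 203.0.113.9 443 1100
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacons(records, min_conns=4, max_jitter_cv=0.05, max_median_bytes=2048):
    """Flag (src, dst, port) flows whose connection timing is suspiciously regular.

    Jitter is the coefficient of variation of the gaps between successive
    connections: human-driven traffic is bursty (high CV), an implant that
    sleeps a fixed interval is not.
    """
    flows = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        flows[(src, dst, port)].append((ts, nbytes))

    beacons = {}
    for key, events in flows.items():
        if len(events) < min_conns:
            continue  # too few samples to say anything about periodicity
        events.sort()
        times = [ts for ts, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        if period <= 0:
            continue
        jitter_cv = statistics.pstdev(gaps) / period
        median_bytes = statistics.median([n for _, n in events])
        if jitter_cv <= max_jitter_cv and median_bytes <= max_median_bytes:
            beacons[key] = {
                "count": len(events),
                "period_s": round(period, 1),
                "jitter_cv": round(jitter_cv, 4),
                "median_bytes": median_bytes,
            }
    return beacons


def suspected_c2(beacons):
    """Group flagged flows by destination; an internal destination with several
    beaconing clients is the IXESHE-style relay the paper describes."""
    clients = defaultdict(set)
    for src, dst, port in beacons:
        clients[(dst, port)].add(src)
    return {
        (dst, port): {
            "clients": sorted(srcs),
            "internal": ipaddress.ip_address(dst).is_private,
        }
        for (dst, port), srcs in clients.items()
    }


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for key, stats in found.items():
        print(key, stats)
    for key, info in suspected_c2(found).items():
        print("suspected C2", key, info)
```

The thresholds (at least four connections, jitter below 5% of the period, median payload under 2 KB) are starting points rather than tuned values; an implant that randomises its sleep interval raises the jitter, so an internal destination collecting several flagged clients is a stronger signal than any single flow. The analysis window must also be longer than the implant's sleep cycle, otherwise a beacon never accumulates enough connections to be scored, which is why the relay's own two external connections in the sample are not flagged.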
Other sophisticated techniques attackers are using to evade detection include patching the vulnerability they used once they have penetrated a system. This not only hides their route into the network but ensures rival malware writers cannot interfere and piggy-back on their efforts. An even more disruptive technique to throw off security researchers is malware equipped with host identity-based encryption. This encrypts modules of the malware with keys derived from information taken from the victim's machine, so that researchers cannot easily run and analyse the malware in their labs, where that information is absent.
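To see why host identity-based encryption defeats lab detonation, here is an added illustration that is not from the paper, from Trend Micro, or from any real malware family, built only on Python's standard library. The module key is derived from a fingerprint of host identifiers (hostname, MAC address and volume serial are assumed choices for the example), and the sealed module carries an authentication tag, so on any machine with a different fingerprint the key is wrong and the module refuses to open instead of producing garbage that could be analysed.

```python
"""Host identity-based (environmental) keying of a malware module, as an
analyst would model it.

Added illustration, not code from the paper, from Trend Micro, or from any
real malware family. Standard library only: HMAC-SHA256 for key derivation,
for a counter-mode keystream and for the authentication tag.
"""
import hashlib
import hmac

TAG_LEN = 32


def host_fingerprint(hostname, mac, volume_serial):
    """Combine identifiers read from the machine. Which ones are used is the
    attacker's choice; these three are assumptions for the example."""
    return f"{hostname.lower()}|{mac.lower()}|{volume_serial.upper()}".encode()


def derive_key(fingerprint, salt=b"example-campaign-salt"):
    """The module key never exists on disk; it is recomputed from the host."""
    return hmac.new(salt, fingerprint, hashlib.sha256).digest()


def _subkeys(key):
    """Separate encryption and tag keys so the two uses cannot interfere."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, length):
    """Deterministic keystream: HMAC(enc_key, counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_module(module, key):
    """Encrypt the module and append a tag so a wrong key is detected, not executed."""
    enc_key, mac_key = _subkeys(key)
    ciphertext = bytes(p ^ k for p, k in zip(module, _keystream(enc_key, len(module))))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_module(blob, key):
    """Return the plaintext module, or None when the key (i.e. the host) is wrong."""
    if len(blob) < TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def demo():
    """Seal a stage on the (constructed) victim, then try it on a (constructed) lab box."""
    victim_key = derive_key(host_fingerprint("WS-FIN-07", "00:11:22:33:44:55", "a1b2c3d4"))
    lab_key = derive_key(host_fingerprint("SANDBOX01", "de:ad:be:ef:00:01", "ffffffff"))
    blob = seal_module(b"stage-2 module bytes (constructed placeholder)", victim_key)
    return {
        "on_victim": open_module(blob, victim_key),
        "in_lab": open_module(blob, lab_key),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for responders is that the identifiers feeding the fingerprint must be captured from the victim machine during triage, or the sample must be analysed there; the same file pulled into a sandbox has nothing to decrypt, and a static look at the loader only tells you which identifiers it reads.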
Examples of targeted attack campaigns

Targeted attack campaign           Victims
Stuxnet                            Iranian nuclear facilities
Aurora                             Google, Symantec, Morgan Stanley, Epsilon
Night Dragon                       Global energy firms
Connected attack on supply chain   RSA Security, Lockheed Martin
IXESHE                             East Asian governments, electronics manufacturers, telecommunications companies
PlayStation Network                Sony
Why should you care?
It’s pretty obvious that targeted attacks are here to stay. For every Aurora, Stuxnet or IXESHE, there are
likely scores of other targeted attack campaigns that have so far gone undetected. More worryingly,
it has become clear that they are no longer the preserve of state-sponsored cybercriminals looking for
specific strategic military or other information to help their governments.
Verizon estimated that among its global clients in 2011 there were 855 data loss incidents and a staggering 174 million compromised records, the second highest data loss total since it began recording such statistics in 2004 [xvii]. It revealed that targeted attacks were not as common as opportunistic attacks, comprising just 16% of total breaches, but were far more effective, representing 63% of compromised records.
Financially motivated cybercriminals now have the capabilities
to launch such attacks – with the end goal of either selling
your organisation’s most valuable data on, blackmailing,
extorting money from you or your suppliers, or even using
information gleaned from an attack to work their way up
the supply chain to a bigger prize. The problem is that once
inside, there is only limited technology available to prevent
financially motivated attackers from having a good look
around to see if there is any other data or IP they might be
able to sell on the digital black market.
The cost of such breaches remains difficult to calculate, and many firms which have been hit are still investigating the true extent of their loss. Ponemon declared in a March 2012 study, The Impact of Cybercrime on Businesses, that the average cost impact of targeted attacks is $214,000, which goes mainly on "forensic investigation, investments in technology and brand recovery costs".
The loss of any valuable IP would obviously have an
immeasurable financial impact on a firm planning on coming
to market with a disruptive, differentiating product or service.
If the breach became public knowledge or involved customer
data then there is also likely to be a knock-on effect on
customer confidence and the overall brand, as well as large
fines imposed by regulators for loss of customer data. This is
true of all companies but especially those in service industries
where any evidence to suggest your back-end infrastructure
is not as robust as it should be could lead to a haemorrhaging
of customers.
Sony, for example, found out to its cost when it was hit by a series of attacks in 2011 that online customer loyalty can be a fickle thing [xviii]. The data breaches relating to 75m+ users of its PlayStation Network, which cost the Japanese electronics giant in excess of $170m, even led one disgruntled customer to sue the firm for not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users". In addition, in January 2013 the Information Commissioner's Office (ICO) in the UK fined Sony a further £250,000 for its failure to protect the PlayStation Network customer data [xix].
Is what you have already enough?
Traditional approaches to security still rely for the most part on detecting and repelling attacks at the
network edge and traditional endpoints.
The problem with this new breed of targeted attacks – as has
been discovered by firms like Google and RSA with no shortage
of funds to throw at information security – is that if the attacker
wants to infiltrate your network badly enough, they will find
a way. A member of staff tricked into opening a malware
infected attachment that takes advantage of an unknown, or
zero day vulnerability is all it takes. This is especially apparent
in new target areas like smartphones that often have been
neglected when it comes to security protection.
If the malware has never been seen before, there is no signature match or reputation to rely on, and many current systems are unlikely to stop it. For example, the ground-breaking Stuxnet attack famously took advantage of an unprecedented four zero day vulnerabilities to achieve its goal of infiltrating Iran's nuclear programme.
It is not that your existing security infrastructure is suddenly irrelevant, as it still protects you from high-volume, generic, spray-and-pray malware. However, it does need to be enhanced to take into account this new threat. Defence strategies need to change to pay more attention to what goes on inside the network as well as at its edge. It may have become something of a cliché in security circles, but a multi-layered approach really is the best approach to dealing with this very modern threat. Also useful is technology that can identify strange behaviour not only on endpoint devices and on the internet connection, but also inside the network.
Finally, firms need to ramp up their real-time threat
management capabilities with the aim of attaining greater
situational awareness of what’s going on inside their perimeter.
File integrity monitoring and network monitoring tools are
also important here – they could give you vital clues as to
whether your perimeter has already been breached.
Investing in security systems which tap the power of Big Data analytics to correlate elements of global cybercrime activity with unusual behaviour inside the network could also provide vital clues to a breach. Even though the malware used may be new, the way it behaves (how it beacons out, moves laterally or stages data for exfiltration) often is not, so intelligence gathered across many organisations certainly helps. And let us not forget the role of the much-maligned system administrators here either. They should be trained to spot and contain this new threat, decommissioning machines or hosts before they are used to compromise other systems within the network.
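The file integrity monitoring mentioned above catches two of the techniques described earlier: an attacker who patches a system binary after compromise, and a dropped module that was never in the baseline. This is an added example, not Trend Micro's tooling: it baselines a directory tree by SHA-256 hash, size and mode, then diffs a second snapshot. The monitored tree and the simulated tampering are constructed inside a temporary directory so the code runs offline.

```python
"""Minimal file integrity monitoring: baseline a tree, re-scan, report changes.

Added example, not Trend Micro's tooling. The monitored tree and the simulated
tampering are constructed in a temporary directory so the code runs offline.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            snap[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return snap


def compare(baseline, current):
    """Classify every path as added, removed or modified (hash or mode changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in set(baseline) & set(current)
        if baseline[path]["sha256"] != current[path]["sha256"]
        or baseline[path]["mode"] != current[path]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    """Helper for the constructed tree: create parent directories and write bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, baseline it, simulate post-compromise tampering, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/svc.exe", b"original service binary")
        _write(root, "config.ini", b"debug=0\n")
        baseline = snapshot(root)

        # Simulated attacker activity: patch the service binary in place
        # (same length, so a size-only check would not reveal it), drop a
        # module, and delete a config file.
        _write(root, "bin/svc.exe", b"patched  service binary")
        _write(root, "bin/updater.dll", b"dropped module (constructed)")
        os.remove(os.path.join(root, "config.ini"))
        current = snapshot(root)

        report = compare(baseline, current)
        report["same_size_patch"] = (
            baseline["bin/svc.exe"]["size"] == current["bin/svc.exe"]["size"]
        )
        return report


if __name__ == "__main__":
    print(demo())
```

Hashing matters because the patched binary is the same size as the original, so a size or timestamp check alone would miss it. In production the baseline must be stored where the monitored host cannot rewrite it, and the diff should feed the same correlation engine as the network alerts, so that a modified binary on a host that is also beaconing scores higher than either signal on its own.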
For those who are still unsure whether to enhance their existing
security to cope with this insidious new threat, insurance
companies in the US are already offering the possibility of
reduced insurance premiums for customers who install certain
cyber attack defence products – creating a compelling
financial argument for putting in place security designed to
combat targeted attacks.
In short, the focus of security needs to adjust to the reality that these highly sophisticated, hard-to-detect attacks are widespread and very difficult to stop. The best response is to maintain a high degree of visibility and awareness of network traffic and behaviours so that anything unusual will be spotted promptly. Likewise, staff at all levels of the organisation must be trained and regularly reminded to be on constant guard for social engineering schemes. And all of this, of course, in addition to traditional defences. Sharing threats and their analysis with the whole company once detected also helps with education: it shows how it was done and highlights the reality of the situation to the whole organisation.
Defence in depth
At a technical level, this means traditional tools such as endpoint protection – including on any mobile
devices which can access the network – messaging and web security for servers and the gateway. Your
servers also need to be secured, whether on-premise, virtualised or cloud-hosted.
What should I do?

Next steps
1 Assume you have been breached.
2 Draw up a strategic battle plan: what new technologies and processes will be required to help identify targeted attacks.
3 Invest in network-based traffic monitoring and analysis solutions to help make the unknown known. Consider one that can combine traditional endpoint, messaging and web security with real-time threat management capabilities to give greater protection and insight into network activity.
4 Educate your staff and then educate them again. It is vital to prevent the attackers gaining that initial foothold. It only takes one click of a mouse to come unstuck.
5 Prime your IT staff. The focus needs to shift away from defending at the network edge. They need to be on constant lookout for unusual activity inside the network.

What are the potential risks if I don't act now?

Potential risks
1 Fines from regulators enforced due to data loss, as insufficient measures were in place to protect customer data.
2 Customer loss and brand damage due to data loss.
3 Loss of competitive advantage as Intellectual Property may be lost to the competition.
4 Blackmail or extortion by cybercriminals.
5 Continuous uncertainty about whether or not your network has been breached and if your data is safe.
Turning up the discomfort level
There is no doubt that the threat landscape has taken another transformative step forward, leaving many organisations unsure of which steps they need to take to mitigate the threat.

The truth behind targeted attacks, Advanced Persistent Threats or whatever you want to call this new wave of sophisticated cyber attacks, is that they are a very real issue for firms of all sizes, not merely those in military, government or critical infrastructure-related industries.

Yet they are not impossible to combat, with the right tools, training and approach. Traditional defences must be bolstered by more internal network monitoring and rule-based event correlation so that, in the event of a breach, the hidden menace can be identified before it has a chance to exfiltrate vital data. Employees need to be trained and re-trained in cyber vigilance at all levels of the organisation, and IT administrators properly briefed.

The threat may be insidious, resilient and highly targeted, but our response can also be advanced, persistent and crafted to turn up the discomfort level so that the attackers have no choice but to flee.
Further reading
Combating Advanced Persistent Threats http://www.trendmicro.co.uk/apt
Next-generation Protection from Advanced Persistent Threats http://www.trendmicro.co.uk/products/deep-discovery

Contact Trend Micro
Please call us on 01628 400 500
References
[i] http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
[ii] http://www.cryptzone.com/news/article.aspx?category=Email-security&title=Google-reveals-data-security-breach-on-Gmail&id=800565910
[iii] http://www.nytimes.com/2011/05/28/business/28hack.html
[iv] http://searchsecurity.techtarget.com/news/2240114107/Symantec-breach-Data-breach-basis-of-Norton-source-code-leak
[v] The occurrence and impacts of targeted attacks, Quocirca Ltd, February 2013
[vi] The Human Factor in Data Protection, Ponemon Institute LLC, January 2012
[vii] Data Breach Investigations Report, Verizon, March 2012
[viii] http://www.stuxnet.net/
[ix] http://www.theregister.co.uk/2012/09/10/elderwood_cyberespionage/
[x] http://www.informationweek.com/security/attacks/6-worst-data-breaches-of-2011/232301079
[xi] http://www.guardian.co.uk/technology/2011/apr/06/epsilon-email-hack-marks-spencer
[xii] http://www.itworld.com/security/180587/morgan-stanley-warns-34000-customers-data-breach
[xiii] http://www.pcworld.com/article/219251/article.html
[xiv] http://www.theregister.co.uk/2011/06/06/lockheed_martin_securid_hack/
[xv] http://www.theregister.co.uk/2011/07/27/rsa_security_breach/
[xvi] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
[xvii] Data Breach Investigations Report, Verizon, March 2012
[xviii] http://news.cnet.com/8301-31021_3-20057921-260.html
[xix] http://www.guardian.co.uk/technology/2013/jan/24/sony-fined-over-playstation-hack
Contact Trend Micro
01628 400 500
www.trendmicro.co.uk
©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company and/or product names may be trademarks or registered trademarks of their owners.