5 Lessons From Real-World Attacks
INTEROP — New York City — Take it from Harry Sverdlove, CTO of security firm Bit9: no organization — regardless of size or business — is immune to today’s attacks.
The security whitelisting vendor earlier this year revealed details of how attackers had stolen one of its digital code-signing certificates and then used it to sign malware attacks against three of its customers, who were the ultimate targets. It was an awkward and painful position for a security vendor, but Bit9 provided a detailed firsthand account of some of the key specifics of the attack, as well as the malware that was used.
Speaking here at Interop tomorrow, Sverdlove will share five lessons from real-world attacks — some of them gleaned from his company’s own experience of being attacked.
“Obviously, everyone is a target. It’s not pleasant to talk about … but [our breach] was a supply chain attack,” Sverdlove says. “There were multiple teams of hand-offs … What we gathered on the campaign is that we weren’t the target.”
[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See Security Vendors In The Aftermath Of Targeted Attacks.]
Lesson number one: everyone is a target.
Sverdlove says mom-and-pop shops, suppliers, and other small businesses are getting hit. “You don’t have to be working on a secret nuclear weapons program. You don’t even have to have information of value, you just have to know people with information of value.”
Cyberespionage actors are getting to their actual targets via their suppliers and business partners, he says. After the Flame cyberspying malware attack was exposed a year and a half ago, one of Bit9’s customers in the Middle East found that it had been attacked by Flame. Bit9’s software blocked an actual infection, he says, and it turns out the firm was targeted because they do business in the Middle East. “They were a stepping-stone attack,” Sverdlove says.
That doesn’t mean small businesses don’t have valuable information of their own that attackers want. A small tire-maker in Texas, for example, was breached and the attack was traced to a sophisticated attack group, Sverdlove says. “I asked him, ‘well, why were you attacked?’ and he said, ‘I have a special way I make my tires.’”
Such proprietary information is attractive to cyberspies, Sverdlove says.
Lesson number two: attackers are constantly raising the bar.
The bad guys are sharing intel they gather, and they also capitalize on any code that’s published by the security community, such as the snippets of Stuxnet code that were posted in the wake of the discovery of the game-changing malware. “Stuxnet just raised the bar for everybody,” he says.
“Enemies are sharing the intel, and sometimes, we facilitate it” when posting and analyzing code, he says. “We’re doing our jobs. But the attackers download those samples,” too, he says, as well as the Metasploit modules that are released in the wake of zero-day finds.
“Metasploit is a great security tool for researchers, [for example], but that commercialization allows less sophisticated attackers to download it and they’re performing zero-day attacks,” he says.
Distributed denial-of-service (DDoS) attacks are getting exponentially more powerful and efficient, and waterholing attacks are becoming a popular way for cyberespionage attackers to more efficiently net their targets. “Instead of emailing you, they go to a softer target, a website you frequent and wait for you to come there,” Sverdlove says.
Since many companies outsource their websites, they have less control over the security, for instance, he says. Plus organizations can’t “secure the Internet” for all the websites their users visit, he says.
How do the attackers filter out the unwanted catches? “You can set up a watering hole attack and monitor the IP addresses and the machine names of the systems you have compromised,” Sverdlove says.
In one such attack on one organization investigated by Bit9, the attackers established a foothold in multiple systems and went dormant in the ones they didn’t want or need. “They can tell the others to delete and clean themselves up” and wait for the specific targeted user’s machine they were after, he says.
Several Chinese cyberspy gangs are broken into units, he says. They split the duties in their attacks: one group compromises the websites, filters out the targets, and hands them over to another group that handles the exfiltration of data. “It allows them to do campaigns that are certainly longstanding and prolonged. It’s not like they have one goal in mind; they have entire sectors they compromise and later, when they need specific information, they call in specific teams.”
Lesson number three: you’ve already been infiltrated.
“You should be assuming you are” infected, Sverdlove says.
These advanced attackers are in it for control and information, he says, so you have to assume you are under attack. “Then you have to answer the question, ‘if I were infected, how would I know?’”
Sverdlove says that requires changing your security program from prevention to protection and watching what’s happening in your environment. “And you need a response” to an attack, he says.
“Part of a security program, you have to have prevention, detection, and to monitor your ability on how quickly you can respond,” he says, whether that response is to wipe a system or to sandbox it and watch the bad guys’ actions.
Response encompasses several parties, including public relations. “It helps to have that PR agency on speed dial,” he says. “You have a process for escalation … in the early stage, you bring in a security analyst, who’s going to see what’s going on. But then later, you might need to bring in executive stakeholders, legal and or law enforcement.”
Lesson number four: Traditional security methods don’t solve today’s problems.
Default/deny, signature-based technology doesn’t stop sophisticated attacks. Companies that are getting hacked have had all of these technologies, including antivirus and firewalls, and still were infiltrated, Sverdlove says.
“They’re not stopping the attackers,” he says. But even so, they’re necessary for known threat prevention.
Lesson number five: Don’t despair.
There are steps organizations can take to minimize their risk of a targeted attack, however.
“Don’t use home email for work. That’s the number one way spearphishing happens,” Sverdlove says.
Keep patching, he says, and set in place policies for risky applications such as Java, for instance.
“A simple set of policies can reduce your attack surface area,” he says. But policies require verification, too.
Take strong password policies. Bit9’s security team regularly tests the company’s users’ passwords. “They use off-the-shelf password cracking tools,” Sverdlove says. If they can crack a user’s password with the tools, the user is notified and given tips on creating a stronger one.
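The verification step described above can be approximated in-house without a full cracking suite. The following is an added example, not Bit9’s tooling: a small policy audit that undoes the mutations cracking tools try by rule (case changes, leetspeak, appended years and symbols) before comparing a candidate against a wordlist, so that “P@ssw0rd2013!” is flagged just as “password” would be. The user names, passwords and the mini wordlist are constructed for the example; a real audit would substitute a breached-password list and run only at password-change time, where the plaintext is legitimately available.

```python
"""Password-policy verification audit (added example; not Bit9's own code).

Rule-based normalization mirrors what off-the-shelf cracking tools attempt,
so a policy that merely demands "one digit and one symbol" is tested against
the mutations an attacker would actually try.
"""
import re
from typing import Dict, List

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer", "interop"}

# Common leetspeak substitutions, reversed so "p@ssw0rd" -> "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Undo typical cracking-rule mutations: lowercase, strip leading/trailing
    digits and symbols (years, '!' suffixes), then reverse leetspeak."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop trailing "2013!", "123", etc.
    base = re.sub(r"^[^a-z]+", "", base)   # drop leading symbols/digits
    return base.translate(LEET_MAP)


def audit_password(pw: str, username: str = "", min_length: int = 12) -> List[str]:
    """Return a list of policy findings for one password (empty list == passes)."""
    findings: List[str] = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if normalize(pw) in COMMON_PASSWORDS:
        findings.append("dictionary word with rule-based mutations")
    if username and username.lower() in pw.lower():
        findings.append("contains username")
    return findings


def audit_users(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a {username: password} mapping; only users with findings are returned,
    which is the set that would be notified and given guidance."""
    return {user: f for user, pw in credentials.items()
            if (f := audit_password(pw, user))}


if __name__ == "__main__":
    # Constructed sample accounts for demonstration only.
    sample = {
        "alice": "P@ssw0rd2013!",                 # leet + year suffix on a dictionary word
        "bob": "Summer13",                        # short and a mutated dictionary word
        "carol": "correct horse battery staple",  # long passphrase, passes
        "dave": "dave-Roadster-2013",             # long, but embeds the username
    }
    for user, reasons in audit_users(sample).items():
        print(f"notify {user}: {', '.join(reasons)}")
```

The `normalize` step is the point of the exercise: a policy checker that compares only the literal string would accept every password above except "Summer13", while the audit reports three of the four accounts.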