he Cyber pace Race
Transcription
he Cyber pace Race
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY ISSA Journal | March 2012 The Cyber Space Race By Richard Walters This article looks at the rise of advanced persistent threats and advanced evasive techniques, exploring how outbound traffic analysis, ingress-based analysis, and other forms of mitigation may be used to counter these offenses. Abstract Cyber attacks are becoming increasingly sophisticated as nation-states seek to make up ground economically. This article looks at the rise of Advanced Persistent Threats and Advanced Evasive Techniques, exploring how outbound traffic analysis, ingress-based analysis, and other forms of mitigation may be used to counter these offenses. C yber threats have evolved significantly over the past few years with attacks becoming increasingly targeted against individuals or specific companies. Extremely well funded and technically advanced “software factories” belonging to organized criminals and nation-states are producing complex, highly developed code that can be distributed over multiple vectors and quietly hidden in email attachments and websites. Often intricately coded, these can only have been designed by an organized structure such as nation-state governments, criminal gangs, or enterprises – although these are not mutually exclusive; governments may well use criminal organizations to carry out cyber espionage attacks, enabling them to exercise plausible deniability. Specialists for every element in the cybercrime “supply chain” are now established – from exploit research, to malware de- 12 velopment, to distribution, to data harvesting. As criminals specialize so the sophistication and speed of release of new threats increases, the chance of being caught diminishes. International criminal groups are becoming more technically sophisticated and are operating online where the potential rewards are greater and the chance of detection lower. Cybercrime has become a global and highly lucrative business. Studies by the Ponemon Institute1 and Symantec2 claim that cybercrime costs US businesses alone between $96 and $114 billion annually. Costs of cybercrime Ready-made packages are available for sale on malware exchange websites. The cost of cybercrime is increasing every year making it a highly lucrative business. The cost of entry to cybercrime fell in May 2011 with both the source code for ZeuS and the Blackhole exploit kit appearing within several days (the latest version of ZeuS still sells for around $5,000). The ZeuS Trojan cost US banks an estimated $250 million in 2010 with a single Ukraine-based cybercrime ring alone responsible for stealing $70 million from US banks and £6 million from UK accounts. 1 Ponemon Institute, “Second Annual Cost of Cyber Crime Study” (August 2011) 2 Symantec, “The Norton Cyber Crime Report 2011” (September 2011) ©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved. The Cyber Space Race | Richard Walters According to a study by Britain’s Office of Cyber Security and Information Assurance,3 the total annual cost to the British economy alone is £27 billion - made up of £21bn of costs to businesses, £2.2bn to government, and £3.1bn to citizens. The total cost to businesses is broken down into intellectual property theft (£9.2bn), industrial espionage (£7.6bn), extortion (£2.2bn), and direct online theft (£1.3bn). The remainder (£0.7bn) was lost through theft of customer data. The true cost of cybercrime is probably far higher – with many organizations reluctant to disclose. According to the Federation of Small Businesses, around 40% of cybercrime against small businesses goes unreported.4 Two of the most active cybercrime actors and contractors are China and Russia. China operates a massive intelligence organization to carry out systematic global cyber espionage against commercial, government, industrial, and military targets. This cyber army gathers information to assist Beijing in gaining competitive advantage. The Chinese are following a 15-year (2006-2020) information and communications development strategy. The aim of this strategy is to compete globally in the world of information technology, to support energy policy and sustained economic growth, and to ensure Chinese national security. China has been implicated in some of the most notable attacks such as that sustained by Google’s Gmail system in June 2011, for instance, which saw hundreds of personal email accounts of US officials, military personnel, and journalists compromised, allegedly by Chinese hackers located in the Jinan province. In 2010 Dongfan Chung – an engineer with Rockwell and Boeing who had worked on the space shuttle and other projects – was sentenced to 15 years in prison for espionage on behalf of the Chinese aviation industry. On arrest 250,000 pages of sensitive information were discovered in his home, collated between 1979 and 2006, enough to fill several filing cabinets. The digital equivalent of the mini paper mountain would be less than 500MB and fit comfortably on a CD or USB flash drive (either of which would be a lot easier to conceal or copy). Russia has also seen unprecedented growth in the level of cybercrime and cybercrime-to-cybercrime cooperation (CY2CY) in recent years. Highly organized and extremely lucrative, the Russian cybercrime industry follows classic marketing laws of pricing, monopolies, and competition. There are two distinct types of Russian cybercriminal: private individuals and organizations motivated purely by financial gain, and state-sponsored groups that work in cooperation with Russian agencies to achieve political ends. Cooperation creates complexity During 2011 increasing cooperation between different state and non-state actors was identified. Parties are repurposing 3 Office of Cyber Security and Information Assurance in the Cabinet Office, “The Cost of Cyber Crime” (February 2011) https://update.cabinetoffice.gov.uk/resourcelibrary/cost-of-cyber-crime. 4 http://www.bbc.co.uk/news/business-12496513. ISSA Journal | March 2012 attack code for sale to other criminals, maximizing the return on R&D investment. These elements are working together to leverage existing infections and selling combined compromised hosts to completely separate groups, sometimes in different countries and with entirely different objectives to the original authors of the separate pieces of malware. Cooperation is not only about maximizing returns; it also makes it more difficult to deconstruct a multi-code infection with several command and control servers often in different parts of the world to understand the location, motive, and true intent of the attacker. It is easy to make incorrect assumptions based on identifying one piece of malware and to miss the second infection, and combined result, altogether. Cooperation between groups will only increase, reducing the time to carry out an attack and resulting in an increase in the sophistication of malicious code. Attack Initial advanced persistent threat (APT) attacks aim to establish a “beachhead” using common infection vectors including links, email attachments, removable media, malicious websites, and social networking applications. APTs are “advanced” in primarily two ways: the level of knowledge the actor has of the target coupled with effective spear-phishing emails appearing to come from a trusted contact, often using open- source intelligence to enable social engineering. And secondly, the use of zero-day attacks which exploit vulnerabilities that the original software developer is unaware of. APTs are multi-layered and designed to take place over long periods of time with the intent to remain undetected and to move “low and slow,” gathering intelligence or sensitive information. The groups behind APTs are well staffed and funded and are often linked to nation-states. One of the first examples was Operation Aurora, reported in January 2010, which saw coordinated attacks against 34 companies in the technology, finance, and defense sectors in an attempt to gain source code from targets that included Google and Adobe. The sophistication of the attack used unprecedented tactics that combined encryption, stealth programming, and an unknown hole in Internet Explorer. Evasion APTs tend to use advanced evasion techniques (AET), new forms of delivery which are designed to evade detection. AET enables the targeted malware to slip past traditional security systems such as firewalls, antivirus, and intrusion prevention systems, sidestepping these point solutions to deliver the APT payload. This typically takes the form of a tiered infection where several methods of communication back to command and control (C&C) servers are established. The simplest will be enabled first with the more sophisticated mechanisms remaining dormant. This increases the persistence of the threat – the more difficult to detect infections are only activated after the removal of the initial infection. Systems that ©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved. 13 The Cyber Space Race | Richard Walters are believed to be clean from one infection can remain compromised. In March 2009 the GhostNet cyber espionage network was discovered with over 1,295 infected systems across 103 countries. GhostNet began capturing data in May 2007. The average infection by this APT was 145 days, with the longest active compromise 660 days. In October 2010 hackers were found to have infiltrated Nasdaq’s web-based Directors Desk application, used by corporate executives to share documents and communicate. The malware was present for more than a year before it was discovered. The trend over the last two years suggests that as much as 76% of targeted malware is already using PDF-based attacks More recently, in August 2011 Operation Shady Rat discovered a single state actor was responsible for a sustained cyber attack over five years against more than 70 targets including corporations, various governments agencies and departments, and the United Nations. One of the targets had been infected for 28 months. Despite using a tool called HTran to mask the location of the attack, the main C&C server hubs were tracked back to Shanghai and Beijing through an error in the way HTran had been implemented. APT attack vectors Portable Document Format - PDF The file type of choice for targeted malware distribution is Adobe PDF. According to Symantec, in 2010 65% of targeted attacks were embedded inside innocent looking PDFs, compared with 52.6% in 2009.5 While the analysis for 2011 is yet to be published, the trend over the last two years suggests that as much as 76% of targeted malware is already using PDFbased attacks. PDF documents can contain scripts – a feature that is both useful and dangerous. JavaScript can be embedded within a PDF document that loads when the document is opened. It is also possible to include attachments within PDF files, similar to attachments to email. The recent Night Dragon attacks used infected PDF files attached to spear-phishing emails as the initial infection vector. Originating from China, Night Dragon exfiltrated data from the computer systems of global oil, energy, and petrochemical companies with the intent of capturing information on competitive operations and financial details of bids. Similarly, in April 2010 the ZeuS banking trojan began using the PDF Launch feature to infect systems. More recently, in November 2011, at least 48 chemical and defense companies were infected with malicious software known as PoisonIvy, which was used to steal design documents, formulas, and manufac5 Symantec.Cloud MessageLabs Intelligence “Intelligence Report: Bredolab, Zeus and SpyEye stage synchronized, integrated attacks; Targeted attacks favor PDF files” (February 2011). 14 ISSA Journal | March 2012 turing details. Symantec discovered the attack, dubbed Nitro, and said the victims comprised multiple Fortune 100 corporations whose chief business was the development of compounds and advanced materials for use in military vehicles. Spear-phishing emails have also emerged with PDF attachments. The PDF attachment itself had an executable attachment embedded within it, renamed with a .PDF extension. On opening the PDF the JavaScript exportDataObject function saved a copy of the attachment to the user’s PC. In Adobe Reader a confusing dialog box displayed the message “Specify a file to extract to” while users of other PDF readers received no message at all – the attachment was saved without their knowledge. The Launch action was then run and used to execute cmd.exe with a command line to execute. If this was successful, then ZeuS was installed. Another Launch exploit redirected users to a website that could contain malware. Office suite Other frequently used file types include Microsoft Office – most commonly Word and Excel files – and text, executable, and image files. The RSA hack in March 2011, where attackers succeeded in stealing information related to the SecurID twofactor authentication products, used a spear-phishing email with an Excel spreadsheet attachment. When users clicked on the file, an Excel spreadsheet opened, which was completely blank except for an X in the first box of the spreadsheet. The X was the only visible indication that there was an embedded Flash exploit in the spreadsheet. When the spreadsheet opened, Excel triggered the Flash exploit, which dropped a backdoor (PoisonIvy) onto the system. Images The most common image file types used to distribute malware are BMP, GIF, and JPG. Information is hidden in image files using a technique known as steganography.6 Steganography can also be used to hide information in other file types – including video and audio files. The data to be hidden – the message (which can be literally anything) – is embedded within an innocent looking picture such as a cover image. The colors, or shades of grey, in the resulting stego-image are modified slightly from the original, but the changes are imperceptible to the human eye. It is possible to hide 294,912 bytes of information in a single 1024x768 resolution 24-bit image file using a simple technique known as least significant bit insertion. Operation Shady Rat used stego-images, including a rural waterside scene, to conceal command and control instructions. Steganographic techniques are highly effective at bypassing traditional anti-malware controls. Social networks Social networking sites and other cloud-based services are being increasingly used to distribute malware. In 2010 the 6 Neil F. Johnson and Sushil Jajodia, “Exploring Steganography: Seeing the Unseen”, Center for Secure Information Systems, Dept of Information and Software Systems Engineering, George Mason University, Fairfax, VA, (1998) ©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved. The Cyber Space Race | Richard Walters ZeuS banking trojan, for example, began spreading through Facebook friend requests. When a user clicked the link within a notification to accept a friend request, a page opened asking the user to download software alleged to be the latest version of Adobe Flash but which was the Trojan code. Social networking sites have also been used as a channel between malware and remote command and control servers. CONNECT LEARN ADVANCE ISSA Journal | March 2012 Dealing with the threat Firewalls, AV, and IDS/IPS are inadequate in countering these threats. Issues are moving up the stack, away from the network and protocol layers, increasingly exploiting applicationspecific vulnerabilities in the Adobe PDF format, Microsoft products, web applications, and increasingly, mobile apps. Traditional security solutions tend to focus on the analysis of inbound network traffic, particularly over email and HTTP. Advanced malware exposes the limitations in current signature-based AV tools that search files for strings of characters known to exist within malicious code. Highly targeted malware exploiting zeroday vulnerabilities may never appear in the wild in sufficient numbers to reach AV vendors labs. Even when there is a signature, malware authors rapidly modify products to bypass simple character-based detection. It is now equally important to analyze outbound traffic for C&C server “back-chat.” It is now equally important to analyze outbound traffic for C&C server “back-chat.” Defense: Evolution not revolution The emergence of APTs and other advanced malware represents the latest shift in the threat landscape. In some respects this is history repeating itself. Other information security milestones, such as the introduction of file sharing networks, instant messaging, social networking, and VoIP, did not result in adoption of an entirely new security strategy or model but rather a shift in the layered defenses used to address the threats. Targeted attacks began to emerge in 2008, and once again the defensive response needs to evolve. Enterprises need to adopt signature-less, proactive, real-time technologies and techniques incorporating testing of suspicious content and looking for signs of compromised systems reaching out to C&C servers. New techniques and technologies augment rather than displace traditional defense-in-depth layers. Supporting the Development of Information Security Professionals Worldwide WWW.ISSA.ORG Whitelisting Whitelisting, and application whitelisting, is becoming an increasingly important defensive approach, moving the underlying fundamental principle from allow all to deny all. Any software not explicitly allowed is prevented from installing or launching. This almost logical shift represents a significant advance over reactive detection or blacklisting solutions. The challenge with the approach, however, is maintaining an accurate, up-to-date whitelist of operating system and application-related files. Outgoing traffic analysis Traditional security solutions focus on the analysis of inbound network traffic, typically over email and HTTP. With the new generation of advanced attacks it is equally impor- ©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved. 15 The Cyber Space Race | Richard Walters ISSA Journal | March 2012 tant to analyze outgoing traffic for signs of infected systems, deployed malware beaconing back to C&C servers, as well as exception reporting of unusual or suspicious endpoint activity pointing to compromise. C&C servers are typically external to the organization (although not always), often on a host using Dynamic DNS. A baseline of normal network activity should be created across protocols, applications, and user activity. Any exceptions to the baseline should be highlighted and analyzed. Solutions are emerging that are specifically designed to analyze egress traffic, looking for signs of infection. These can be agent-based (monitoring activity on and traffic leaving the endpoint), appliance-based (looking at outbound traffic before it leaves the gateway or bounces off the inside of the firewall), or SaaS-based (analyzing traffic that has left the network using sinkhole and related technology). Integrated within a defense-in-depth approach, these tools can replace costly manual or complex event correlation processes to identify the presence of malware within minutes. Safe detonation – sandboxes Gateway products, including some firewalls and web-security solutions, now include the ability to safely detonate (execute) files within a sandbox environment, a specialized type of virtual machine with limited resources and network access. The sandbox is designed to execute files from untrusted thirdparties or websites to analyze the real intent of the code. Attempts to modify registry settings, make configuration changes, or replace or install additional files are all indicative of something potentially malicious. Cloud-based malware sandboxes are increasingly being introduced by vendors, including those offering SaaS-delivered outbound-traffic analysis. Sandbox features have also been added to applications including Google Chrome and Adobe’s PDF Reader. The malware author’s response has been to include checks to determine if the malicious code is running in a virtual machine and if so, to not execute but lie and wait. Security education and awareness Malware exploits technical vulnerabilities in software, human vulnerabilities, or both. The use of spear-phishing to Book Review Schneier on Trust – Society Cannot Function Without It By Joel Weise – ISSA Distinguished Fellow, Vancouver, Canada Chapter T rust me when I say the new Bruce Schneier book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, is an interesting read. Bruce has definitely moved from his position as one our pre-eminent cryptographers to philosopher general, thus preserving his place in history as one of those rare individuals who not only understands the technology we all use on a daily basis, but the impact it has on us both individually and collectively as humans who interact and presumably, to one degree or another, trust each another. This is a crucial manuscript for anyone who is the least bit interested in the impact of technology on the human species. My first question of course is, should I trust his hypothesis? As a security architect and practitioner, I was expecting more practical guidance on how to implement a defined trust model into an IT environment; but this is not a book on technology. Nonetheless, I found this to be a great book on one of my favorite topics: Trust. How to 16 establish trust and what does it mean to have trust. This is much more complex than many of us realize. How exactly do we ensure that we have the correct trust model implemented and it is fit for purpose? The book provides an extensive discussion on trust and will certainly make readers realize that this is a topic they best not dismiss. The book spends considerable time on how societal, moral and other pressures affect how trust relationships are confirmed and maintained. In fact, these pressures are at the core of trust and well worth reading if for no other reason than they provide a human side to what many today think of only in terms of IT systems, PKI, key management, and other areas where trust is a fixture. Just as interesting is how the notion of risk trade-offs are made. What happens when there is insufficient societal pressures on stealing or avoiding taxes? Then translate that into security systems. If I do not trust my customers and add extra security measures, how will that affect my business? [Why does Costco really have to see your receipt when you exit the store? For inventory management? Seriously, their cash registers do that. They don't fully trust their customers and are creating a disincentive for stealing.] The book ends with the simple notion that, “society can't function without trust, and our complex, interconnected, and global society needs a lot of it.” After reading this book I am sure you will agree. About the Author Joel Weise, ISSA Distinguished Fellow and chairman of the ISSA Journal Editorial Advisory Board, has been working in the field of information security for over 30 years on subjects ranging from cryptography and operating system controls to security and public policies. He may be reached at jmweise@gmail.com. ©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved. The Cyber Space Race | Richard Walters trick users into opening or installing files containing malicious software can only be partially addressed with technical defenses (including hardened endpoint builds and endpointprotection software). Security education and awareness programs are critical to improving user understanding of the techniques used by modern malware and the risk associated with opening files attached to untrusted, unexpected or unusual emails. Users must learn to carefully check URLs and links contained within email messages or on social networking sites. Prevention is better than infection Yet this is largely a reactive approach, looking for signs of suspicious activity post-infection. Even when an infection is identified, recovery is not straightforward. If an APT is present, the compromised system should be isolated and monitored in order to understand the exact nature of the code. APTs may consist of multiple infections, one active, and the rest dormant. Once a full analysis has been completed a “bare metal install” is likely to be the appropriate response alongside an investigation of other potentially affected hosts. This structured incident response requires significant resources, making preventing infection far more preferable. One approach is to inspect the files used to spread malware at the point of ingress but with a technique that does not rely upon the reactive signatures used by AV. By deconstructing and analyzing files at the byte level, inspecting content for anything that should not be present, files can be validated against manufacturer’s specifications. A new file containing only known good data – without malicious code, metadata, and hidden data – can be generated at the gateway or on the server or endpoint. This approach, which does not rely on signatures, means that there is no such thing as a false positive. One method provides an analysis capability that is already being integrated into other content security and auditing solutions. Alternatively, there is always the option to fight fire with fire, which is exactly what the Japanese government is reputed to be doing. Reports suggest Fujitsu7 is developing a computer virus as an electronic weapon capable of determining the source of a cyber attack and neutralizing it. The virus works by monitoring attacks, identifying the source, and closing it down to prevent further attempts. However, to date the project has taken three years and cost $2.3 million, which begs the question whether it will be able to keep pace with APT innovation. Mobile malware is growing exponentially The threat spectrum is constantly evolving and attackers are increasingly focusing on other targets such as mobile devices and operating systems. Malware infected applications appear 7 Hana Stewart-Smith, ZD Net, “Japan develops virus to counter cyber attacks: but can it be used?” (January 2012) – http://www.zdnet.com/blog/asia/japandevelops-virus-to-counter-cyber-attacks-but-can-it-be-used/635. ISSA Journal | March 2012 on the official Android Market regularly with over 100 removed to date. Android.Counterclank, identified in 13 apps (on January 31 2012), is capable of harvesting user data, adding bookmarks to the web browser, and randomly placing a new search icon on the home screen that displays a page similar to Google when opened. In September 2011 the developers of the SpyEye banking Trojan released associated malware for Android-based devices. People already infected with the desktop version of SpyEye were told they must install security software to use their Android phones with a bank’s online services. Once in place the Trojan intercepted all SMS text messages sent to the phone. SpyEye was upgraded to overcome the introduction of one-time pass codes sent by text to customer’s mobile phones by banks to stop password-logging software. There is always the option to fight fire with fire, which is exactly what the Japanese government is reputed to be doing. Mobile threats are evolving as rapidly as the technology. In the short term near field communications (NFC) features will provide a new attack surface; another contender is Wi-Fi Direct, which enables mobile phones, cameras, printers, PCs, and gaming devices to connect to each other to transfer content and share applications. Devices make a one-to-one connection, or a group of several devices can connect simultaneously, without joining a traditional home, office, or hotspot network. In conclusion APTs and cyber attacks are now an integrated part of the normal social, economic, political, defense, and security landscape. Traditional technical controls have a limited part to play in defending against highly targeted, sophisticated malware if used in the traditional way. Organizations need to be aware of exactly how complex the products of statesponsored software factories are becoming. Right now we are being consistently out-manoeuvred and losing, albeit to formidable adversaries. APTs and other advanced malware do not require the adoption of an entirely new security strategy or model, but rather a shift in the layered defenses used to address the threats. Existing elements of operational security and technical defenses should be combined in new ways and supplemented with emerging technologies and techniques About the Author Richard Walters has a unique and thorough understanding of risk management, standards, regulations and legislation such as ISO/IEC 27001/2, PCI DSS, and the DPA, and has spent many years consulting with FTSE100 companies. He can be contacted at richard.walters@invictis.com. ©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved. 17