he Cyber pace Race

Transcription

he Cyber pace Race
ISSA
DEVELOPING AND CONNECTING
CYBERSECURITY LEADERS GLOBALLY
ISSA Journal | March 2012
The
Cyber
Space Race
By Richard Walters
This article looks at the rise of advanced persistent threats and advanced evasive techniques, exploring how outbound traffic analysis, ingress-based analysis, and other forms of
mitigation may be used to counter these offenses.
Abstract
Cyber attacks are becoming increasingly sophisticated as
nation-states seek to make up ground economically. This article looks at the rise of Advanced Persistent Threats and Advanced Evasive Techniques, exploring how outbound traffic
analysis, ingress-based analysis, and other forms of mitigation may be used to counter these offenses.
C
yber threats have evolved significantly over the past
few years with attacks becoming increasingly targeted against individuals or specific companies.
Extremely well funded and technically advanced “software
factories” belonging to organized criminals and nation-states
are producing complex, highly developed code that can be
distributed over multiple vectors and quietly hidden in email
attachments and websites. Often intricately coded, these can
only have been designed by an organized structure such as
nation-state governments, criminal gangs, or enterprises –
although these are not mutually exclusive; governments may
well use criminal organizations to carry out cyber espionage
attacks, enabling them to exercise plausible deniability.
Specialists for every element in the cybercrime “supply chain”
are now established – from exploit research, to malware de-
12
velopment, to distribution, to data harvesting. As criminals
specialize so the sophistication and speed of release of new
threats increases, the chance of being caught diminishes. International criminal groups are becoming more technically
sophisticated and are operating online where the potential
rewards are greater and the chance of detection lower. Cybercrime has become a global and highly lucrative business.
Studies by the Ponemon Institute1 and Symantec2 claim that
cybercrime costs US businesses alone between $96 and $114
billion annually.
Costs of cybercrime
Ready-made packages are available for sale on malware exchange websites. The cost of cybercrime is increasing every
year making it a highly lucrative business. The cost of entry
to cybercrime fell in May 2011 with both the source code for
ZeuS and the Blackhole exploit kit appearing within several
days (the latest version of ZeuS still sells for around $5,000).
The ZeuS Trojan cost US banks an estimated $250 million
in 2010 with a single Ukraine-based cybercrime ring alone
responsible for stealing $70 million from US banks and £6
million from UK accounts.
1 Ponemon Institute, “Second Annual Cost of Cyber Crime Study” (August 2011)
2 Symantec, “The Norton Cyber Crime Report 2011” (September 2011)
©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved.
The Cyber Space Race | Richard Walters
According to a study by Britain’s Office of Cyber Security and
Information Assurance,3 the total annual cost to the British
economy alone is £27 billion - made up of £21bn of costs to
businesses, £2.2bn to government, and £3.1bn to citizens.
The total cost to businesses is broken down into intellectual
property theft (£9.2bn), industrial espionage (£7.6bn), extortion (£2.2bn), and direct online theft (£1.3bn). The remainder (£0.7bn) was lost through theft of customer data. The
true cost of cybercrime is probably far higher – with many
organizations reluctant to disclose. According to the Federation of Small Businesses, around 40% of cybercrime against
small businesses goes unreported.4
Two of the most active cybercrime actors and contractors
are China and Russia. China operates a massive intelligence
organization to carry out systematic global cyber espionage
against commercial, government, industrial, and military
targets. This cyber army gathers information to assist Beijing
in gaining competitive advantage. The Chinese are following a 15-year (2006-2020) information and communications
development strategy. The aim of this strategy is to compete
globally in the world of information technology, to support
energy policy and sustained economic growth, and to ensure
Chinese national security.
China has been implicated in some of the most notable attacks such as that sustained by Google’s Gmail system in June
2011, for instance, which saw hundreds of personal email
accounts of US officials, military personnel, and journalists
compromised, allegedly by Chinese hackers located in the Jinan province. In 2010 Dongfan Chung – an engineer with
Rockwell and Boeing who had worked on the space shuttle
and other projects – was sentenced to 15 years in prison for
espionage on behalf of the Chinese aviation industry. On arrest 250,000 pages of sensitive information were discovered in
his home, collated between 1979 and 2006, enough to fill several filing cabinets. The digital equivalent of the mini paper
mountain would be less than 500MB and fit comfortably on
a CD or USB flash drive (either of which would be a lot easier
to conceal or copy).
Russia has also seen unprecedented growth in the level of
cybercrime and cybercrime-to-cybercrime cooperation
(CY2CY) in recent years. Highly organized and extremely lucrative, the Russian cybercrime industry follows classic marketing laws of pricing, monopolies, and competition. There
are two distinct types of Russian cybercriminal: private individuals and organizations motivated purely by financial gain,
and state-sponsored groups that work in cooperation with
Russian agencies to achieve political ends.
Cooperation creates complexity
During 2011 increasing cooperation between different state
and non-state actors was identified. Parties are repurposing
3 Office of Cyber Security and Information Assurance in the Cabinet Office, “The Cost
of Cyber Crime” (February 2011) https://update.cabinetoffice.gov.uk/resourcelibrary/cost-of-cyber-crime.
4 http://www.bbc.co.uk/news/business-12496513.
ISSA Journal | March 2012
attack code for sale to other criminals, maximizing the return
on R&D investment. These elements are working together to
leverage existing infections and selling combined compromised hosts to completely separate groups, sometimes in different countries and with entirely different objectives to the
original authors of the separate pieces of malware.
Cooperation is not only about maximizing returns; it also
makes it more difficult to deconstruct a multi-code infection
with several command and control servers often in different
parts of the world to understand the location, motive, and
true intent of the attacker. It is easy to make incorrect assumptions based on identifying one piece of malware and to
miss the second infection, and combined result, altogether.
Cooperation between groups will only increase, reducing the
time to carry out an attack and resulting in an increase in the
sophistication of malicious code.
Attack
Initial advanced persistent threat (APT) attacks aim to establish a “beachhead” using common infection vectors including links, email attachments, removable media, malicious
websites, and social networking applications. APTs are “advanced” in primarily two ways: the level of knowledge the
actor has of the target coupled with effective spear-phishing
emails appearing to come from a trusted contact, often using
open- source intelligence to enable social engineering. And
secondly, the use of zero-day attacks which exploit vulnerabilities that the original software developer is unaware of.
APTs are multi-layered and designed to take place over long
periods of time with the intent to remain undetected and
to move “low and slow,” gathering intelligence or sensitive
information. The groups behind APTs are well staffed and
funded and are often linked to nation-states. One of the first
examples was Operation Aurora, reported in January 2010,
which saw coordinated attacks against 34 companies in the
technology, finance, and defense sectors in an attempt to gain
source code from targets that included Google and Adobe.
The sophistication of the attack used unprecedented tactics
that combined encryption, stealth programming, and an unknown hole in Internet Explorer.
Evasion
APTs tend to use advanced evasion techniques (AET), new
forms of delivery which are designed to evade detection. AET
enables the targeted malware to slip past traditional security
systems such as firewalls, antivirus, and intrusion prevention
systems, sidestepping these point solutions to deliver the APT
payload. This typically takes the form of a tiered infection
where several methods of communication back to command
and control (C&C) servers are established. The simplest will
be enabled first with the more sophisticated mechanisms
remaining dormant. This increases the persistence of the
threat – the more difficult to detect infections are only activated after the removal of the initial infection. Systems that
©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved.
13
The Cyber Space Race | Richard Walters
are believed to be clean from one infection can remain compromised.
In March 2009 the GhostNet cyber espionage network was
discovered with over 1,295 infected systems across 103 countries. GhostNet began capturing data in May 2007. The average infection by this APT was 145 days, with the longest
active compromise 660 days.
In October 2010 hackers were
found to have infiltrated Nasdaq’s web-based Directors Desk
application, used by corporate
executives to share documents
and communicate. The malware was present for more than
a year before it was discovered.
The trend over
the last two years
suggests that as
much as 76% of
targeted malware
is already using
PDF-based attacks
More recently, in August 2011
Operation Shady Rat discovered
a single state actor was responsible for a sustained cyber attack over five years against more
than 70 targets including corporations, various governments
agencies and departments, and the United Nations. One of
the targets had been infected for 28 months. Despite using a
tool called HTran to mask the location of the attack, the main
C&C server hubs were tracked back to Shanghai and Beijing
through an error in the way HTran had been implemented.
APT attack vectors
Portable Document Format - PDF
The file type of choice for targeted malware distribution is
Adobe PDF. According to Symantec, in 2010 65% of targeted
attacks were embedded inside innocent looking PDFs, compared with 52.6% in 2009.5 While the analysis for 2011 is yet
to be published, the trend over the last two years suggests that
as much as 76% of targeted malware is already using PDFbased attacks. PDF documents can contain scripts – a feature
that is both useful and dangerous. JavaScript can be embedded within a PDF document that loads when the document is
opened. It is also possible to include attachments within PDF
files, similar to attachments to email.
The recent Night Dragon attacks used infected PDF files attached to spear-phishing emails as the initial infection vector.
Originating from China, Night Dragon exfiltrated data from
the computer systems of global oil, energy, and petrochemical companies with the intent of capturing information on
competitive operations and financial details of bids. Similarly, in April 2010 the ZeuS banking trojan began using the PDF
Launch feature to infect systems. More recently, in November 2011, at least 48 chemical and defense companies were
infected with malicious software known as PoisonIvy, which
was used to steal design documents, formulas, and manufac5 Symantec.Cloud MessageLabs Intelligence “Intelligence Report: Bredolab, Zeus and
SpyEye stage synchronized, integrated attacks; Targeted attacks favor PDF files”
(February 2011).
14
ISSA Journal | March 2012
turing details. Symantec discovered the attack, dubbed Nitro,
and said the victims comprised multiple Fortune 100 corporations whose chief business was the development of compounds and advanced materials for use in military vehicles.
Spear-phishing emails have also emerged with PDF attachments. The PDF attachment itself had an executable attachment embedded within it, renamed with a .PDF extension.
On opening the PDF the JavaScript exportDataObject function saved a copy of the attachment to the user’s PC. In Adobe
Reader a confusing dialog box displayed the message “Specify
a file to extract to” while users of other PDF readers received
no message at all – the attachment was saved without their
knowledge. The Launch action was then run and used to execute cmd.exe with a command line to execute. If this was
successful, then ZeuS was installed. Another Launch exploit
redirected users to a website that could contain malware.
Office suite
Other frequently used file types include Microsoft Office –
most commonly Word and Excel files – and text, executable,
and image files. The RSA hack in March 2011, where attackers
succeeded in stealing information related to the SecurID twofactor authentication products, used a spear-phishing email
with an Excel spreadsheet attachment. When users clicked on
the file, an Excel spreadsheet opened, which was completely
blank except for an X in the first box of the spreadsheet. The
X was the only visible indication that there was an embedded Flash exploit in the spreadsheet. When the spreadsheet
opened, Excel triggered the Flash exploit, which dropped a
backdoor (PoisonIvy) onto the system.
Images
The most common image file types used to distribute malware are BMP, GIF, and JPG. Information is hidden in image
files using a technique known as steganography.6 Steganography can also be used to hide information in other file types
– including video and audio files. The data to be hidden –
the message (which can be literally anything) – is embedded
within an innocent looking picture such as a cover image.
The colors, or shades of grey, in the resulting stego-image are
modified slightly from the original, but the changes are imperceptible to the human eye. It is possible to hide 294,912
bytes of information in a single 1024x768 resolution 24-bit
image file using a simple technique known as least significant bit insertion. Operation Shady Rat used stego-images,
including a rural waterside scene, to conceal command and
control instructions. Steganographic techniques are highly
effective at bypassing traditional anti-malware controls.
Social networks
Social networking sites and other cloud-based services are
being increasingly used to distribute malware. In 2010 the
6 Neil F. Johnson and Sushil Jajodia, “Exploring Steganography: Seeing the Unseen”,
Center for Secure Information Systems, Dept of Information and Software Systems
Engineering, George Mason University, Fairfax, VA, (1998)
©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved.
The Cyber Space Race | Richard Walters
ZeuS banking trojan, for example, began spreading through
Facebook friend requests. When a user clicked the link within a notification to accept a friend request, a page opened
asking the user to download software alleged to be the latest
version of Adobe Flash but which was the Trojan code. Social
networking sites have also been used as a channel between
malware and remote command and control servers.
CONNECT
LEARN
ADVANCE
ISSA Journal | March 2012
Dealing with the threat
Firewalls, AV, and IDS/IPS are inadequate in countering these
threats. Issues are moving up the stack, away from the network and protocol layers, increasingly exploiting applicationspecific vulnerabilities in the Adobe PDF format, Microsoft
products, web applications, and increasingly, mobile apps.
Traditional security solutions tend
to focus on the analysis of inbound
network traffic, particularly over
email and HTTP. Advanced malware
exposes the limitations in current
signature-based AV tools that search
files for strings of characters known
to exist within malicious code. Highly targeted malware exploiting zeroday vulnerabilities may never appear
in the wild in sufficient numbers to
reach AV vendors labs. Even when
there is a signature, malware authors
rapidly modify products to bypass simple character-based
detection. It is now equally important to analyze outbound
traffic for C&C server “back-chat.”
It is now equally
important
to analyze
outbound traffic
for C&C server
“back-chat.”
Defense: Evolution not revolution
The emergence of APTs and other advanced malware represents the latest shift in the threat landscape. In some respects
this is history repeating itself. Other information security
milestones, such as the introduction of file sharing networks,
instant messaging, social networking, and VoIP, did not result in adoption of an entirely new security strategy or model
but rather a shift in the layered defenses used to address the
threats.
Targeted attacks began to emerge in 2008, and once again the
defensive response needs to evolve. Enterprises need to adopt
signature-less, proactive, real-time technologies and techniques incorporating testing of suspicious content and looking for signs of compromised systems reaching out to C&C
servers. New techniques and technologies augment rather
than displace traditional defense-in-depth layers.
Supporting the Development
of Information Security
Professionals Worldwide
WWW.ISSA.ORG
Whitelisting
Whitelisting, and application whitelisting, is becoming an increasingly important defensive approach, moving the underlying fundamental principle from allow all to deny all. Any
software not explicitly allowed is prevented from installing
or launching. This almost logical shift represents a significant
advance over reactive detection or blacklisting solutions. The
challenge with the approach, however, is maintaining an accurate, up-to-date whitelist of operating system and application-related files.
Outgoing traffic analysis
Traditional security solutions focus on the analysis of inbound network traffic, typically over email and HTTP. With
the new generation of advanced attacks it is equally impor-
©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved.
15
The Cyber Space Race | Richard Walters
ISSA Journal | March 2012
tant to analyze outgoing traffic for signs of infected systems,
deployed malware beaconing back to C&C servers, as well as
exception reporting of unusual or suspicious endpoint activity pointing to compromise. C&C servers are typically external to the organization (although not always), often on a host
using Dynamic DNS. A baseline of normal network activity
should be created across protocols, applications, and user activity. Any exceptions to the baseline should be highlighted
and analyzed.
Solutions are emerging that are specifically designed to analyze egress traffic, looking for signs of infection. These can
be agent-based (monitoring activity on and traffic leaving
the endpoint), appliance-based (looking at outbound traffic before it leaves the gateway or bounces off the inside of
the firewall), or SaaS-based (analyzing traffic that has left the
network using sinkhole and related technology). Integrated
within a defense-in-depth approach, these tools can replace
costly manual or complex event correlation processes to
identify the presence of malware within minutes.
Safe detonation – sandboxes
Gateway products, including some firewalls and web-security
solutions, now include the ability to safely detonate (execute)
files within a sandbox environment, a specialized type of virtual machine with limited resources and network access. The
sandbox is designed to execute files from untrusted thirdparties or websites to analyze the real intent of the code.
Attempts to modify registry settings, make configuration
changes, or replace or install additional files are all indicative
of something potentially malicious.
Cloud-based malware sandboxes are increasingly being introduced by vendors, including those offering SaaS-delivered
outbound-traffic analysis. Sandbox features have also been
added to applications including Google Chrome and Adobe’s
PDF Reader. The malware author’s response has been to include checks to determine if the malicious code is running in
a virtual machine and if so, to not execute but lie and wait.
Security education and awareness
Malware exploits technical vulnerabilities in software, human vulnerabilities, or both. The use of spear-phishing to
Book Review
Schneier on Trust – Society Cannot Function Without It
By Joel Weise – ISSA Distinguished Fellow, Vancouver, Canada Chapter
T
rust me when I say the new
Bruce Schneier book, Liars and
Outliers: Enabling the Trust that
Society Needs to Thrive, is an interesting
read. Bruce has definitely moved from
his position as one our pre-eminent
cryptographers to philosopher general,
thus preserving his place in history as
one of those rare individuals who not
only understands the technology we all
use on a daily basis, but the impact it has
on us both individually and collectively
as humans who interact and presumably, to one degree or another, trust each
another. This is a crucial manuscript for
anyone who is the least bit interested in
the impact of technology on the human
species.
My first question of course is, should I
trust his hypothesis?
As a security architect and practitioner,
I was expecting more practical guidance
on how to implement a defined trust
model into an IT environment; but this
is not a book on technology. Nonetheless, I found this to be a great book on
one of my favorite topics: Trust. How to
16
establish trust and what does it mean to
have trust. This is much more complex
than many of us realize. How exactly do
we ensure that we have the correct trust
model implemented and it is fit for purpose? The book provides an extensive
discussion on trust and will certainly
make readers realize that this is a topic
they best not dismiss.
The book spends considerable time on
how societal, moral and other pressures
affect how trust relationships are confirmed and maintained. In fact, these
pressures are at the core of trust and
well worth reading if for no other reason than they provide a human side to
what many today think of only in terms
of IT systems, PKI, key management,
and other areas where trust is a fixture.
Just as interesting is how the notion of
risk trade-offs are made. What happens when there is insufficient societal
pressures on stealing or avoiding taxes?
Then translate that into security systems. If I do not trust my customers
and add extra security measures, how
will that affect my business? [Why does
Costco really have to
see your receipt when
you exit the store?
For inventory management? Seriously,
their cash registers
do that. They don't
fully trust their customers and are creating a disincentive for stealing.]
The book ends with the simple notion
that, “society can't function without
trust, and our complex, interconnected,
and global society needs a lot of it.” After reading this book I am sure you will
agree.
About the Author
Joel Weise, ISSA Distinguished Fellow and
chairman of the ISSA
Journal Editorial Advisory Board, has been
working in the field of information security for over 30 years on subjects ranging
from cryptography and operating system
controls to security and public policies. He
may be reached at jmweise@gmail.com.
©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved.
The Cyber Space Race | Richard Walters
trick users into opening or installing files containing malicious software can only be partially addressed with technical
defenses (including hardened endpoint builds and endpointprotection software).
Security education and awareness programs are critical to
improving user understanding of the techniques used by
modern malware and the risk associated with opening files
attached to untrusted, unexpected or unusual emails. Users must learn to carefully check URLs and links contained
within email messages or on social networking sites.
Prevention is better than infection
Yet this is largely a reactive approach, looking for signs of
suspicious activity post-infection. Even when an infection is
identified, recovery is not straightforward. If an APT is present, the compromised system should be isolated and monitored in order to understand the exact nature of the code.
APTs may consist of multiple infections, one active, and the
rest dormant. Once a full analysis has been completed a “bare
metal install” is likely to be the appropriate response alongside an investigation of other potentially affected hosts. This
structured incident response requires significant resources,
making preventing infection far more preferable.
One approach is to inspect the files used to spread malware
at the point of ingress but with a technique that does not rely
upon the reactive signatures used by AV. By deconstructing
and analyzing files at the byte level, inspecting content for
anything that should not be present, files can be validated
against manufacturer’s specifications. A new file containing
only known good data – without malicious code, metadata,
and hidden data – can be generated at the gateway or on the
server or endpoint. This approach, which does not rely on signatures, means that there is no such thing as a false positive.
One method provides an analysis capability that is already
being integrated into other content security and auditing solutions.
Alternatively, there is always the option to fight fire with fire,
which is exactly what the Japanese government is reputed to
be doing. Reports suggest Fujitsu7 is developing a computer
virus as an electronic weapon capable of determining the
source of a cyber attack and neutralizing it. The virus works
by monitoring attacks, identifying the source, and closing it
down to prevent further attempts. However, to date the project has taken three years and cost $2.3 million, which begs
the question whether it will be able to keep pace with APT
innovation.
Mobile malware is growing exponentially
The threat spectrum is constantly evolving and attackers are
increasingly focusing on other targets such as mobile devices
and operating systems. Malware infected applications appear
7 Hana Stewart-Smith, ZD Net, “Japan develops virus to counter cyber attacks:
but can it be used?” (January 2012) – http://www.zdnet.com/blog/asia/japandevelops-virus-to-counter-cyber-attacks-but-can-it-be-used/635.
ISSA Journal | March 2012
on the official Android Market regularly with over 100 removed to date. Android.Counterclank, identified in 13 apps
(on January 31 2012), is capable of harvesting user data, adding bookmarks to the web browser, and randomly placing
a new search icon on the home screen that displays a page
similar to Google when opened. In
September 2011 the developers of the
SpyEye banking Trojan released associated malware for Android-based
devices. People already infected with
the desktop version of SpyEye were
told they must install security software to use their Android phones
with a bank’s online services. Once
in place the Trojan intercepted all
SMS text messages sent to the phone.
SpyEye was upgraded to overcome
the introduction of one-time pass
codes sent by text to customer’s mobile phones by banks to stop password-logging software.
There is always
the option to
fight fire with
fire, which is
exactly what
the Japanese
government is
reputed to be
doing.
Mobile threats are evolving as rapidly
as the technology. In the short term
near field communications (NFC) features will provide a
new attack surface; another contender is Wi-Fi Direct, which
enables mobile phones, cameras, printers, PCs, and gaming
devices to connect to each other to transfer content and share
applications. Devices make a one-to-one connection, or a
group of several devices can connect simultaneously, without
joining a traditional home, office, or hotspot network.
In conclusion
APTs and cyber attacks are now an integrated part of the
normal social, economic, political, defense, and security
landscape. Traditional technical controls have a limited part
to play in defending against highly targeted, sophisticated
malware if used in the traditional way. Organizations need
to be aware of exactly how complex the products of statesponsored software factories are becoming. Right now we are
being consistently out-manoeuvred and losing, albeit to formidable adversaries.
APTs and other advanced malware do not require the adoption of an entirely new security strategy or model, but rather
a shift in the layered defenses used to address the threats. Existing elements of operational security and technical defenses
should be combined in new ways and
supplemented with emerging technologies and techniques
About the Author
Richard Walters has a unique and thorough understanding of risk management,
standards, regulations and legislation such
as ISO/IEC 27001/2, PCI DSS, and the
DPA, and has spent many years consulting with FTSE100 companies. He can be contacted at richard.walters@invictis.com.
©2012 Information Systems Security Association, Inc. (ISSA) • www.issa.org • editor@issa.org • All rights reserved.
17