FEATURE

Computer Fraud & Security, September 2013, pp. 14-18

Global threats, cyber-security nightmares and how to protect against them

Rafe Pilling, Dell SecureWorks

While the global economic slowdown has been putting pressure on IT budgets, security is expected to remain a priority: according to Gartner, investment in security is expected to reach $86bn by 2016 [1]. The Internet age has fostered many opportunities for cyber-criminals to attack organisations, and while the motivation behind these attacks and the way they are executed vary, businesses simply cannot afford to ignore the risks they present.

The latest research from the Dell SecureWorks Counter Threat Unit (CTU), published in April 2013, looked at the conditions that created the threat scenarios of 2012. This article summarises those findings and provides recommendations on how these threats can be avoided in future.

Although the scope of potential threat scenarios remained intrinsically broad in 2012, we saw notable trends in software vulnerabilities, global-scale threats, Advanced Persistent Threats (APTs), Distributed Denial of Service (DDoS) attacks and mobile threats. The CTU team documented 7,696 new software vulnerabilities last year, a 6% rise on 2011. So, what were the notable changes?

Global threats

During 2012, we continued to observe large-scale global deployment of malware through the specific targeting of end-user systems. Email and web browsing continued to be the primary threat vectors, exploited by cyber-criminals using diverse and automated means of deploying malware widely.

Cutwail is one of the largest and most notorious botnets. It is used to send spam email that impersonates well-known online retailers, mobile phone companies, social networking sites and financial institutions. One of the reasons for its popularity is the ease of access to Cutwail's spam-as-a-service infrastructure: cyber-criminals can rent access easily and at low cost. In addition, we are increasingly seeing the Pushdo trojan deployed via Cutwail with the help of Blackhole, an exploit kit offering pre-packaged ways to attack known software vulnerabilities.

In 2012 we saw that Cutwail and Pushdo used certain techniques and technologies to sustain large malware deployment infrastructures. Pushdo is one of the most popular malware downloaders, and its latest variant has between 175,000 and 500,000 active bots on any given day. The security industry has tried to shut down the Pushdo/Cutwail botnet four times during the past five years, but those efforts only resulted in temporary disruptions.

The malware uses a domain generation algorithm (DGA): it generates more than 1,000 unique, unregistered domain names every day. Since the attackers know how the algorithm works, they can register one of those domains in advance and wait for the bots to connect in order to deliver new instructions. This technique makes it hard for security researchers to shut down the botnet's command and control (C&C) servers, or for security products to block its traffic by domain or IP address, because the names the bots will try tomorrow do not yet exist in any blocklist. In summary, the Pushdo trojan remains a prominent threat that continues to blend its C&C traffic into ordinary network activity and is resilient to co-ordinated takedown efforts.

Figure 1: Malware interrelationships in the Cutwail botnet ecosystem. Source: Dell SecureWorks.
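The domain-generation behaviour described in the Pushdo paragraph above is why blocklists lag the botnet, but it also leaves a footprint: a bot walking through its candidate names receives a burst of NXDOMAIN answers for names that nobody else ever asks about. The following Python script is an added example, not code from the article or from Dell SecureWorks, and it does not implement Pushdo's algorithm (which the article does not reproduce). It flags any client that receives NXDOMAIN for many distinct names inside a short window, running over a constructed resolver log whose line format (time, client, name, rcode) is an assumption for the example:

```python
import math
import random
import string
from collections import Counter, defaultdict
from datetime import datetime, timedelta


# Log format is an assumption for this example: "<ISO-8601 time> <client IP> <qname> <rcode>",
# one line per resolver answer. Adapt parse_line() to your resolver's real query log.
def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def second_level_label(name):
    """'qkxzvtrp.net' -> 'qkxzvtrp'. Naive: ignores multi-part public suffixes such as co.uk."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_entropy(label):
    """Shannon entropy (bits per character) of a label; machine-generated names tend to score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def nxdomain_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients that receive NXDOMAIN for >= threshold *distinct* names inside any window.

    Counting distinct names (not raw NXDOMAIN answers) keeps a host that retries one dead
    name forever from looking like a bot walking a list of generated candidates.
    """
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            events[client].append((ts, qname))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        in_window = Counter()
        start = 0
        best, best_names = 0, set()
        for ts, name in evs:
            in_window[name] += 1
            while ts - evs[start][0] > window:          # slide the left edge forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > best:
                best, best_names = len(in_window), set(in_window)
        if best >= threshold:
            labels = [second_level_label(n) for n in best_names]
            flagged[client] = {
                "distinct_nxdomain": best,
                "mean_label_entropy": round(sum(map(label_entropy, labels)) / len(labels), 2),
                "sample": sorted(best_names)[:5],
            }
    return flagged


def build_sample_log():
    """Constructed log lines (not real Pushdo traffic): one benign typo, one misconfigured
    host retrying a dead name, and one host walking a list of random-looking names."""
    t0 = datetime(2013, 4, 2, 9, 0, 0)
    rows = [(t0, "10.0.0.5", "www.example.com", "NOERROR"),
            (t0 + timedelta(seconds=5), "10.0.0.5", "exmaple.com", "NXDOMAIN")]
    for i in range(30):   # same missing name every 2 s: noisy, but not a DGA
        rows.append((t0 + timedelta(seconds=2 * i), "10.0.0.7", "old-proxy.corp.example", "NXDOMAIN"))
    rng = random.Random(2013)   # seeded so the example is reproducible
    for i in range(15):   # a fresh 10-letter name every 3 s, none of them registered
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(10))
        rows.append((t0 + timedelta(seconds=3 * i), "10.0.0.9", label + ".net", "NXDOMAIN"))
    return [f"{ts.isoformat()} {c} {q} {r}" for ts, c, q, r in rows]


if __name__ == "__main__":
    for client, info in nxdomain_bursts(build_sample_log()).items():
        print(client, info)
```

The thresholds are starting points, not tuned values: browsers that probe for captive portals and hosts with a broken DNS search suffix also produce NXDOMAIN runs, so review the sample names before acting, and treat the first name in a burst that suddenly resolves (the one the operator registered) as the indicator worth blocking.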


DDoS attacks

Distributed Denial of Service (DDoS) attacks tend to target shared, finite and consumable network resources. Historically, attacks have been driven by political and financial motivations. To give an example, in 2012 we saw fraudulent attempts in the financial sector where losses ranged from $180,000 to $2.1m. Our research into patterns of activity in 2012 showed that short-lived DDoS attacks coincided with unauthorised wire transfers, while longer attacks (lasting several hours or even days) coincided with fraudulent Automated Clearing House (ACH) transfers: the attack acts as a smokescreen, occupying operations and security staff while the transfer goes through. The fraud attempts were non-trivial and were usually in the six-figure range, although some reached millions of dollars. The majority of transfers were being made to banks located in Russia, Cyprus and China. The practical lesson is that a DDoS against a financial institution should be treated as a possible fraud indicator as well as an availability incident, and should trigger a review of payments in flight.
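If a DDoS can be cover for a fraudulent transfer, the payments queue is where to look while the attack is running. The following Python is an added example, not code from the article or from Dell SecureWorks: it joins attack windows (as availability monitoring or a mitigation provider would report them) to outbound transfers and scores each transfer on timing, size and destination. The events, thresholds and watch-list countries are constructed for the example; the three countries are simply the destinations the article names.

```python
from datetime import datetime, timedelta

# Constructed events (not SecureWorks data). Windows come from availability monitoring or the
# mitigation provider; transfers from the payments system. Both are assumed to be in UTC.
DDOS_WINDOWS = [
    (datetime(2012, 9, 4, 14, 5), datetime(2012, 9, 4, 14, 25)),   # 20 minutes
    (datetime(2012, 9, 4, 14, 20), datetime(2012, 9, 4, 14, 40)),  # overlaps the first
    (datetime(2012, 9, 11, 2, 0), datetime(2012, 9, 11, 16, 0)),   # 14 hours
]

TRANSFERS = [
    {"id": "W1", "ts": datetime(2012, 9, 4, 14, 12), "type": "wire", "amount": 250_000, "dest_country": "CY"},
    {"id": "W2", "ts": datetime(2012, 9, 4, 16, 30), "type": "wire", "amount": 1_200, "dest_country": "GB"},
    {"id": "A1", "ts": datetime(2012, 9, 11, 9, 45), "type": "ach", "amount": 180_000, "dest_country": "RU"},
    {"id": "A2", "ts": datetime(2012, 9, 11, 16, 50), "type": "ach", "amount": 95_000, "dest_country": "CN"},
    {"id": "W3", "ts": datetime(2012, 9, 20, 10, 0), "type": "wire", "amount": 2_100_000, "dest_country": "US"},
]

WATCH_COUNTRIES = {"RU", "CY", "CN"}   # the destinations the article reports for 2012


def merge_windows(windows):
    """Collapse overlapping or touching attack windows so one attack is not counted twice."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def correlate(windows, transfers, slack=timedelta(hours=1), large=100_000):
    """Return transfers that fall inside a DDoS window (or within `slack` after it), scored.

    Score: 1 for timing alone, +1 if the amount is large, +1 if the destination is on the
    watch list. The attack length is reported because the article found short attacks
    paired with wire fraud and multi-hour ones with ACH fraud."""
    hits = []
    for start, end in merge_windows(windows):
        duration = end - start
        for t in transfers:
            if start <= t["ts"] <= end + slack:
                score = 1 + (t["amount"] >= large) + (t["dest_country"] in WATCH_COUNTRIES)
                hits.append({"id": t["id"], "score": score,
                             "attack_minutes": int(duration.total_seconds() // 60),
                             "attack_kind": "short" if duration < timedelta(hours=1) else "long"})
    return sorted(hits, key=lambda h: (-h["score"], h["id"]))


if __name__ == "__main__":
    for hit in correlate(DDOS_WINDOWS, TRANSFERS):
        print(hit)
```

The slack after the window matters: the fraudulent transfer is often already submitted before the attack stops, but its release and the resulting alert can land after it. Run the correlation as soon as the DDoS alert fires, not at the post-incident review, because that is the point at which a transfer can still be held.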


We also continued to see growth and active development within the underground economy, both in offering DDoS as a service and in creating DDoS kits that cyber-criminals of any skill level can use. DDoS infrastructure remains distributed globally, although it is found in higher concentrations in Ukraine, the US and Russia (Figure 2).

Like many other threats, DDoS continued to evolve and adapt throughout 2012, and sites running WordPress became a target. In April this year, WordPress websites suffered a large brute-force campaign: it is reported that a botnet of more than 90,000 servers is being used to scan the Internet for WordPress sites and then attempt to log in to the administrator account using a list of commonly used passwords. Sites whose administrator account uses a simple password such as '123456' have been particularly at risk. If an attacker logs in successfully, a backdoor is installed for future use, so compromised sites can then be used for other activities such as participating in DDoS attacks. Because the attempts are spread across tens of thousands of source addresses, a per-IP lockout threshold is not enough on its own; the site-wide rate of failed administrator logins needs watching as well.
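The WordPress campaign above is a good test of whether a login-abuse detector is built for one attacker or for a botnet. The following Python is an added example, not code from the article: it parses combined-format web server log lines (constructed here, on TEST-NET addresses) for POSTs to wp-login.php and applies three checks, including a site-wide sliding window that catches the distributed pattern a per-IP lockout misses. The status-code distinction it relies on (WordPress answers a failed login with 200 and a successful one with a 302 redirect) is standard behaviour; the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def analyse_wp_logins(lines, window=timedelta(minutes=5), per_ip=5, site_wide=20, before_success=3):
    """Look at POSTs to wp-login.php. WordPress re-renders the form with HTTP 200 on a failed
    login and answers a successful one with a 302 redirect, so the status code separates them."""
    posts = [r for r in map(parse_line, lines)
             if r and r[2] == "POST" and r[3].endswith("/wp-login.php")]
    posts.sort(key=lambda r: r[1])
    failures = [r for r in posts if r[4] == 200]

    # 1. classic per-source threshold: catches a single noisy attacker
    per_ip_failures = Counter(r[0] for r in failures)
    noisy_ips = {ip for ip, n in per_ip_failures.items() if n >= per_ip}

    # 2. site-wide sliding window over *all* sources: catches a botnet that keeps every bot
    #    under the per-IP threshold, which is what a 90,000-node campaign looks like
    max_in_window, start = 0, 0
    for end in range(len(failures)):
        while failures[end][1] - failures[start][1] > window:
            start += 1
        max_in_window = max(max_in_window, end - start + 1)

    # 3. an IP that failed repeatedly and then received a 302 probably guessed the password
    fails_so_far = Counter()
    suspicious_logins = []
    for ip, ts, _, _, status in posts:
        if status == 200:
            fails_so_far[ip] += 1
        elif status == 302 and fails_so_far[ip] >= before_success:
            suspicious_logins.append((ip, ts))

    return {
        "noisy_ips": noisy_ips,
        "max_failures_in_window": max_in_window,
        "distributed_campaign": max_in_window >= site_wide,
        "suspicious_logins": suspicious_logins,
    }


def build_sample_log():
    """Constructed combined-format lines (TEST-NET addresses, not a real capture)."""
    t0 = datetime(2013, 4, 12, 3, 0, 0, tzinfo=timezone.utc)
    rows = []

    def add(ip, offset, status):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        rows.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3120 "-" "Mozilla/5.0"')

    for i in range(40):                     # 40 bots, two low-rate guesses each
        add(f"192.0.2.{i + 1}", 4 * i, 200)
        add(f"192.0.2.{i + 1}", 4 * i + 2, 200)
    for j in range(8):                      # one impatient attacker...
        add("203.0.113.77", 200 + j, 200)
    add("203.0.113.77", 210, 302)           # ...who eventually gets in
    add("198.51.100.10", 300, 302)          # the real administrator logging in normally
    return rows


if __name__ == "__main__":
    for key, value in analyse_wp_logins(build_sample_log()).items():
        print(f"{key}: {value}")
```

A `suspicious_logins` hit is the one to act on first: it means a password was guessed and, per the campaign above, a backdoor has probably already been dropped, so the response is a file-integrity check of the site and a credential reset, not just a block of the source address.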

Advanced Persistent Threats

Advanced Persistent Threats (APTs) continue to emerge as a prominent concern in today's threat landscape. APT attacks represent a growing threat to an organisation's intellectual property, financial assets and reputation. The defensive tools, procedures and other controls commonly put in place to handle commodity threats are an important layer of defence against APT-style threat actors, but there are important differences that stem from the targeted nature of the attacks.

The key element of an APT-style campaign is achieving and maintaining persistence in the target organisation's network. In our recent research, one pitfall we observed in many organisations is a lack of knowledge and understanding between IT managers and employees, which results in a poor defensive posture against APT incursions. To detect and respond to APT attacks promptly, the team must implement robust layered security. Specific APT threat actors often deploy multiple families of malware at different access points during a single campaign, increasing their chances of remaining persistent in the target environment. This tactical resilience is one reason affected organisations find it difficult to eradicate APT threats: removing the one implant that was found leaves the others in place, so eradication has to be planned across the whole estate rather than host by host.

Throughout 2012, the manufacturing industry was heavily targeted by APT malware. Quarter by quarter, it was attacked more frequently and with more trojans than other vertical markets such as government, legal, healthcare, technology and utilities (Figure 3).

Figure 2: Geographic breakdown of known DDoS command and control infrastructure. Source: Dell SecureWorks.

Mobile threats

Of the new threats that the Dell SecureWorks CTU research team observed in 2012, 28% were related to mobile operating systems. As mobile networked computing devices become more common, attackers are actively developing and maturing technology and techniques for exploiting them. Mobile malware development and deployment focused primarily on Android, and this trend is unlikely to change while Android remains the most broadly deployed mobile platform. Here are some of the key observations we made:

Repackaging: Approximately two-thirds of the Android malware observed by CTU researchers had been repackaged into existing legitimate applications. This malware is typically distributed via alternative marketplaces, where social engineering is sometimes used to make a new or unrated application seem more popular and so convince other users to download it.

Application update attack: This was a new type of attack observed in 2012. Android can in some instances permit installed applications to update automatically. A user can therefore download a malware-free application that an attacker created, which is later updated automatically to a version that contains malicious content. The version a user (or a scanner) inspects at install time is clean; the malicious code arrives with a later update.

NotCompatible: The ubiquity of mobile devices and the regularity with which they move between networks challenge conventional security boundaries. NotCompatible emerged as a new threat in the second quarter of 2012 and gives an attacker access to whatever networks the mobile device can reach. This Android malware poses as a security update and is downloaded directly from the Internet. Once executed, it behaves as a botnet client, contacting its servers and executing attacker commands. A phone infected elsewhere and then joined to the office Wi-Fi gives the attacker a foothold on that network.

SpamSoldier malware: Discovered in the fourth quarter of 2012, this malware spreads mainly via SMS. The victim receives a text message, probably from an unrecognised number, inviting them to download a popular game. SpamSoldier installs and hides itself, then installs the game the victim expected. The malware retrieves message texts and target numbers from a remote server and sends the message to each number via SMS. The first sign of infection may be the SMS charges on the victim's monthly bill.

FakeToken: This is a good example of malware designed to steal sensitive information under the guise of a single-use authentication token generator for popular banks. Financial botnet software now has mobile components, including Zitmo (Zeus-in-the-mobile) and Spitmo (SpyEye-in-the-mobile), which have been used for nearly two years to steal the SMS messages that banks use as an out-of-band transaction authentication mechanism. The security-relevant point is that an SMS one-time code delivered to a device already running the banking trojan's mobile component is no longer out of band.

Tatanga and Carberp: In 2012, malware such as Tatanga and Carberp embraced mobile devices and predominantly targeted European countries such as Germany, the Netherlands, Italy, Portugal and Spain, where banks tend to use SMS for transaction verification. However, Carberp variants have also been observed targeting Russian banks.

The best defence is an effective defence

Defending against the full range of threat scenarios requires a robust, targeted, layered approach to security as a system of interlinked processes. Consider not just protection but detection and response. History and experience suggest that even the best security implementations are likely, at some point, to experience attacks, accidents or failures that violate security policies and trigger incident response processes. Security incidents are opportunities to learn and improve.

The following observations are based on experiences helping organisations respond to security incidents via the Dell SecureWorks Security Risk Consulting practice.

- 80% of incident response engagements in 2012 resulted from activity initiated by external actors. The remaining 20% resulted from insider threat activity.
- By industry, the engagements were led by manufacturing (17%), financial (16%) and industry service providers (15%).

At a high level, Dell SecureWorks' incident response experiences in 2012 underscore several key conditions and trends:

- End users and end-user applications continue to be the primary targets for the threat actors behind both commodity and APT attacks. Social engineering and reconnaissance of targeted organisations are prevalent and advancing, making campaigns more convincing.
- Data and application servers still present significant risk to organisations. They pose the greatest legal exposure, through the possible compromise of personally identifiable information (PII) and Payment Card Industry (PCI) cardholder data.

Figure 3: APT malware activity for Q4 2012. Source: Dell SecureWorks.


- Organisations struggle with legacy IT architectures that are poorly designed for defence, have poor segmentation of critical systems, and use very little (if any) data classification that would offer additional layers of protection for critical intellectual property. Administrator privileges are often not properly managed or controlled, which allows threat actors to attain administrator or domain administrator access easily.
- Organisations take very few or no proactive measures to monitor insider threat activity or to reduce the risk of insider activity. Nearly all of the incident response engagements that involved an insider threat were investigations in which a terminated employee was suspected of having used elevated privileges to sabotage the network or to remove intellectual property. In only one case did the organisation discover the activity through a data loss prevention (DLP) solution. As security policy is formulated and put into practice, there is a continued disconnect between IT/security departments and human resources (HR) departments in many organisations. Managers who supervise employees with privileged access should consider restricting that access when poor performance or misconduct is observed. The basic practice of terminating access, especially privileged access, before an employee leaves the organisation would have mitigated most of the insider threat incidents.
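The disconnect between HR and IT described above is mechanical enough to check for on a schedule. The following Python is an added example, not Dell SecureWorks' tooling: it reconciles an HR roster export against a directory export and reports terminated employees whose accounts are still enabled, departing employees who still hold privileged groups, disabled accounts that never lost their groups, and orphan accounts with no HR owner. The column names, the privileged-group list and the sample rows are constructed assumptions to be mapped onto your own exports.

```python
import csv
import io
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Server Operators", "Backup Operators", "Account Operators"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed exports; the column names are assumptions, adapt them to your HR system and
# directory dump. Dates are ISO; group membership is ';'-separated.
HR_CSV = """emp_id,name,status,end_date
1001,Alice Smith,active,
1002,Bob Jones,terminated,2013-03-28
1003,Carol White,terminated,2013-03-20
1004,Dan Brown,notice,2013-04-15
"""

DIRECTORY_CSV = """username,emp_id,enabled,groups
asmith,1001,true,Domain Users
bjones,1002,true,Domain Users;Domain Admins
cwhite,1003,false,Domain Users;Server Operators
dbrown,1004,true,Domain Users;Backup Operators
svc-old,,true,Domain Admins
"""

AS_OF = date(2013, 4, 1)   # the day the check runs


def reconcile(hr_csv, directory_csv, as_of, notice_window=timedelta(days=30)):
    """Compare the HR roster with the directory and return findings, most severe first."""
    hr = {row["emp_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        enabled = acct["enabled"].strip().lower() == "true"
        groups = {g.strip() for g in acct["groups"].split(";") if g.strip()}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        person = hr.get(acct["emp_id"].strip())

        def add(severity, reason):
            findings.append({"username": acct["username"], "severity": severity,
                             "reason": reason, "privileged_groups": privileged})

        if person is None:
            # no owner in HR means no leaver event will ever trigger its removal
            add("HIGH" if privileged else "MEDIUM", "account has no HR record (orphan)")
            continue
        end = date.fromisoformat(person["end_date"]) if person["end_date"] else None
        if person["status"] == "terminated" or (end and end <= as_of):
            if enabled:
                add("CRITICAL" if privileged else "HIGH",
                    f"terminated {end} but account still enabled")
            elif privileged:
                add("LOW", "disabled account still holds privileged groups")
        elif end and end - as_of <= notice_window and privileged:
            add("HIGH", f"leaving {end}; restrict privileged access now, not on the last day")
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["username"]))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_CSV, DIRECTORY_CSV, AS_OF):
        print(f"{f['severity']:<8} {f['username']:<10} {f['reason']}  {f['privileged_groups']}")
```

The check only works if HR shares end dates before they take effect, which is exactly the advance-notice channel the article asks for; the "notice" status in the sample roster is that signal. Disabled-but-still-privileged accounts are reported because a disabled account that is later re-enabled for a contractor or a migration comes back with its old rights.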

Recommendations

Organisations can adopt key practices to improve their ability to defend, detect and respond. The recommendations are grouped into three broad categories based on perceived difficulty of implementation: low, medium and high complexity. While this is not a comprehensive list of security measures and controls, these actions would have significantly reduced the incidents observed by the Dell SecureWorks Security Risk Consulting team in 2012.

Low complexity (can be implemented by management controls or IT staff):

- Provide security awareness training and certification to raise the level of awareness about the threat actors targeting the organisation. Tie user access and privileges to performance in, and compliance with, the training programmes; for example, restrict Internet access for non-compliant users.
- Establish communication between HR and IT security staff to share advance notice of pending terminations of employment. Managers of employees with elevated privileges should be aware of the risk those employees pose to the enterprise and take appropriate action to restrict access when warranted by poor performance or misconduct.
- Maintain an incident response plan that complies with the organisation's recognised standards. Routinely rehearse the plan to validate procedures and the team's proficiency.

Medium complexity (can be implemented by IT staff with support from security professionals):

- … servers located in a DMZ.
- …, especially for remote access through a virtual private network (VPN).
- Ensure that systems are configured to an enterprise-wide security standard, that risk is reduced through secure configuration, and that patching of OS and application software is timely.
- Conduct vulnerability scans of external-facing data and application servers, prioritising servers that hold critical data such as PCI and PII.
- Strip risky attachment types (eg, EXE, RAR, SCR) from all inbound mail. Check the attachment's actual content and the members of any archive it carries, not just the displayed filename, since renaming an executable costs an attacker nothing.
- Run phishing exercises within the organisation, publish the results and use them as a positive tool for raising awareness of the significant risks posed by malicious email messages.
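Stripping by extension alone, as the attachment recommendation above suggests, is bypassed by a renamed file or a ZIP wrapper. This Python example is added here and is not part of the article: it inspects each attachment of a constructed message using the standard library's email and zipfile modules, checks the real last extension, the payload's first bytes and the members of any ZIP, and removes whatever fails. The extension list is an assumption to tune per gateway; RAR members are not listed because that needs a third-party library, so .rar is stripped outright, as the article lists it.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as executable content. RAR is included outright because listing its
# members needs a third-party library; a gateway that cannot look inside should not pass it.
RISKY_EXT = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "jar", "msi", "dll", "hta", "rar"}


def extension(filename):
    base = filename.lower().rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1] if "." in base else ""


def attachment_risk(part):
    """Return a reason string if this MIME part should be stripped, else None.

    Only the last extension counts, so 'invoice.pdf.exe' is an .exe; the payload's first
    bytes are checked because renaming a PE to .txt costs nothing; ZIP members are listed so
    that 'report.zip' carrying 'report.exe' is caught too.
    """
    filename = part.get_filename()
    if not filename:
        return None                      # message body, not an attachment
    data = part.get_payload(decode=True) or b""
    ext = extension(filename)
    if ext in RISKY_EXT:
        return f"risky extension .{ext}"
    if data.startswith(b"MZ"):
        return f"PE executable header despite extension .{ext}"
    if ext == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.flag_bits & 0x1:
                        return f"encrypted member {info.filename} cannot be inspected"
                    if extension(info.filename) in RISKY_EXT:
                        return f"archive contains {info.filename}"
        except zipfile.BadZipFile:
            return "malformed zip"
    return None


def strip_risky(msg):
    """Remove risky attachments from a multipart message. Returns (msg, removed), where
    removed is a list of (filename, reason). Only the top level is inspected; nested
    multiparts (forwarded mail) would need recursion."""
    removed = []
    if not msg.is_multipart():
        return msg, removed
    keep = []
    for part in msg.iter_parts():
        reason = attachment_risk(part)
        if reason:
            removed.append((part.get_filename(), reason))
        else:
            keep.append(part)
    msg.set_payload(keep)
    return msg, removed


def build_sample_message():
    """Constructed message with five attachments: a PDF, a double-extension executable,
    a ZIP wrapping an .exe, a renamed executable and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 (constructed stub)", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 (constructed stub)", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("report.exe", b"MZ\x90\x00 (constructed stub)")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.ZIP")
    msg.add_attachment(b"MZ\x90\x00 (constructed stub)", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment("meeting notes", subtype="plain", filename="readme.txt")
    return msg


if __name__ == "__main__":
    cleaned, removed = strip_risky(build_sample_message())
    for name, reason in removed:
        print(f"stripped {name}: {reason}")
    print("kept:", [p.get_filename() for p in cleaned.iter_attachments()])
```

Treating an encrypted ZIP member as a reason to strip is a policy choice: password-protected archives are a standard way of smuggling malware past gateway scanning, but some business partners use them legitimately, so that branch may need a quarantine-and-notify path rather than silent removal.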

High complexity (requires a security professional and possibly outside consulting services):

- Design the network architecture with security in mind. Establish aggregation points where firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and deep packet inspection (DPI) are in-line and able to filter and inspect all inbound and outbound traffic. These devices must record useful logs and must be integrated into a robust, centralised security event monitoring platform, forming a critical component of the security team's situational awareness capability.
- Use threat signatures and indicators provided by a Managed Security Service Provider (MSSP) to ensure that network defence appliances (eg, firewalls, IPS, IDS) are tuned with threat indicators gathered from activity observed across a multitude of networks.
- Implement in-line filtering of email and web traffic wherever executable code is discovered, using both signature-based indicators and in-line sandbox analysis. Ensure SSL traffic is decrypted at the boundary and inspected for threat activity.
- Ensure capture of all relevant security events that could be escalated to security incidents. Run analytics over these event logs against a reputable set of threat indicators to look for threat activity that may be evading signature-based defence appliances.
- Engage a DDoS mitigation provider if critical business operations rely on Internet connectivity with customers. Rehearse and stress-test DDoS recovery plans and ensure they can be executed in close co-ordination between IT and security staff.
- Implement an electronic governance, risk management and compliance (eGRC) system to monitor security controls and compliance with policy and procedures.
- Have the effectiveness of security controls assessed by an outside party.
- Conduct threat intelligence surveillance of the organisation to help identify threat actors, quantify the risk they pose to the organisation, and assess vulnerabilities to those threat actors' capabilities.
- Involve security staff in merger and acquisition processes, and develop a plan for integrating newly acquired IT infrastructure into the parent organisation's security plan.
- Establish a secure software development lifecycle (SDLC) within the organisation. Ensure that application development considers security and that the risk accepted during the SDLC is transparent, so security staff can reduce the residual risk.

About the author

Rafe Pilling is a principal security consultant at Dell SecureWorks. He is an experienced information security consultant and has worked at Dell SecureWorks for seven years, building up expertise in digital forensics, security incident response and malware analysis. He has a key role in advising businesses on how to protect their networks and infrastructure, architects complex solutions to threat scenarios and provides consultancy on a variety of cyber-security threats.

Reference

1. Ruggero Contu, Christian Canales, Lawrence Pingree. 'Forecast Overview: Security Infrastructure, Worldwide, 2010-2016'. Gartner, 8 Aug 2012.

Identity – the new security perimeter

Chris Edwards, Intercede

The consumerisation of IT has fuelled a dramatic increase in the use of mobile devices in the workplace. Whether in the office, travelling, working from home or just in a conference room, employees expect immediate access to information via voice, chat, text or email. If their corporate device does not allow this, they can, and wherever possible will, use their personal device to access corporate data. According to a recent survey by YouGov, nearly half of British employees are adopting the Bring Your Own Device (BYOD) trend, using their personal devices for work purposes [1].

Businesses too are embracing this trend so that they can seize the productivity and efficiency gains it promises. However, if employees are using their own devices to access sensitive data from the corporate network, companies need to ensure they protect it from harmful distribution or intellectual property (IP) leakage. That is why they need to link an appropriate identity to the device: ensuring that only a trusted individual can access sensitive information and applications from a mobile device is a fundamental requirement for both corporate-issued and personal mobile devices.

One device, multiple identities

For work use, an email client and a secure browser for accessing corporate portals are among the apps that a typical employee will need to complete their daily tasks. The corporate IT department needs to ensure that the digital identity used to enable access to these resources is securely linked to the correct person, and that it can disable that access when appropriate.

Organisations now realise that users need a place on the mobile device for personal apps and data that can function concurrently with work activities. If an employee leaves, IT can simultaneously terminate access from their mobile device. Importantly, the IT organisation must be able to erase all of the work data without touching the former employee's personal files.

Identity is the new perimeter

This increased mobility has also been a major driver in the shift away from ring-fencing intellectual property and sensitive data such as customer information and financial details. Reducing the risk of compromise from threats such as organised crime, overseas espionage, hacktivists and simple unintentional human error by keeping the data contained within the company premises is no longer a realistic approach. The firewalled 'corporate boundary' has traditionally been seen