Page 29 - Security Today, February 2018
tiple motives and strategies on the hacker side that are impossible to second-guess from the CISO’s chair.
Identifying Major Breeds of Modern Cyberattacks
Ultimately, there are two major types of cyberattacks. The first can be compared to a fisherman trawling the ocean: attackers cast a wide virtual net out into the internet without knowing what they will catch, or whether they will catch anything at all. Ransomware is a good example of this tactic. Cybercriminals own or rent a botnet and spread their malware through it, using email or social media accounts stolen from an internet service provider’s large customer database and sold on the Darknet. Their investment is quite low, but the payout can be high if a well-constructed message catches enough unsuspecting internet users.
With the ransomware-as-a-service model, virtually anyone can obtain their own ransomware build, spread it to a target audience and harvest the ransom in Bitcoin. In such cases the motive is simple: collect as much money as possible. The operators typically target end users, preying on their ignorance of how cyberspace operates. However, those end users are often sitting in an office during these attacks, using corporate devices connected to the corporate network. From a defense perspective this type of attack seems manageable, although it still causes huge problems for companies that have not invested in staff education or in current protective technology.
The second attack model is more strategic and focused. It can be compared to a fisherman who is after a particular species, uses a specific rig and chooses a spot where that species is known to be. These cyberattacks target a single organization with a cyber weapon crafted and sharpened against its particular weaknesses. Often the attack is indirect: attackers first compromise a trusted third party, such as a supplier or service provider, and reach the target organization from that party’s network. Such actors have the necessary resources (time, money and expertise) and usually have a specific motive for the attack.
This is referred to as a targeted attack or Advanced Persistent Threat (APT). The National Institute of Standards and Technology (NIST) in the United States defines the term (NIST SP 800-39) as “an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical and deception).
These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program or organization; or positioning itself to carry out these objectives in the future.
The advanced persistent threat: 1. pursues its objectives repeatedly over an extended period of time, 2. adapts to defenders’ efforts to resist it and 3. is determined to maintain the level of interaction needed to execute its objectives.” The intruder can capitalize on any vulnerability anywhere in the infrastructure, which forces the defender into a “needle in a haystack” search. In addition, the early stages of a targeted intrusion, from initial access through internal discovery, can take months or years and usually stay under the radar, while the exfiltration itself takes only seconds or minutes. By the time it happens, victims have no time to realize that something bad is going on.
Understanding Motivations Behind the Attacks
To truly understand why commonly used security measures fail, we have to understand the nature of a targeted attack or APT. In its well-known Cyber Kill Chain model, Lockheed Martin describes such an intrusion in the following seven steps.
Reconnaissance. The attacker selects its target, gathers as much information about it as possible and tries to identify vulnerabilities in the target infrastructure.
Weaponization. The attacker builds a cyber weapon that will give it remote access to the target infrastructure. This is usually malware: typically an exploit for one or more of the identified vulnerabilities coupled with a remote access tool and packaged in a deliverable such as a document file.
Delivery. The attacker transmits the weapon to the victim, for example as an email attachment, via a website or on a USB drive.
Exploitation. The cyber weapon takes effect and exploits the relevant vulnerabilities on the target network.
Installation. The cyber weapon installs a persistent foothold, usually a backdoor, that lets the attacker come back into the target infrastructure.
Command and control. The implant connects back to attacker-controlled infrastructure, giving the attacker hands-on-keyboard control inside the victim’s network for as long as it goes unnoticed.
Actions on objective. The attacker takes the steps needed to reach its goal, such as data exfiltration, data destruction or encryption for ransom.
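The seven steps above are a model, not a detector; what a defender actually has is host and network telemetry that must be tagged with a phase and lined up in time. The following is an added example, not code from the original article or from Lockheed Martin: a small Python kill-chain tagger run over constructed host events (the host names, addresses, file names and thresholds are invented for illustration). It makes the earlier point about timing concrete: on one workstation the first phases fire within minutes of delivery, while the action on objective comes more than three months later, and a host that merely received a benign attachment produces no chain at all.

```python
"""Kill-chain phase tagging over constructed host telemetry (added example).

Rules key on behaviour (Office app spawning a shell, a Run key being written,
repeated beacons to one external host, a large outbound transfer) rather than
on raw event names, then rebuild a per-host timeline and measure the time
from first delivery to first action on objective.
"""
from collections import Counter, defaultdict
from datetime import datetime

PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objective"]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\services\\")
EXFIL_BYTES = 50_000_000      # assumed threshold for "bulk outbound transfer"
BEACON_COUNT = 3              # assumed: same external host seen this often = C2


def classify(ev, seen):
    """Return the kill-chain phase one event indicates, or None.
    `seen` is per-host state so repeated contacts to one host become C2."""
    kind = ev["kind"]
    if kind == "mail" and ev.get("attachment", "").lower().endswith((".docm", ".js", ".hta")):
        return "delivery"
    if kind == "process":
        parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
        if parent in OFFICE_APPS and image in SHELLS:
            return "exploitation"
    if kind == "registry" and any(k in ev.get("key", "").lower() for k in PERSISTENCE_KEYS):
        return "installation"
    if kind == "netconn" and not ev.get("internal", False):
        seen[ev["dst"]] += 1
        if ev.get("bytes_out", 0) > EXFIL_BYTES:
            return "actions_on_objective"
        if seen[ev["dst"]] >= BEACON_COUNT:
            return "command_and_control"
    return None


def build_timeline(events):
    """Group events by host and return {host: [(datetime, phase, event), ...]}
    in time order, keeping only events that mapped onto a phase."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[ev["host"]].append(ev)
    timeline = {}
    for host, evs in by_host.items():
        seen, tagged = Counter(), []
        for ev in evs:
            phase = classify(ev, seen)
            if phase:
                tagged.append((datetime.fromisoformat(ev["ts"]), phase, ev))
        timeline[host] = tagged
    return timeline


def phase_coverage(tagged):
    """Phases observed on a host, listed in kill-chain order."""
    present = {phase for _, phase, _ in tagged}
    return [p for p in PHASES if p in present]


def dwell_time(tagged):
    """timedelta from first delivery to first action on objective, or None."""
    firsts = {}
    for ts, phase, _ in tagged:
        firsts.setdefault(phase, ts)
    if "delivery" not in firsts or "actions_on_objective" not in firsts:
        return None
    return firsts["actions_on_objective"] - firsts["delivery"]


# Constructed sample telemetry (not real data); 203.0.113.0/24 is a documentation range.
EVENTS = [
    {"ts": "2018-01-03T09:12:00", "host": "ws-042", "kind": "mail",
     "sender": "billing@example.net", "attachment": "invoice_2017Q4.docm"},
    {"ts": "2018-01-03T09:15:31", "host": "ws-042", "kind": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2018-01-03T09:15:34", "host": "ws-042", "kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2018-01-03T09:16:02", "host": "ws-042", "kind": "netconn",
     "dst": "203.0.113.7", "internal": False, "bytes_out": 812},
    {"ts": "2018-01-04T09:16:05", "host": "ws-042", "kind": "netconn",
     "dst": "203.0.113.7", "internal": False, "bytes_out": 790},
    {"ts": "2018-01-05T09:16:01", "host": "ws-042", "kind": "netconn",
     "dst": "203.0.113.7", "internal": False, "bytes_out": 805},
    {"ts": "2018-02-10T11:40:00", "host": "ws-042", "kind": "netconn",
     "dst": "10.0.4.15", "internal": True, "bytes_out": 2_000_000},
    {"ts": "2018-04-20T02:15:00", "host": "ws-042", "kind": "netconn",
     "dst": "203.0.113.7", "internal": False, "bytes_out": 180_000_000},
    # benign host for contrast: a PDF attachment and nothing else
    {"ts": "2018-01-03T10:02:00", "host": "ws-007", "kind": "mail",
     "sender": "hr@example.com", "attachment": "handbook.pdf"},
]

if __name__ == "__main__":
    for host, tagged in build_timeline(EVENTS).items():
        print(host, phase_coverage(tagged), "dwell:", dwell_time(tagged))
```

The beacon rule only fires on the third contact with the same external host, so the two earlier connections are silently absorbed; that is the "needle in the haystack" trade-off in miniature, since lowering the threshold catches the beacon sooner but also tags ordinary repeated traffic.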
Naturally, those seven steps apply to hundreds of tactics, thousands of known tools and just as many tools that are still unknown. The NotPetya ransomware is a good example of how well-known tools and tactics gave life to a new strategy. According to expert opinion, the motivation behind this specific malware was to disrupt Ukraine’s day-to-day operations and to test the resilience of the maritime industry, even though it appeared to be ordinary ransomware. It exploited the same SMB vulnerability, with the EternalBlue exploit, that WannaCry had used about a month earlier, and it used Mimikatz, a long-standing attacker favorite, to extract privileged credentials from memory.
Nothing new there. However, the malware is believed to have entered victim networks through the software update mechanism of M.E.Doc, a Ukrainian tax preparation package widely used in the country. No one expected that the source of a global malware campaign would be an update to a local business application, the kind of update that has to be installed precisely for security reasons. The masterminds on the attacker side did their job perfectly: they built on known weaknesses on both the human and the technology side and used existing tools and techniques to reach their strategic goal.
How Attackers are Outpacing Defenses
The MITRE Corp., a nonprofit organization that operates research and development centers sponsored by the federal government, published a large database on cyberattack tactics and techniques. MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. It largely reflects Lockheed Martin’s Cyber Kill Chain and pro-