The Ostrich Effect In Search Of A Realistic Model For Cybersecurity

Transcription

1 The Ostrich Effect In Search Of A Realistic Model For Cybersecurity 1

2 Contents Introduction 3 Threats Stealthy, Sophisticated & Successful 4 Operation Beebus 5 G20 Brisbane Redefining the Debate 6 Assurance 7 Staff Training & Education 7 A Risk Management Approach 8 A Better Approach to the Management of Threats 8 ASD Top 35 9

3 Introduction It could be argued that a huge range of choice, and the unrelenting promises of cyber security solutions from vendors, has led to IT security fatigue (even paralysis), with many organisations unsure of where to turn and what to do, resulting in poor cyber security arrangements. Added to this is what might be called organisational exceptionalism, namely the general perception, despite facts to the contrary, that it is other organisations which will be attacked and not one s own. However, the following analysis shows that both IT security fatigue and organisational exceptionalism are out of sync with the facts on the ground. Simply put, all organisations are susceptible to advanced malicious software, zero-day exploits, and targeted advanced persistent threat (APT) attacks. Traditional perimeter defences are no longer effective controls and are regularly bypassed as criminals focus on and web-based targeted attacks. These advanced attacks are difficult to stop, with traditional signature-based (that is, looking for the signature of the code) solutions like intrusion prevention systems and anti-virus identifying only already known threats. Advanced threats, using zero-day vulnerabilities often combined with spear phishing (tailored communications such as an or instant message directed at a specific individual or group of people who the attacker wishes to compromise) need to be detected and stopped in real time, or near real time. Zero-day means the exploit is used by attackers before it is known by the IT security industry and therefore are no software fixes nor signatures. In short, all aspects of an organisation, including technologies, people, and processes, may be vulnerable to compromise by sophisticated attackers. In spite of the clear evolution of threats, which have become more wide ranging in terms of vectors of attack, stealthiness and potential harm, many organisations still fail to protect themselves regardless of the array of products and services available. We hope that the following analysis will underscore why this posture should be re-examined and offer a path for how any cybersecurity shortcomings can be addressed.

4 Threats Stealthy, Sophisticated & Successful Organised online attackers, including those who act on behalf of nation states, are generally determined in their efforts and use many ways to mount their attacks. Their goals vary from stealing intellectual property to eavesdropping on sensitive communications. Attackers use a wide array of publicly available sources, such as organisational data available on social networking sites, company websites, and annual reports, to create highly targeted phishing s and malware targeted at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries, particularly those in export facing markets. Web-based exploits often use documents containing malicious code which is also a sophisticated way to attack an organisation (this is sometimes referred to as a watering hole attack because the attacker sets up their trap at a place known to be frequented by their intended victim, and waits for them to visit the website). Once inside an organisation s IT systems, advanced malware, zero-day and targeted APT attacks will hide, replicate, and disable host protections. After it installs, it may phone home to it s command and control server for instructions, which could be to steal data, infect other endpoints, allow reconnaissance, or lie dormant until the attacker is ready to strike. The seriousness of these blended attack modes can not be under estimated. But how should an organisation prepare itself? And if already subject to an attack, what should they do? APTs are highly complex cyber attacks which are targeted, persistent, evasive and hard to detect. APTs often use multiple attack vectors to maximise their success. These attacks may play out in several phases over a long period of time; apply a complex mix of attack methods and target multiple vulnerabilities The ten countries that were most frequently targeted by APTs in 2013 were: Based on FireEye data from 2013, the top 10 countries targeted by APT actors are the following: 1. United States 3. Canada 5. United Kingdom 7. Switzerland 9. Saudi Arabia 2. South Korea 4. Japan 6. Germany 8. Taiwan 10. Israel (FireEye Advanced Threat Report ) 4

5 identified within the organisation. Cyber criminals target organisations dependent on their sector and the potential value of the information which lies within its systems. Organisations should seek threat intelligence such as new malicious software profiles, vulnerability exploits, and obfuscation tactics which are deployed across multiple threat vectors. They then need a systematic way to deal with these many issues, particularly the need for dynamic analysis to detect zero-day threats. The most common software targets for zero-day attacks in 2013 signatures to detect and remove threats. Which threats get detected and which signatures get subsequently created arises from evidence collected in the wild. A key aspect of targeted attacks is their ability to enter an organisation under the radar, while compromising networks, avoiding detection and remaining in place until they have done their job. Reputation-based threat intelligence networks can make false assumptions about potentially risky code and broadcast signatures. These systems rely heavily on signatures and known patterns of misbehaviour to identify and block threats. Operation Beebus Internet Explorer Java Flash Reader Exploiting a vulnerability in the Windows operating system, this campaign uses both and drive-by downloads as a means of infecting end users. The perpetrator uses attachment names of documents/white papers released by well-known companies as a hook. The malicious attachment exploits some common vulnerabilities in PDF and DOC files. Java has traditionally been a common focus for attackers in developing zero-day attacks as exploit development against Java is much easier than for most other programs. Older versions of browsers are susceptible to compromise with tell-tale signs including changes within a system that cannot be accounted for, such as new user accounts, executables and changed permissions. Many of these attacks are vocationally or regionally focused. It is expected browser based vulnerabilities will become more common. Conventional protections, like traditional and next-generation firewalls, intrusion prevention systems, anti-virus and web gateways are important but generally only scan for known inbound attacks. Traditional signature based security tools rely on reactive The malware communicates with a remote command and control server. This campaign has been targeting companies in the aerospace and defense verticals. These industries have rich data which requires an advanced threat protection solution that not only monitors cyber attacks from the outside in, but the inside out as well. If an organisation is unable to stop threats from entering through the web, , or the office front door, then effort needs to be placed in stopping them from communicating out and spreading further. 5

6 G20 Brisbane 2014 APT activity may be described as a campaign combining a series of attacks over time. In the lead up to the G20 in St Petersburg, 2013, a number of global diplomatic missions and ministries of foreign affairs were targeted in a cyber espionage campaign falsely advertising information updates about the crisis in Syria a focus of the G20 meeting. The attackers responsible were first identified in 2010 and have traditionally used spearphishing s with either a malware attachment or a link to a malicious download as their method of attack. In addition to the Syria-themed campaign, they also used a London Olympics-themed campaign in Cyber attackers routinely employ breaking news as targeted lures in an attempt to entice targets into clicking on malicious attachments. The 2014 G20 Leaders Summit will be held in November in Brisbane, Queensland. This will be the most significant meeting of world leaders that Australia has hosted with as many as 4,000 delegates and 3,000 media representatives expected to attend. Building on the St Petersburg summit, Australia s G20 Presidency will structure leaders discussion around the key themes of promoting stronger economic growth and employment outcomes, and making the global economy more resilient to deal with future shocks. The scope for targeted spear-phishing attacks to compromise government and private sector organisations involved with the series of G20 meetings is large. Once control is gained, attackers will conduct reconnaissance and move laterally through the compromised networks. Accordingly, diplomatic missions, including ministries of foreign affairs, are likely to be targeted by malware-based espionage campaigns in the lead up to this event. Redefining the Debate Achieving effective IT security is an ongoing process of gathering and sharing intelligence and responding to changing technology and conditions, whilst balancing security measures against functionality. This balance is critical to ensure business operations can efficiently take place against the trade-off of reducing cyber attacks. With the correct tools and techniques in place organisations can respond, mitigate and reduce their likelihood of a breach significantly. Top ten most targeted verticals, based on the number of unique APT-associated malware families. (FireEye Advanced Threat Report ) 6

7 Rather than focus on threat nomenclature and brochure-ware hype, organisations need to look closely at the industry they operate in and it s broader susceptibility to compromise from state sanctioned actors, organised cyber criminals, issue motivated groups and disgruntled current or former employees and contractors. They need to consider their current IT and physical security posture and take a risk-based approach to accurately identifying the controls they should put in place. There isn t a single path to take to increase the resilience of business assets to cyber threats. Organisations today need to explore a new threat protection model in which their defense-in-depth architecture incorporates a signature-less layer that specifically addresses the evolution of cyber attacks discussed in this paper. Assurance Assurance does not automatically imply good security, but provides a degree of confidence that security needs of a system are satisfied. It provides a level of certainty that controls have been implemented to reduce the anticipated risk. Assurance allows organisations to have a reasonable and prudent degree of trust in their software, hardware and data. An assurance framework will assist organisations to comply with relevant legislation, identify capability gaps, recognise opportunities for improvement, prioritise remediation activities, articulate and quantify organisational risk and evaluate the overall effectiveness of their security program. Staff Training & Education Rather than exploiting vulnerabilities in hardware or software, many targeted attacks exploit vulnerabilities in people, in what is known as social engineering. Advanced attacks use spear phishing; drive-by-downloads, where an attacker compromises a website in such a way where malicious software is surreptitiously installed on the computer of a visitor to the website; or watering hole attacks, where an attacker plants malware on a website most likely to be visited by a target organisation, using this as a stepping stone to compromise an organisation; as part of a multi-vector attack strategy. For example, intelligence may first be gathered by the attacker to determine the websites most frequently visited by employees of a target organisation, so that they may compromise those websites to host malicious code. This makes employees an equally important part of the security equation and a key component of defence-in-depth protocols. Staff need to be educated on the types of cyber attacks which may target them; how to recognise social engineering attempts; identification of sensitive business critical information and intellectual property; and how to report suspicious activity or unexpected behaviour. Rapidly changing technology, human error, poor requirement specifications, inadequate development processes and underestimating the threat all introduce challenges to achieving the right level of assurance. Staff training is more of an art than a science and must fit organisational culture as well as business requirements. 7

8 Successful programs need to integrate corporate policies and procedures; readily available security awareness resources, such as on a staff intranet; simple, yet consistent messaging; integration into other training & education; and, most importantly, sponsorship and adoption by senior management. A Risk Management Approach The process of risk management assists decision makers to make informed choices, to identify priorities and select the most appropriate action. Identifying advanced threats prior to their impact is becoming harder for many organisations. A well-executed and rehearsed response can more effectively contain damage and boost resilience to future attacks. A thorough approach to incident management can help organisations to develop proactive controls to reduce the number of incidents within their networks and more effectively and efficiently identify and respond to incidents through implementation of consistent solutions. Organisations should perform: Incident response gap analysis Incident response technical training Incident response dry run exercises Not only should organisations focus on the basics of secure system design, development and testing, they also need to extend their enterprise wide risk management framework to cyber security issues, thoroughly analysing the effect of uncertainty on the objectives of the business. CISO s need to consider the possibility of advanced cyber risks occurring, and apply risk treatment options to ensure that any uncertainty in their organisations operational requirements will be avoided, reduced or removed. A Better Approach to the Management of Threats The cyber landscape sees a constant evolution of the types of cyber attacks and how they are deployed in an attempt to circumvent IT security defences. Organisations are finding it harder to perform real-time threat detection along with the subsequent triage process. Automation enables this process and allows security teams to focus on containing, and resolving incidents. However, even with automation, they still need to monitor and react to the changing attack situations including live analysis and within a sandbox. A properly rehearsed plan, allowing for a strategic response, will allow for a more competent reaction, including identification of what criminals may be trying to do to a network and the types of information they are seeking. This will allow them to effectively update their information security policies and plans, assess business risks and proactively respond to information security incidents. Critical to the management of threats is the ability to determine the nature and extent of an incident, along with identifying the internal and external resources required to facilitate an investigation. Organisations should augment their security staff with incident response and forensic services to handle critical security incidents, resolve immediate issues and put long-term solutions in place to address systemic causes of the incident. 8

9 ASD Top 35 The Australian Signals Directorate on behalf of the Australian government, in acknowledging the threat to government departments, critical infrastructure organisations and the broader private sector, created a list of 35 mitigations, which if followed will greatly reduce the likelihood and impact of a cyber incident. Understanding the difficulty in implementing many of these measures and the fluidity of the ever changing online threat environment, organisations need an integrated platform that inspects traffic, Web traffic, and files at rest, and shares threat intelligence across those attack vectors. This has been borne out with amendments to the Australian Signals Directorate s 35 mitigations, with automated dynamic analysis of and web content run in a sandbox to detect suspicious behaviour now placed at number six. This mitigation analyses network traffic, new or modified files, or other configuration changes. It is relatively simple to implement and helps prevent malicious code execution. In addressing this mitigation, organisations should seek to: Analyse s before delivering them to users Mitigate web content that has already been delivered to users which has subsequently been identified as malicious Enable a customised sandbox to match the operating system CISO checklist to report to Management 1. We have a flow chart of the threat lifecycle. 2. We have implemented at least the ASD Top 4 mitigations. 3. We have active management on our Firewalls, IPS, AV and gateways. 4. We have technical measures in place to guard against advanced dynamic attacks which exploit zero-day vulnerabilities. 5. We have a rehearsed incident response plan in place should there be a compromise. 6. We can isolate critical systems from the remainder of the network and test their operational independence from other systems. 7. We encrypt sensitive or businesscritical information. 8. We know what is the single most important piece of information in our company. 9. We know who has access to our business sensitive information. Organisations need to augment their existing defences to inspect internet traffic and/or files looking to identify obfuscation techniques. Sessions should be replayed in a (safe) virtual environment to determine whether the suspicious traffic actually contains malware. 9

10 About the Centre for Internet Safety The Centre for Internet Safety at the University of Canberra was created to foster a safer, more trusted Internet by providing thought leadership and policy advice on the social, legal, political and economic impacts of cybercrime and threats to cybersecurity. For more information visit About FireEye FireEye has invented a purpose-built, virtual machine-based security platform that provides realtime threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,500 customers across 65 countries, including over 150 of the Fortune 500. For more information visit