1.5 Post Attack
After a successful attack, there is work to be done in the areas of forensics, legal, insurance (hopefully purchased before the attack), damage assessment, and target cleanup/validation. In addition, policies and defenses must be examined to figure out what went wrong and how to do a better job next time.
It might be hard to get motivated and started on your defensive measures if you don’t know why cyber security matters. Read on!
You or your team (the home team, the good guys) need to stop the offensive; otherwise the bad actors will win. The defense has tactics that can be used to prevent a cyber security breach:
- Training and education
- Policies and procedures
- Law enforcement agreements
- Information sharing
- Threat intelligence
- Counter intelligence
- Hardware and software
- Current patches and techniques to improve security
- Encrypted data and hard drives on anything mobile—those things that are easily lost or stolen, such as phones, tablets, and laptops
Think football. The offensive is the other team, the one wanting your data or wanting to do damage to you. The offensive has different plays that it can run, such as distributed denial of service (DDoS) attacks, phishing and spear phishing, malware, social engineering, software and hardware flaws, and insider threats. We’ll be calling the offensive “bad actors” or “hackers” throughout this article.
SgxSpectre attack can extract data from Intel SGX Enclaves
Target: Intel SGX
Attack Vector: Repetitive code execution patterns
Summary: A new variation of the Spectre attack, named SgxSpectre, that can extract information from Intel SGX enclaves has been revealed this week. The new variant can allow an attacker to completely compromise the confidentiality of SGX enclaves and learn the content of enclave memory.
Risk assessment summary: The threat is assessed as 3e MODERATE and the likelihood has been rated as POSSIBLE. If successful, attackers can potentially compromise the confidentiality of SGX enclaves and extract sensitive information held in the enclaves. Although the original variants of Spectre have been mitigated, mitigations for the new variant are not expected until 16th March 2018, so companies are still at risk of exposure.
Target: Android devices/Facebook users
Attack Vector: Malicious app which steals credentials before using them to harvest more info
Summary: Throughout 2017 and into this year, malicious applications on Android devices have been a continuous, notable threat which we have reported on multiple times. Now in March 2018, a new malicious application “FakeApp” has been detected.
This application is notable for its aggressive methods, as it logs into its victims’ Facebook accounts and harvests account details from their devices. It also uses the search functionality on Facebook to amass further data. Its ability to crawl Facebook, scrolling through and collecting content, is something that has not previously been observed in Android malware.
Risk assessment summary: The threat is assessed as 3e MODERATE. While the threat is mainly limited to the Asia-Pacific region currently, the capability it shows is significant and in some cases never seen before. This could indicate a new trend which we may see more of in the future. The harvesting of such a wide range of personal data is also significant as it could be used to help facilitate a future attack or open up attack vectors on friends of the victim, who would also have information harvested during this attack. Furthermore, information could also be sold on the Dark Web, where there is no guarantee of a buyer’s intentions.
The target is what the attack is directed against. The primary target is whatever the main objective is: think data, data, data. The intermediate target is the hacker’s means of achieving the primary target. Intermediate targets include a network or network appliance, server, workstation, and mobile device (tablet, laptop, phone). Also included are infrastructure devices such as network-connected thermostats, circuit boards, and the software applications that run them. Many different types of devices are now connected to the Internet and controlled using web-based interfaces. These devices can be particularly susceptible targets unless proper investment is made to produce secure programming code.
Data is the end goal of attacking a target. Data can take many forms. A few examples are records in a database containing customer data or health records, data files such as word processing documents or drawings of intellectual property, your GPS location, the words being said in a conference room, your personal credit card information or that of your customers, and even video information.
1.1 The Hacker’s Objectives
There are many reasons why people hack computer powered devices, but they all boil down to data. Steal data! Change data! Destroy data!
The motivations and objectives of hackers vary widely. Motivations range from idle curiosity to criminal intent. Perhaps the hacker just wants to brag that he or she can do it, proving one’s cyber manhood (or womanhood). Perhaps the hacker was paid by a nation state for political and military benefit. Maybe the hacker was hired as an industrial spy for competitive and personal gain.
Objectives can be as simple as proving that the hacker could “log in” or as complex as stealing information from someone’s network for years without being noticed. Most of the time, the motivation has nothing to do with you personally, except that your data was valuable enough to merit the risk.
As examples, objectives might include:
- Denial of data access (blocking someone from accessing a storage device).
- Intellectual Property (IP) theft (stealing the top secret formula for a soft drink).
- Inflicting loss of reputation through exposure of sensitive information (revealing a political candidate’s tax returns or medical records).
- Creating loss of trust in a corporation (exposing a bank or credit card institution’s security weakness).
- Extortion (demanding a ransom payment in return for restoring one’s data access or keeping sensitive data from becoming public).
- Kinetic effect (having something happen in the real world—such as shutting off a power grid, controlling a patient drug infusion device, or controlling an airplane).
Computer and data security is broadly divided into physical security and logical security. Physical security (sometimes referred to as just “security”) includes building and personnel security. Logical security is focused on the data—both in storage and in transit on the network—and is sometimes called cyber security. Cyber comes from the word cybernetics which means the science of communications and automatic control systems. The military uses “cyber” to refer to computers or computer networking.
The general perception that cyber security is a relatively new field is false. Only the current emphasis in the media is new. Cyber security has existed for years; however, it previously received minimal funding and attention due to the costs of cyber defense. It also lacked visibility, because you don’t see attacks that were deflected—nor do organizations want you to be aware of how many times they have been attacked.
This article is a broad overview of cyber security. There are several sub-areas of cyber security, but not all experts classify cyber security the same way. There is not, as yet, an agreed-upon division or taxonomy of the subject. But relax. This article does not cover all these sub-areas and their sub-areas in detail. There are just enough highlights to make you an informed consumer, employee, or manager.
Cyber security tends to employ military terms like defense in depth, target, attack, offensive, and defensive. The various areas of cyber security use lots of terms that may be foreign to you. Included at the back of this book is a glossary of terms.
The decision of a hacker (or the hacker’s sponsor) to mount an attack is based on the perceived reward versus the risk—in other words, the ability to obtain or manipulate data without negative consequence. A defensive investment in cyber security—or how much you are willing to spend to defend against hacking—is driven by the value of the data versus the perceived risk of it being stolen, changed, or destroyed. As an example of low-cost security, I used to have a large dog that accompanied me on trips. To create the illusion of high risk, I would leave a two-inch chewed-through bone on the front porch while I was gone. It never failed to work.
So, what reward is worth the risk for a hacker?
RIG Exploit Kit (EK)
Analysis conducted by Palo Alto compared activity levels, malware payloads and network traffic characteristics from the RIG Exploit Kit (EK) between January 2017 and January 2018. RIG EK was the most prominent and popular EK across 2016, but has since seen a significant decline in its use. The decline in itself is interesting, but the identification by Palo Alto of recent developments in its use has much more business impact.
RIG EK’s decline has been observed since April 2017. Palo Alto views this as the result of arrests and “vendor efforts to fortify browsers and browser-based applications”. Additionally, malicious actors shifted their focus to other types of exploits, with the example of various Microsoft Office vulnerabilities evident. Similarly, actors also began using the phishing attack vector.
Firstly, the decline in RIG is not related to obfuscation or anti-detection techniques, although efforts had been made by the authors to include such components. Domain shadowing was removed and replaced with IP addresses. Base64-encoded strings were also used where the exploit kit had previously used English text in domains. The move from domain shadowing was forced upon the malware’s authors. In June 2017 a coordinated effort, documented by RSA Research, took down associated domain shadowing infrastructure.
The payload of RIG has also adapted. Analysis by Palo Alto highlighted that 36 out of 39 previous campaigns linked to RIG were used to send different types of ransomware, such as Locky, CryptoMix, CryptoShield and Spora. This has since changed to incorporate the ‘malware of the moment’, crypto miners. Specifically, Ramnit, Remcos RAT, coin miners and GandCrab ransomware were identified.
The threat from RIG EK has somewhat diminished but remains significant. As previously reported, crypto miners in themselves are on the lower end of the malware spectrum when comparing impact to business. The initial infection method, however, still requires remediation to prevent subsequent infections. In the profile by Palo Alto, evidence of the exploit kit switching from a crypto miner to an infostealer was presented. Although the frequency of attacks has changed and is likely to remain low, the change in payload is likely only temporary in nature.
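Added detection example, not taken from the Palo Alto report or from this article: a heuristic that scans proxy log lines for requests combining the two post-shadowing traits described above, a bare IP address where a domain used to be and a base64-looking token in the URL. The log format, IP addresses and paths are constructed for illustration; a request is only flagged when both traits are present, so ordinary IP-hosted fetches are left alone.

```python
import base64
import re
from ipaddress import ip_address

# Constructed proxy log lines (not from the Palo Alto report): timestamp src_ip method host path status
SAMPLE_LOG = """\
2018-01-10T09:12:01Z 10.0.0.21 GET 203.0.113.45 /cGFnZT1pbmRleCZzZXNzaW9uPTE0 200
2018-01-10T09:12:05Z 10.0.0.21 GET www.example.com /index.html 200
2018-01-10T09:13:40Z 10.0.0.37 GET 198.51.100.9 /?q=dXNlcj1hZG1pbiZ0b2tlbj1hYmMxMjM0NTY3 200
2018-01-10T09:14:02Z 10.0.0.42 GET cdn.example.org /static/app.js 304
2018-01-10T09:15:11Z 10.0.0.42 GET 192.0.2.77 /favicon.ico 404
"""

# 16+ base64-alphabet characters with optional padding; '/' is left out because it is the path separator.
B64_TOKEN = re.compile(r"[A-Za-z0-9+]{16,}={0,2}")

def is_ip_literal(host):
    """True when the Host is a bare IP address instead of a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def decodes_to_text(token):
    """True when the token is valid base64 whose decoded bytes are printable ASCII."""
    core = token.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)

def request_reasons(host, path):
    """Reasons one request matches the post-shadowing RIG pattern; both are needed to flag it."""
    reasons = []
    if is_ip_literal(host):
        reasons.append("host is an IP literal, not a domain")
    if any(decodes_to_text(t) for t in B64_TOKEN.findall(path)):
        reasons.append("path carries a base64 token that decodes to text")
    return reasons

def flag_suspicious(log_text):
    """Parse the log and return the requests that show both indicators, with reasons attached."""
    hits = []
    for line in log_text.splitlines():
        ts, src, _method, host, path, _status = line.split()
        reasons = request_reasons(host, path)
        if len(reasons) == 2:
            hits.append({"time": ts, "src": src, "host": host, "path": path, "reasons": reasons})
    return hits
```

Running `flag_suspicious(SAMPLE_LOG)` returns the two requests from 10.0.0.21 and 10.0.0.37 and ignores both the domain-hosted fetches and the IP-hosted favicon request, which has no encoded token.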
APT28 FancyBear Targeted Germany’s Interior Ministry Throughout 2017
Target: German Interior Ministry Network
Attack Vector: Possible phishing e-mail
Threat Actor: FancyBear
Summary: It has been reported by German security sources that a serious cyber-attack has been carried out against the servers of the country’s Interior Ministry throughout 2017, which was only discovered in December of the same year. It is believed that large quantities of data may have been obtained by the actors and authorities have suggested that APT28 (aka FancyBear, Pawn Storm, Sednit, Tsar Team and Sofacy) may be responsible.
Risk assessment summary: It is currently assessed that state-sponsored Russian actors continue to present an ongoing 2c HIGH threat to a broad spectrum of sectors. Although specific technical details of the latest breach have not been released at present, investigators have positively identified the presence of an unspecified malware on the affected servers.
The fact that investigators have stated Russian actors may be responsible for the attack, suggests the malware concerned may be one of the tools commonly used by APT28. The targeting of German political and intelligence entities is entirely compatible with the group’s previous activity in the country. The ability to covertly obtain intelligence from such a major player in the EU and, by implication, the Ukraine conflict would be highly attractive to Moscow.
It is likely that the attack was initiated via a phishing email which may have contained a specifically tailored lure. If APT28 is now in possession of personal details of German Interior Ministry personnel, the group might be able to refine future phishing campaigns to mimic subject lines copied from genuine email exchanges, increasing the likelihood of subsequent breaches.
The incident does serve to illustrate that the APT threat remains constant and that the tempo of such attacks is not necessarily bound to geopolitical effects on the ground, although increased military or political tensions often act as a driver for the subsequent release of hacked data.
It is recommended that all organizations ensure that system users receive sufficient training in order to understand and identify phishing emails. Additionally, the timely implementation of updates and patches cannot be over-emphasized and should always be treated as a matter of urgency, irrespective of any threat level. Monitoring of the threat environment will continue in order to identify further actionable intelligence.