Building A Better Toolset

IN the last year, information security researchers have warned black hat activity had shifted from digital vandalism to financially motivated attacks. Once motivated by curiosity or the desire to gain notoriety, attackers are now driven by profit. Today’s most ominous threats are designed to gather financial information. In the last half of 2006, the Symantec security response organization observed increases in adoption of targeted-threat techniques, such as polymorphics and rootkit technologies, and reported 54 percent of the attack code was designed to harvest sensitive or proprietary information.

Hacking isn’t a kid’s game anymore. It’s big business. Professional hackers are now organized career criminals that launch narrowly focused targeted attacks in order to hold for ransom, destroy or steal information—all with financial profit in mind. Security industry research firm Gartner has identified targeted attacks as the top security threat facing businesses in the next two years. In its 2006 Cyberthreats Hype Cycle, Gartner predicts by 2008 nearly 40 percent of organizations will be targeted by financially motivated cybercrime and urges businesses to invest in preventative measures.

Slow to Act
The targeted-attack threat is real, but it has yet to garner serious attention from CSOs. Enterprises face an ever-changing set of computer and information security issues due to the dynamic nature of today’s threats and the increasing dependence on technology as a business enabler. In confronting the cyberthreat challenge, enterprises have been successfully mitigating the traditional threat environment with firewall, anti-virus patching and other practices. The management of these security technologies is providing reasonable safeguards against traditional attacks. But, even a flawless implementation of security will leave an enterprise susceptible to new or unknown vulnerabilities. An organization also can be exposed to external threats—the window of time between a patch’s release and application.

Regrettably, it’s difficult for security officers to justify spending more money on information security. It has been nearly two years since Zotob’s impact prompted industry experts to advocate the use of some form of traffic inspection that filters for illegitimate transactions. Although Zotob’s vulnerability-to-exploit cycle should have been a wake-up call for enterprise security officers. Symantec Research Labs documented 2,249 new vulnerabilities in the first half of 2006, up 18 percent over the second half of 2005. This is the highest number ever recorded for a six-month period.

A review of data illuminates why security officers have not felt compelled to address the targeted attack threat. Targeted attacks are custom-built, narrowly focused exploits that target specific companies or industries. Security research companies have not defined a targeted-attack signature. In spite of record-level vulnerability statistics, there is no identifiable attack behavior to defend against. Targeted attacks are typically the product of social engineering, constructed using insider information, making the level of customization almost impossible to detect with conventional security products. The concept is so vague that security officers have a difficult time factoring the potential of a targeted attack in a risk assessment process.

A Classic Example
Targeted attacks can lead to exposure of mission-critical business data or customer-sensitive information and inflict serious damage to corporate reputation. Perhaps the best illustration of a targeted attack occurred at TJX, the parent company of T.J. Maxx, Marshall’s and HomeGoods stores. On Jan. 17 the retailer said that computer systems storing credit card, check and merchandise return transaction data were compromised. In a recent SEC filing, TJX disclosed that more than 45 million credit and debit card numbers may have been stolen from its systems over an 18-month period, making it the single largest customer data breach to date.

A classic targeted attack example, TJX doesn’t know whether there was one continuous intrusion or multiple, separate breaches of its data security. It is the stealthy nature of targeted attacks that is so dangerous. The attacker employs exploit techniques designed to both evade detection and cover tracks.

Cybercriminals want to operate under the radar. The crimeware programs used in a targeted attack are too valuable to waste on an attention-grabbing event. Major outbreaks get detected too soon, trigger mass patching by users and investigations by law enforcement agencies. Cybercriminals are more apt to craft a slow and stealthy attack designed to install malicious code on a select set of targeted machines.

Evolution of Exploit Frameworks
Cybercriminals increasingly rely on powerful exploitation frameworks to launch attacks. Free tools like Metasploit and commercial tools like CORE IMPACT and Immunity CANVAS have revolutionized attacker methodology. Previously, upon finding a vulnerability, the attacker either had to create custom exploit codes from scratch or scour the Internet to find such codes to exploit the hole. Today, instead of scraping together individual exploits, integrated exploit frameworks include numerous exploits to compromise target systems.

One property of exploit tools is separation of the exploit from the payload. An exploit is the software taking advantage of a flaw, letting the attacker load and execute a program of the attacker's choosing. The code triggered by the exploit is known as the payload. Traditional attacks tightly bundled exploits and payloads together. An attack might exploit a database buffer overflow with the purpose of adding the attacker as a user to the local administrators group. But, with this tight integration, the attacker was stuck with the payload attached to the exploit for the specific vulnerability.

Taking the payload from one attack and embedding it with another exploit required deep technical knowledge and serious coding skills. To remedy the situation, today's exploit frameworks include an arsenal of different exploits and payloads, each offering a different effect. So today, the attacker can use a tool like Metasploit to choose an exploit, such as a buffer overflow in lsass.exe. Then, the attacker can choose from more than a dozen different payloads. Metasploit packages the payload with the exploit and then launches it at the target.

The real effect of these frameworks reverberates through the industry. Developers who create fresh exploits for new flaws don't have to reinvent the payload wheel every time. They can focus their time on perfecting exploits and quick production. Moreover, those developers who focus on payloads can now zoom in on the production of high-quality payloads.

Detecting a Targeted Attack
The problem with commonly deployed security tools is the reliance on signatures or rules. In order for a security tool to stop an attack, it requires specific knowledge about the attack, such as an exploit signature. Customers often have to wait days or weeks to get a working signature for a new exploit, leaving the network exposed to anyone with malicious intent. But in the current threat environment, attackers are often one step ahead of the products designed to thwart them.

The challenges facing information security teams are daunting. Targeted threats can lead to exposure of mission-critical or customer-sensitive data and can inflict serious damage to a corporate reputation. A growing number of data security standards and regulations can result in sanctions, fines and civil liability if a targeted attack is successful. In this gathering storm, where attack activity is motivated by financial gain, security teams need purpose-built tools to combat targeted threats.

Anomaly-based threat detection offers the most effective solution for addressing the targeted threat dilemma. At the core of this new threat detection technology are anomaly-based algorithms used to identify emerging threats. Four types of anomaly detection are used in commercially available solutions.
• Protocol detects packets that are too short, have ambiguous options or violate specific application layer protocols. It is most useful for detecting host-level attacks.
• Rate-based detection shows floods in traffic using a time-based model of normal traffic volumes. Most useful for detecting denial-of-service attacks.
• Relational or behavioral detection shows changes in how individual or groups of hosts interact with one another on a network. For example, a normally quiet host that starts connecting to hundreds of hosts per second on the SQL port indicates a worm. It is useful for a variety of threats, from worms and malware to insider misuse.
• Statistical detection shows changes in normal content usage by identifying deviations in each application traffic, flow direction and packet size. It is most useful for identifying unknown, application-layer exploits.

Not all anomaly-based security solutions are created equal. Capabilities are largely a function of supported algorithms. When evaluating new solutions, it is important to discern the type of threats the products are designed to detect. In order for an anomaly-based detection solution to proactively identify zero-day worms, malware, acceptable-use policy violations and insider misuse, the product should employ a multi-algorithm approach.

There's both an art and a science to applying anomaly detection. Effective use of the technology by security vendors requires deep experience with networks, threats and the appropriate anomaly-detection algorithms for a given threat model. When done well, anomaly detection is effective in finding and foiling network-borne threats and should be part of everyone's security tool set.

Specialized Attack Techniques
Cybercriminals find the victims by diligently profiling hosts to identify large and vulnerable targets. There are numerous techniques used to spawn a targeted attack:

Bots. A bot (short for robot) is a computer where a worm or virus has installed programs that run automatically and allow cybercriminals complete access and control. Cybercriminals use viruses or other bots to search for vulnerable computers where they can load programs or store data. A botnet is a collection of infected machines that can be centrally controlled and used to launch simultaneous attacks. Spammers, hackers and other cybercriminals are acquiring or renting botnets, making it harder for authorities to track down the real culprits.

Keylogging. These programs covertly recover keys typed by a computer user. The program either stores the data for later access or secretly sends the information to the author. The advantage of a keylogger program is a cybercriminal does not need to trick a user into supplying sensitive information.

Bundling. This entails embedding a virus or spyware to a benign or legitimate download, such as a screensaver or a game. When the computer user downloads and installs the legitimate file, they also are unwittingly installing the criminal program.

Denial of service. An attack specifically designed to prevent normal functioning of a computer network or system, it also prevents access by authorized users. A distributed denial-of-service attack uses thousands of computers captured by a worm or Trojan to send a landslide of data in a very short time. Attackers can cause denial-of-service attacks by destroying or modifying data or by using zombie computers to bombard the system with data until its servers are overloaded and cannot serve normal requests.

Packet sniffers. These are software programs that monitor network traffic. Attackers use packet sniffers to capture and analyze data transmitted via a network. Specialized sniffers capture passwords crossing a network.

Rootkit. This is a set of tools used by an intruder after hacking a computer. The tools allow the cybercriminal to maintain access, prevent detection, build hidden backdoors and collect information from compromised computers.

Spyware. Spyware is software that gathers information without the user’s knowledge. Spyware is typically bundled covertly with another program. The user does not know installing one also installs the other. Once installed, the spyware monitors user activity on the Internet and transmits information in the background to someone else.

Social engineering. Social engineering is not limited to cybercrime, but it is an important element of cyberfraud. Social engineering tricks deceive the recipient into taking an action or revealing information. The reasons given seem legitimate, but the intent is criminal. Phishing is an obvious example—a certain percentage of users will respond unthinkingly to a request that appears to be from a legitimate institution.

Worms and Trojans. A Trojan is a malicious program unwittingly downloaded and installed by computer users. Some Trojans pretend to be a benign application. Many hide in a computer’s memory as a file with a nondescript name. Trojans contain commands a computer automatically executes without the user’s knowledge. Sometimes, it can act as a zombie and send spam or participate in a distributed denial-of-service attack. It may be a keylogger or other monitoring program that collects data and sends it covertly to the attacker. Worms are wholly contained viruses that travel through networks, automatically duplicate and send programs to other computers.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3