<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/whitelisting/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Making &#8220;Shady RAT&#8221; Useful: An Open Letter to McAfee, Symantec &amp; the Australian DoD&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/</link>
		<comments>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/#comments</comments>
		<pubDate>Fri, 05 Aug 2011 13:42:16 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Shady RAT]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3427</guid>
		<description><![CDATA[Earlier this week, I wrote a post comparing the  cybersecurity strategies of the United States and Australian Departments of Defense.  In that post, I applauded the Australians for having a strategy that was &#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221; The [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I wrote a post comparing the <a href=" http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/" target="_blank"> cybersecurity strategies </a>of the United States and Australian Departments of Defense.  In that post, I applauded the Australians for having a strategy that was <i>&#8220;detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.&#8221;</i> The strategy was based on the DoD&#8217;s Defence Signals Directorate&#8217;s (DSD) analysis of attacks&#8211;learning from what happened to suggest approaches that would have prevented the attacks/breaches. The strategy outlined 35 mitigations, with a strong recommendation to implement the top 4 strategies (#4 is application whitelisting, btw):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>Also earlier this week, McAfee released a report that just about everyone in the security industry has likely now read, <a href="http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf" target="_blank">“Revealed: Operation Shady RAT”</a>.  The report, written by Dmitri Alperovitch, VP Threat Research at McAfee, is an eye opening read covering targeted intrusions into over 70 global companies, governments and non-profit organizations over the last 5 years. The report covers the types of organizations hit the hardest (not shockingly, defense contractors led the list with 13 of the intrusions detected), the ramifications of the breaches, estimated times each were compromised (shortest being 1 month, an honor shared by 9 victims) and even outlines the generic attack approaches utilized:<span id="more-3427"></span></p>
<blockquote>
<p>The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command &#038; Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.</p>
</blockquote>
<p>(Side note: Not to be outdone, Symantec did their own analysis of the attacks, which adds even more details.  You can find that analysis <a href="http://www.symantec.com/connect/blogs/truth-behind-shady-rat" target="_blank">here</a>.)</p>
<p>In short, the McAfee report does an excellent job of driving home Dmitri&#8217;s (and most security professionals&#8217;) key message:</p>
<blockquote>
<p>&#8220;I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that <b>know they’ve been compromised</b> and those that <b>don’t yet know</b>.&#8221;</p>
</blockquote>
<p>Which finally brings me to the objective of this post. <b>This is an Open Letter to McAfee, Symantec and the Australian DoD. Let&#8217;s find a way of making the &#8220;Operation Shady RAT&#8221; project truly useful.</b>  Please combine the known attacks from &#8220;Operation Shady RAT&#8221; with the best practice mitigation methodology utilized by the DoD in creating their 35 mitigation recommendations.  Truly analyze the security processes and procedures that were in place at each victim, perhaps categorized by their effectiveness in shortening or avoiding the breach (I have to believe that the 9 entities that had the shortest compromises were doing something different than the ones that remained compromised for years), and create a modified (if necessary) version of the DoD&#8217;s mitigation recommendations.  That would be truly useful&#8230; beyond the BFO (blinding flash of the obvious) from the original report:  That all entities with any valuable infrastructure or information fit &#8220;into two categories: those that <i>know they’ve been compromised</i> and those that <i>don’t yet know</i>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/making-shady-rat-useful-an-open-letter-to-mcafee-symantec-the-australian-dod/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale of Two DoDs: U.S. and Australian cybersecurity plans differ in depth and usefulness&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/</link>
		<comments>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 12:47:28 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3409</guid>
		<description><![CDATA[Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  
Toney Jennings, CoreTrace CEO and a former Air Force [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  </p>
<p>Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD&#8217;s <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a>.  The main objective of his <a href="http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/">“DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &#038; companies???”</a> post was to openly challenge the US DoD to modify their procurement and evaluation processes to enable small and innovative companies to assist in cyber defense.  However, Toney also made a few other key points. Most relevant to this post is that Toney highlighted that the document was <b><i>extremely high level and highly prone to status quo thinking and actions</i></b>, e.g.,</p>
<blockquote>
<p>&#8220;Unfortunately, a significant portion of the document is simply reiterating the government’s &#8216;business as usual&#8217; tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8216;no one ever got fired for buying from&#8217; large companies and contractors.&#8221;</p>
</blockquote>
<p>Which brings me to the Australian DoD.  In contrast to the high-level US cyberstrategy document, the Australian DoD&#8217;s <a href="http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf">“Strategies to Mitigate Targeted Cyber Intrusions”</a> plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.<span id="more-3409"></span> There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four strategies.  According to the DoD&#8217;s Defence Signals Directorate (DSD):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>I strongly recommend reading the whole document, but here are the four key strategies:</p>
<blockquote>
<ol>
<li><strong>1. Patch applications</strong> e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.</li>
<li><strong>2. Patch operating system vulnerabilities.</strong> Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.</li>
<li><strong>3. Minimize the number of users with domain or local administrative privileges.</strong> Such users should use a separate unprivileged account for email and web browsing.</li>
<li><strong>4. Implement application whitelisting</strong> to help prevent malicious software and other unapproved programs from running.</li>
</ol>
</blockquote>
<p>I sincerely hope the US DoD will take a page from their Australian counterparts.  Learn, adapt, and survive. It is a far better strategy than simply staying pat.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Lessons from Booz, RSA, Epsilon, etcetera: Partners may be your weakest security link&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/</link>
		<comments>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 16:26:14 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3320</guid>
		<description><![CDATA[Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.
On the surface, this week’s breach of 90,000 military [...]]]></description>
			<content:encoded><![CDATA[<p>Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.</p>
<p>On the surface, this week’s <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">breach of 90,000 military e-mails and password hashes</a> may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is the exploited server was not the military’s. The server belonged to government contractor, Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.</p>
<p>In the case of the <a href="http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/">Epsilon security breach</a>, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.<span id="more-3320"></span></p>
<p>Much like the supply chains of the 1990s that tied systems together, today’s business enterprises are built on the same idea. Unfortunately, with a number of different partners connecting in real-time to a central network, an organization’s security is only as good as its partners’ security practices. If even a single partner does not adhere to today’s best practice security standards, that partner becomes the weakest link in the chain. Cyber criminals know this, and this week’s military breach is a prime example of what happens when hackers exploit a business partner to get to another business.</p>
<p>In today’s world, the epicenter of a cyber attack isn’t necessarily at the core of your network anymore. With so many endpoints connecting to your enterprise, how can you protect yourself when you can’t control the assets people use to get to your network? The fact is, organizations and people are getting hit in and between companies. The fight against cyber crime is becoming more about the weakest link in the entire value chain, not the organization, itself.</p>
<p>Insisting on best practice security standards from all of your partners can be a first step to protecting your endpoints from attacks that start outside of your network. However, relying on your partners to maintain updates to ensure your corporate policies are enforced can potentially leave your network vulnerable to outside attacks. That’s why when pushing security standards, we recommend mandating a proactive security posture for your own endpoints and those of all of your partners. Naturally, we feel strongly that deploying an application whitelisting solution like <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">CoreTrace Bouncer</a> is a key component of that proactive strategy. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Verizon&#8217;s 2011 DBIR: More breaches, more targets &amp; fewer lost records???</title>
		<link>http://www.coretraceblogs.com/2011-04/verizons-2011-dbir-more-breaches-more-targets-fewer-lost-records/</link>
		<comments>http://www.coretraceblogs.com/2011-04/verizons-2011-dbir-more-breaches-more-targets-fewer-lost-records/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 17:47:57 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[automated attacks]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[malware attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3046</guid>
		<description><![CDATA[I’ve been saying for some time now that no business, regardless the size, is safe from modern cyber attacks. Each new security study seems to confirm the stark realities of today’s threat landscape, and how rampant data breaches really are. Even as I write this blog, it’s troubling to think about the countless number of [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve been saying for some time now that no business, regardless the size, is safe from modern cyber attacks. Each new security study seems to confirm the stark realities of today’s threat landscape, and how rampant data breaches really are. Even as I write this blog, it’s troubling to think about the countless number of organizations that are going about their normal daily business operations that don’t realize that dangerous malware has already penetrated their network, or that their data has been compromised.</p>
<p>Here’s a good case in point. In the recent article, <a href="http://news.cnet.com/8301-27080_3-20055116-245.html">“Verizon: More breaches but less data lost. Huh?!”</a> Verizon’s 2011 Data Breach Investigations Report found that the number of data breaches from cyber attacks increased from 140 in 2009 to 760 last year. That’s a significant jump over a one-year span. On the flip side, however, the number of compromised records surprisingly fell to four million, down from 144 million in 2009.<span id="more-3046"></span></p>
<p>According to Alex Hutton, principal for research and intelligence at Verizon, this mixed trend could be the result of cyber criminals focusing on smaller businesses that don’t have adequate security measures in place, and the fact that criminals may be wanting to make a fast buck on credit card information that continues to lose value in the black market.</p>
<blockquote>
<p><em>&#8220;There has been a shift in the threat landscape, and organized crime is targeting medium to small-sized businesses in the U.S. What we&#8217;re seeing is the bad guys exploiting people who haven&#8217;t taken basic security considerations into account in their small business. An attacker is running an automated attack, basically looking for people who have let their guards down. They are introducing malware into the environment, and if it&#8217;s credit cards they are after they&#8217;ll just scoop up a handful at a time.&#8221;</em></p>
</blockquote>
<p>The leading attack types were hacking (50%) and malware (49%), with malicious software responsible for nearly 80% of the lost data. Nearly two-thirds of the malware was customized, which easily bypasses traditional blacklist-based solutions. The report also found that external attacks accounted for 92% of the breaches (up 22% from 2009), which is completely consistent with the primary attack vectors.</p>
<p>Despite all the findings, one of the things I found intriguing was the report’s conclusion that most of the breaches could have been avoided with basic, affordable security measures in place. With an increasing amount of <a href="http://www.coretraceblogs.com/2011-04/gartner-find-malware-needles-by-removing-the-hay/">undetectable needles in the enterprise haystack</a>, now more than ever organizations need to take a proactive approach to stopping automated attacks that can compromise their data. Endpoint security solutions like CoreTrace’s <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">Bouncer application whitelisting solution</a> help businesses prevent harmful malware from running on their networks, as well as identify and remove any previously undetected worms or viruses, reducing the impact and loss caused by stealthier cyber attacks and other malware variants designed to make things look like business as usual.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-04/verizons-2011-dbir-more-breaches-more-targets-fewer-lost-records/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for March 2011 &#8212; Cyber criminals setting new sights on unprotected intellectual property and government networks</title>
		<link>http://www.coretraceblogs.com/2011-04/top-endpoint-security-stories-for-march-2011-cyber-criminals-setting-new-sights-on-unprotected-intellectual-property-and-government-networks/</link>
		<comments>http://www.coretraceblogs.com/2011-04/top-endpoint-security-stories-for-march-2011-cyber-criminals-setting-new-sights-on-unprotected-intellectual-property-and-government-networks/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 15:41:27 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[exploit technique]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware threats]]></category>
		<category><![CDATA[PDF exploits]]></category>
		<category><![CDATA[Trojan attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2956</guid>
		<description><![CDATA[New trends in cybercrime show that hackers are shifting to more monetarily valuable information &#8212; unprotected intellectual property, and federal government networks. While traditional antivirus solutions struggle to keep up with today’s prolific attack software, Gartner recommends whitelisting as a complementary security defense in preventing malware attacks on corporate networks and PCs. Here are some [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">New trends in cybercrime show that hackers are shifting to more monetarily valuable information &#8212; unprotected intellectual property, and federal government networks. While traditional antivirus solutions struggle to keep up with today’s prolific attack software, Gartner recommends whitelisting as a complementary security defense in preventing malware attacks on corporate networks and PCs. Here are some of the top endpoint security stories for March 2011.<span id="more-2956"></span></p>
<h3>Cyber criminals eyeing unprotected corporate intellectual property</h3>
<p>With their sights set on something of more monetary value, cyber criminals are shifting their focus from customer and employee data like Social Security numbers to unprotected corporate intellectual property. With many high-profile organizations being hit by more sophisticated attacks, reactive security approaches are making it difficult for organizations to keep up with the bad guys.</p>
<p>According to the article, <a href="http://www.infoworld.com/d/security/forget-social-security-numbers-cybercriminals-want-your-ip-000" target="_blank">“Forget Social Security numbers &#8212; cyber criminals want your intellectual property,”</a> hackers are getting better at posing as insiders to infiltrate organizations’ networks. As a result, Scott Aken, VP for cyber operations at the Science Applications International Corporation (SAIC), said new strategies are needed to combat today’s cyber criminal techniques.</p>
<blockquote class="margin_bottom_2em">
<p>&#8220;Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely &#8212; just as an insider would. Having defensive strategies against these blended insider threats is essential, and organizations need insider threat tools that can predict attacks from this blended threat.&#8221;</p>
</blockquote>
<h3>Gartner report recommends whitelisting as a ‘complementary’ malware defense</h3>
<p>A Gartner report released in March said that while whitelisting technology is a way to prevent malware attacks on corporate servers and PCs, it recommends whitelisting be used as a complementary security defense, not a substitute for traditional antivirus software.</p>
<p>According to the article, <a href="http://www.networkworld.com/news/2011/031111-whitelisting-malware.html" target="_blank">“Whitelisting on its own not a substitute for antivirus software,”</a> because blacklist-based solutions can no longer keep up with today’s prolific attack software, enterprises should consider application control and whitelisting as a “strategic or tactical approach” to help protect their network endpoints from malicious code.</p>
<p class="margin_bottom_2em">To some people&#8217;s amazement, CoreTrace actually agrees with many of Gartner&#8217;s opinions on this topic, as I wrote about in this post: <a href="http://www.coretraceblogs.com/2011-03/why-whitelisting-is-not-a-standalone-replacement-for-traditional-antivirus/">“Why whitelisting is not a standalone replacement for traditional antivirus…”</a>. Please let me know your thoughts on it.</p>
<h3>Attacks on federal government networks increased in 2010</h3>
<p>According to a recent Congressional report, federal government networks experienced a <a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229400156&#038;subSection=Security" target="_blank">39% jump in the number of cyber attacks in 2010</a> over the previous year, but overall incidents reported to US-CERT were down. While phishing attacks dropped, Trojans, viruses and worms were among the types of attacks that increased year-over-year.</p>
<p>To help government agencies protect their networks from more targeted malware attacks, the National Institute of Standards and Technology (NIST) published a <a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229300035&#038;subSection=Security" target="_blank">report</a> to support the Federal Information Security Management Act (FISMA).</p>
<p class="margin_bottom_2em">Instead of focusing strictly on IT initiatives, NIST recommends organizations take a broader approach to federal IT security by considering risk management and security in their overall objectives and business functions. By prioritizing decisions around security, organizations can better address new security challenges facing the federal government and U.S. critical infrastructure.</p>
<h3>Trojan-based attacks still top malware threat</h3>
<p>Several security studies found that <a href="http://www.eweek.com/c/a/Security/Botnet-Trojan-Activity-Increased-in-February-553094/" target="_blank">Trojan-based attacks remain the top malware threat</a>, accounting for six of the top 10 threat types in February. With 1 in every 290 emails malicious, Symantec’s 2011 MessageLabs Intelligence Report said the month was one of the most prolific periods ever for the threats. The report also found that governmental organizations were the most targeted, with 1 in 41.1 emails blocked as malicious.</p>
<p>Based on the botnet activity patterns, it appeared that cyber criminals were working together as well-timed and highly targeted Zeus, SpyEye and Bredolab variants were distributed in alternating patterns throughout the month.</p>
<p>While Trojan-based attacks led the way, Symantec and GFI Software researchers said PDF exploits accounted for a growing number of document types used in cyber attacks. Looking at the current trends, by the middle of this year 76% of targeted malware could be used for PDF exploits, which concerns Paul Wood, MessageLabs Intelligence senior analyst.</p>
<blockquote>
<p>“PDF-based targeted attacks are here to stay and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware.”</p>
</blockquote>
<p>While Panda Security researchers reported Trojans were responsible for 61% of malware infections, the only silver lining was that infection rates dropped from 50% in January to 39% in February.</p>
<p>Thanks for reading this month’s wrap-up security blog. Be sure to regularly stop by to read and provide your thoughts on the biggest stories in the security industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-04/top-endpoint-security-stories-for-march-2011-cyber-criminals-setting-new-sights-on-unprotected-intellectual-property-and-government-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

