Released this past week was the finding that hackers can infiltrate a network and remain undiscovered. This adds another dimension to the discussion of how the bad guys get in, stay, capture, remove data, and avoid getting caught. It also explains another reason for the value placed on a set of stolen credentials. The vast majority of systems are not monitoring what type of traffic is going on internally; they are really only looking at who enters.
Once a cyber-criminal is inside a network, they are going to use lateral moves and disguises as well. Catching a cyber-criminal inside requires the same intelligence inside as it does outside. The key is to set a baseline of standard behavior. All networks have a fairly stable cadence: each department has rights to go to and view certain areas, files, and information. The goal is to be positioned to see all the traffic via sensors throughout the network, as well as the information leaving the organization. That includes the standard entrance and exit points and Wi-Fi. Then make sure you have the ability to detect change factors, processes, abnormal behavior, and so on.
Intelligence should play a major role in the inside security functions as well. As on the outside, cyber attackers will use maneuvers to disguise and conceal. It takes intelligence to put together that an individual in marketing has no business in the daily accounting records or the legal department. In addition, the security platforms should alert administrators and security staff to abnormal behavior.
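As an added illustration of the baselining described above (example code written for this page, not Barrier1's product or analytics), the script below learns which share areas each department normally touches from a constructed set of internal access-log lines and then flags later accesses that fall outside that baseline, such as a marketing user reading accounting and legal records. The log format, field names, and share paths are assumptions.

```python
from collections import defaultdict

# Constructed sample logs (not real data): a baseline period, then a later
# period to evaluate. Format: "<timestamp> <user> <department> <action> <resource>"
BASELINE_LOG = """\
2014-11-03T09:01 alice marketing read /shares/marketing/campaigns.xlsx
2014-11-03T09:05 bob accounting read /shares/accounting/ledger-2014.xlsx
2014-11-03T10:12 carol legal read /shares/legal/contracts/acme.pdf
2014-11-04T11:40 alice marketing write /shares/marketing/press-release.docx
2014-11-04T14:02 dave accounting write /shares/accounting/ledger-2014.xlsx
2014-11-05T08:55 carol legal write /shares/legal/contracts/acme.pdf
"""

NEW_LOG = """\
2014-11-10T09:03 alice marketing read /shares/marketing/campaigns.xlsx
2014-11-10T23:47 alice marketing read /shares/accounting/ledger-2014.xlsx
2014-11-10T23:49 alice marketing read /shares/legal/contracts/acme.pdf
2014-11-11T10:15 bob accounting read /shares/accounting/ledger-2014.xlsx
"""


def parse(log_text):
    """Yield (timestamp, user, dept, action, resource) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            yield tuple(line.split())


def resource_area(resource):
    """Generalize a path to its top-level share, e.g. /shares/legal/x -> 'legal'."""
    return resource.split("/")[2]


def build_baseline(log_text):
    """Map each department to the set of share areas it touched during the baseline."""
    baseline = defaultdict(set)
    for _, _, dept, _, resource in parse(log_text):
        baseline[dept].add(resource_area(resource))
    return baseline


def find_deviations(log_text, baseline):
    """Return (timestamp, user, dept, resource) for accesses outside the department baseline."""
    hits = []
    for ts, user, dept, _, resource in parse(log_text):
        if resource_area(resource) not in baseline.get(dept, set()):
            hits.append((ts, user, dept, resource))
    return hits


if __name__ == "__main__":
    for hit in find_deviations(NEW_LOG, build_baseline(BASELINE_LOG)):
        print("ALERT: outside-baseline access", hit)
```

In practice the baseline would be rebuilt on a rolling window and the alert fed to the same analytics that watch the perimeter, so that a department's first-ever access to another department's share is surfaced rather than lost in the volume of normal traffic.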
Intelligent Threat Management in Real Time is as important for protection on the inside as it is at the perimeter.
New Rounds of Data Wiping Malware
Data wiping malware is not new. However, the latest version suggests cyber criminals are altering their strategies and processes just enough to get in.
Prevention discussions still revolve around human intervention, such as:
1. Do not open unknown attachments from people you do not know.
2. Individuals should be able to inspect a web site and decide if the site is safe.
The irony is that this is the method of prevention that has been suggested for years. If malware is getting past networks put together and secured by professionals, why are they still relying on non-technical individuals to identify it for themselves?
Data wiping malware has attributes that can be detected within the data stream, and they can all be identified there via machine analytics. Even though this malware has changed or become polymorphic, those attributes are still part of the process. Second, by identifying attributes and adding Intelligent Threat Management, you identify not just individual attributes but the process as a whole. The additional advantage of Intelligent Threat Management is that you have checks and balances: if one attribute is missed, another is in a good position to identify the attack.
The last part of the human intervention aspect is that of speed. The most intelligent and skilled cyber security experts can no longer identify and block cyber threats at the speed needed today. A world of rapid change and polymorphic attacks can easily defeat reactions that take minutes. Rapid change or never-before-seen events require reaction within microseconds.
Barrier1 Intelligent Threat Management inspects and analyzes all traffic and traffic types, and then reacts/blocks within microseconds.
ZeroAccess Bot is another great example of a multi-vector attack. In addition, it has shown resilience due to its flexibility in the use of the CnC component.
First, it really is a Trojan. It is used to download malware and infect machines. Infected machines are monetized via click fraud and bitcoin mining. In order to stay hidden, it uses rootkit techniques. ZeroAccess also infects the master boot record and random drivers. This gives the cyber-criminal total control. In addition, it can disable Windows Security Center, leaving no firewall protection and thus the machine wide open.
True to the form of today's cyber-attacks, several attack vectors are used.
1. Social engineering - by disguising itself as a legitimate file or including hidden code as an additional payload in an executable.
2. Advertising - by using click advertising to lure the user; once the ad is clicked, the user is redirected to an infected URL.
3. Third parties are being hired to install rootkits.
The first efforts by Microsoft were to kill the CnC connection. Not all CnC traffic used an outbound destination IP; some used P2P for the outbound channel.
Barrier1 stops ZeroAccess Bot in several ways.
1. Barrier1 has 5 versions of rootkits that are used for inspection.
2. Barrier1 inspects the payload of all packets.
3. Barrier1 analytics are applied to the ENTIRE data stream and analyzed in total. So, assuming the first CnC communications used a standard destination and thus showed "odd" outbound handshaking and communications, Barrier1 would block, alert, and learn. When the CnC switches to P2P, Barrier1 would have learned enough from blocking the previous CnC communication to STOP/BLOCK the P2P version of the CnC. This ability to learn and then apply would also work through a rapid change of IP source address throughout a multinational bot network.
Now Sony gaming has been hit again with a DDoS attack. It proves that a DDoS attack can be for hire. A mid-size DDoS attack can be generated for around $100; just use your PayPal account.
Time to rethink DDoS
Regin malware has just been identified. Like most malware, it is really not new. In many cases, new means just found; in reality, the malware has been operating, in some cases, for years.
Regin has several aspects that model former malware. Flamer, Weevil, Duqu, Stuxnet, and others were similar. These early versions introduced the concept of delivering in stages, having back doors, and being customized for specific targets.
There are 5 stages: the dropper, 2 steps of the loading process, 2 steps for the kernel, and then the payload. A user is tricked into visiting a spoofed version of a well-known web site. The dropper is installed via the web browser or an app. Regin has been found to originate from Yahoo, Instant Messenger, and similar channels. The remote access Trojans use features and processes found years ago and called RATs (remote access Trojans). They are intent on network monitoring, stealing passwords, and overall cyber theft. There are custom-built and modified EVFS files, RC5 encryption, ICMP/ping, embedded commands in HTTP cookies, and custom TCP and UDP protocol usage.
Barrier1, with its extensive Intelligent Analytics that deal with the entire data flow rather than each packet individually, would identify Regin in several ways.
- RATs were identified several years ago. Barrier1 has remembered how they operate and thus would detect and block.
- Barrier1 has already identified, blocked, and learned about Duqu, Stuxnet, Flamer, and Weevil. The very attributes of this malware would be identified through the Barrier1 AARE Engine and Analytics.
- Barrier1's extensive library of rootkits would detect the kernel framework.
- Barrier1 inspects the payload and thus would detect abnormal structures, requests, and behavior.
- The Barrier1 AARE Engine and Analytics would be able to detect spoofed web sites, even those that are NOT on any URL blacklist.
- Barrier1's extensive library of protocols would detect variants of RC5 and ICMP pings, and the custom TCP/UDP protocols would differ from the accepted RFC specs.
The following are threats to the cloud infrastructure:
- Data segregation and session hijacking are threats
- The multi-tenancy model is a great challenge to privacy
- Storage security at the cloud service provider's data centers is often directly linked
- Traditional breach opportunities do not go away
- Malicious users can sniff network packets and gain extensive insight
- Attackers can bypass the application logic to access the databases directly
- Cyber criminals have learned to move horizontally, making multi-tenancy vulnerable
- Check your SLA; do not assume service providers will be able to support electronic discovery or internal investigations of illegal activity
- What happens if the cloud provider goes out of business?
- Check your SLA; most of the time NONE of an organization's legal and regulatory compliance responsibilities are transferred to a provider when the organization adopts cloud services.
The cyber kill chain was documented to explain how cyber criminals were getting in. Several years ago, the single vector cyber-attack made its way to multi-vector approach. This also represents a process of events to accomplish goals set forth by the cyber-criminal.
These are individual steps. What was not addressed was the rapidly changing, never-before-seen, polymorphic attacks. The principles are the same, but solutions were put in place to perform functions at each stage.
The MISSING link was intelligence in real time. The key attributes of intelligence, as defined in Wikipedia, are knowledge, learning, memory, problem solving, and reaction time. Intelligence delivers the ability to learn and remember what each of the steps in the cyber kill chain did. Therefore, with the analysis or problem solving, and knowledge of the TOTAL situation, one can now react/block with extreme accuracy in real time.
Barrier1 Intelligent Threat Mgmt. goes beyond UTM, NGFW, Cloud Solutions, and Sandboxing
Intelligent Threat Management in Real Time
goes Beyond Static Analysis and Dynamic Analysis Sandboxes
Over $7B – $20B per year is being spent on network security. Yet, it is being reported that 8,000 - 30,000 new malware exploits are identified per month. Worse, they are getting through the defenses. UTM, NGFW, sandboxes, and cloud security services were supposed to have fixed or stopped the problem. In addition, there was the belief that spending a lot of money on these platforms and extensive vulnerability scans would leave you protected.
History Has a Clue
Network security was developed on a couple of notable fundamentals. The process went like this:
1. Early attacks were singular in nature, in that they had one attack vector.
2. Defense designs were first to find and identify the cyber-attacks.
3. The identification process consisted of finding someone who had been the recipient of the attack and then scanning that system.
4. Once found, craft a solution and then distribute the fix. This often took weeks to months.
This process was true for viruses, Trojans, bad web sites, and so on. It was the method used on routers using ACL rules and thresholds, firewalls using rules, AV using signatures, web content/URL filtering, IDS using definitions, and so on. That process could take months. As the profit and disruptive motives increased, new vulnerabilities in operating systems, applications, and processes were discovered faster and deployed faster. This ushered in new terms for exploits such as zero day, malware, bots, mutation, polymorphic, dynamic, automatic, evasive, rapid evolution, APTs, and so on.
The common themes in this evolution of attacks are:
• Sensors - Cyber criminals took some old and some new tools and used them to learn what was in place. They include key loggers, rootkits, threshold techniques, and so on.
• Time compression - New attack types and categories are developed and launched faster.
• Change - Once launched, they have the ability to change. That could mean a change in responses, clocking, and acknowledgements, required responses, ports, destinations, file structure, and so on.
• Intelligent evasion - Using packing, encryption, changing the required response time, or changing fingerprints of the code would all alter the outcome.
How did the Cyber Criminals change?
Cyber criminals continued to increase their activities. The increased activity compressed the time it took for new versions and methods. Second, they turned the cyber-attack structure from a single-vector to a multiple-vector approach. Third, cyber-attacks became a process. The process is:
These activities are much like any modern-day warfare. Cyber criminals used these steps to learn about their targets, figure out how to get around the defenses, attack, extract the information called for by the objective, and cover tracks. Over time this process became automated and ran at speeds that rendered present security solutions useless. Thus, $7B – $30 B is spent and cyber criminals are still getting through.
What is the Security Gap in today’s Approaches?
The fundamental security gaps are:
1. Learning - No real-time learning at the edge of networks
2. Remembering - No one remembers what they found
3. Analysis - No one is analyzing the entire data stream together and as a whole
4. Slow reaction - Today's network speeds require inspection, analysis, and reaction within microseconds.
5. Automation - Humans can no longer analyze fast enough to be effective
These fundamental requirements are absent in UTM, NGFW, sandboxing, and cloud-based security solutions.
A new category is on the horizon. Some media outlets are calling it the "Breach Detection Market". So, what is this and how would it work? In order for this to work you will have to A. identify and block the known cyber attacks and B. identify and block the never-before-seen cyber attacks. All in real time.
Using real-time intelligence at the edge of networks is the only way.
More and more malware is being discovered that involves IP and SCADA. BlackEnergy is one of those. This is another case proving that malware and APTs are a process.
BlackEnergy's capabilities include a Trojan with custom plug-ins; it steals digital certificates and passwords, attacks and can launch attacks from Cisco routers and other networking devices, targets ARM and MIPS platforms, can launch DDoS attacks, and is compatible with a number of protocols like SMTP, HTTP, and FTP. BlackEnergy can launch DDoS attacks, delete all system tracking and files related to the malware, and gather information from USB. For CnC it uses a lot of different servers.
Barrier1, with all of its components and the SCADA protocols, would be able to identify this attack. One of the main reasons is the ability to learn, inspect all traffic, and analyze the traffic in total; for example, if a DDoS is launched, Barrier1 would learn about the origins and stop that source if it then tried to steal digital certificates. In addition, Barrier1 has various versions of keyloggers on board acting as sensors. If the keyloggers detect activity and block it, the key attributes are logged in the onboard database and thus available for immediate (12 microsecond) use in the analytics for the next packet.