Attacks on computer security infrastructure used to be little more than indiscriminate acts of vandalism perpetrated by hackers who desired bragging rights more than anything. But the perpetrators of attacks and their motivations have changed. Security intelligence experts have detected the tell-tale signs of organized crime gangs and government espionage in attacks, and a hacker community much more motivated by financial gain than personal or political fulfillment. The resulting increase in attack sophistication means that companies must adopt a more vigilant and correspondingly sophisticated approach to defending their environments.
New Genres of Attack Indicate Organized Criminal Involvement
In recent times, security attacks have become far more sophisticated in nature, targeted at particular organizations and user groups, and designed for financial gain. Three particular types of attack are becoming more common:
- Targeted Trojans. Targeted Trojan attacks have much the same effect as conventional Trojans, often opening back doors and covert channels for the theft of information. What makes targeted Trojans different is that they are built specifically for use against a particular organization or user group. Because they are not widespread, they slip under the radar of the antivirus (AV) vendors who develop new signatures and are seldom detected by AV software. For example, the UK National Infrastructure Security Coordination Centre (NISCC) reported a sophisticated targeted Trojan attack on the UK Ministry of Defence and other government agencies. In another case, the Grams e-gold attack sent users an email, purporting to come from the IT organization, that prompted them to run a script to update configuration settings. In reality, the script connected to the Internet, then downloaded and executed a program that monitored the user's Web browsing. If the user accessed an account at the financial Web site www.e-gold.com, the Trojan opened a hidden Web session in the background and drained the user's account.
- Zombie bot attacks. In the last couple of years there has been an explosion in attacks that begin by infecting legions of Internet-connected home computers with malware. These networks of infected machines are known as "zombie bot networks" or "botnets"; the attackers take control of the machines and use them to send spam or phishing messages, or to launch distributed denial of service (DDoS) attacks against Web sites. Researchers at messaging security vendor CipherTrust found, on average, more than 170,000 newly infected zombie machines every day during May 2005. Another worrying aspect of zombie bot DDoS attacks is that they often go hand-in-hand with an attempt to extort money from the victim organization. Typically, the criminal demands payment under threat of a DDoS attack against the victim's Web site. In contrast to a virus or worm that hits globally and gets extensive publicity, a DDoS extortion attack hits one organization, which generally keeps very quiet about it.1 In the UK, the National Hi-Tech Crime Unit (NHTCU) reported that more than 50 UK companies were hit by DDoS extortion attacks in 2004, and last summer it arrested members of a Russian crime gang that had netted £1.3 million in 90 days through this type of extortion.
- Sophisticated phishing and message-based fraud attacks. Email- and IM-based phishing attacks are getting more sophisticated and more targeted, sometimes using multiple vectors of attack to obtain information from system users. For example, one recent phishing attack appeared to direct users toward the search site Ask Jeeves, but instead directed them to a spoofed site that downloaded a keylogger onto their machine.2 The keylogger then waited until the user accessed an online banking application and forwarded the keystrokes to a malicious Web site. Also, last November phishers used cross-site scripting vulnerabilities in SunTrust Banks' and Citibank Australia's Web sites to make the target URLs in phishing emails appear legitimate.
Successful Attacks are Often Multifaceted
Most successful attacks in recent years have involved a combination of the following elements:
- Social engineering. People are usually the weakest link in any security program. For example, in a recent industrial espionage scandal involving Israeli telcos and software companies, targeted Trojans were distributed on marketing CDs.3 Phishing attacks almost always rely on tricking the user into opening a bogus Web site. During a social engineering experiment at the IRS, auditors posing as network technicians tricked one-third of users into giving up their passwords over the phone. In an experiment at the Infosecurity Europe conference, more than 90% of users gave up commonly used identity data, such as pets' names and the name of the first school they attended, in exchange for the chance to win theater tickets.
- Breakdown in process. Improperly defined processes or badly enforced policies are often a factor in security breaches. For example, last month's breach at credit card transaction processor CardSystems was largely the result of data that should have been discarded being retained, unencrypted, for troubleshooting purposes. In another high-profile case, ChoicePoint failed to properly check the backgrounds of criminals posing as business customers, who stole the identity data of up to 145,000 people.4
- Technical vulnerability. Technical vulnerabilities like unpatched systems, improperly applied access controls, and unvalidated inputs are usually an important part of a successful attack. For example, payroll company PayMaxx had to disclose that it had potentially exposed more than 25,000 customer W-2 records after security researchers at software company Think Computer found improperly applied authorization controls at its Web site.
- Insider abuse. Many of the most successful attacks are the result of authorized users abusing their access privileges. In a recent case in New Jersey, a fraudster paid employees at several large banks, including Wachovia and Bank of America, to supply customer account details which he then sold to collection agencies and attorneys. As many as one million customer account details may have been compromised in this scam. Business partners also often have access to sensitive corporate information. In 2002, credit reporting company Experian reported that 13,000 customer records were stolen using an authorization code belonging to Ford Motor Company.
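The authorization failure in the PayMaxx case is the kind of flaw a small example makes concrete. The following Python is an added illustration written for this page, not PayMaxx's code and not a claim about exactly how its site was built: a record lookup that checks only that the caller is logged in, beside one that also checks that the caller owns the record, plus a strict parser for the record ID in place of an unvalidated input. The users, session tokens and W-2 records are constructed sample data.

```python
"""Added example: a missing object-level authorization check beside its fix.

Illustrative code for this page, not PayMaxx's code; the users, session
tokens and W-2 records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class W2Record:
    record_id: int
    owner: str   # username of the employee the form belongs to
    wages: int   # constructed value


# Constructed store keyed by record ID. Sequential IDs are what make a
# missing ownership check trivially enumerable.
RECORDS = {
    1001: W2Record(1001, "alice", 52000),
    1002: W2Record(1002, "bob", 61000),
    1003: W2Record(1003, "carol", 48000),
}

# Constructed session table: token -> authenticated username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    pass


def parse_record_id(raw: str) -> int:
    """Input validation: accept only a short, positive, all-digit string."""
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError("record id must be a positive integer")
    return int(raw)


def get_w2_vulnerable(session_token: str, raw_id: str) -> W2Record:
    """Authentication only: any logged-in user can read any record."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    record_id = parse_record_id(raw_id)
    return RECORDS[record_id]   # never checks that the caller owns it


def get_w2_hardened(session_token: str, raw_id: str) -> W2Record:
    """Authentication plus an object-level ownership check."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    record_id = parse_record_id(raw_id)
    record = RECORDS.get(record_id)
    # One error for both "missing" and "not yours", so a scraper cannot
    # learn which IDs exist by telling a 403 from a 404.
    if record is None or record.owner != user:
        raise Forbidden("no such record")
    return record


def enumerate_records(fetch, session_token: str, start: int, count: int) -> list:
    """Walk sequential IDs the way a scraper would; return the owners reached."""
    reached = []
    for rid in range(start, start + count):
        try:
            reached.append(fetch(session_token, str(rid)).owner)
        except (Forbidden, KeyError):
            continue
    return reached


if __name__ == "__main__":
    # Alice's session walks IDs 1000-1004 against each endpoint.
    print(enumerate_records(get_w2_vulnerable, "sess-alice", 1000, 5))
    print(enumerate_records(get_w2_hardened, "sess-alice", 1000, 5))
```

Against the vulnerable endpoint a single valid login reaches every record; against the hardened one it reaches only the caller's own. The uniform "no such record" error is deliberate: answering differently for nonexistent and foreign records would let the scraper map which IDs are live even when it cannot read them.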
Sophisticated Attacks Require More Complex and Coordinated Defenses
All the security measures in the world cannot fully protect an organization against the most sophisticated attacks. However, the most important initiatives to start with are:
- Arm yourself with relevant and timely threat information. Wading through the reams of threat and vulnerability data available from free sources like CERT can be a time-consuming business; often, identifying the information that applies to your organization is like finding a needle in a haystack. Enlisting the services of security intelligence companies such as Symantec, Cybertrust, or VeriSign (which recently acquired iDEFENSE) will give you customized information and advice about the specific threats that apply to your organization. Use this information to work out how your systems and processes could be compromised, and prioritize remediation accordingly.
- Deploy multiple threat mitigation techniques. To mitigate sophisticated threats, companies will have to move beyond looking only for a predefined set of conditions, such as signature matching or comparing network activity against known vulnerabilities. Detecting genuine "zero day" threats demands adaptive technologies that build a profile of normal activity and then alert network staff, or block traffic, when activity strays outside that baseline. Companies like Mazu Networks, Arbor Networks, Lancope, and Q1 Labs offer technologies that baseline network activity and alert administrators to suspicious deviations from the norm.
- Knuckle down on your users. People are invariably the weakest but most important element of a security program. Before hiring, background checks are essential not only for your own employees but for contractors and partners, too. During employment, security awareness efforts need to be aggressive and frequent; a user awareness program goes well beyond emailing a copy of the security policy or putting a link to a "security tips and tricks" page on the home page. In fact, banks have found that few users pay any attention to their current security education efforts. A Forrester survey showed that only half of online banking users were aware that their bank makes security information available, and of those who were aware, 35% had not even read it. When breaches do occur, users must be held accountable for their actions; disciplinary action may seem draconian, but it's the only way users will learn.
- Impose security requirements with business contracts. Even if you've outsourced a business process, the liability and bad publicity resulting from a security breach will fall squarely on your shoulders. Make sure that any business partners accessing your data have at least as stringent security requirements as you have, and make sure that these requirements are written into the contract.
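To make the baselining approach in the second recommendation concrete, here is an added example, illustrative code for this page rather than the product logic of Mazu, Arbor, Lancope or Q1 Labs. It builds a per-host profile of normal outbound activity from a training window of flow summaries, then flags live minutes whose connection count or distinct-destination count deviates more than an assumed three standard deviations from that host's norm, and separately flags a host with no baseline at all. The flow summaries, the 3-sigma threshold and the sigma floor are all constructed assumptions for the demonstration.

```python
"""Added example: profile normal per-host activity, then flag deviations.

Illustrative code for this page, not any vendor's product logic. The flow
summaries, the 3-sigma threshold and the sigma floor are all assumptions
made for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: (minute, host, outbound_conns, distinct_dsts)
# per host per minute, with a little deterministic jitter.
TRAINING = (
    [(m, "ws-17", 18 + m % 5, 6 + m % 3) for m in range(60)]
    + [(m, "ws-42", 30 + m % 3, 9 + m % 5) for m in range(60)]
)

# Constructed live minutes to score against that baseline.
LIVE = [
    (61, "ws-17", 21, 7),     # within normal range
    (62, "ws-17", 420, 3),    # connection burst to few hosts (flood)
    (63, "ws-42", 33, 10),    # within normal range
    (64, "ws-42", 32, 180),   # many distinct destinations (spam/scan)
    (65, "ws-99", 50, 12),    # host absent from the baseline
]

Z_THRESHOLD = 3.0   # assumption: flag anything above mean + 3 sigma
MIN_STD = 1.0       # assumption: floor so a flat baseline still has a usable sigma


def build_baseline(rows):
    """Per-host (mean, sigma) of each metric over the training window."""
    by_host = defaultdict(lambda: {"conns": [], "dsts": []})
    for _, host, conns, dsts in rows:
        by_host[host]["conns"].append(conns)
        by_host[host]["dsts"].append(dsts)
    return {
        host: {k: (mean(v), max(pstdev(v), MIN_STD)) for k, v in series.items()}
        for host, series in by_host.items()
    }


def score(baseline, row):
    """Return (metric, z-score) pairs that exceed the threshold for one row.

    A host with no profile is reported as 'unknown_host' rather than silently
    passed, since an unprofiled machine is itself a deviation from the norm.
    """
    _, host, conns, dsts = row
    if host not in baseline:
        return [("unknown_host", float("inf"))]
    alerts = []
    for metric, value in (("conns", conns), ("dsts", dsts)):
        mu, sigma = baseline[host][metric]
        z = (value - mu) / sigma
        if z > Z_THRESHOLD:
            alerts.append((metric, round(z, 1)))
    return alerts


def detect(baseline, rows):
    """Map minute -> alerts for every live row that deviates."""
    alerts = {}
    for row in rows:
        hits = score(baseline, row)
        if hits:
            alerts[row[0]] = hits
    return alerts


if __name__ == "__main__":
    profile = build_baseline(TRAINING)
    for minute, hits in detect(profile, LIVE).items():
        print(minute, hits)
```

Run as-is, minutes 62, 64 and 65 are flagged and 61 and 63 are not. Two caveats a practitioner should notice: the test is one-sided, so a sudden drop in distinct destinations (as in minute 62) is not flagged on its own, and a host that was already compromised during the training window will have its malicious traffic baked into "normal", which is why the training window needs to be vetted before it is trusted.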
Endnotes
1. There have been multiple high-profile DDoS attacks over the past 18 months that may or may not have been linked to extortion attempts. For example, UK gaming Web site Betfair experienced a DDoS attack in July 2004. Content delivery network provider Akamai Technologies was hit by an attack in June 2004. Credit card processing company Authorize.Net confirmed that they were the victim of a DDoS extortion attempt in September 2004.
2. The Ask Jeeves attack tricked users into looking for data about themselves at the Ask Jeeves Web site. Source: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=212
3. Several high-level employees at Israeli firms have been implicated in an industrial espionage scandal using targeted Trojans. Source: http://www.msnbc.msn.com/id/8145520
4. On February 20, 2005, ChoicePoint announced that it would rescreen some 17,000 business customers accessing its data stores because scammers, posing as legitimate businesses, opened up some 50 of those accounts.