About these ads

Archive

Posts Tagged ‘0-Day Vulnerability’

November 2011 Cyber Attacks Timeline (Part II)

November 30, 2011 Leave a comment

The second half of November has confirmed the trend seen in the previous report covering the first half of the month. The period under examination has confirmed a remarkable increase in Cyber Attacks from both a quality and quantity perspective.

Although the month has been characterized by many small attacks, several remarkable events have really made the difference.

Among the victims of the month, Finland deserves a special mention in this unenviable rank: the second half of the month has confirmed the emerging trend for this country, which suffered in this period two further breaches of huge amounts of personal data, for a global cumulative cost, computed on the whole month, around $25 million.

But Finland was not the only northern European country hit by cybercrookers (maybe the term cyberprofessionals would be more appropriate): Norwegian systems associated with the country’s oil, gas and energy sectors were hit with an APT based cyber attack resulting in a loss of sensitive information including documents, drawings, user names and passwords.

But once again the crown of the most remarkable breach of the month is placed upon the head of South Korea which suffered another huge data dump affecting users of the popular MMORPG “Maple Story” affecting theoretically 13 million of users, nearly the 27% of the Korean population, for an estimated cost of the breach close to $2.8 billion.

The list of affected countries this month includes also 243,089 Nigerian users, victims of the hack of Naijaloaded, a popular forum.

Microsoft has been another victim in this November, with a phishing scam targeting Xbox Live users. Details of the scam are not clear, although each single affected user in U.K. might have lost something between £100 and £200 for a total cost of the breach assimilable to “million of Pounds”.

November will make history for showing for the first time to information security professionals the dangers hidden inside the SCADA universe (and not related to Nuclear Reactors). The echo of Stuxnet and Duqu is still alive, but this month was the the turn of SCADA water pumps, that have suffered a couple of attacks (Springfield and South Houston), the first one allegedly originated from Russia and the second one from a “lonely ranger” who considered the answer from DHS concerning the first incident, too soft and not enough satisfactory. My sixth sense (and one half) tells me that we will need to get more and more used to attacks against SCADA driven facilities.

The Anonymous continued their operations against governments with a brand new occurrence of their Friday Releases, targeting a Special Agent of the CA Department and leaking something like 38,000 emails. Besides from other some sparse “small” operations, the other remarkable action performed by the Anonymous collective involved the hacking of an United Nations (old?) server, that caused personal data of some personnel to be released on the Internet.

November Special mentions are dedicated (for opposite reasons) to HP and AT&T. HP for the issue on their printers discovered by a group of Researchers of Columbia Univerity, which could allow a malicious user to remotely control (and burn) them. AT&T deserved the special mention for the attack, unsuccessful, against the 1% of its 100 million wireless accounts customer base.

In any case, counting also the “minor” attacks of the month, the chart shows a real emergency for data protection issues: schools, e-commerce sites, TVs, government sites, etc. are increasingly becoming targets. Administrators do not show the deserved attention to data protection and maybe also the users are loosing the real perception of how much important is the safeguard of their personal information and how serious the aftermaths of a compromise are.

As usual, references for each single cyber attack are reported below. Have a (nice?) read and most of alle share among your acquaintances the awareness that everyone is virtually at risk.

Related articles

Read more…

Categories: Cyber Attacks Timeline, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Advanced Persistent Threats and Security Information Management

October 13, 2011 3 comments

Advanced Persistent Threats are probably the most remarkable events for Information Security in 2011 since they are redefining the infosec landscape from both technology and market perspective.

I consider the recent shopping in the SIEM arena made by IBM and McAfee a sign of the times and a demonstration of this trend. This is not a coincidence: as a matter of fact the only way to stop an APT before it reaches its goal (the Organization data), is an accurate analysis and correlation of data collected by security devices. An APT attack deploys different stages with different tactics, different techniques and different timeframes, which moreover affect different portion of the infrastructure. As a consequence an holistic view and an holistic information management are needed in order to correlate pieces of information spread in different pieces of the networks and collected by different, somewhat heterogeneous and apparently unrelated, security devices.

Consider for instance the typical cycle of an attack carried on by an APT:

Of course the picture does not take into consideration the user, which is the greatest vulnerability (but unfortunately an user does not generate logs except in a verbal format not so easy to analyze for a SIEM). Moreover the model should be multiplied for the numbers of victims since it is “unlikely” that such a similar attack could be performed on a single user at a time.

At the end, however, it is clear that an APT affects different components of the information security infrastructure at different times with different threat vectors:

  • Usually stage 1 of an APT attack involves a spear phishing E-mail containing appealing subject and argument, and a malicious payload in form of an attachment or a link. In both cases the Email AV or Antispam are impacted in the ingress stream (and should be supposed to detect the attack, am I naive if I suggest that a DNS lookup could have avoided attacks like this?). The impacted security device produce some logs (even if they are not straightforward to detect if the malicious E-mail has not been detected as a possible threat or also has been detected with a low confidence threshold). In this stage of the attack the time interval between the receipt of the e-mail and its reading can take from few minutes up to several hours.
  • The following stage involves user interaction. Unfortunately there is no human firewall so far (it is something we are working on) but user education (a very rare gift). As a consequence the victim is lured to follow the malicious link or click on the malicious attachment. In the first scenario the user is directed to a compromised (or crafted) web site where he downloads and installs a malware (or also insert some credentials which are used to steal his identity for instance for a remote access login). In the second scenario the user clicks on the attached file that exploits a 0-day vulnerability to install a Remote Administration Tool. The interval between reading the malicious email and installing the RAT takes likely several seconds. In any case Endpoint Security Tools may help to avoid surfing to malicious site or, if leveraging behavioral analysis, to detect anomalous pattern from an application (a 0-day is always a 0-day and often they are released after making reasonably sure not to be detected by traditional AV). Hopefully In both cases some suspicious logs are generated by the endpoint.
  • RAT Control is the following stage: after installation the malware uses the HTTP protocol to fetch commands from a remote C&C Server. Of course the malicious traffic is forged so that it may be hidden inside legitimate traffic. In any case the traffic pass through Firewalls and NIDS at the perimeter (matching allowed rules on the traffic). In this case both kind of devices should be supposed to produce related logs;
  • Once in full control of the Attacker, the compromised machine is used as a hop for the attacker to reach other hosts (now he is inside) or also to sweep the internal network looking for the target data. In this case a NIDS/anomaly detector should be able to detect the attack, monitoring, for instance, the number of attempted authentications or wrong logins: that is the way in which Lockheed Martin prevented an attack perpetrated by mean of compromised RSA seeds, and also, during the infamous breach, RSA detected the attack using a technology of anomaly detection Netwitness, acquired by EMC, its parent company immediately after the event.

At this point should be clear that this lethal blend of threats is pushing the security firms to redefine their product strategies, since they face the double crucial challenge to dramatically improve not only their 0-day detection ability, but also to dramatically improve the capability to manage and correlate the data collected from their security solutions.

As far as 0-day detection ability is concerned, next-gen technologies will include processor assisted endpoint security or also a new class of network devices such as DNS Firewalls (thanks to @nientenomi for reporting the article).

As far data management and correlation are concerned, yes of course a SIEM is beautiful concept… until one needs to face the issue of correlation, which definitively mean that often SIEM projects become useless because of correlation patterns, which are too complex and not straightforward. This is the reason why the leading vendors are rushing to include an integrated SIEM technology in their product portfolio in order to  provide an out-of-the-box correlation engine optimized for their products. The price to pay will probably be a segmentation and verticalization of SIEM Market in which lead vendors will have their own solution (not so optimized for competitor technologies) at the expense of generalist SIEM vendors.

On the other hand APT are alive and kicking, keep on targeting US Defense contractors (Raytheon is the latest) and are also learning to fly though the clouds. Moreover they are also well hidden considered that, according to the Security Intelligence Report Volume 11 issued by Microsoft, less than one per cent of exploits in the first half of 2011 were against zero-day vulnerabilities. The 1% makes the difference! And it is a big difference!

Follow

Get every new post delivered to your Inbox.

Join 3,094 other followers