Advanced Persistent Threats are probably the most remarkable events for Information Security in 2011 since they are redefining the infosec landscape from both technology and market perspective.
I consider the recent shopping in the SIEM arena made by IBM and McAfee a sign of the times and a demonstration of this trend. This is not a coincidence: as a matter of fact the only way to stop an APT before it reaches its goal (the Organization data), is an accurate analysis and correlation of data collected by security devices. An APT attack deploys different stages with different tactics, different techniques and different timeframes, which moreover affect different portion of the infrastructure. As a consequence an holistic view and an holistic information management are needed in order to correlate pieces of information spread in different pieces of the networks and collected by different, somewhat heterogeneous and apparently unrelated, security devices.
Consider for instance the typical cycle of an attack carried on by an APT:
Of course the picture does not take into consideration the user, which is the greatest vulnerability (but unfortunately an user does not generate logs except in a verbal format not so easy to analyze for a SIEM). Moreover the model should be multiplied for the numbers of victims since it is “unlikely” that such a similar attack could be performed on a single user at a time.
At the end, however, it is clear that an APT affects different components of the information security infrastructure at different times with different threat vectors:
- Usually stage 1 of an APT attack involves a spear phishing E-mail containing appealing subject and argument, and a malicious payload in form of an attachment or a link. In both cases the Email AV or Antispam are impacted in the ingress stream (and should be supposed to detect the attack, am I naive if I suggest that a DNS lookup could have avoided attacks like this?). The impacted security device produce some logs (even if they are not straightforward to detect if the malicious E-mail has not been detected as a possible threat or also has been detected with a low confidence threshold). In this stage of the attack the time interval between the receipt of the e-mail and its reading can take from few minutes up to several hours.
- The following stage involves user interaction. Unfortunately there is no human firewall so far (it is something we are working on) but user education (a very rare gift). As a consequence the victim is lured to follow the malicious link or click on the malicious attachment. In the first scenario the user is directed to a compromised (or crafted) web site where he downloads and installs a malware (or also insert some credentials which are used to steal his identity for instance for a remote access login). In the second scenario the user clicks on the attached file that exploits a 0-day vulnerability to install a Remote Administration Tool. The interval between reading the malicious email and installing the RAT takes likely several seconds. In any case Endpoint Security Tools may help to avoid surfing to malicious site or, if leveraging behavioral analysis, to detect anomalous pattern from an application (a 0-day is always a 0-day and often they are released after making reasonably sure not to be detected by traditional AV). Hopefully In both cases some suspicious logs are generated by the endpoint.
- RAT Control is the following stage: after installation the malware uses the HTTP protocol to fetch commands from a remote C&C Server. Of course the malicious traffic is forged so that it may be hidden inside legitimate traffic. In any case the traffic pass through Firewalls and NIDS at the perimeter (matching allowed rules on the traffic). In this case both kind of devices should be supposed to produce related logs;
- Once in full control of the Attacker, the compromised machine is used as a hop for the attacker to reach other hosts (now he is inside) or also to sweep the internal network looking for the target data. In this case a NIDS/anomaly detector should be able to detect the attack, monitoring, for instance, the number of attempted authentications or wrong logins: that is the way in which Lockheed Martin prevented an attack perpetrated by mean of compromised RSA seeds, and also, during the infamous breach, RSA detected the attack using a technology of anomaly detection Netwitness, acquired by EMC, its parent company immediately after the event.
At this point should be clear that this lethal blend of threats is pushing the security firms to redefine their product strategies, since they face the double crucial challenge to dramatically improve not only their 0-day detection ability, but also to dramatically improve the capability to manage and correlate the data collected from their security solutions.
As far as 0-day detection ability is concerned, next-gen technologies will include processor assisted endpoint security or also a new class of network devices such as DNS Firewalls (thanks to @nientenomi for reporting the article).
As far data management and correlation are concerned, yes of course a SIEM is beautiful concept… until one needs to face the issue of correlation, which definitively mean that often SIEM projects become useless because of correlation patterns, which are too complex and not straightforward. This is the reason why the leading vendors are rushing to include an integrated SIEM technology in their product portfolio in order to provide an out-of-the-box correlation engine optimized for their products. The price to pay will probably be a segmentation and verticalization of SIEM Market in which lead vendors will have their own solution (not so optimized for competitor technologies) at the expense of generalist SIEM vendors.
On the other hand APT are alive and kicking, keep on targeting US Defense contractors (Raytheon is the latest) and are also learning to fly though the clouds. Moreover they are also well hidden considered that, according to the Security Intelligence Report Volume 11 issued by Microsoft, less than one per cent of exploits in the first half of 2011 were against zero-day vulnerabilities. The 1% makes the difference! And it is a big difference!
- Information, The Next Battlefield (paulsparrows.wordpress.com)
Le Cyberwar sono state definite il quinto dominio della guerra. Ma se doveste spiegare in parole semplici a cosa corrisponde una Cyberwar come la definireste? In queste slide divulgative, redatte in occasione di un convegno al quale sono stato invitato, ho cercato di inserire la mia personalissima risposta con gli esempi più famosi del 2011 e alcuni collegamenti, apparentemente improbabili, alla vita di tutti i giorni.
Le slide non sono tecniche e qualche purista storcerà sicuramente il naso. Per chi volesse approfondire tutto il materiale è reperibile all’interno del blog sotto i tag Stuxnet, RSA, e naturalmente all’interno del Master Index relativo agli attacchi informatici del 2011.
Visto il tempo (e lo spazio) a disposizione nelle slide non sono citati gli esempi di Operation Aurora e Shady RAT. Alla fine la sostanza non cambia: entrambi rimangono comunque esempi degni di nota (anche se il secondo è ancora argomento di controversia).
Per ulteriori dettagli sulle altre vittime illustri (Fondo Monetario, ONU, etc.) il punto di riferimento è sicuramente il Master Index.
Update: F-Secure posted in their blog the complete description on how the patient 0 was found: And here it is the infamous “2011 recruitment plan message”.
Have a look to the fake sender: a message from beyond…
Original Post follows:
I am working hard for the August 2011 Cyber Attacks Timeline (stay tuned it is almost ready! Meanwhile you may check the previous ones) while I stumbled upon this very interesting article. Yes, I may say that finally I saw one of the Emails used for spear phishing attacks against RSA customers, using compromised seeds.
As you will probably know everything started on March 17, 2011, when RSA admitted to have been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being subtracted from RSA’s systems.
Of course the sole seed and serial number of the token (the alleged information subtracted) is not enough to carry on a successful attack, so the attacker (whose possible target were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is the username and the PIN. And which is the best way? Of course Spear Phishing!
And here the example of a fake spear phishing E-mail targeting one of the One of America’s Most Secret (and Important) Agencies and in the same Time RSA customers:
Likely the same attack vector was utilized against three Contractors (RSA Customers) which were targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3, and Northrop Grumman). What a terrible year for Contractors and DHS related agencies!
By chance today F-Secure revealed to have discovered the patient zero, that is the mail (“2011 Recruitment Plan”) used to convey the APT inside RSA. Someone (who decided to follow the best practices for anomalous e-mails) submitted it to Virus Total, a cloud based service for scanning files, and it looks like that F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.
Update July 15: Reuters reports that hat a classified US military weapons system will now need to be redesigned after specs and plans for the system were stolen from a defense contractor database during the breach of March,
According to an AP Statement, on Thursday the Pentagon revelead to have suffered a breach of 24,000 documents in March, during a single intrusion. Particularly interesting is the fact that sources believe the attack was perpetrated by a Foreign Country, confirming the fact that cyberspace has really become the fifth domain of war (earlier in this year China had been charged to have hacked some gmail accounts including those of senior US and South Korean government officials, and similarly at the end of 2009 some gmail accounts belonging to dissidents).
According to the original statement by AP:
William Lynn, the deputy secretary of defense, said in a speech outlining the strategy that 24,000 files containing Pentagon data were stolen from a defense industry computer network in a single intrusion in March. He offered no details about what was taken but in an interview before the speech he said the Pentagon believes the attacker was a foreign government. He didn’t say which nation.
“We have a pretty good idea” who did it, Lynn said the interview. He would not elaborate.
For the chronicle, DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe.
It is not a coincidence that at the beginning of the year Pentagon declared that computer sabotage coming from another country can constitute an act of war, a finding that
for the first time opened the door for the U.S. to respond using traditional military force (probably at that time they were alre
ady aware of the above attack, which explains the change in strategy).
In the same wake, yesterday the Department of Defence announced its Strategy for Operating in Cyberspace, which relies on five strategic initiatives. At first glance the strategy aims to defend and prevent with a measured, reasonable approach focused on good network hygiene and data-sharing, rather than bombing hackers into submission.
- Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential;
- Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems;
- Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy;
- Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity;
- Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Honestly Speaking I must confess that, as soon as I stumbled upon this report I could not help thinking (but this is a mere personal speculation) to the RSA Breach. Details of the Pentagon breach are not known so far, but I would not be surprised if they were somehow related. On the other hand the RSA breach happened in mid-March and was followed to attacks towards three US Defense Contractors (L-3, happened at the beginning of April but disclosed at the end of May, Lockheed Martin, discovered on May, the 22nd, and Northrop Grumman on May, the 26th). Only a coincidence?
As already suggested, I considered the original 2011 Cyber Attacks Timeline graph by Thomson Reuters not enough complete since it did not show some important attacks occurred during this tremendous 2011. This is the reason why I decided to draw an enhanced version which shows, according to my personal opinion (and metric), the list of 2011 major cyber attacks both for size and impact. Moreover in this version I added the cost of the breaches (where possible), and the alleged kind of attack perpetrated.
All the data were taken from the bulletins or statements released by the victims, or from the tweets released by the attackers.
Costs were calculated, where possible, using the indications from the Ponemon’s insitute: the average cost of a Data Breach is US $214 for each compromised record, if the targeted company decided to respond immediately the cost is around UD $268 for each compromised record, which drops to US $ 174 if the company takes longer to react.
The Total Cost is an incredible number: nearly US $ 18 billion.
Useless to say, Sony achieves rank #1 with US $ 13.4 billion. In this unenviable chart, Epsilon gains the second place with an estimated cost for its breach, of US $ 4 billion.
The others breaches, although not comparable with the previous ones, if summed, allow to achieve the grand total.
Even if smaller in size, and apparently in importance, I decided to insert in the chart also the attack to Comodo Certificates, happened in March, the 24th. In this annus horribilis, it came immediately after the RSA affaire and it has decreed, together with the RSA breach, the fall of the modern bastions of Strong Authentication (in few days tokens and certificates have proved to be vulnerable). Moreover I consider the message of the author a memorable declaration of Cyberwar. On the trail of the RSA breach the wave of attacks towards US contractors is noteworthy as well.
Hackers focused on Media Sites (Fox, PBS, Sony, Sony BMG), with a clear message against censorship (and probably the neverending problem of copyright). Interesting the second attack to PBS made to show the poor skill of LuzSecs by Warv0x, one of their enemies. In the last part of June Videogame industry was the preferred target (also Epic suffered a breach) with different intentions: LulzSec attacked Nintendo and Bethesda (the second attack resulted in data breach for the victim), but offered to avenge Sega (the manufacturer of Dreamcast), after the disastrous breach.
Direct attacks to governments focused essentially on LOIC based DDoS, albeit some infamous breaches to related sites (as in case of Infoguard/FBI and NATO) lead to Data Breaches.
Last but not least, please notice the intense activity from LulzSec in their intense “50 days of living dangerously”, just before the sudden dissolution of the group happened on June, the 25th.
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
- It was only a matter of time… (paulsparrows.wordpress.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
Update June 29: 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated)
I found this interesting graph from an original Thomson Reuters post, showing the timeline of the major 2011 CyberAttacks.
The graph shows all the main Cyber Events of this tremendous 2011 up to June, the 16th. Actually to be perfect it should include also the infamous Epsilon Data Breach, happened on March, the 30th. Probably it had a major impact on the U.S. rather than in Europe, but it is clear that the aftermaths of this breach will last for years in terms of spear-phishing attacks tarteting the affected users.
Moreover, to be “ultra perfect”, it shpould also include the other attacks discovered against U.S. Defense Contractors (L-3 on April, the 6th, and Northrop Grumman on May, the 26th) should be considered as well.
Even if some attacks are missing, the graph is useful (and meaningful) to show the easiness with which our data are at risk.
Of course after June, the 16th, another cyber-attack leading to a breach was perpetrated against Sega (to be added to the list of Game Publisher), affecting 1.3 million users.
Following the Sega Breach, in these last two days, after the #Antisec Manifesto and the consequent teaming between LulzSec and Anonymous, several government sites have been hit by massive DDoS attacks, including SOCA in UK, some sites affiliated to PM Silvio Berlusconi in Italy, and some Government Sites in Brazil.
Another crucial episode in the affair of the RSA Breach. In a letter published yesterday by mean of the Executive Chairman Art Coviello, letter that will probably go into the annals of computer security, RSA has confirmed that information taken in March had been used as an element of an attempted broader attack on Lockheed Martin. This evidence was obtained, according to the company, on June the 2nd, and so far, the Lockeed Martin attack is the only one, among those (alleged) aimed to other contractors, which has been confirmed directly related to the use of compromised seeds.
Finally this letter indirectly confirms that, given the stolen information, SecureID tokens have been comprimised (but this was implicitly said in the original letters as well):
While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack
and moreover, as was quite clear from the beginning, RSA believes that certain characteristics of the original attack indicated that the perpetrator’s most likely motive was to obtain an element of security information to be used to target defense secrets and related IP. For this reason, the Company worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure.
Another interesting (and shareable) point of the letter is the fact that the unprecedented wave of cyber attacks against Epsilon, Sony, Google, PBS, and Nintendo have commanded widespread public attention. Albeit totally unrelated to the breach at RSA, this events, and this is a really important point, delineate a changing threat landscape and hence have heightened public awareness and customer concern: a landscape in which Cybercrime and Cyberwar dangerously overlap.
As a result, the Company is expanding its security remediation program including two offers for assuring SecureID users’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
Is this a new dawning age for two-factors authentication?
With the alleged Northrop Grumman Cyber-attack, we have experienced three attempts, unleashed in few days, to leverage the compromised RSA seeds in order to steal data from U.S. Contractors.
Albeit the above mentioned events are characterized by two evident points in common: all the targeted companies are U.S. Defense Contractors, and all of them use RSA tokens; there is a point that seems confusing, and it is the timeline with which the attacks were carried out and subsequently unleashed (we will see that the two are very different and somehow confusing).
Analyzing the timeline: the first attack unleashed was the one led against Martin Lockheed. According to the sources, remote access to internal resources was disabled late on Sunday, May, the 22nd, just immediately after the attack was detected. The first details, although the target was not immediately revealed, were given few days after, on May, the 26th.
The second cyber-attack targeted L-3 and was unleashed few days after , on May, the 31st. According to the information revealed, the event occurred at the beginning of April (more exactly on April, the 6th, that is more than a month and a half before) and described into an e-mail sent by an executive to the 5000 group’s employees belonging to the division affected. Nothing strange apparently: the late disclosure was unintended for the target company and probably a consequence of the huge echo raised after the Lockheed Martin affair which led an anonymous source to reveal details to Wired.
On June, the 2nd, an alleged third attempt to attack a U.S. Defense Contractor using compromised seeds was unleashed, this time against Northrop Grumman. According to the revealed timeline, this attack was held on May, the 26th, that is nearly in contemporary (4 days after) the event of Lockheed Martin.
So definitively although the three attacks were revealed nearly in contemporary, only two of them were (i.e. the ones towards Lockheed Martin and Northrop Grumman), while the second one, to L-3 happened a couple of weeks after the RSA Breach and almost one month and half before the others. This sounds not clear to me.
If I had been in the attackers’ shoes, I would have attacked all at once in order to prevent the spreading of the information, and definitively to avoid the possibility for the others victims to organize themselves, for instance immediately replacing the tokens as made by Raytheon immediately after the RSA Breach.
Let us suppose (as it seems clear) that the alleged theft of the seeds was only the first step of the “perfect plan” to attack the U.S. Defense contractors, let us also suppose that the attackers took some time to obtain the missing pieces of the puzzle, that is to link the tokens to users, and eventually to obtain the PINs, by mean of keylogger trojans or phishing e-mails as suggested by by Rick Moy, president of NSS Labs. Do you really think that they would have left one month and a half between one attack and the other? Honestly speaking I do not think so. Of course I can imagine that obtaining all the PINs or user to token mappings at once was simply impossible, for reasons of time because it is impossible that all the victims to a specific targeted phishing campaign could reply simultaneously, but also because a massive “vertical” campaign of phishing targeting all the U.S. Contractors (and aimed to obtain information about RSA tokens) would have probably raised too much attention, so that I do not exclude that the necessary information to perform the attack had to be obtained with “evasion” techniques.
Nevertheless, provided the above depicted scenario is real, even if it is unlikely the attackers could attack all the target simultaneously, one month and half between one wave and the other seems actually too much: I doubt they already knew that the information concerning the first alleged attack to L-3 would have been revealed only many days after, of course it is easy to predict that L-3 and the eventual other victims would not have been happy to do it immediately after; but if they really had the perfect plan, relying on a similar occurrence would have been a huge hazard capable to put at risk the entire operation.
I seriously fear the truth is different. Of course this is a mere personal speculation, but I am more and more considering the hypothesis that a first wave of attacks was really held at the beginning of April (more or less in contemporary with L-3), that is after a short interval the original breach, short enough to catch the most part of the victims unprepared, most of all in case of very big companies. The consequence could be that many others attacks have not been revealed or simply were not detected at all, since, as I said a couple of days ago:
I wonder if military contractors are really the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.
How to explain the alleged second wave of May? It might be that the attackers have tried once, since the result was successful (it is not clear if they were able to steal sensitive data, but for sure the information was not immediately revealed) so they decided to try a second and a third chance (and who knows how many others). Otherwise, it might be that after the first wave they decided to sell the seeds on the black market (probably at a lower price since at that point the seeds would have been considered a good of second choice), and this could explain the late attack to Lockheed Martin and Northrop Grumman (and who knows who else). In this case I am afraid we will see many other attacks, unless other potential targets (that so far refused to comment the events) will not decide to follow the example of Raytheon and replace the tokens.
I just finished reading this interesting article that seems to offer a different view for the attack at Lockheed Martin (actually, a lone voice which does not consider the attack related to compromised seeds), that here it is another bolt from the Blue. As a matter of fact Wired reports that a second Defense Contractor, L-3, has been targeted with penetration attacks leveraging information stolen from the infamous RSA Breach. This information was contained into an E-mail, dated April 6, sent to the 5000 group’s employees. t’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved.
Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.
Is the only comment of the company.
This revelation occurs few days after the explosive news pertaining the attack led with similar methods to another Defense Contractor, Lockeed Martin.
Maybe all the defense contractors should have followed the wise example of Raytheon (another Defense Contractor) which declared to have taken immediate companywide actions in March when incident information was initially provided to RSA customers, to prevent a widespread disruption of their network.
If confirmed, this event is a further corroboration of the fact the real target of the Hackers was not RSA but their customers, event if at this point I wonder if military contractors are the only targets or if they have been the only ones capable to detect the attempts because of their strict security protocols and policies.
- Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks (wired.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- Some Random Thoughts On RSA Breach (paulsparrows.wordpress.com)