The IT director for an international hedge fund received the bad news in a phone call from a stranger: Chinese hackers were running amok on the fund’s network. Not seeing evidence of the claimed intrusion, and unsure about the credibility of the caller, the IT director fired off an email to a reporter.
“So do you think this is legit, or is the guy trying to scare us?” the IT director asked in an email to KrebsOnSecurity.com, agreeing to discuss the incident if he and his company were not named. “He has sent me the logs for the connections to the infected server. I checked the firewall and am not seeing any active connections.”
The call, from Hermes Bojaxhi of Columbia, Md. based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), was indeed legit, and a follow-up investigation by the hedge fund revealed that at least 15 PCs within the financial services company were compromised and were sending proprietary information to the attackers.
CyberESI knew about the incident because it was monitoring several hacked, legitimate servers that the attackers were using to siphon data from multiple victims. Bojaxhi said the hedge fund notification was one of several he made that week to Fortune 500 companies that also had been hacked and were communicating with the same compromised servers.
And it wasn’t his first call to the hedge fund.
“On that particular victim, I tried to reach out to them a month prior, but I was handed off to an administrative assistant,” Bojaxhi said. “We had 25 [victim organizations] to call that day. But when they popped back up on the radar a month later, I tried again.”
The hedge fund incident illustrates the complexities of defending against and detecting targeted attacks, even when victims are alerted to the problem by an outside party.
Joe Drissel, founder and CEO for CyberESI, said too many companies think of cyberattacks as automated threats that can be blocked with the proper mix of hardware and software.
“So many firms are stuck in a paradigm of drive-bys, not targeted attacks,” Drissel said. “There seems to be a real disconnect with what’s really happening on a daily basis. We’re trying to fight an asymmetrical war in a symmetrical way, sort of like we’re British soldiers [in Revolutionary War], all walking in line and they’re picking us off one by one. By the time we turn around and aim, they’re already gone.”
None of the first three Trojans installed on the hedge fund’s computers were initially detected by any of the 42 anti-virus products bundled into the scanning tools at Virustotal.com.
Drissel said victims that his company notifies sometimes mistakenly think his firm is involved in the attack, or that they’re somehow joking.
“One guy laughed and said, ‘Thank you for watching out for our company,’ but he didn’t call us back,” Drissel said of a conversation with a victim earlier this year, declining to name the victim. “We watched [the attackers] exfiltrate weapons systems data for the Defense Department out of their systems, and ended up having to text the same guy a file stolen off their servers. Fifteen minutes later, we got a call back from him, and they unplugged their entire corporate network.”
Some say that the attacks CyberESI notifies companies about — often referred to as the advanced persistent threat (APT) — are over-hyped, and that the malware and exploits used in these incursions usually aren’t that sophisticated. APT attacks also are frequently associated with targets in the U.S. government and companies in the defense industry.
But most APT attackers tend to be only as sophisticated as they need to be, which often isn’t too sophisticated, said Gavin Reid, senior manager of Cisco’s computer security incident response team. Speaking at a conference in Warsaw, Poland this week, Reid said successful APT attacks need not use zero-day software flaws.
“People will say, ‘Well, this attack wasn’t very advanced, so it can’t be APT’, but I will tell you the folks who are behind some of this stuff are not going to use cool zero-day stuff if they can go in the underground economy and say, ‘Hey, I need [access to] an infected machine in this organization,’ and pay $50 in Paypal in order to get that,” Reid said.
APT almost always involves social engineering, or tricking people into infecting their systems by disguising a malware-infected email attachment as something that is relevant to the recipient. Experts say this method usually works against targets if the attacker has enough resources, time, and solid information about his targets. In many ways, it is the “persistence” aspect of APT that makes it such a potent threat.
Drissel said any company that has valuable intellectual property can be a target.
“It’s not just the DoD and defense companies being targeted,” he said. “The truth is most companies have been compromised at one form or another.”
ASSUME YOU HAVE BEEN BREACHED
That was one of the key findings from an APT summit July 13 and 14, 2011 in Washington. The conference was put on by a large technology and security industry trade group called TechAmerica, and RSA, the security company that suffered a particularly high-profile APT intrusion earlier this year.
From the interim report published after that summit:
-Determined adversaries can always find exploits through people and in complex IT environments. It’s not realistic to keep adversaries out. Organizations should plan and act as though they have already been breached.
-Organizations should focus on closing the exposure window and limiting damage through efforts to compartmentalize systems, stop sensitive data egress and go back to the core principles of IT security such as ‘least privilege’ and ‘defense in depth.’
-The key is to know what digital assets are important to protect, where they reside, who has access to them and how to lock them down in the event of a breach.
The report also stressed the value of early detection of breaches, something that happens all too infrequently with APT intrusions. It stressed the importance of disrupting APT operations:
“The key is actively preserving, aggregating and reviewing data to detect a potential intrusion but also for post-event forensics. Don’t underestimate the power of disruption. Damage from APTs can be minimized or prevented by simply interrupting attackers’ work flow at multiple points. Organizations should strive for a disruptive approach to defense in order to match the rapidly evolving threat environment.”
Cisco’s Gavin Reid said organizations that don’t have a good record of internal network activity stretching back months or even years have little chance of understanding the breadth of an APT attack after it occurs.
“Without that information, there is very little victims can piece together to understand what came in, what went out, and who else was involved,” Reid said.
But Reid cautioned that logging is not enough, and the security industry has sold many companies on a lie: That automation and network logging solutions can take the place of skilled staff in detecting intrusions.
“One of the areas where we’ve failed as a security community is that we’ve got an over-reliance on automation,” Reid said. “We’ve sold this idea that we can automate it, in a way that will not only help your security staff identify threats, but that you can cut your staff down because these technologies are going to do the work of a lot of people. That has failed. We’re still stuck with [the reality that] you need smart people who understand computer, applications and networks, and a logging solution becomes a tool they can use to identify some of these things. Hopefully this has been a little bit of a wake-up call, and we can start looking at things a little differently and start putting people back into the equation.”
OFFENSE AS A GOOD DEFENSE?
It is one thing for an APT victim organization to disrupt the flow of information from its own networks to the control networks run by the attackers. But is it anyone’s job to disrupt the infrastructure used to attack multiple corporations simultaneously? Does it even make sense for an organization with specific skill sets attuned to APT attacks to do this?
Drissel said CyberESI and other competitors who notify companies hit by APT attacks have lobbied the U.S. government for the authority to take more aggressive steps to target APT infrastructure, with little success.
“What [the U.S. government needs] to do is to allow us the latitude to go after the attackers,” said Drissel, former acting section chief of the intrusions section at the Defense Computer Forensics Lab, housed at the Department of Defense’s Cyber Crime Center in Linthicum, Md. “We all came out of the Department of Defense. All of us worked in some capacity for the federal government, and we do know where the line is that we can’t cross. We can stop them, but we don’t. We can cut them off, we just don’t.”
It’s not clear how far CyberESI or even the federal government would go to shut down command and control networks being used for these attacks, or whether that approach would be effective and desirable. I have interviewed several experts who told me that although the FBI regularly alerts companies infiltrated by APT attacks, it usually does nothing to disturb the attacker’s infrastructure for fear that disrupting it would eliminate visibility into future victims.
CyberESI requested that I not publicize the domain names, Internet addresses or other data included in the report that they sent to the hedge fund; the company said that publishing the location data would likely cause the attackers to alter their attack infrastructure, and potentially diminish the firm’s ability to identity and alert new victims.
Updated, 1:24 p.m.. ET: Fixed misspelling of Drissel’s name.