In today’s high-stakes corporate environment, you might think that it would be pretty hard to hack a company like yours.
Imagine trying to launch a phishing attack with nothing more than a well-crafted email delivering yesterday’s Trojan horse as payload, made by a well-known kit. Surely, that wouldn’t cut it. To infiltrate corporations whose data is of prime importance to them, a hacker would have to come equipped with cutting edge techniques, zero-day threats and bypass more traditional defenses like AV, Sandbox and IPS solutions.
BlackHat, Wargames, Here we come
If that sounds like a scene straight out of Hollywood, well, it is. In reality, it doesn’t take a mad tech genius to hack a highly guarded network. And it doesn’t require any revolutionary psychological ploys. The less than dramatic truth is that launching a successful attack with a sophisticated piece of malware is just an easy as riding a bicycle.
The Dark Web and CCaa$
The Dark Web, that eerie term used to describe a collection of websites that hide their server’s IP addresses, is basically a supermarket for hackers. As part of a phenomenon known as Cyber Crime as a Service, at any given moment there are thousands of Dark Web forums selling everything from stolen credit cards and personal data, to malware and even fully deployed browser exploit packs for the lazy or inexperienced hacker.
And it’s not just the malware itself that’s for sale, but all the tools and services a hacker would need in order to make sure their attack easily breaches all traditional defense systems. And in most cases, a zero day vulnerability is simply not a must to breach even some of the tightest defenses.
The rise of CCaaS, or Cyber Crime as a Service has made it alarmingly easy for even the least technically-inclined elements to pull off hacks of devastating proportions. As long as this junior hacker is capable of getting set up on the Dark Web, all he or she needs is a piece of malware and a crypter to make sure the malware is fully undetected to start his or her exploit.
Without knowing a thing about how AV works or how to circumvent it, the attacker has a strong piece of software that can evade the latest and greatest AV solutions out there. It’s constantly changing its binary signatures, checking environment variables and memory artifacts, running deliberately long and changing behavior to make sure that there isn’t any sandbox trying to record and detect the real malicious activity it was built for.
The crypter adds the capability of running a “blue pill, red pill test” to make sure it’s not living inside the matrix or the sandbox, fooling all detection mechanisms on its way in for the kill – infection and persistence inside the target network. Then, using a Virustotal-like service in the underground, he’ll ensure that the malware is truly unrecognized by all AV engines and sandbox solutions.
With the attack infrastructure near completion, now the malware needs to call home, get instructions and send data out. But since information security departments and some security solutions know to look for suspicious network traffic, it has to hide. One of the best ways to hide this kind of traffic is to embed data into unused fields in common protocols like http or DNS. Preferably, the malware will take the shape of social network communications to avoid being marked as an unfamiliar domain, which would make sink-holing impossible. (Another way to avoid sink-holing or C&C takedown is to use TOR client and talk to a hidden service. But that’s another tactic for another time).
Trojan horses today are using familiar services like Twitter, Facebook, Google docs and more in order to communicate, hoping to fly below the radar. This was clearly illustrated this past summer in the Hammertoss exploit. The Advanced Persistent Threat group known as APT 29, out of Russia, was found to be deploying attacks via Twitter and GitHub. The traffic patterns looked perfectly normal so they just blended right into the background, going undetected for quite some time.
So now, back to our attacker. He hasn’t written a single line of code. He hasn’t developed any state-of-the-art zero day exploit. Chances are, he doesn’t even understand the principles behind all this malware encryption and shape changing technology (polymorphism). And for just one bitcoin, the hacker has all the tools he needs to bring a corporation to its knees.
So how can the CISO protect his or her enterprise from undetected malware?
It’s a tough question and the answer is layered.
There are loads of tools a CISO needs to strengthen his or her organization’s digital fortress. You need pen testers and scanning software to identify entry points and other vulnerabilities from both inside and outside your company. You need flawless firewalls and rock-solid passwords and you’ll need a serious business level anti-virus program. But often times, the most important aspect, the one that is responsible for 95% of breaches, goes overlooked – That of training your employees to spot and report phishing emails and to be constantly on guard from social engineering tactics. Here are a few important guidelines to follow.
- Lower the risk
Block email attachments with macro code, both by content inspection and file extension;
- Educate your employees regarding email attachments hazards, make sure they know PDF and other MS Office files can be dangerous;
- Don’t rely on traditional security tools to safeguard network and user information alone;
- Monitor suspicious emails by creating a reporting system; monitor suspicious network traffic and look for abnormalities.
- Assess your organization’s overall susceptibility to phishing attacks. Have an accurate idea of what open source intelligence is out there that could potentially be used against your organization.
- Training, training and some more training…
Increase awareness through an ongoing training and simulation programs with staged, real-world whaling emails and user-specific campaigns tailored to managers’ digital footprints;
Update managers on the latest social engineering techniques.
Encourage and incentivize your employees to report suspicious emails back to the security team.
When it comes to breaches, the human element is the critical element. With the proper training, your employees can become your greatest allies in mitigating attacks, rather than your greatest vulnerability. And then your organization will be able to withstand any attack attempt that comes your way, whether they cost the hacker one or one million bit coins.