How eEspionage is done
According to Alan Paller, director of research at the SANS Institute, ‘the attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source.’
The ‘social engineering’ here starts with nothing more exotic than gathering information about people of interest from ‘open sources’ such as LinkedIn and Facebook. The attackers’ emails then appear to come from legitimate sources because they carry specific, credible content: a reference to a recent meeting, say, or a seemingly bona fide attachment.
Often the seemingly bona fide attachment contains exploit code that makes the user’s machine download a Trojan built so that current antivirus products will not detect it. Once active, the Trojan gives the attackers control of the user’s PC, from which they can exfiltrate specific files and e-mails or, more importantly, reach the broader network. Once on the network, they broaden the attack by stealing domain administrator and user credentials.
These persistent attacks target multiple systems and install various utilities to capture data, steal e-mail, list running processes and plant dormant executables. Stolen data is sent to the attackers’ remote servers, and if the attackers detect remediation efforts they try to establish additional footholds and modify their malware. They often install multiple back doors across the network to secure a reliable return route for a future visit. Don’t be fooled: this isn’t cyber-conjecture, it’s reality.
Earlier this year we saw a new dimension when data stolen from RSA’s SecurID two-factor authentication system was used in an attack on US defence contractor Lockheed Martin. ‘We are seeing more and more cases and big samples of malware,’ McAfee chief security officer Brett Wahlin told Computerworld in June, ‘that are going after everything from infrastructure like Night Dragon to security companies like RSA.’
Why these attacks aren’t detected
You probably have a full array of defences, and your security team is watching its logs and reports, so how could attackers get through your firewalls, intrusion detection systems, anti-spyware, virus scanners and SIEM systems? The answer is that these attacks are far harder to detect or prevent than the hacks of old. They are designed to circumvent traditional defences with custom-built malware that rules-based ‘detect and prevent’ techniques are almost powerless to stop. The malware matches no known signature or pattern because it is built not to, so current antivirus products detect only between 5% and 25% of this kind of malware.
The Verizon Business Data Breach Investigations Report confirms this, finding that ‘nearly two-thirds of malware investigated in the Verizon caseload was customized - the highest we have ever seen. The extent of customization found in a piece of malware can range from a simple repack of existing malware to avoid AV detection to code written from the ground up for a specific attack.’
Alan Paller of the SANS Institute says that the people engaged in economic eEspionage are often the same people doing military espionage, using similar techniques to steal information from commercial organisations operating in the attackers’ country. Custom-built Trojans have long been used by intelligence agencies to siphon off vital intelligence, as Mossad reportedly did to obtain information on nuclear facilities in Syria.
However, it’s not only military intelligence that is at risk. Not long ago, a Trojan attack on an Australian financial institution got past the firewall and sent documents to a hostile website through a port that the firewall’s own reporting showed as closed, and no other security system raised an alert to the contrary. The attack was stopped only when behaviour-based security technology noticed that an unusually large volume of data was trying to traverse the firewall. The signal that caught it was not a signature but a change in behaviour: a host sending far more data outbound than it ever had before.
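The kind of behaviour-based check that caught the attack above, and that the signature-based tools of the previous section cannot provide, can be sketched in a few dozen lines. The following is an added example, not the article’s material nor any vendor’s product: it reads firewall/flow log lines, flags a host whose outbound volume to external addresses in one time window far exceeds that host’s own baseline, and separately flags flows that crossed the firewall on ports the egress policy says should be closed. The log format, the internal address ranges, the egress policy, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""Behaviour-based egress detection over firewall/flow log lines.

Added example (not from the article or any product). Log format, address
ranges, egress policy, thresholds and sample data are all assumed.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed internal address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed egress policy: only web ports may leave the network.
ALLOWED_EGRESS_PORTS = {80, 443}
WINDOW_SECONDS = 600          # size of the volume-baseline window
EPOCH = datetime(1970, 1, 1)  # reference point for window numbering

# Constructed sample log in a hypothetical format:
# "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes_sent>"
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2011-06-01T09:00:05 10.1.2.15:51001 -> 10.1.0.5:445 1200
2011-06-01T09:01:10 10.1.2.15:51002 -> 203.0.113.10:443 5400
2011-06-01T09:02:00 10.1.2.20:49152 -> 203.0.113.10:443 4000
2011-06-01T09:12:30 10.1.2.15:51003 -> 203.0.113.10:80 8100
2011-06-01T09:15:00 10.1.2.20:49153 -> 203.0.113.10:443 3000
2011-06-01T09:21:45 10.1.2.15:51004 -> 203.0.113.10:443 6200
2011-06-01T09:31:02 10.1.2.15:51005 -> 198.51.100.7:443 1800000
2011-06-01T09:33:15 10.1.2.15:51006 -> 198.51.100.7:8443 950000
2011-06-01T09:34:00 10.1.2.20:49154 -> 203.0.113.10:443 4500
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "bytes": int(nbytes)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def egress_by_window(records):
    """Return {host: {window_index: bytes}} for flows leaving the network."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            window = int((r["ts"] - EPOCH).total_seconds()) // WINDOW_SECONDS
            out[r["src"]][window] += r["bytes"]
    return out


def volume_anomalies(records, factor=10, floor_bytes=1_000_000):
    """Flag (host, window, bytes) where one window's egress exceeds both
    floor_bytes and factor x the median of that host's other windows.
    A host with no other windows has baseline 0 and is judged by the floor
    alone; the floor keeps a small burst from a quiet host from alerting."""
    alerts = []
    for host, windows in egress_by_window(records).items():
        for w, total in sorted(windows.items()):
            others = [v for k, v in windows.items() if k != w]
            baseline = statistics.median(others) if others else 0
            if total > floor_bytes and total > factor * baseline:
                alerts.append((host, w, total))
    return alerts


def policy_violations(records):
    """Flag outbound flows that crossed the firewall on a port the egress
    policy does not allow: traffic the firewall should have blocked."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if is_internal(r["src"]) and not is_internal(r["dst"])
            and r["dport"] not in ALLOWED_EGRESS_PORTS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, window, total in volume_anomalies(recs):
        print(f"VOLUME  {host} sent {total} bytes out in window {window}")
    for src, dst, port in policy_violations(recs):
        print(f"POLICY  {src} -> {dst}:{port} is outside the egress policy")
```

In the sample, 10.1.2.15 normally sends a few kilobytes out per ten-minute window; the final window carries 2.75 MB to one external address, part of it on a port outside the egress policy, and both checks fire while no signature is involved. In production the baseline would come from days of history rather than the neighbouring windows, and the floor and factor would be tuned per host class, but the shape of the check is the same.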