Chapter 1 Surveying a World of Advanced Threats

In This Chapter
▶ Distinguishing between basic and advanced threats
▶ Recognizing three types of cyberenemies
▶ Counting the cost of data breaches

It’s getting rough out there. I’m not kidding. In more than two decades of observing the effects of enterprise and government data breaches, I’ve never seen anything like today’s threat landscape. The sheer number of recent high-profile breaches is staggering. The bad guys clearly have the upper hand, and it seems like there’s nothing that any of us can do about it.

Given the efficacy of modern-day threats, today’s information security professionals are judged not only on how well they can block known threats but also on how quickly they can uncover, identify, and mitigate unknown threats. Unfortunately, too many security professionals lack the tools and training needed to stay ahead in this cyberarms race. In this chapter, I distinguish between basic and advanced cyberthreats while exploring common variations of advanced threats along the way. I also cite recent data-breach statistics, describe three types of cyberenemies, and review high-profile commercial and government cyberattacks that recently made international headlines.

But first, allow me to clarify the differences between basic and advanced threats.

004_9781118658765-ch01.indd 3 7/1/13 12:45 PM

Advanced Threat Detection For Dummies

Contrasting Basic and Advanced Threats

The following are key characteristics of basic and advanced cyberthreats:

✓ Basic threats are known threats against known operating system (OS) or application-level vulnerabilities. They are commonly detected by traditional signature-based network- and endpoint-security defenses, including intrusion prevention systems (IPSs), secure web and e-mail gateways, and antivirus platforms.
✓ Advanced threats are unknown threats against unknown OS or application-level vulnerabilities. They can’t be detected by traditional signature-based defenses.

Better network security devices can detect unknown threats (or new variants of known threats) that target known vulnerabilities, but I still classify those threats as basic.

Obviously, as the name suggests, advanced threats are far more difficult to detect. Traditional security defenses that rely on pattern-matching signatures for detection are useless for detecting advanced threats. Don’t get me wrong — traditional defenses such as firewalls, IPSs, and secure web and e-mail gateways are your front line in a defense-in-depth (layers of security defenses) strategy. But you can’t rely on these technologies exclusively for detecting today’s advanced threats. (Jump to Chapter 2 to find out why.)

Before delving into some of the advanced threats that endanger today’s organizations, take a few minutes to reacquaint yourself with some basic threats that have been around for years.

Basic Threats: Oldies but Baddies

The basic cyberattacks described in this section generally don’t pose huge threats to enterprises and government agencies because they’re largely mitigated by traditional network and endpoint security solutions. If you fail to take them seriously, however, any of them could be your downfall.

Worms, Trojans, and viruses

A worm is malware that exploits the vulnerabilities of a computer’s OS (typically, Microsoft Windows) to self-propagate via the internal network to which the computer is linked, with no user action required. Worms are dangerous to any network because they can be used to exfiltrate data or otherwise harm computer systems. They also consume large amounts of bandwidth, causing degradations in network performance. Unlike a virus (discussed later in this section), a worm doesn’t attach itself to computer programs or files.

A Trojan (or Trojan horse) is malware disguised as a legitimate software application to trick a user into installing it on a computer. Unlike computer worms, Trojans can’t propagate to other vulnerable computers on their own. Once installed, many of them join networks of other infected computers (called botnets; see the next section), wait to receive instructions from the attacker, and then transfer stolen information. Trojans are commonly delivered by means of social media and spam e-mails; they may also be disguised as installers for games or applications.

A virus is malicious code that attaches itself to a program or file so that it can spread from one computer to another, leaving infections as it propagates. Unlike a worm, a virus can’t travel without a human helper, in this case a user who runs an infected program or opens an infected file, usually after receiving it (unknowingly) from another user.

Spyware and botnets

Spyware is a form of malware that covertly collects user information without the user’s knowledge and forwards it to the perpetrator via the Internet. Sometimes, spyware is employed for the purpose of advertising (in which case it’s called adware and displays pop-up ads). At other times, it’s used to collect confidential information such as usernames, passwords, and credit-card numbers. Typically, spyware is secretly bundled into shareware or freeware.


A botnet is a group of Internet-connected computers on which malware is running (bots). Bots are often used to commit denial-of-service attacks (attacks that exhaust a server’s processing power or network capacity with bogus traffic), relay spam, steal data, and/or download additional malware to the infected host computer.

The person who controls a botnet — the bot herder or botmaster — typically uses web servers called command-and-control (CnC) servers. CnC servers have only one job: controlling bots, which means issuing commands to them and collecting whatever they send back.

Social engineering attacks

Social engineering attacks are extremely common, especially the two types discussed in this section: phishing and baiting. As I discuss later in this chapter, these attacks are often incorporated into advanced threats.

Phishing

Phishing is an attempt to steal confidential information — usernames, passwords, credit-card numbers, Social Security numbers, and so on — via e-mail by masquerading as a legitimate organization. After clicking a seemingly innocent hyperlink in the e-mail, the victim is directed to enter personal information on an imposter website that looks almost identical to the one it’s emulating.

Phishing has two common variants:

✓ Spear phishing targets specific people within an organization, using information about them collected from social media sites such as Facebook, LinkedIn, and Twitter.
✓ Whaling is phishing that targets the senior executives of a given organization.
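The "seemingly innocent hyperlink" that leads to an imposter site usually gives itself away in the message source: the text the victim sees names the real site, but the href points somewhere else. The following is an added example, not code from the book, of a check for that mismatch. The HTML message, the bank domain, and the look-alike domain are all constructed for the example, and the registered-domain helper is a deliberate simplification (last two DNS labels) rather than a Public Suffix List lookup.

```python
# Added example, not from the book: flag hyperlinks in an HTML e-mail whose
# visible text names one site while the href leads somewhere else, the
# imposter-site pattern phishing relies on. Message and domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registered domain' = last two labels. Assumption for this example;
    production code should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname named by a URL or by a bare host such as www.example.com/login."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def suspicious_links(html):
    """Return (visible text, href) for links whose shown host and real host
    belong to different registered domains. Links whose text is not a host
    (e.g. 'click here') are not judged here and need a reputation check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = host_of(text)
        if "." not in shown:
            continue
        if registered_domain(shown) != registered_domain(host_of(href)):
            findings.append((text, href))
    return findings


# Constructed phishing lure: the first link shows the bank's real address but
# points at a look-alike domain with the digit 1 in place of the letter l.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify now at
<a href="http://login.examp1e-bank.net/verify">https://www.example-bank.com/login</a>
or read our help pages at
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.
Questions? <a href="http://evil.example/track">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"mismatch: shows {text!r} but goes to {href!r}")
```

The check catches only links that display a host; a "click here" link to a malicious site passes through, which is why mail gateways pair this kind of test with URL reputation and sandboxed click-time inspection.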

Baiting

Baiting occurs when a criminal casually drops a USB flash drive or CD-ROM in a public area (perhaps a parking lot or cybercafé) within close proximity of the targeted organization. The media device is labeled with enticing words such as Product Roadmap or Proprietary & Confidential to spark the finder’s interest. When the victim inserts the device into her computer, it installs malware, typically through an autorun feature or through a disguised executable that the curious finder opens.

Buffer overflows and SQL injections

These two common techniques exploit vulnerabilities in applications, web applications in particular:

✓ A buffer overflow attack is a painfully common cyberthreat in which a malicious hacker knowingly writes more data into a memory buffer than the buffer is designed to hold. Data subsequently spills into adjacent memory, which may crash the program or, when the attacker controls the overwritten data, redirect execution to code of the attacker’s choosing, running with the privileges of the vulnerable program (administrative privileges if the program has them).
✓ In an SQL injection attack, the attacker enters SQL syntax into a web form field (or any other input the application concatenates into a query) in an attempt to get the application to pass an unauthorized SQL command to the database. If successful, the attack can give its perpetrator full access to database content such as credit-card numbers, Social Security numbers, and passwords.

Advanced Threats: Emerging Dangers

Now that you’re up to speed on basic threats, it’s time to explore the advanced threats that are making headlines today.

Advanced persistent threats

Advanced persistent threats (APTs) — also known as advanced targeted attacks (ATAs) — are sophisticated, multivectored (perpetrated through multiple channels) cyberattacks in which an attacker gains unauthorized network access and stays undetected for a long period. To date, the goal of APTs generally has been data theft, but more extreme consequences, including kinetic damage, are possible.

APTs target organizations in industries that handle high-value information, such as financial institutions, government agencies and contractors, and companies that have valuable intellectual property in such sectors as technology, pharmaceuticals, and energy.

To help illustrate the nature of an APT, I break down the components of the acronym:

✓ Advanced: Attackers use a full spectrum of computer-intrusion technologies and techniques, often exploiting unreported vulnerabilities in OSs and applications. Many of these threats are undetectable by traditional security systems.
✓ Persistent: After a network is breached, the perpetrator operates low and slow to remain undetected. Patience is key as he quietly maps the network and connects to each host (often in the middle of the night) until the ultimate target has been identified.
✓ Threat: The attacker initiates each APT with a specific objective in mind and won’t stop until he achieves that objective. He’s skilled, highly motivated, and well funded.

Chapter 2 explores APTs in considerably more detail and also provides an overview of the APT threat life cycle.
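Two behaviours described in this chapter leave a usable trace in ordinary proxy logs: a bot that waits for instructions from its CnC server (see "Spyware and botnets") checks in on a timer, and an intruder operating low and slow does much of that checking in outside business hours. The following is an added example, not code from the book, of the kind of triage query a detection team runs over such logs. The log lines, the field layout (timestamp, source IP, destination host, status), and the thresholds are all constructed for the example.

```python
# Added example, not from the book: find hosts that contact the same external
# destination at clock-like intervals, especially outside business hours, the
# beaconing pattern of a bot polling its CnC server. Log lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src IP> <dst host> <HTTP status>".
# 10.1.5.23 polls update.cdn-example.net every 30 minutes through the night.
SAMPLE_LOG = """\
2013-03-04T02:00:03 10.1.5.23 update.cdn-example.net 200
2013-03-04T02:30:01 10.1.5.23 update.cdn-example.net 200
2013-03-04T03:00:04 10.1.5.23 update.cdn-example.net 200
2013-03-04T03:30:02 10.1.5.23 update.cdn-example.net 200
2013-03-04T04:00:03 10.1.5.23 update.cdn-example.net 200
2013-03-04T09:12:44 10.1.5.23 www.example.com 200
2013-03-04T09:13:10 10.1.5.23 www.example.com 200
2013-03-04T11:47:02 10.1.5.23 www.example.com 200
2013-03-04T02:05:00 10.1.5.40 mail.example.org 200
2013-03-04T10:20:00 10.1.5.40 mail.example.org 200
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_events=5, max_cv=0.1, business_hours=(8, 18)):
    """Return (src, dst, mean interval in seconds, off-hours fraction) for each
    pair whose inter-request gaps are nearly constant. Thresholds are assumptions:
    at least min_events requests, coefficient of variation of the gaps <= max_cv."""
    findings = []
    for (src, dst), times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # low spread relative to the mean = timer-driven
        if cv > max_cv:
            continue
        start, end = business_hours
        off_hours = sum(1 for t in times if not start <= t.hour < end) / len(times)
        findings.append((src, dst, round(avg), off_hours))
    return findings


if __name__ == "__main__":
    for src, dst, interval, off in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: every {interval}s, {off:.0%} outside business hours")
```

Regularity alone is not proof of compromise: software updaters and monitoring agents beacon too. The value of the output is as a short list of destinations to check against reputation data and to inspect more closely, which is the triage role this kind of query plays rather than a verdict.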

Zero-day threats

A zero-day threat is an attack on an OS or application vulnerability that’s unknown to the general public. It’s called a zero-day threat because the attack is launched before public awareness of the vulnerability (on day zero), so no patch or signature exists for it yet.

In some cases, the OS or application vendor is already aware of the vulnerability but hasn’t disclosed it publicly because the vulnerability hasn’t been patched yet. In other cases, the vendor is caught by surprise.

Polymorphic threats

A polymorphic threat is a cyberattack — such as a virus, a worm, a Trojan, or spyware — that continuously changes (morphs), making it impossible for traditional signature-based security defenses to detect. Polymorphic threats morph in a variety of ways, including re-encoding or re-encrypting the payload with a fresh key for every copy as well as filename and file-size changes.
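To make the signature problem concrete, here is an added example, not code from the book, of a toy mutation engine and two detectors. The "payload" is an inert string that stands in for keylogger logic, the mutation is a fresh one-byte XOR key plus a two-byte decoder stub (an assumed, made-up format), and the hash set plays the role of a signature database. Every byte of the body changes with the key, so a signature over the raw bytes misses the second copy, while a detector that emulates the stub and looks at what the sample does still catches it.

```python
# Added example, not from the book: why a byte-level signature misses a
# polymorphic sample whose function is unchanged. The payload and the
# two-byte stub format (marker 0xEB, then the key) are constructed.
import hashlib
import os

PAYLOAD = b"KEYLOG:record keystrokes;send to c2"  # inert stand-in, not real malware


def mutate(payload, key=None):
    """Produce a new variant: XOR the payload with a (random) one-byte key and
    prepend a stub the 'malware' would use to decode itself at run time."""
    key = os.urandom(1)[0] if key is None else key
    body = bytes(b ^ key for b in payload)
    return bytes([0xEB, key]) + body


def signature_hit(sample, known_hashes):
    """Traditional approach: match the sample's bytes against known samples."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def unpack(sample):
    """Emulate the stub: recover what the sample does, not how it looks."""
    if len(sample) < 2 or sample[0] != 0xEB:
        return sample
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def behaviour_hit(sample, marker=b"KEYLOG:"):
    """Detect on the decoded function, which the mutation does not change."""
    return unpack(sample).startswith(marker)


def demo():
    """Build a signature from one variant, then test it against a second one."""
    first = mutate(PAYLOAD, key=0x5A)
    known = {hashlib.sha256(first).hexdigest()}
    second = mutate(PAYLOAD, key=0x3C)  # same function, different bytes
    return {
        "sig_first": signature_hit(first, known),
        "sig_second": signature_hit(second, known),
        "beh_second": behaviour_hit(second),
        "same_function": unpack(first) == unpack(second),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real polymorphic engines vary the decoder stub as well as the key, which is why the practical counterpart of unpack() is a sandbox or emulator that lets the sample decode itself and then inspects the result; the principle that detection has to key on function rather than on bytes is the same.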


Bypassing million-dollar security with a good pair of shoes

No matter how much money your organization spends on perimeter-based network security defenses, they’ll be bypassed every time by users carrying their own laptops, mobile devices, and portable media (such as USB flash drives) right through the office front door. The best approach to information security is a defense-in-depth strategy comprised of best-of-breed security products that can detect all kinds of threats originating both inside and outside the organization.

If you’re an IT security professional who thinks that advanced cyberthreats can penetrate your network only through your firewall, you’re headed for a rude awakening — and possibly a new career.

Although the code within a polymorphic threat changes with each mutation, the function generally remains the same. Consider a spyware program that’s designed to act as a keylogger (malware designed to record keystrokes in an effort to steal usernames, passwords, or other confidential data). Even after its underlying code changes, that program continues to act as a keylogger.

Blended threats

A blended threat employs multiple attack vectors (paths and targets) and multiple types of malware to disguise the attack, confuse security analysts, and increase the likelihood of a successful data breach. Classic examples of blended threats include Conficker, Code Red, and Nimda.

Insider threats

Not all threats originate outside the network. Some originate within, introduced by two types of users:

✓ Malicious users: These users may consist of ill-intentioned contractors, disgruntled employees, or even criminals who use social engineering techniques to gain physical access to the network after being admitted to the building by a negligent receptionist.
✓ Unknowing employees: Even well-intentioned employees may bring malware-infected laptops and mobile devices into the office after surfing the web at home over the weekend.

Depending on how sophisticated your information security is at home and on whether you ever connect your personally owned mobile devices (laptops, smartphones, or tablets) to your company’s network, you might be an insider threat and never even know it!

Malnets

A malnet (malware network) employs a distributed network infrastructure in the Internet that is purpose built and maintained by cybercriminals to launch a variety of attacks against Internet users over extended periods of time. A malnet is comprised of unique domains, servers, and websites that work in unison to funnel users to the malware payload.

Blue Coat Security Labs projects that nearly two-thirds of all new cyberattacks will originate from malnets.

Know Thy Enemy

It’s not enough just to know what kind of cyberthreats you face. You also need to know the sources and goals of those threats. This section gives you some insights into potential attackers — and potential attacks.

Types of attackers

Cyberattackers have changed dramatically over the past half century. In the 1970s and 1980s, phone phreaking (hacking telephone equipment to make free long-distance calls) was common. In the 1990s, widespread Internet adoption and the emergence of the World Wide Web enticed hackers to deface public websites primarily for bragging rights.

Since the turn of the century, however, cyberattackers have fallen into three broad categories: cybercriminals, state- sponsored hackers, and hacktivists.


Cybercriminals

As the name suggests, cybercriminals hack for profit. They penetrate a company’s network security defenses in an attempt to steal something valuable (such as credit-card numbers) and sell it on the black market. Many of today’s botmasters and CnC servers are under the control of cybercriminals and their associates. Today, cybercrime is a multibillion-dollar industry.

State-sponsored hackers

Cyberattacks committed by nations against foreign corporations and governments are perpetrated by state-sponsored hackers — people who hack for a paycheck with the objective of compromising data, sabotaging systems, or even committing cyberwarfare.

China, Russia, Iran, and North Korea are among the coun- tries most often cited for recruiting state-sponsored hackers, although evidence has emerged that the United States is also active in this arena.

Hacktivists

Hacktivists are computer hackers who are driven by political ideology. Typical attacks committed by hacktivists include website defacements, redirects, information theft and exposure, and virtual sit-ins through denial-of-service attacks.

Some hacktivists join forces to target their victims, working as groups such as LulzSec (which claimed responsibility for attacks against Sony Pictures and the Central Intelligence Agency) and Anonymous (which claimed responsibility for attacks against the Church of Scientology, HBGary Federal, PayPal, the U.S. Federal Reserve, and the Ugandan government in protest of its antihomosexuality bill).

Attacks that make headlines

These days, it seems that a day doesn’t go by without news of a major commercial or government cyberattack. The following sections summarize some recent data breaches that have made international headlines.

Attacks on companies

You may have read about some of these high-profile attacks:


✓ Apple and Microsoft (February 2013): Microsoft announced that it experienced an intrusion in its Mac business unit originating from Java-based malware. This attack came just days after Apple stated that it had been victimized by Java-based malware that employees inadvertently downloaded after visiting a website for software developers. Neither Microsoft nor Apple disclosed what, if any, data was compromised.
✓ The New York Times and The Wall Street Journal (January 2013): China has been accused of conducting cyberattacks against these two media giants in response to undesirable coverage of the Chinese government, including Premier Wen Jiabao.
✓ Facebook, Twitter, and LinkedIn (2012–2013): Officials of each of these social media giants claimed that they were targeted by advanced cyberattacks. LinkedIn was first, with 6.5 million password hashes stolen in June 2012; Twitter was next, with some 250,000 users’ credentials stolen in February 2013. Facebook followed soon after (with no reports of stolen passwords just yet).
✓ Citigroup, Bank of America, and JPMorgan Chase (September 2012): U.S. officials accused Iran of orchestrating attacks on the websites of these major U.S. banks in response to United Nations sanctions against Iran. PNC Financial Services Group, SunTrust, and BB&T were also targeted in January 2013.

Data breaches by the numbers

In 2013, Verizon analyzed 621 data-breach incidents that occurred in 2012, resulting in 44 million compromised records, and came up with some staggering statistics:
✓ 40 percent incorporated malware.
✓ 52 percent involved some form of hacking.
✓ 66 percent took months or more to discover.
✓ 84 percent compromised their targets in seconds, minutes, or hours.
✓ 69 percent were discovered by a third party.
✓ 92 percent were perpetrated by outsiders.
✓ 95 percent of state-affiliated attacks employed phishing.

You can download the report for free at www.verizonenterprise.com/DBIR/2013.


Attacks on government agencies

Unsurprisingly, governments are high-profile targets. Here are a few recent examples:

✓ NATO and European governments (February 2013): Officials of NATO and several European nations, including the Czech Republic, Ireland, Portugal, and Romania, announced the compromise of sensitive computer systems by advanced malware called MiniDuke, which exploits a flaw in Adobe Reader.
✓ U.S. Department of Energy (February 2013): In a major cyberattack, the personal information of several hundred DoE employees was compromised. The agency reported that 14 servers and 20 workstations were penetrated during the attack.
✓ South Carolina Department of Revenue (November 2012): A single malicious e-mail enabled a hacker to crack into state computers and access 3.8 million tax returns in what experts say is the biggest cyberattack against a state government.
✓ Iran (May 2012): A malware program called Flame, allegedly developed by the United States and Israel, was deployed to collect intelligence related to Iran’s nuclear program. Unlike Stuxnet, which was designed to sabotage an industrial process, Flame was written purely for espionage purposes.

This list of attacks just scratches the surface of what government agencies are experiencing. An official of a well-known federal contractor inadvertently disclosed at a company event that the U.S. Navy fights off more than 110,000 cyberattacks every hour — more than 30 attacks every single second!

The Price of Failure

Failing to detect a data breach before it’s too late is disastrous to any organization. The associated costs are difficult to quantify, as they’re spread across many areas, including these:

✓ Investigation and forensics costs
✓ Customer and partner communication costs
✓ Public relations costs
✓ Lost revenue due to damaged reputation
✓ Regulatory fines and civil claims

In 2012, the Ponemon Institute published its 2012 Cost of CyberCrime Study, which calculated the cost of data breaches for 56 U.S.-based enterprises. The report found the average annualized cost of cybercrime for each organization to be $8.9 million, with a range of $1.4 million to $46 million, a 6 percent increase (from $8.4 million) from the year before. To download a free copy of the report, visit www.ponemon.org/library.

Security researcher exposes potential source of global cyberespionage

In February 2013, cybersecurity vendor and researcher Mandiant (www.mandiant.com) published a report called APT1 that instantly turned heads throughout the information security industry. In this report, Mandiant claims to have conclusive proof that a government-controlled organization in China is the source of hundreds of advanced cyberattacks.

According to Mandiant, which has investigated computer security breaches at hundreds of organizations around the world, the company has tracked more than 20 APT groups with origins in China, but a single organization, which Mandiant has dubbed APT1, is by far the most prolific.

In its report, Mandiant claims that APT1 stole 6.5 terabytes of compressed data from a single organization over a ten-month period. In the last two years alone, APT1 has allegedly established a minimum of 937 command-and-control (CnC) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these IP addresses were registered to organizations in China.

In a Forbes.com article written by Richard Stiennon, Chief Security Analyst at IT Harvest, Mr. Stiennon advised his readers responsible for the IT security of their organizations to drop everything and immediately read Mandiant’s APT1 report. Although I hope you continue reading this book, I advise that you do the same.

To download a free copy of the Mandiant APT1 report, connect to http://intelreport.mandiant.com.
