Targeted Threat Index: Characterizing and Quantifying

Targeted Threat Index: Characterizing and Quantifying

Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware Seth Hardy, Masashi Crete-Nishihata, Katharine Kleemola, Adam Senft, Byron Sonne, and Greg Wiseman, The Citizen Lab; Phillipa Gill, Stony Brook University; Ronald J. Deibert, The Citizen Lab https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/hardy This paper is included in the Proceedings of the 23rd USENIX Security Symposium. August 20–22, 2014 • San Diego, CA ISBN 978-1-931971-15-7 Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware Seth Hardy§ Masashi Crete-Nishihata§ Katharine Kleemola§ Adam Senft§ Byron Sonne§ Greg Wiseman§ Phillipa Gill† Ronald J. Deibert§ § The Citizen Lab, Munk School of Global Affairs, University of Toronto, Canada † Stony Brook University, Stony Brook, USA Abstract creasing problem for CSOs. These attacks are not iso- lated incidents, but waves of attacks organized in cam- Targeted attacks on civil society and non-governmental paigns that persistently attempt to compromise systems organizations have gone underreported despite the fact and gain access to networks over long periods of time that these organizations have been shown to be frequent while remaining undetected. These campaigns are cus- targets of these attacks. In this paper, we shed light on tom designed for specific targets and are conducted by targeted malware attacks faced by these organizations by highly motivated attackers. The objective of these cam- studying malicious e-mails received by 10 civil society paigns is to extract information from compromised sys- organizations (the majority of which are from groups re- tems and monitor user activity and is best understood as lated to China and Tibet issues) over a period of 4 years. a form of espionage. CSOs can be particularly suscep- Our study highlights important properties of malware tible to these threats due to limited resources and lack threats faced by these organizations with implications on of security awareness. Targeted malware is an active re- how these organizations defend themselves and how we search area, particularly in private industry. However, quantify these threats. We find that the technical sophis- focused studies on targeted attacks against CSOs are rel- tication of malware we observe is fairly low, with more atively limited despite the persistent threats they face and effort placed on socially engineering the e-mail con- the vulnerability of these groups. tent. Based on this observation, we develop the Targeted In this study, we work with 10 CSOs for a period of Threat Index (TTI), a metric which incorporates both so- 4 years to characterize and track targeted malware cam- cial engineering and technical sophistication when as- paigns against these groups. With the exception of two sessing the risk of malware threats. We demonstrate that groups that work on human rights in multiple countries, this metric is more effective than simple technical sophis- the remaining eight groups focus on China and Tibet- tication for identifying malware threats with the high- related human rights issues. We focus on targeted mal- est potential to successfully compromise victims. We ware typically delivered via e-mail that is specifically tai- also discuss how education efforts focused on changing lored to these groups as opposed to conventional spam user behaviour can help prevent compromise. For two which has been well characterized in numerous previous of the three Tibetan groups in our study simple steps works [27, 42, 45, 52, 70, 71]. We consider the threats to such as avoiding the use of email attachments could these groups along two axes: the technical sophistica- cut document-based malware threats delivered through tion of the malware as well as sophistication of the so- e-mail that we observed by up to 95%. cial engineering used to deliver the malicious payload. We combine these two metrics to form an overall threat 1 Introduction ranking that we call the Targeted Threat Index (TTI). While other scoring systems exist for characterizing the Civil society organizations (CSOs), working on hu- level of severity and danger of a technical vulnerabil- man rights issues around the globe, face a spectrum ity [7, 17, 41, 50], no common system exists for ranking of politically-motivated information security threats that the sophistication of targeted e-mail attacks. TTI allows seek to deny (e.g. Internet filtering, denial-of-service at- us to gain insights into the relative sophistication of so- tacks), manipulate (e.g. website defacements) or moni- cial engineering and malware leveraged against CSOs. tor (e.g. targeted malware) information related to their A key to the success of our study is a unique method- work. Targeted malware attacks in particular are an in- ology, combining qualitative and technical analysis of USENIX Association 23rd USENIX Security Symposium 527 e-mails and their attachments with fieldwork (e.g. site in Section 4. Training and outreach implications of our visits) and interviews with affected CSOs. This method- work are discussed in Section 5. We present related work ology, which we describe in more detail in Section 3, al- in Section 6 and conclude in Section 7. lows us to both accurately rate the level of targeting of e- mail messages by interfacing with CSOs participating in our study (Section 4.2), and understand the relative tech- 2 Background nical sophistication of different malware families used in the attacks (Section 4.3). By combining the strengths of 2.1 Targeted Malware Overview our qualitative and quantitative analysis, we are able to Targeted malware are a category of attacks that are dis- accurately understand trends in terms of social engineer- tinct from common spam, phishing, and financially mo- ing and technical sophistication of politically-motivated tivated malware. Spam and mass phishing attacks are targeted malware threats faced by CSOs. indiscriminate in the selection of targets and are directed Our study makes the following observations, which to the largest number of users possible. Similarly, finan- have implications for security strategies that CSOs can cially motivated malware such as banking trojans seek employ to protect themselves from targeted malware: to compromise as many users as possible to maximize Attachments are the primary vector for email based the potential profits that can be made. The social engi- targeted malware. More than 80% of malware deliv- neering tactics and themes used by these kinds of attacks ered to Tibet-related organizations in our study and sub- are generic and the attack vectors are sent in high vol- mitted to us is contained in an e-mail attachment. Fur- umes. By contrast targeted malware attacks are designed ther, for 2 of the 3 Tibetan organizations in our study for specific targets, sent in lower volumes, and are moti- (with at least 40 submitted e-mails), simply not opening vated by the objective of stealing specific sensitive data attachments would mitigate more than 95% of targeted from a target. malware threats that use email as a vector. Targeted malware attacks typically involve the follow- Targeted malware technical sophistication is low. So- ing stages [24, 66]: cial engineering sophistication is high We find that Reconnaissance: During this stage attackers conduct the technical sophistication of targeted malware deliv- research on targets including profiling systems, software, ered to CSOs in our study is relatively low (e.g., rela- and information security defenses used to identify possi- tive to commercial malware that has been found targeting ble vulnerabilities and contextual information on person- CSOs and journalists [35,36,38] and conventional finan- nel and activities to aid social engineering. cially motivated malware), with much more effort given Delivery: During this stage a vector for delivering to socially engineering messages to mislead users. This the attack is selected. Common vectors include e-mails finding highlights the potential for education efforts fo- with malicious documents or links, or contacting targets cused on changing user behaviours rather than high-cost through instant messaging services and using social en- technical security solutions to help protect CSOs. gineering to send malware to them. Typically, a target of CSOs face persistent and highly motivated actors. such an attack receives an e-mail, possibly appearing to For numerous malware samples in our study we ob- be from someone they know, containing text that urges serve several versions of the software appearing over the user to open an attached document (or visit a web- the course of our four year study. These multiple ver- site). sions show evidence of technical improvements to com- Compromise: During this stage malicious code is exe- plement existing social engineering techniques. cuted on a target machine typically after a user initiated Since the start of our study we have participated in action such as opening a malicious document or link. a series of workshops with the participating Tibetan or- ganizations to translate these results into a training cur- Command and Control: During this stage the infected riculum. Specifically, we have educated them about how host system establishes a communications channel to a to identify suspicious e-mail headers to identify spoofed command and control (C&C) server operated by the at- senders and demonstrated

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us