5 Lessons From Real-World Attacks

Published: 22/11/2024   Category: security

Tales from the trenches show that even small organizations are in the bull's-eye



INTEROP -- New York City -- Take it from Harry Sverdlove, CTO of security firm Bit9: No organization -- regardless of size or business -- is immune to today's attacks.
The security whitelisting vendor earlier this year revealed details of how attackers had stolen one of its digital code-signing certificates and then used it to sign malware attacks against three of its customers, who were the ultimate targets. It was an awkward and painful position for a security vendor, but Bit9 provided a detailed firsthand account of some of the key specifics of the attack, as well as the malware that was used.
Sverdlove here at Interop tomorrow will share five lessons from real-world attacks -- some of which are gleaned from his company's own experience getting attacked.
"Obviously, everyone is a target. It's not pleasant to talk about ... but [our breach] was a supply-chain attack," Sverdlove says. "There were multiple teams of hand-offs ... What we gathered on the campaign is that we weren't the target."
[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See "Security Vendors In The Aftermath Of Targeted Attacks."]
Lesson No. 1: Everyone is a target.
Sverdlove says mom-and-pop shops, suppliers, and other small businesses are getting hit. "You don't have to be working on a secret nuclear weapons program. You don't even have to have information of value," he says. "You just have to know people with information of value."
Cyberespionage actors are getting to their actual targets via their suppliers and business partners, he says. After the Flame cyberspying malware attack was exposed a year-and-a-half ago, one of Bit9's customers in the Middle East found it had been attacked by Flame. Bit9's software blocked an actual infection, he says, and it turns out the firm was targeted because it does business in the Middle East. "They were a stepping-stone attack," Sverdlove says.
That doesn't mean small businesses don't have valuable information of their own that attackers want. A small tire-maker in Texas, for example, was breached, and the attack was traced to a sophisticated attack group, Sverdlove says. "I asked him, 'Well, why were you attacked?' and he said, 'I have a special way I make my tires.'"
Such proprietary information is attractive to cyberspies, Sverdlove says.
Lesson No. 2: Attackers are constantly raising the bar.
The bad guys are sharing intel they gather, and they also capitalize on any code that's published by the security community, such as the snippets of Stuxnet code that were posted in the wake of the discovery of the game-changing malware. "Stuxnet just raised the bar for everybody," Sverdlove says.
"Enemies are sharing the intel, and sometimes we facilitate it when posting and analyzing code," he says. "We're doing our jobs." But the attackers download those samples, too, he says, as well as the Metasploit modules that are released in the wake of zero-day finds.
"Metasploit is a great security tool for researchers, [for example], but that commercialization allows less sophisticated attackers to download it, and they're performing zero-day attacks," he says.
Distributed denial-of-service (DDoS) attacks are getting exponentially more powerful and efficient, while waterholing attacks are becoming a popular way for cyberespionage attackers to more efficiently net their targets. "Instead of emailing you, they go to a softer target, a website you frequent, and wait for you to come there," Sverdlove says.
Since many companies outsource their websites, they have less control over the security, for instance, he says. Plus, organizations can't secure the Internet for all of the websites their users visit, he says.
How do the attackers filter out the unwanted catches? "You can set up a watering hole attack and monitor the IP addresses and the machine names of the systems you have compromised," Sverdlove says.
In one such attack on one organization investigated by Bit9, the attackers established a foothold in multiple systems and went dormant in the ones they didn't want or need. "They can tell the others to delete and clean themselves up and wait for the specific targeted user's machine they were after," he says.
Several Chinese cyberspy gangs are broken into units, he says. They split the duties in their attacks: One group compromises the websites, filters out the targets, and hands them over to another group that handles the exfiltration of data. "It allows them to do campaigns that are certainly longstanding and prolonged," Sverdlove says. "It's not like they have one goal in mind; they have entire sectors they compromise and later, when they need specific information, they call in specific teams."
Lesson No. 3: You've already been infiltrated.
"You should be assuming you are infected," Sverdlove says.
These advanced attackers are in it for control and information, he says, so you have to assume you are under attack. Then you have to answer the question, "If I were infected, how would I know?"
Sverdlove says that requires changing your security program from prevention to protection and watching what's happening in your environment. And you need a response to an attack, he says.
"Part of a security program, you have to have prevention, detection, and to monitor your ability on how quickly you can respond," he says, "whether it's to wipe a system or sandbox it and watch the bad guys' actions."
Response encompasses several parties, including public relations. "It helps to have that PR agency on speed dial," he says. "You have a process for escalation ... in the early stage, you bring in a security analyst, who's going to see what's going on. But then later, you might need to bring in executive stakeholders, legal, or law enforcement."
Lesson No. 4: Traditional security methods don't solve today's problems.
Default/deny signature-based technology doesn't stop sophisticated attacks. "Companies that are getting hacked have had all of these technologies, including antivirus and firewalls, and still were infiltrated," Sverdlove says.
"They're not stopping the attackers," he says. But even so, they're necessary for known-threat prevention.
Lesson No. 5: Don't despair.
Organizations can take steps to minimize their risk of a targeted attack, however.
"Don't use home email for work. That's the No. 1 way spearphishing happens," Sverdlove says.
Keep patching, he says, and set in place policies for risky applications such as Java, for instance.
A simple set of policies can reduce your attack surface area, he says. But policies require verification, too.
Take strong password policies. Bit9's security team regularly tests the company's users' passwords. "They use off-the-shelf password cracking tools," Sverdlove says. If they can crack a user's password with the tools, the user is notified and given tips on creating a stronger one.