Attackers are getting more sophisticated; here's an example of how they work and insight on how to stop them
The news just broke: Acme has completed a strategic acquisition of Landmark and both companies are being tight-lipped about the details. Should the acquisition proceed, that's bad news for Acme's toughest competitor, which would – as a result of the deal – be set to lose a clear market advantage.
That competitor could do what many do today when they need information: steal it electronically. It has contracted a black hat hacker, and that hired hacker now has three objectives: find as much information about the acquisition as possible; steal as much competitive information as possible; and, of course, not get caught.
First up for our nefarious attacker: find a target that will provide entry into Acme's IT systems. Thanks to the magic of social networking sites such as Twitter, Facebook, and LinkedIn, that task is easier now than ever. So, our attacker starts to trawl online hangouts looking for anyone and any information that could be useful. Fortunately (or unfortunately for Acme), a few searches on LinkedIn turn up Keith, a security analyst at Acme. Keith likes to tweet. A lot. And he's been blabbering about his day at home with the kids after his return from Black Hat, the movies he intends to watch this weekend, and his excitement over the Landmark acquisition. This sets up the hacker's first approach: a familiar social engineering ploy that leverages the information Keith tweeted about himself. “Hi Keith, it was great meeting you at Black Hat. I'd like to add you as a member of my LinkedIn network” is all the note needed to say. Only that wasn't an authentic LinkedIn e-mail; it was a specially crafted one. And when Keith clicked on the bogus LinkedIn invitation, malware was installed on his PC that gave the hacker full access to his workstation and network credentials.
Unfortunately, Keith doesn't know this. So, our attacker, with his newfound foothold, can unleash the full power of his arsenal and work to find any information about the Landmark acquisition, and any other competitive information that may be of use: he can take screenshots of the compromised workstation to confirm that the malware has been deployed successfully on his target, retrieve stored passwords from the browser for later use, run a software inventory to learn which applications are on the compromised machine, or install a key logger and network sniffer to capture passwords and other activity from the user.
After all of that fun, our attacker rummages through Keith's current contact list, making note of a few VIPs. He captures Keith's current username and password in their encrypted form, and he can now pass these stolen credentials directly to additional servers for immediate access, without even needing to decrypt or crack the password. With that exact goal in mind, the attacker opens a shell prompt on Keith's computer to discover whether it is mapped to a network drive.
Fortunately for the attacker, Keith's system is currently connected to the network drive. That fact calls for a port scan from Keith's system, which identifies open ports, the services running on each system, and the network segments. With a network map now in place, the attacker goes back to one of the VIPs he previously noted in Keith's contact list: Norman Devries, Acme CEO.
Our attacker needs to do nothing more than he did before: send an e-mail to the CEO, who also clicks on a link he shouldn't have. Once that is done, the attacker has access to the Landmark acquisition details ($53 million), product integration plans, new services to be launched as a result of the acquisition, and a number of other corporate secrets. He can do this because he piggybacked on Norman's authentication credentials.
Until recently, attacks like the one we just described in our fictional example would have been considered exceptional or rare. Not anymore. Consider the Operation Aurora attacks, which employed some of the tactics we touched on above against several leading companies.
Interestingly, the vast majority of attacks reveal that enterprises had the data on hand to stop, or at least mitigate, the risk long before the breach was uncovered. Consider the 2010 Data Breach Investigations Report from Verizon Business: it found that while 86 per cent of data breach victims had evidence of the breach in their audit logs, 61 per cent of those victims didn't uncover the breach themselves; they were notified by a third party. How embarrassing.
How do you put all of that data in your audit logs to work? And more importantly, how do you stop attacks like the one that befell Acme? Make sure that you capture the data that could detail security events on your network. You need to put into place the processes, and possibly the technology, necessary to cultivate your security logs and pinpoint the information needed to keep the infrastructure secure. Those efforts absolutely require some type of log management. Even better would be the installation of a Security Information and Event Management (SIEM) system to capture and correlate that data.
It's also crucial to take that one step further and integrate that data with identity and access information. That way, in our hacking example, a number of alerts would have been fired off to security managers long before any of your proprietary data was accessed.
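As an added illustration (not from the article or from Novell), here is a small correlation routine of the kind a SIEM would run over the Acme story: it replays constructed authentication and connection events against identity data mapping each account to its assigned workstation, and raises the three signals the attack leaves in the logs (a port scan from Keith's workstation, one set of credentials reaching many servers in a short time, and the CEO's account used from a host it is not assigned to). Host names, thresholds and the event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Identity/access data (constructed): the workstation each account is assigned to.
ASSIGNED_HOST = {"keith": "ws-keith", "norman": "ws-norman"}

# Constructed sample events: "conn" = a connection attempt seen by a firewall or IDS,
# "auth" = a successful logon recorded by a server. Not real log data.
EVENTS = (
    [{"ts": f"2010-06-01T09:01:{i:02d}", "type": "conn", "src": "ws-keith", "dst": "fs01", "port": p}
     for i, p in enumerate([21, 22, 23, 80, 139, 445, 3389])]
    + [{"ts": f"2010-06-01T09:0{m}:30", "type": "auth", "user": "keith", "src": "ws-keith", "dst": d}
       for m, d in zip([2, 3, 4, 5], ["fs01", "mail01", "hr01", "erp01"])]
    + [{"ts": "2010-06-01T09:07:00", "type": "auth", "user": "norman", "src": "ws-keith", "dst": "finance01"}]
)

def find_alerts(events, assigned_host, window=timedelta(minutes=10), max_servers=3, max_ports=5):
    """Correlate auth and connection events with identity data; return a sorted list of alerts."""
    alerts = set()
    logons = defaultdict(list)   # (user, src host) -> [(ts, server)] inside the window
    probes = defaultdict(list)   # (src host, dst host) -> [(ts, port)] inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "auth":
            # Identity correlation: an account logging on from a host it is not assigned to
            # (the CEO's credentials used from Keith's compromised workstation).
            if assigned_host.get(e["user"], e["src"]) != e["src"]:
                alerts.add(("identity_mismatch", e["user"], e["src"]))
            key = (e["user"], e["src"])
            logons[key] = [x for x in logons[key] if ts - x[0] <= window] + [(ts, e["dst"])]
            # Lateral movement: one set of credentials reaching many servers in a short time.
            if len({d for _, d in logons[key]}) > max_servers:
                alerts.add(("lateral_movement", e["user"], e["src"]))
        elif e["type"] == "conn":
            key = (e["src"], e["dst"])
            probes[key] = [x for x in probes[key] if ts - x[0] <= window] + [(ts, e["port"])]
            # Port scan: many distinct ports on one destination from one source.
            if len({p for _, p in probes[key]}) > max_ports:
                alerts.add(("port_scan", e["src"], e["dst"]))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(EVENTS, ASSIGNED_HOST):
        print(alert)
```

The identity mismatch rule is the one that depends on feeding the SIEM the identity mapping; the other two fire on the logs alone.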
While you read about how security threats have grown more menacing, remember that security defences have grown more powerful too. The critical thing is to take the necessary steps to protect your infrastructure and your data. That's where most businesses fall short. And it's a mistake that is growing increasingly costly to make.
(The author is Managing Director for India Development Centre and Vice-President for Global Engineering Strategy, Novell)