Honeypot Valentine

Several years ago I was compromised by a targeted attack which has had lasting effects; it has also taught me valuable, but extremely expensive, lessons.

I was just “browsing” when I was lured into a completely innocent-looking “honeypot”. In retrospect I realised that I had been singled out as an attacker, so the plan was put in place to lure me in. Afterwards I also realised that a botnet had been set up to get me. And several friends had fallen victim to the same botnet.

While I was completely oblivious to what was happening, a spear-phishing attack was initiated against me. Once you've been lured, the spear-phishing attack becomes relatively easy.

Without being aware of what was happening, I had been infected by the “ILoveYou” virus, and once access had been gained, the escalation started. The virus actually attacked tens of millions of computers and did damage to each machine, overwriting image files, and sent a copy of itself to the first 50 names in the Microsoft Outlook Address Book.

Many of us fall victim to a similar attack, and generally it is too late before we understand that we have been compromised!

Understanding The Enemy

An attack requires careful planning to succeed. And the most successful attacks go undetected, under the radar. Breaches such as Target, TK Maxx, and the recent “Mask”, “Chewbacca”, etc., have all taken months to prepare and years to discover. Attacks are usually executed using similar steps.

1. Reconnaissance

Before commencement an attacker first identifies the target to understand how best to lure them in. Any and all information sources are used, whether family, friends or business associates. The Gh0st RAT trojan is, to many, the poster child for distributing malware by email to carefully selected recipients.

2. Scanning

Once the target is identified, the weak points are identified to gain access. According to cybersecurity expert Brian Krebs, the recent attack on POS systems at Target started with a malware-injecting phishing attack sent by email to employees of a third-party firm which had business relationships with Target.

Their response to enquiries was that their “IT system and security measures are in ‘full compliance’ with industry practices”, which is all that needs saying about industry practices! In my own case I have to admit that there were clearly weaknesses in my security because it didn't take much scanning to be breached.

3. Access and Escalation

Once the weakness is identified, the next step is to gain access and then escalate. Cyber-attackers do not advertise their intentions, and those who are most successful are always going to use subtlety. In almost all cases the access is privileged, which allows the attacker to move freely within the environment. In my own case, the attacker gained access to the “domain controller” and once that was achieved there was complete freedom of movement within the infrastructure.

4. Exfiltration

With the freedom to move around, the attacker is now able to get access to the “crown jewels” and at that point you are defenceless. In the case of AMSC and Sinovel, Sinovel were indicted for the theft of AMSC's source code, software, equipment designs and technical drawings. Although AMSC had taken “reasonable measures to maintain the confidentiality of its trade secrets and proprietary information such as restricting access to authorised personnel only”, it was a victim of an unethical insider. And this is a recurring theme. In my own case, much of the information gained by the attacker came from “insiders”.

5. Sustainment

Once an attacker has gained access, sustainment, or staying in place, is very important. In the case of the TJX breach in 2006, the attackers installed new accounts using their already elevated privileges, so that they were no longer dependent on a single access point. Effectively the attacker was able to come and go as they pleased. In my own case, in hindsight it is clear that the attacker no longer needed to use me to get access to the whole environment.

6. Assault

The assault is where it can become particularly nasty, because the attacker may decide that they want to leave an indelible mark on their victim. Attacks such as Stuxnet, and Shamoon, which damaged thirty thousand machines at Aramco, are well-known examples. And today there are serious concerns regarding the ability of attackers to target any infrastructure, including energy, financial and health care. And the problem with the assault is that it is generally too late to defend yourself, because the attacker has effectively taken control of your environment and is anticipating your every move.

7. Obfuscation

In many cases the attacker may want to hide the origins of the attack, using various methods to cover their tracks, but this is not always the case. At Aramco the attackers chose to leave a calling card, and often the victim is too embarrassed to admit that they have been breached. Failure to disclose breaches means others are unable to learn from someone else's misfortune.

Is There Any Defence?

Every one of us is vulnerable, and the best defences on offer give little or no real protection. The key is to ensure that you have strong and managed access control. If you have the ability to control privileged access, then the likelihood of a serious breach is reduced.

In my own case, as my wife told me many years later, once I had gone for the “honeypot” on Valentine's Day many years ago, I was defenceless. The targeted attack started and before I knew it I was a granddad. Having got access to my mother, and become friends with my sisters, the inevitable assault was easy. Mind you, not all attacks are bad!

Contributed by Calum MacLeod, VP EMEA, Lieberman Software Corporation.