Following his keynote speech on “The idiot's guide to destroying a Global 500 company for £500” at Infosecurity Europe 2014, Kevin Kennedy, senior director of the counter-security business unit at Juniper Networks, explained to SCMagazineUK.com how companies need to raise the barriers to entry for attackers.
“You can now go on the web and with no technical background, you can buy the malware you need, get toolkits to the spec you request, and view the instructional videos to learn what to do, so that for an outlay of less than £600 you can start stealing information. With a little bit of social research on Facebook you can tailor your phishing attacks and get your malware inside the target company.”
Kennedy suggests that the approach of simply building higher walls no longer works, and that the way to tackle the issue of attacks being low-cost and low-risk is to increase the time, effort and skill level that an attacker would need to make a successful intrusion.
“Relatively few of the attackers actually have the more sophisticated skill sets – most are either entry or mid-level, so we can design our networks to increase the difficulty of successfully exfiltrating useful information,” he said.
Many of the approaches are well known but still need to be implemented more widely. For example, any new computer logging into a network could trigger an SMS requesting authorisation for the access, with a validation code required in case the credentials have been stolen. If there is a good chance that stolen credentials will be useless to attackers, their value drops. The same principle would extend to mobile devices, where every corporate application should keep its content encrypted so that if the device is stolen, the hacker gets nothing.
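The step-up flow described above, as an added illustration (not code from the article or from Juniper): a correct password from a device the user has never used does not grant access on its own; an out-of-band code is sent and must be returned before that device becomes trusted, so stolen credentials alone produce a challenge rather than a session. The device-fingerprint fields, the in-memory stores and the SMS hook are assumptions made for the example.

```python
"""Step-up authorisation for logins from unrecognised devices.

Added example, not code from the article or from Juniper. The fingerprint
inputs, the in-memory stores and the SMS hook are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # the out-of-band code is short-lived ...
MAX_CODE_ATTEMPTS = 3       # ... and cannot be guessed at leisure


class StepUpLogin:
    def __init__(self, send_sms, fingerprint_key: bytes, now=time.time):
        self.send_sms = send_sms      # callable(phone, message); assumed SMS gateway
        self.key = fingerprint_key    # server-side secret; fingerprints are keyed hashes
        self.now = now
        self.users = {}               # user -> {"phone": str, "check": callable}
        self.trusted = {}             # user -> set of device fingerprints
        self.pending = {}             # (user, fp) -> {"code", "expires", "tries"}

    def register_user(self, user, phone, check_password):
        self.users[user] = {"phone": phone, "check": check_password}
        self.trusted.setdefault(user, set())

    def device_fingerprint(self, device):
        # Keyed hash over stable device attributes (assumed field names), so a
        # leaked fingerprint table reveals nothing about the devices themselves.
        material = "|".join(str(device.get(k, "")) for k in ("machine_id", "user_agent", "network"))
        return hmac.new(self.key, material.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password, device):
        """Return 'denied', 'ok' (trusted device) or 'challenge' (code sent)."""
        rec = self.users.get(user)
        if rec is None or not rec["check"](password):
            return "denied"           # no SMS on bad credentials: nothing to learn here
        fp = self.device_fingerprint(device)
        if fp in self.trusted[user]:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user, fp)] = {"code": code, "expires": self.now() + CODE_TTL_SECONDS, "tries": 0}
        self.send_sms(rec["phone"], f"New device sign-in for {user}. Authorisation code: {code}")
        return "challenge"

    def confirm(self, user, device, code):
        """Second step: the code from the SMS authorises this device."""
        fp = self.device_fingerprint(device)
        entry = self.pending.get((user, fp))
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop((user, fp), None)
            return "denied"
        entry["tries"] += 1
        if not hmac.compare_digest(entry["code"], code):
            if entry["tries"] >= MAX_CODE_ATTEMPTS:
                del self.pending[(user, fp)]    # too many guesses: must log in again
            return "denied"
        del self.pending[(user, fp)]            # the code is single use
        self.trusted[user].add(fp)
        return "ok"


def demo():
    """Walk through the flow with a constructed user and two devices."""
    sent = []                                   # captured SMS messages (constructed gateway)
    svc = StepUpLogin(lambda phone, msg: sent.append(msg), fingerprint_key=b"constructed-secret")
    svc.register_user("alice", "+44-0000-000000", lambda pw: pw == "correct horse")
    laptop = {"machine_id": "LAPTOP-01", "user_agent": "Outlook/15", "network": "10.0.0.0/8"}
    unknown = {"machine_id": "VPS-9", "user_agent": "curl/7", "network": "198.51.100.0/24"}

    r = {}
    r["bad_password"] = svc.login("alice", "wrong", laptop)          # denied, no SMS sent
    r["sms_after_bad_password"] = len(sent)
    r["first_login"] = svc.login("alice", "correct horse", laptop)   # challenge
    code = sent[-1].rsplit(" ", 1)[1]
    r["wrong_code"] = svc.confirm("alice", laptop, "not-a-code")     # denied
    r["right_code"] = svc.confirm("alice", laptop, code)             # ok, device now trusted
    r["second_login"] = svc.login("alice", "correct horse", laptop)  # ok without a new SMS
    r["stolen_creds_elsewhere"] = svc.login("alice", "correct horse", unknown)  # challenge
    r["sms_total"] = len(sent)
    return r
```

The two design points worth noting are that a bad password never triggers an SMS (so the flow cannot be used to confirm which accounts exist or to flood a phone), and that the code is short-lived, single use and limited to a few attempts, so the second factor is not itself something an attacker can grind through.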
“Don't sit and wait for an attack,” says Kennedy. “Prepare for it as you would in the physical world. Use deception and counter-intelligence techniques to get the attackers to identify themselves.”
These techniques, already widely used in the military and intelligence communities, would include the creation of tar-traps and fake attack surfaces.
So a seemingly interesting file may be one that no legitimate user would ever need to touch, but that would attract an attacker and thereby identify them. You can then decide how you want to respond. Attackers can be led down complex false trails, tying them up and consuming more and more of their time for no gain. They can even be fed false information which, if they sold it, would prove useless and so damage their reputation in the criminal fraternity. Kennedy suggests that by watching those who respond to honeypots, their infrastructure can be identified and monitored.
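The decoy-file mechanism above, as an added example (not code from the article or from Juniper): files that no legitimate user needs are planted in plausible places, every file-access audit event is checked against the planted paths, and each hit is grouped by the host it came from, which is the “watch who responds” step. The log format is a constructed, simplified one (timestamp, source host, user, action, path) standing in for whatever the real audit source emits; the decoy paths, the exempt account and the sample lines are all made up for the illustration.

```python
"""Decoy-file access detection over file-access audit lines.

Added example, not from the article or from Juniper. The log format, the
decoy paths, the exempt account and the sample lines are constructed.
"""
import posixpath

# Planted files; nothing legitimate ever opens them. Assumed paths.
DECOY_PATHS = frozenset({
    "/srv/finance/Q3_board_pack_FINAL.xlsx",
    "/srv/hr/salary_review_2014.docx",
    "/home/svc_backup/.ssh/id_rsa_prod",
})

# Accounts allowed to touch decoys without raising an alert, e.g. the job
# that plants and verifies them. Assumed for the illustration.
EXEMPT_USERS = frozenset({"decoy-admin"})

# Constructed sample audit log: "<timestamp> <source_host> <user> <action> <path>"
SAMPLE_LOG = """\
2014-05-01T09:12:03Z ws-0412 jsmith OPEN /srv/finance/expenses_policy.pdf
2014-05-01T09:13:41Z ws-0412 jsmith OPEN /srv/finance/Q3_board_pack_FINAL.xlsx
2014-05-01T09:13:42Z ws-0412 jsmith READ /srv/finance/Q3_board_pack_FINAL.xlsx
2014-05-01T09:15:10Z ws-0091 mlee OPEN /srv/hr/holiday_calendar.xlsx
2014-05-01T09:20:55Z ws-0412 jsmith OPEN /srv/hr/../hr/salary_review_2014.docx
2014-05-01T09:21:07Z vpn-pool-17 svc_backup READ /home/svc_backup/.ssh/id_rsa_prod
2014-05-01T23:00:00Z backup-01 decoy-admin READ /srv/hr/salary_review_2014.docx
"""


def parse_line(line):
    """Split one audit line into a dict, or return None for malformed input."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, user, action, path = parts
    # Normalise so "/srv/hr/../hr/x" and "/srv/hr/x" match the same decoy.
    return {"ts": ts, "host": host, "user": user, "action": action,
            "path": posixpath.normpath(path)}


def find_decoy_access(log_text, decoys=DECOY_PATHS, exempt=EXEMPT_USERS):
    """Return every event in which a non-exempt account touched a decoy."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] in decoys and ev["user"] not in exempt:
            alerts.append(ev)
    return alerts


def summarise_sources(alerts):
    """Group alerts by source host: which hosts responded, as which users, to which decoys."""
    by_host = {}
    for ev in alerts:
        entry = by_host.setdefault(ev["host"], {"first_seen": ev["ts"], "users": set(),
                                                "decoys": set(), "events": 0})
        entry["users"].add(ev["user"])
        entry["decoys"].add(ev["path"])
        entry["events"] += 1
    return by_host


if __name__ == "__main__":
    for host, info in summarise_sources(find_decoy_access(SAMPLE_LOG)).items():
        print(host, info["first_seen"], sorted(info["users"]), info["events"], sorted(info["decoys"]))
```

Because a decoy has no legitimate readers, the alert needs no thresholding or baselining: a single touch is enough, which is what makes this signal so much cheaper to act on than anomaly detection over real data. The exempt list keeps the job that maintains the decoys from tripping its own wire, and the path normalisation keeps trivial variants of the same path from slipping past the match.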
Potentially this could be used to implement command and control, but Juniper does not promote ‘hacking back’ because of the potential negative consequences: the attack may have been committed via a botnet involving innocent parties, such as a hospital, where the consequences of bringing down services could be catastrophic.
One of the big problems in tackling attackers and holding them accountable for their actions is the cross-border issue: laws differ between jurisdictions, and authorities may or may not be willing to take action where laws are being broken elsewhere, so whose jurisdiction is it? Kennedy sees this as another reason to hit the attacker financially and make attacks less worthwhile economically.
The way to do this, says Kennedy, is to ‘productise’ honeypots so that they are built into web apps from the outset. He says that spam has been stopped where the server infrastructure has been brought down, and with Visa, as a global brand, joining in the efforts to make it difficult to process illegal payments.
Digital currencies can facilitate illegality: Liberty Reserve contributed to it because its transactions had no transparency, and other currencies such as Bitcoin potentially serve the same purpose. Here Kennedy called for regulation, compliance, transparency and enforcement to avoid abuse and illegality. But again, different countries have different ideas; Norway and Sweden, for example, do not regulate the use of digital currencies.
“What we need is a Bitcoin with compliance, oversight and control to deter criminal behaviour,” says Kennedy, adding that while technology can contribute, the industry also needs to promote such regulation.
Kennedy also suggested that one of the biggest difficulties was defining ‘What is a crime?’ When does free-speech criticism become a DDoS attack, and if possession of malware became a crime, how would legitimate pen testing or research happen?
He adds that the lack of international norms does mean that what is legitimate in one jurisdiction is illegal in another – just like in the physical world. But unlike in the physical world, the criminal can stay at home, use assets in a second country to steal from a third and put the proceeds in a fourth – and when the asset is information, it is copied rather than taken, so the victim may not even know they have suffered the loss – until they reap the consequences.