Today we live in a world where the “giants” are lined up against us. Cyber Crime, Cyber Sabotage and Cyber Espionage is a daily fact of life. Whether we're talking about botnets, defacing of web sites, spear-phishing or theft of intellectual property, everyone seems to be defenceless against the relentless attacks that are targeting everything from your Facebook page to the SCADA systems controlling nuclear power stations.
Governments talk about the risk of Cyber-Attacks being more deadly that atomic weapons, and company after company are being pillaged for their intellectual property.
The technologies that have traditionally protected us are no longer able to provide any effective defence. Firewalls, Anti-Virus, and whatever other latest and greatest panacea that is being touted as the answer to our problems are all proving ineffective.
And yet every user, and organisation, has the means to stop every giant in their tracks, but most are, as the saying goes; ‘so blind as those who will not see.' The most deluded people are those who choose to ignore what they already know.
Stopping Malware and APTs Dead In Their Tracks
Breaches such as those discovered at Target, the NSA, or wherever, all follow a set pattern. Breaches are not a shot in the dark, but require careful planning and execution.
In the first instance, the attacker has to identify the target, essentially looking for the weakness in the defence. Multiple tools are available on the Internet that allow anyone to scan for systems or components that have vulnerabilities. Tools such as Nessus, and web sites such as Shodan provide an easy way for an attacker to identify a weakness.
Once the point of entry is identified, the next step is to gain entry. In other words, looking for access to a system which can then be used as an escalation point. Again tools such as Metasploit and others make it easy to do this on an industrial scale with brute force attacks.
“The attack process is usually focused on a particular system, or set of systems. We will then attempt to access the system, either through the use of an outright attack or using credentials that we have managed to gather from somewhere in the environment, through social engineering, or other means. Once we have an account on the system, we may need to escalate the level of access that we have in order to accomplish our goals. The target for such privilege escalation is often root or administrator level access, giving us relative freedom on the system. Given the needed level of access to the system, we can then exfiltrate any information that we wish to, cause damage to the environment in any way that benefits us, then install any measures that we need to in order to ensure future access.” - Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by Jason Andress and Steve Winterfeld.
Getting the information out, and covering their tracks is relatively easy once a beachhead is established, using applications such as Corkscrew and others, and then using Tor or other deep web service to move the information. Additionally there are plenty tools available that make it possible to hide stolen data on USB drives, mobile devices etc.
And of course, as Aramco discovered, once in, the destruction of data, software and even systems is relatively straight forward. Again the applications are easily available on the net.
Faced with giants that guarantee zero day exploits, with a guarantee that vulnerabilities will not be detected for several months, and that promise that all leading anti-virus and threat protection technologies have been tested before the release of these exploits, technologies that protect us against these attacks are helpless. It eventually gets very tiresome to be continually be told by the security industry after the fact. It's like my wife always telling me after the speeding camera has flashed that we've just passed a camera! For once I'd love her to tell me where the camera is ahead of time.
Of course my navigation system tells me where cameras are, or rather tell where they were when the GPS software was installed, so it's equally useless!
But all malware and APTs have a chink in their armour. To be able to do their worst, they need privileged access to a system. Ultimately if they can't install something, they can't attack. The little pebble of managing privileged accounts, whether used by administrators, services, tasks, whatever, will stop them dead in their tracks. In other words, every organisation has the means to protect themselves if they simply enforce a policy of continuous monitoring and scanning, like the enemy, of components such as registries, daemons, tasks, hardware components, services and privileged accounts, and eliminate all vendor default accounts, they can win.
Pebble beats sword, pen beats sword, password management beats malware! It is just that simple!a
Contributed by Calum MacLeod, VP EMEA at Lieberman Software