Executive Summary
Organizations are increasingly finding themselves in a situation where existing information security defense strategies and solutions are failing. Attackers are bypassing defenses by crafting highly targeted attacks and advanced malware to achieve their goals.
This report discusses strategies for refocusing information security priorities and resources to protect the business’ valuable intellectual property. While automation is important, deploying strategies to increase the effectiveness of personnel, both information security-focused and otherwise, is a critical component of success.
Traditional Priorities
Traditionally, information security priorities have been focused on the idea that achieving a 100% effective corporate environment defense posture is feasible. The age-old practice of building our castle, with impenetrable walls and moat, and then watching closely those who cross the bridge is under more duress than ever.
The growth of highly scalable, effective cloud services and the diversity of devices used for everyday computing are putting a great deal of pressure on organizations to both distribute and protect valuable data assets at the same time. While the traditional perimeter-based approach has changed considerably, and many have adapted to a distributed approach, the perception that 100% effective defense is still possible is pervasive — and dangerous. Moreover, the significant downside to retaining the traditional approach is that advanced threats will be invisible and remain present (perhaps dormant) in environments for many months (if not years), continually surveying and exfiltrating information.
Understanding the Attacker Mindset
Motivations of determined adversaries include ideologically driven hacktivism, political aims, espionage and sometimes nation-state-sponsored actions. The common thread is that computer system intrusion activities have a multi-faceted market with associated financial gain.
If we assume a determined adversary has a specific goal of exfiltrating some highly valued intellectual property with the motivation of corporate espionage, off-the-shelf common malware kits are not going to be very useful. In this environment, organizations should always be evaluating their information security priorities in the context of some first-principles questions:
- What is the valuable data I am trying to protect?
- Who is interested in my intellectual property?
- What criminal adversaries do I have?
- Do I have nation-state adversaries?
An attacker interested in your intellectual property assets is more likely to use advanced custom malware techniques, akin to an effective penetration tester, as opposed to off-the-shelf, potentially noisy malware. They usually follow these well-known steps:
- Perform detailed reconnaissance activities about the target using all available information resources. The information gathered will include aspects of the physical and virtual world.
- Interact with the target environment in a lightweight and normal-looking fashion looking for potential vulnerabilities.
- Develop a targeted social engineering attack to deliver a highly customized malware payload. This could be in the form of a physical visit, telephone activity or email campaign. The primary goal here is to establish a small number of persistent command-and-control channels that reach back across the Internet to adversary-controlled resources.
- Fortify the established computing beachhead to persistently maintain access.
- Begin to laterally spread across the environment in search of the targeted data while covering tracks at the same time.
- Gracefully exit and clean up all evidence when the defined goals have been achieved.
In using these advanced techniques, today’s attackers are able to completely bypass endpoint protections, perimeter intrusion detection and perimeter firewall solutions, and effectively blend into the background. Attackers will retain an established footprint just large enough to persist, but quiet enough to go unnoticed.
Defense-Focused Tools Miss Key Adversary Behaviors
Organizations should consider that much known and researched malware focuses more on consumer endpoints, many of which are weakly secured in a residential broadband context. For example, cryptographic file system ransomware, key logging Trojans and credential interception malware all focus on obtaining access to multiple thousands of systems in volume, often to form a large distributed botnet. Given this volume-based approach, information security industry solutions have performed most effectively with known threats, i.e., threats that have specific software signatures, specific network traffic signatures and quite specific and well-defined behaviors.
Where the industry has not performed as well is in identifying adversary behavior and custom-generated malware. Techniques for generating custom malware include using highly obfuscated executable content, alternative scripting languages (e.g., PowerShell, Microsoft Office Visual Basic Macros, Python and more) and hiding malware in alternative locations such as the Windows Management Instrumentation (WMI) store. Most of these techniques either embed shell code directly in legitimate-looking binaries or inject the assembly shell code directly into memory. The nature of the shell code is to create a command-and-control channel back to one or more attacker-controlled workstations. Most of the available techniques can demonstrably evade endpoint protections and, in addition, use encrypted or obfuscated network communications to effectively blend into the background.
Endpoint protection suites, the first line of defense, have adapted by adding some heuristic techniques but, ultimately, the race to identify “known bad” using signature techniques at the endpoint is lost. Command-and-control channels established through network perimeters use sophisticated techniques such as covert channels over well-known protocols (DNS and ICMP tunneling techniques), direct Transport Layer Security (TLS) communications that resemble HTTPS transactions, or even steganography techniques using services like Twitter and Pastebin.
With covert transmission, strong encryption, steganography or a combination of techniques, identifying known bad traffic is as difficult as identifying malware content at rest. As such, it is clear that our defensive technologies must continue to adapt and move in the direction of examining endpoint behavior in comparison to peers.
Hunting for Compromise Activity
An approach that embraces the idea of “good citizen” behavior versus “bad citizen” behavior in the context of the overall collective, and uses artificial intelligence techniques to establish a baseline and correlate multiple bad behaviors, is more likely to succeed.
While point solutions have been popular in the past, our information technology environments have grown to such a scale that the multitude and magnitude of data from all of the various infrastructure and point solutions is extremely difficult to manage for security analysts. Evolving solutions will likely encompass more of a machine learning approach to sift through the haystack and reduce the noise to a more humane, manageable level. It is likely that evolving solutions will leverage large-scale computing capacity as offered by cloud providers to accommodate both the complexity of a heuristic and artificial intelligence approach, and be able to manage the potential scale of metadata that is required to be processed.
It is more likely that such solutions will be branded as anomaly-based and thus will have a false negative and false positive challenge. False negative and false positive challenges will be a result of the increased use of heuristic, statistical and artificial intelligence-based technology that will be focused on sifting through data to highlight possibilities rather than arriving at distinct conclusions. Such a direction should not be considered as a replacement for effective signature-based technology but as a complement to assist in human scaling.
Think Like an Attacker and Refocus Your Defenses
Given a world in which your determined adversary is circumventing traditional information security defense solutions and targeting your assets for monetary gain, what are some steps you can take to get in the right mindset, begin to out-think and outpace the attacker, and refocus your information security defense posture? Consider:
- Performing reconnaissance on your own organization. A criminal is going to learn about you from the same public information sources we all use. Why not have a portion of your information security team create a regular information flow regarding exactly what your public Internet presence looks like?
- Focusing a portion of your team specifically on the tasks of actively searching for compromise in your environment. This form of anomalous activity hunting should be guided by information security professionals who are expert in intrusion techniques. Many of these professionals can tell you exactly what trail of breadcrumbs they leave through targeted phishing, exploitation, pivoting and exfiltration activities.
- Implementing an active user education program that informs users of the potential virtual threats they will experience. A targeted social engineering campaign is often designed to elicit an emotional response to trick the end user into certain actions. It is this first step that is used to establish an attacker’s base camp. Consider building an incentive system for your end users to report unusual activity. Your people are ultimately the first line of defense.
- Locking down your end station environment. In the Windows endpoint context, do your end users really need access to PowerShell or access to the command line? Do your end users really need access to the “NET” suite of commands? An adversary certainly finds these tools useful. If your users don’t use command line tools, then restrict access and trigger alerts if these tools are accessed.
- Collecting logging information from your user workstation endpoints. Remember, determined adversaries are more likely interested in your data assets and may not even seek privilege escalation. They may well spend all of their time on a subset of weakly secured endpoints and not even touch the core information systems. After all, a lot of interesting information is often available exclusively through shared file systems.
- Asserting control over your data on mobile platforms. Does your intellectual property exist on personal mobile devices? Do you have specific controls to manage those devices, and policies in place to deal with data leakage through a lost or stolen device, for example? Corporate data should be contained in encrypted containers if it resides on mobile devices at all. Policies should be in place and require users to immediately report a lost or stolen device. Software should be in place that allows for a remote device wipe if corporate data exists on any mobile device.
- Pursuing good computing environment hygiene. You cannot protect your data assets without knowing what hardware and software entities are managing and processing that data.
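The peer-comparison idea from the hunting section, applied to the workstation logging and command-line tool items in the list above, as an added example that is not part of the original report. The event data is constructed, and the watch list, the median/MAD score and the 3.5 threshold are assumptions chosen for illustration.

```python
from statistics import median

# Assumed watch list: command-line tools the report says most users do not need.
WATCHED = {"powershell.exe", "cmd.exe", "net.exe", "net1.exe"}

# Constructed data: (host, peer group) -> watched-tool launches in one day.
SAMPLE = {
    ("fin-01", "finance"): 0, ("fin-02", "finance"): 1, ("fin-03", "finance"): 0,
    ("fin-04", "finance"): 14, ("fin-05", "finance"): 2, ("fin-06", "finance"): 1,
    ("it-01", "it"): 22, ("it-02", "it"): 30, ("it-03", "it"): 25, ("it-04", "it"): 27,
}

def build_events(sample):
    """Expand the counts into (host, group, image path) process-creation events."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    events = []
    for (host, group), n in sample.items():
        events.append((host, group, r"C:\Program Files\Office\EXCEL.EXE"))  # benign
        events += [(host, group, r"C:\Windows\System32\net.exe")] * (n // 2)
        events += [(host, group, ps)] * (n - n // 2)
    return events

def tool_counts(events):
    """Watched-tool launches per group and host; quiet hosts are kept as 0."""
    counts = {}
    for host, group, image in events:
        hosts = counts.setdefault(group, {})
        hosts.setdefault(host, 0)
        if image.rsplit("\\", 1)[-1].lower() in WATCHED:
            hosts[host] += 1
    return counts

def peer_outliers(events, threshold=3.5):
    """Flag hosts far above their own peer group (modified z-score on median/MAD)."""
    flagged = []
    for group, hosts in tool_counts(events).items():
        med = median(hosts.values())
        mad = median(abs(n - med) for n in hosts.values())
        scale = max(mad, 1.0)  # floor keeps near-silent groups from dividing by 0
        for host, n in hosts.items():
            score = 0.6745 * (n - med) / scale
            if score > threshold:
                flagged.append((host, group, n, round(score, 1)))
    return sorted(flagged)

if __name__ == "__main__":
    for hit in peer_outliers(build_events(SAMPLE)):
        print("review:", hit)
```

Host it-02 launches more watched tools than fin-04 but is normal for its group, so only fin-04 is surfaced. Lowering the threshold to 0.5 flags three hosts, which is the false-positive trade-off the report describes for anomaly-based approaches.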
Overall, thinking like a defender is important, but thinking like an attacker is just as critical, if not more so. If you continue to stay focused on protecting your most valuable data assets and assume there will always be a certain level of compromise activity, you stand a better chance of managing your environmental threats on a continuing basis.