How to defend against data-pilfering attacks
Date: Jan 22, 2009
Has China really hacked U.S. government entities?
Kevin Mandia of security consultancy Mandiant Corp. takes you through "advanced persistent threats" and explains ways that malicious hackers can find valid VPN credentials, take advantage of vulnerable services, and send effective, targeted email attacks to your employees.
Watch other security videos from Information Security Decisions 2008:
- Kevin Mandia reviews the most common hacks that are compromising retailers.
- See how cyberattacks have changed since Mandiant's CEO first began at the Pentagon.
- When it comes to breach disclosure, is it better to be fast or accurate? Kevin Mandia explains common incident response dilemmas.
Read the full transcript from this video below:
How to defend against data-pilfering attacks
Kevin Mandia: Now let's take a look at the attacks for information. I call this data pilfering. No one really knows why these attacks are occurring, but there's been some recent press about Chinese hackers, to include Republican Frank Wolf and Republican Christopher Smith. To be a congressman and say the Chinese have hacked you to steal your email, to me, is like saying you've seen a UFO. It's just not going to go over all that big, but these guys are convinced, and to be honest, they're actually right. We've responded to numerous government hacks.
I don't know what's going on, I don't really care. Bottom line is this: there's a whole phrase on Capitol Hill now and in the government called the Advanced Persistent Threat, and they're pinning China on a bunch of intrusions into government entities and defense industrial base organizations and supply chains. It's getting some press, not a lot. The bottom line is this kind of attack is so present right now that I just wanted to talk a little bit about it at a high level, because how you respond to it is very different.
When I just showed you the card breach, we can remediate that situation by: don't encrypt the PINs, don't do an e-PIN command at the HSM, take yourself off the internet for two hours and we'll fix stuff. Bottom line is remediation comes quick if you're a financial service and folks have stolen card data. A couple reasons why, too: most of the time when the attackers target card data, they get the card data, and they get out of Dodge, so your IT security problem ends fast. In the advanced persistent threat, your IT security problem does not end fast, and it redefines how we think of a win when responding to an intrusion. What makes it different, bottom line, is nothing. In reality, responding to the Russians hacking us in the 90s, and they were persistent, 80 hours a week, trying to hack our defense sites. Same thing with China. It's nothing fancy.
Long story made short, though, these attacks are ongoing, persistent. They are not scripted, and what I mean by this is, I respond now and I always get the question, "How often do you respond to a victim machine and the bad guy's on it while you're responding?" Right now it's probably about 40-50% of the time. If you take out the financial hacks, it's like 90% of the time. I'm always responding to systems, and while I'm responding, the bad guy's on it. It's a human intelligence at the other end doing commands on a keyboard; it's not a scripted attack. There's active decision making. The attacks right now are coming out of the Asia-Pac Rim. The minute you know that you've got an intrusion on your network, there are actually three ways into your network, and all three of them require different remediation. So it's a real headache.
One, they're going to have valid credentials and they'll VPN into your network, because most firms say, "Here's the VPN software we use, and here's the client you need. Have at it. Work from home." Guess what? These guys already have your user IDs and pass phrases from a prior compromise, and "I'll just VPN in." So you have valid credentials to get in; they may have vulnerable services to get in, they've scanned your networks, they found a couple machines that are unpatched, unarmed and unprepared and they can break in with an exploit; or they've got back doors in place. And all three require different remediation that has to be planned and done in concert, and it's a real problem.
The fourth way in – and the way you know that they're not on your network right now – is you get a targeted email attack: about 10-15 of your employees get an email. A quick sidebar on this conversation, right now the hack du jour, let's just say if somebody said, "Today we need to hack Exxon," our behavior would be very different than ten years ago. First thing we'd do is Google @exxon.com and read about the employees.
We'd want to get a hierarchy chart, we'd want to know who's working where and who's working for whom, and we'd probably find one sitting on a website somewhere. Everybody publishes their hierarchy charts. We get points of contact and emails, we get people's MySpace accounts, we get CVs, and we learn about five to ten folks, and we'd send those five to ten folks the email. And that email could be as simple as, "Hey John. Here's our quarterly earnings. Take a look at these."
We're going to inject a stub program into that Word document. They're going to unzip the attachment – that puts them in their local security zone. If you just send a Word document and you double click on that attachment, you're still in Internet security zone. That's why attackers will zip the attachments. They'll send you the zip attachment, you'll double click on it. That creates a temporary copy of the Word document, and by opening the document, you inject the stub program on your machine that will download a back door.
That's how we'd get in, and I hate to say it, we'd probably get in under four hours. No one's found the silver bullet. All you need is to spell every word correctly in your email, be able to inject the payload into a Word or PowerPoint document, or not even inject a payload if you use compiled HTML. Bottom line is it works. It works well. That's how we'd break in. It's totally different, and it works well.
The days are gone when spam has 15 words misspelled and poor English. The attacks we're seeing are Windows systems. Bottom line is Unix machines are being compromised right now from the Asia Pacific Rim. It's just hard to find them because they're valid log-ons, meaning the attackers are just logging in. I hate the word malware, it's really malicious code. Long story made short, if we had to beat anti-virus, we simply can't, and anti-virus companies would tell you the same thing. They're probably paid not to. Long story made short, you have to have anti-virus, but from the attacker's perspective I could give you a four hour class, and you'd walk out beating anti-virus whenever the heck you wanted to.
One, the attacker can shut anti-virus off. Two, the attacker does everything the good guys do. In other words, if I'm the good guy, I upload things to your machine, download things from your machine, copy things around on your machine and delete stuff on your machine. I can use Microsoft tools to do that, and so do the bad guys. So the minute I can compromise your machine, why not use remote desktop and your Microsoft credentials to access the machine? Anti-virus will never trigger on a Microsoft tool; the attackers are using it. Bottom line, what they do looks so similar functionally to what the good guys do, the attackers are going to be hard to find.
Then there's the thing called packed binaries. We go through sine waves on whether the age of pack hackers are packing their binaries or not. What I mean by packed is binary executable files or DLLs, doesn't matter, portable executable files that are compressed or encrypted, or both. I think it's just kind of an arms race. It's fun to encrypt your executables, have them unravel themselves as they run and neat things happen, but that takes away the signature recognition that anti-viruses sometimes do.
Then a couple of other cool things that I've seen attackers do.
I've seen attackers delete the anti-virus database. That's kind of cool, if you think about it. "I've compromised this machine, and I know anti-virus is on there. I just go to the Symantec anti-virus database and delete the signature database." What'll happen is, the database is so big the agent just won't go out and download the whole database. Instead the end user keeps getting that window that says, "You are currently unprotected," and they just hit the 'X' every time, but the security event log – actually it's the application event log in Windows – will record that. So I've seen attackers erasing the database. Kind of a neat little trick.
The Asia-Pac hackers use PsExec a lot, but what they're really using is valid credentials. They'll compromise a host via the email, end user will click on the attachment, all in that one host, and in under five minutes, they'll have your domain admin credentials. They'll have at least the hash in hand and they'll have to crack it.
The other opportunity for them is, if they can't crack your domain admin account, a lot of times they just change the password for it instead. For those of you that don't know PsExec, their use of it has gone down in the last year, but PsExec is, now it's Windows owned, and it's a tool that allows someone, in one command line, to upload and execute a file on another machine. Kind of neat. It'll log in, upload and run something in one command line. Good guys use it to upload patches, bad guys use it to upload malware. That's really all the depth I'll go in there. The cure to this intrusion vector is educating your end users: be careful about the emails you open. People are still chasing the magic bullet on this one and haven't found it yet.