- Johannes B. Ullrich
You're on your way to give a presentation at a conference when your phone vibrates, indicating a new email just arrived. Having some time, you check the message. An irate customer sent it, informing you that the email he received advertising the event directed him to the wrong hotel. As proof, he attached a PDF of a screenshot of the email. You open it, and it indeed lists a venue across town that the same hotel chain happens to own. It's almost time to get started, so you flag the message to deal with it later and forward it to the marketing person responsible for the event flyer.
This isn't just an angry email; it's a targeted attack. The recipient in this case was lucky, however. This was a test his organization's network security team conducted. Targeted attacks like this one are still infrequent; the vast majority use less-sophisticated methods. But like many attacks, customized email phishing is becoming easier and faster to execute thanks to automation.
Defending a large network has never been harder. Expensive perimeter protection systems, complex host-based malware detection and even whitelisting systems have crumbled as attackers perfect an almost unbeatable pair of attacks: spear phishing and watering holes. Both attacks apply an age-old strategy: If a defense is too complex to beat head-on, bypass it.
At the same time, social engineering, the Internet of Things and the combination of traditional Web applications, embedded applications and networked devices often with "versions" of Microsoft or Linux operating systems, present untold security challenges.
To have a chance of defeating these attacks, security organizations need to move away from an overreliance on large, static defenses. Your strategy, instead, should focus on a flexible, nimble approach that, combined with continuous network monitoring, can detect attacks early and allow timely defenses.
Mass customization mobilizes
Increasingly, Facebook and LinkedIn profiles are actively being harvested to identify trust relationships and craft more accurate phishing email automatically. In a widespread malware attack in December, a malicious website used geolocation techniques to craft a "voicemail" message with area code and city name matching the recipient. The email claimed to include a link to a WhatsApp voicemail. WhatsApp Messenger is a popular, cross-platform Voice over IP application for mobile devices. The victim clicked on the link and was presented with a program to run to listen to the voicemail.
This attack was made more plausible by using a phone number as the executable file name, which matched the area code of the IP address from which the email was downloaded: VoiceMail_Jacksonville_(904)4582213.exe appeared when the file was downloaded in Jacksonville, Fla., and VoiceMail_Wayne_(610)4582235.exe when the same executable file was downloaded from a server whose IP address (geolocation) is commonly associated with Wayne, PA.
Smarter bots crafting customized email to large pools of recipients is a trend that is expected to continue to evolve. The individual email will differ to evade spam and malware detection systems. Many of these emails will likely reach their targets and a sufficient number of recipients will click on the links or execute the attachments.
Continuous network monitoring to fight next-generation attacks
Continuous real-time network monitoring is less reliant on attack signatures. It focuses on outbound traffic to detect network abnormalities and traffic that may indicate compromise.
The following controls are the most useful—and overlooked—sources of information to detect compromise.
- Outbound firewall logs. Firewalls are one of the most fundamental and widespread security controls. In addition to enforcing network separation, firewall logs provide important data to detect compromised systems. Traditionally, firewall logs focused on inbound traffic. However, inbound firewall logs are hardly ever linked to actual breached systems. Instead, logs recording blocked outbound connection attempts tend to provide much more valuable data. Why is your Web server trying to connect to an IRC server? Why is a workstation trying to send email directly, instead of using the corporate mail server? These are the kind of indicators you are looking for.
- DNS logs. Firewall logs are useful because firewalls are installed to control network choke points. In many modern networks with their mobile clients, VPN connections and geographically diverse IT deployments, firewalls can be too dispersed to provide useful data, and the fidelity of the data is limited. In these cases, central DNS servers can present a great opportunity to monitor clients. One of the most useful reports to detect compromise is a daily list of the top 10 domains and host names requested that were not requested at all the preceding day. Attackers need DNS too and frequently employ fast DNS updates to support a distributed attack infrastructure, which leads to large numbers of DNS requests.
- Web server logs. Web servers tend to be the most vulnerable publicly accessible service in an organization. In particular, if custom code is deployed, Web servers need to be monitored closely. But to do so successfully, staff reviewing the logs has to understand Web applications and the attacks that may be used against them. It can be very helpful to request help from Web developers, or have Web developers regularly monitor Web server logs to better understand how applications are attacked.
- Web proxy logs. All traffic from an internal network to external websites should pass a proxy. The proxy inspects and filters requests as well as responses, and it provides a rich source of data to identify not only attacks but also vulnerable clients. Instead of just focusing on attack signatures, a proxy also inspects the user agent that the host sent and identifies out-of-spec responses, such as a system that wasn't updated or malware using its own user agent string instead of the standard user agent.
- IPv6 traffic. Just because nobody is talking about it doesn't mean you are not using it. IPv6 is enabled in all modern operating systems. Microsoft, for example, specifically recommends against disabling it. You need to monitor and control IPv6, or you may end up with native IPv6 traffic internally or IPv6 tunnels externally that evade your monitoring systems. At the very minimum, you need to be able to detect tunneled IPv6 traffic traversing your network perimeter.
-- Johannes B. Ullrich
Mass customized email attacks inevitably will become an everyday occurrence, inexpensive to deploy and as effective as targeted spear phishing attacks are today. This technique will likely be adopted soon by organized crime syndicates, who in turn will then use it in massive attacks on populations and organizations.
"Wait a minute—I don't click on links ever!" While that's hard to believe—even among security professionals—attackers will get you eventually because you do use Web browsers and visit websites.
It's not unusual for Web applications to rely on a dozen or more external websites to provide images, scripts and other content, such as news feeds. Efforts to reduce this reliance on external content are not always 100% successful. A compromise of any of these external resources implies a compromise of the site. An attacker may not have direct access to any of the content stored at the website, but they would have access to the people who visit it. Those individuals have (often unwittingly) extended their trust and security to other content delivered through the site.
More watering holes
Security researchers have reported an increase in watering hole attacks, and this trend is going to continue. A watering hole attack typically targets a group of individuals with common interests by compromising a website that's a shared trusted resource. Often, this is in a geographical area. The RSA Advanced Threat Intelligence Team coined the term "watering hole" after they identified a hacking attack that used these techniques.
In December 2013, the website of the Council on Foreign Relations (CFR), an independent, non-partisan think tank—along with some Washington, D.C., media sites—was compromised, allegedly to target individuals interested in U.S. foreign policy and international affairs. According to reports, a Trojan infected the CFR website and exploited a zero-day flaw in Internet Explorer, which enabled drive-by downloads for its victims.
The appeal of a watering hole attack is that it provides the attackers with a large attack surface. To target a group or an individual, the attacker has to find only one weakness in a large number of resources that the group uses. Using a combination of social and technical trust relationships, the attacker can abuse the trusted resource to access otherwise well-guarded applications and systems.
In late December and early January, people who visited Yahoo websites were met with malicious advertisements, or "malvertising," that, when clicked on, directed users to websites that tried to install malicious software. According to several reports, the Yahoo attack may be part of a much larger malware scheme (based on Web iFrames) that focuses on larger online communities. A security breach affecting a large network of sites like Yahoo is sometimes detected quickly. Smaller, more targeted compromises can go unnoticed for days, weeks and, in some cases, months.
Reverse engineering the Internet of Things
Large traditional Web applications, smaller embedded applications and networked devices combined also present an increasing threat to network security. Sometimes these devices (firewalls, security cameras, air conditioning controllers) are included in what is referred to as the "Internet of Things." Currently, it is estimated that 9 billion of these devices are connected to the Internet, and the number is growing at an alarming rate.
Recently, the tools and techniques to reverse engineer the embedded applications controlling these devices have substantially improved and become easier to access. Stringfighter, created by IOActive Inc., automates the search for embedded hard-coded passwords. The result is a long list of newly discovered vulnerabilities—from simple hardcoded administrative passwords and support backdoors to more subtle application vulnerabilities, such as classic buffer overflows and Web application-specific vulnerabilities.
Of late, many embedded system vendors' bulletins read more like the Open Web Application Security Projects "Top 10" list of Web application vulnerabilities. Even if a vendor releases a patch, these devices usually do not have an automatic update function, and applying patches can be tricky. At the same time, these devices are critical to network and business operations.
Along with device-specific vulnerabilities, we commonly see operating system vulnerabilities. Many of these devices use slightly modified and tuned versions of operating systems like Linux and Windows. As the landmark data breach at Target Corp. painfully illustrates, one favorite target for attackers has been point of sale (POS) systems or cash registers. With many transactions involving credit and debit card payments, POS systems can be a source of lucrative information for attackers, and their distributed nature makes it challenging to monitor and manage them centrally. In December 2012, Visa issued a security alert for merchants on "Dexter" malware that was targeting POS systems running Microsoft Windows. The malware stole the track data or strip from memory and sent it to malicious command-and-control domains and IP addresses.
Attackers can breach the POS system directly if it is reachable from the outside. If it is behind a firewall, but used for tasks like Web browsing and reading email, attackers may employ the same techniques they use to breach desktop PCs, such as spear phishing. They may also be able to infect these systems by usurping the network through vulnerabilities in devices used to manage the network.
Stopping invisible targets
As a defender, one of the most burning questions is how to protect your network against constantly changing attacks. The answer isn't to build large, static defensive entrenchments. Defenses have to be nimble, and they need to be informed by network monitoring and threat intelligence. Too few security people watch system and network traffic logs regularly. (See sidebar, "Continuous Network Monitoring to Fight Next-Generation Attacks.") Monitoring is often viewed as reactive and something that is recognized as valuable only after an attack happens.
To detect data exfiltration and the covert channels used in the process, it is very important to not only know what is normal in your network, but to also be able to assess weaknesses and vulnerabilities passively. This alleviates having to rely solely on periodic scans of the network alone.
Network monitoring can also be used to substantially simplify network traffic by eliminating "chatty" and unused services, making it easier to spot threats, reducing the attack surface and, likely, increasing network performance.
Current network monitoring is often incomplete and misses newer technologies, like IPv6, which are present in most networks but infrequently configured and managed appropriately. In the end, it will not be the machines and automated systems that are able to adapt to new threats; it will be a sufficiently staffed network and security group with skills to find these gaps, adapt defenses and close them.
About the author:
Johannes B. Ullrich, Ph.D., GIAC, GCIA and GWEB, is the dean of research at the SANS Technology Institute and head researcher at its Internet Storm Center. Follow him on twitter @johullrich.
How the rise in mobile payment systems will affect CFOs
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
How to prepare for potential IPv6 DDoS attacks
Using IPv6 atomic fragments for a denial-of-service attack
Planning for an IPv6 attack: DDoS, neighbor discovery threats and more
How to evaluate IPv6 network security with SI6 Networks IPv6 Toolkit