Experts say a zero-day attack hidden in a U.S. government website highlights key trends in contemporary targeted attacks: Organizations don't possess the layered security to ward off never-before-seen attacks, and they can't effectively respond until damage is done.
On May 1, a vulnerability research team at AlienVault Labs reported a watering hole-type exploit on a U.S. Department of Labor website that serves as a repository for sensitive information used by the U.S. Department of Energy.
The attack exploited what Microsoft confirmed was a new vulnerability, designated as CVE-2013-1347, in its Internet Explorer 8 browser. The memory flaw allows an attacker to use IE to execute arbitrary code. Microsoft released a temporary fix for the vulnerability late Wednesday.
Security analysts said the exploit was mounted in late April from the Labor Department's Site Exposure Matrices website, a repository for a list of toxic substances found at Energy Department facilities. The information is used in an occupational safety program designed to compensate workers exposed to radiation at DoE nuclear facilities, which suggests that the malicious code was planted to target specific Web visitors interested in that information.
Security analysts rated the severity of the Department of Labor website attack as "high," adding that it may have included "advanced reconnaissance capabilities." In a blog post updated on May 6, Cisco Systems security threat researcher Craig Williams warned, "Given the nature of this vulnerability, additional exploitation is likely."
While no one is speculating on the origin of the attack, analysts agree it was sophisticated and was likely designed to sniff around for details on network defenses and vulnerabilities. That information could then be used in a future attack.
Whoever mounted the Labor Department exploit "clearly knew what they were doing, and this software had been tested" to ensure the success of a "one-shot" attack, Williams said in an interview with SearchSecurity.
Advanced attack-detection mechanisms lacking
One observer describes the current state of affairs in advanced cyberattacks as "cyber Darwinism."
"The bad guys are looking for the weakest animal in the pack," said John Prisco, CEO of Rockville, Md.-based security vendor Triumfant Inc.
The disclosures about another malware attack on a government website surfaced days before the Defense Department for the first time explicitly accused China's military of launching attacks on U.S. computer networks. The accusations came in an annual report to Congress on Chinese military modernization.
In releasing the DoD report on May 6, David Helvey, deputy assistant secretary of defense for East Asia, asserted that "numerous computer systems around the world, including those owned by the United States government, continued to be targeted for intrusions, some of which appear to be attributable directly to [Chinese] government and military organizations."
Security vendors have seized on the Department of Labor website attack and other recent attacks to highlight how current malware detection mechanisms no longer work. One reason, they warn, is that enterprises large and small simply can't keep up in a cat-and-mouse game characterized by increasingly sophisticated attacks.
Many see a need for enterprises to shift away from conventional technologies like antimalware and toward a growing number of new detection and analysis tools.
Security vendor Triumfant, for example, is betting the farm that detecting malware and fixing problems begin at the endpoint. "The battle has to be fought at the endpoint," CEO Prisco asserted. "You have to know [malware] is on your machine."
Triumfant is pitching a malware-detection and remediation tool operating on the assumption that, as Prisco asserts, "you can't block it." The tool includes an "agent" that utilizes a pattern-matching algorithm to collect as many as a half-million data points per computer.
The firm's statistical approach is designed to detect an attack quickly when other defensive mechanisms fail to prevent it.
"There is no silver bullet," Prisco concedes. "But if you use a statistical, mathematical approach, then you have a chance" of stopping a breach and protecting intellectual property or other company assets.
While vendors like Cisco promote layered defenses, or what Cisco's Williams called "defense in depth," others rely on detection and analysis tools that probe the behavior of known and emerging malware in order to stop it before it succeeds.
Srinivas Kumar, chief technology officer at Cupertino, Calif.-based security firm TaaSera Inc., says "the pattern of attacks is emerging" and "not a single malware attack occurs without a human getting involved." A user might, for instance, click on an infected PDF file thinking they are reading it. In fact, the infected file serves as the transport mechanism for installing a file that launches a malware attack.
This is the type of behavior TaaSera has been focusing on, specifically the assumption that malware often needs to complete multiple steps successfully in its "attack chain" in order to steal data. A given piece of malware may be designed to do 10 things, Kumar said, and "you need to catch it before it gets to No. 10."
The result is TaaSera's 12-step program of sorts for fending off malware attacks that seeks to dissect the various segments of the "malware lifecycle," from inbound scan and attack to data breach.
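The "attack chain" idea above, that malware must complete several stages in order and can be caught before the last one, lends itself to a simple per-host correlator. The following is an added example, not TaaSera's product or code; the stage names, the alert threshold, the time window and the log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Ordered stages of a constructed attack chain (the article's "10 things"),
# from inbound scan through to the data breach the defender wants to prevent.
STAGES = ["inbound_scan", "exploit", "dropper_download", "persistence",
          "c2_beacon", "lateral_move", "data_staging", "exfiltration"]
ALERT_AT = 4                  # alert once a host reaches this many stages...
WINDOW = timedelta(hours=2)   # ...within this time window (stale stages expire)

# Constructed sample events: "ISO-timestamp host stage"
SAMPLE_LOG = [
    "2013-04-29T09:00:00 ws-17 inbound_scan",
    "2013-04-29T09:05:00 ws-17 exploit",
    "2013-04-29T09:06:00 ws-17 dropper_download",
    "2013-04-29T09:09:00 ws-17 persistence",     # 4th stage in order -> alert
    "2013-04-29T09:30:00 ws-17 c2_beacon",
    "2013-04-29T08:00:00 ws-22 inbound_scan",
    "2013-04-29T14:00:00 ws-22 exploit",         # 6 h later: the scan has expired
    "2013-04-29T14:02:00 ws-22 dropper_download",
]

def parse_event(line):
    """Parse one log line into (timestamp, host, stage index)."""
    ts, host, stage = line.split()
    return datetime.fromisoformat(ts), host, STAGES.index(stage)

def correlate(lines):
    """Return one alert per host whose chain reaches ALERT_AT stages, in order,
    inside WINDOW. Each alert lists the stages seen and the stages still ahead,
    i.e. what the defender has the chance to block."""
    progress = {}   # host -> list of (timestamp, stage index), in chain order
    alerts = []
    for line in sorted(lines):              # ISO timestamps sort chronologically
        t, host, idx = parse_event(line)
        chain = progress.setdefault(host, [])
        # forget progress that fell outside the correlation window
        chain[:] = [(ct, ci) for ct, ci in chain if t - ct <= WINDOW]
        # accept only a stage later than the last one seen (chain must advance)
        if not chain or idx > chain[-1][1]:
            chain.append((t, idx))
        already = any(a["host"] == host for a in alerts)
        if len(chain) >= ALERT_AT and not already:
            alerts.append({"host": host,
                           "stages": [STAGES[i] for _, i in chain],
                           "remaining": STAGES[chain[-1][1] + 1:]})
    return alerts
```

Host ws-22 never alerts because its scan falls out of the window before the exploit arrives, which is the kind of false positive a naive "any four events" rule would raise.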
The focus on the behavior of malware, along with the networks and endpoints under attack, is being offered as a way for enterprises to manage their risks rather than merely cleaning up the mess after an attack, said David Nevin, TaaSera's vice president of corporate development.
Heightened awareness about the dangers of malware in the wake of high-profile attacks on government and media websites just might be moving the needle on cybersecurity, experts say. Corporate information security spending might be moving away from current approaches like antivirus and signature-based tools, and toward more proactive approaches that spot breaches and try to fix them before they do further damage.
There is no shortage of new approaches -- and plenty of marketing fluff -- but many observers believe the security industry might be at a crossroads as the frequency and severity of attacks escalate.
"We are really in a transition phase in the vendor community," Triumfant's Prisco said.