In a growing number of cases, Internet-facing business systems do not always reflect a well maintained, up-to-date security profile, and, as one would expect they are, by inference, vulnerable to exploitation by miscreant people, and of course organized crime, and the cybercriminal fraternity.
Sadly, with this as a circumstance, it is my contention that most public/private-sector professional security installations enjoy a very healthy state of security and, in the majority of cases, are secure against drive-by, targeted or opportunist attacks, and associated compromises which could result from attracting the interest of cyber criminals.
However, as can be seen from the recent Shady RAT analysis produced by McAfee, it would appear that, despite this high level of resilience, some otherwise well-managed security installations are failing to deliver a 100 per cent security defense strategy – even some of the most secure places, where one would assert security is a given fact of life.
For those readers unfamiliar with the August release of Shady RAT (Remote Access Trojan) report, the broad brush strokes are that there have been a series of multi-year, multi-system attacks on at least 72 US and other Western-allied government, contractor and other server systems. However, thinking back to the attacks of 2007 under the banner of Titan Rain, are we really surprised at this – I really do hope not!
Regardless of which entities are behind the attacks, however, the reality is that conventional IT security defenses—when deployed alongside well-planned and executed security strategies—may no longer be considered sufficient to stop a determined and targeted attack.
This leads us into the interesting supposition that the majority of previous reports, many of which have been well-researched by industry professionals, may be operating on a rationale that is a little out-of-date, and, as such, may not be adding value in giving the reader a complete overview and explanation of the current state of play. It may also be that, whilst the security industry has been looking at, what were considered the threats of the day, they should have been looking forward in anticipation of the threats of tomorrow – anything less in this current age simply will not, in my opinion, do.
A second observation is that, whilst some of the report findings focus on the failings of current generations of defensive technologies, they do not account for the root causes of the problems caused by determined and targeted attacks. These causes, I believe, centre on everyday working practices and security configurations, which are not always included in the standard security mission in a typical IT systems environment.
There may also be further issues in the areas of security skill sets and a hands-on understanding, appreciation and anticipation of the potential for insecurity that may arise from adhering solely to the standard security mission of a given organization. Remembering that to have ISO 27001 certified status is a great place to start, however, possession of the standard does not dictate security is in place for the given environments and assets.
Is this a criticism of the current status quo that exists in most corporate IT security operations? Far from it. My objective here is to set the scene for my observations. Recently I was fortunate enough to have a meeting with an incumbent IT security manager in a large organization.
As part of the getting-to-know-you process on both sides of the table that all potential new candidates for IT security projects undertake, I was asked a number of key questions. Amongst these questions asked in connection for a senior IT security role were the following: (a) Do you know what access control is, and (b) Can you explain what “audit and log” means?
You may of course conclude that these were trick questions, but the reality is that these types of questions suggest that the person drawing up the list of primary searching confirmations of knowledge may not have been be fully conversant with the in-house IT security function (and that is likely a generous assertion).
This brings us to one of the biggest challenges of the current age of cybersecurity: Advanced Evasion Techniques (AETs). At their most basic, AETs are a logical means by which attacks can be engineered to exploit a known conditions by re-engineering and fine tuning the vector of attack, and so circumvent any currently deployed expectant defense, mitigation, or control, with the intention to invade, compromise and/or impact a trespass operational environment and its assets.
Developing a typical AET-enabled security attack is no mean feat, but the task is made easier by the fact that there are significant volumes of unintentionally published— but very available—intelligence on various IT platforms that can assist cybercriminals in what the design the attack profile of his/her AET should take, and how a hostile “footprinting” a potential target and collating information on the system they are considering attacking. This process then allows the hacker to decide network incursion can be engineered.
At this point I’d like to introduce a supposition, namely that all of the above events, skills and knowledge can be used to develop a highly effective data leakage strategy. By its very nature, data leakage is opportunistically invasive—and unless understood, will always be present in the background, trapping, recording, and then without any malicious intent, making the information available to unauthorized persons.
In many organizations, AET-enabled data leakage is a potential disaster just waiting to happen. What many might interpret as mere snippets of information can be leveraged by an experienced cybercriminal to launch a highly effective attack on an organization.
One of the biggest potential areas for data leakage in my experience lies in the hacker treasure trove that metadata has become. Because metadata is data-about-data, it is often classed as summary information, when, in fact the possession of metadata—along with other snippets of information about a given potential target—can allow an experienced, or even fledgling cybercriminal to develop one or more attack vectors. These attacks based on metadata have the same success potential as one based on an attack which had access to of all the underlying data “summarized” by the metadata.
But before we move on with this analysis, what is metadata? Metadata exists in all types of documents, and is present to assist the application, machine or user to manage the objects by, for example, allowing tagging or applying some other deeper hidden detail analysis which may assist with searching or document management. Despite its potential for darkware development, metadata’s underlying purpose is entirely above board.
Problems start to rear their insecure heads when the security implications of metadata are not fully understood. And it is here that we start to see the opportunities of data leakage starting to creep out of the security woodwork in a typical organization, often as a direct result of the many document formats that exist in modern IT environment: DOC, DOCX, PDF, PPT, PPS, XLS, XLSX, ODT, ODS, ODG, ODP and SVG, along with many others.
The sheer variety of data formats gives cybercriminals the ability to gain legitimate access to published documentation at their leisure, download it, and then subject the data to analysis in order to locate snippets of information, such as user names.
This can then lead to the identification of active user and/or email accounts, internal URLs, printer names, network and user paths, shared folders, and operating systems. And this is before we even begin to talk about NetBIOS names, IP addresses, GPS data and applications, all of which support “footprint” intelligence to the would-be attacker, who gains a ready insight into your network platform. What, who cares you may say. But remember one piece of standalone information may be of very low value, but apply the rule of aggregation and analysis and the bigger picture may look very different indeed.
Is this a threat? Most certainly yes; if we look at the following analysis of an organization’s Web site – gleaned after 15 hours’ research on around 28,600 files accessed from the site/servers – we can see that the amount of information we have gathered is significant and useful.
Is this a realistic assertion? I believe yes, as with this volume of diverse data at hand, it is then a relatively easy task for an attacker to analyse his/her initial points of interest and decide how to leverage the data leak information they have assimilated to cause compromise, or to effect an exploitation. This type of footprinting—which may come as a surprise to many network admins—is a very effective method of working out how organizations operate on the inside and, by manipulating data such as an Admin Account to produce BAU documents or to locate the use of legacy operating systems and their applications.
This is – as any network security professional will attest – a perfect environment to create a crafted AET attack process and, by definition, represent a clear and present danger to the organization’s IT system that is under the hacker microscope. And then add this to a little more investigative interest in the area of DNS, and the attacker, just could be onto a good thing.
In some of my own analysis and research, I have found it perfectly possible to gather sufficient intelligence to identify those sensitive assets that can be exploited through the use of externally gathered data. In one instance, this process methodology allowed the identification and extraction of files containing hard-coded user IDs and their associated passwords.
In another instance, my approach allowed the identification of some very sensitive servers and associated information assets that were hanging off of a third-party developer’s Web site, not to mention revelation of very sensitive documentation which had leaked over from intranet, to Internet.
As a conclusion, I believe that the issue of data leakage has become one of the most prevalent and misunderstood conditions of insecurity which can engender a potential threat in modern interconnected security landscapes. I am also of the opinion that data leakage is one of the primary reasons why organizations are falling easier prey to hacktivists, hackers and cybercriminals, and any one else who fancies a go.
A strong data leak prevention program, implemented with the proper governance and assurance considerations is absolutely critical; free guidance on how to implement one correctly is available from ISACA. If the associated insecurity of data leakage issues were addressed as a matter of routine cybersecurity housekeeping, I am not saying the world would benefit from instant 100% security. But what I am implying is, our industry, and business would enjoy a noticeable reduction in the success rate of AET-enabled data incursions.