Winning the war on web stealth attacks


The “National Strategic Assessment of Serious and Organised Crime 2014”, published in May by the UK National Crime Agency, listed DDoS as a major concern for business critical systems for the first time.

Since 2010, when the hacktivist group Anonymous made DDoS its protest tool of choice, DDoS has become one of the most common cyber attacks, to the point that almost every geopolitical dispute in the world now sees rival groups attacking each other with it.

Over the past year we have seen a change in the motivation behind the attacks. Alongside the newsworthy geopolitical DDoS campaigns that still dominate (such as the recent cyber conflict between Ukraine and Russia, and Operation Ababil, run by the Izz ad-Din al-Qassam Cyber Fighters against US banks in 2012-2013), we have also seen criminals using DoS as a method of operation.

In most cases financially motivated cybercrime is about manipulating data: moving money from one bank account to another, or stealing information such as trade secrets and trading it. But here is the catch. On the surface it is easy to assume a DoS attack is simply meant to take the victim's network down. In practice the problem is further reaching: while the victim is fighting an unexpected outage, monitoring and control traffic to and from the data centre is disrupted and the defenders' attention is elsewhere, which gives the criminals the cover to go after far more than money.

In the last few months, Radware's Emergency Response Team (ERT) has handled a number of attacks in which criminals used sophisticated methods to get to the real prize: financial information. Two criminal methods of operation are becoming prolific, which we refer to as "Die Hard" and "Stealth", and we will see more of both in 2014, driven by political and economic instability.

Die Hard: The cybercrime version
Every action-movie fan knows the trick: criminals do something to catch the guards' attention while, at the same time, a splinter group from the gang gets on with the "real" job.

Cybercriminals use a similar modus operandi. The attack starts as a huge DDoS flood that appears from nowhere and for no apparent reason. It floods the victim's network security devices and their management plane until most of the deployed network security solutions fail. Now here is the real vulnerability: organisations that depend critically on Internet availability usually require that any inline security device be configured to "fail open", so that the device itself never becomes the outage. The consequence is that once the simple DDoS attack exhausts the resources of one of those devices (an IPS, a firewall or similar), it stops inspecting and simply passes traffic, and everyone can get in, including the criminals. Fail-open is a deliberate availability trade-off; the attacker's trick is to force the very condition that turns it into a bypass.

This is where the attackers simply send their SQL injection, cross-site scripting or any other application-layer attack through the now uninspected path and extract the sensitive information they were after, or change data in the data centre in a way that grants them access to that highly coveted prize.
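The defensive corollary of the "Die Hard" pattern is that an application-layer attack arriving while an inline device is in bypass is the real event, and the flood that caused the bypass is the smokescreen. The following is an added example (not code from the article or from Radware) of that correlation over two constructed log extracts: a hypothetical IPS state log in a `state=INLINE|BYPASS` key/value format and a minimal access log. The device name, log formats, addresses and the simple injection/XSS signatures are all assumptions for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample data (hypothetical device "ips01", not a real incident).
DEVICE_EVENTS = """\
2014-06-02T10:00:00Z ips01 state=INLINE
2014-06-02T10:02:15Z ips01 state=BYPASS reason=resource_exhaustion pps=950000
2014-06-02T10:09:40Z ips01 state=INLINE
"""

WEB_REQUESTS = """\
2014-06-02T10:01:50Z 203.0.113.7 GET /products?id=42
2014-06-02T10:03:05Z 198.51.100.9 GET /products?id=42%27%20OR%20%271%27%3D%271
2014-06-02T10:04:11Z 198.51.100.9 GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
2014-06-02T10:11:00Z 198.51.100.9 GET /products?id=42%27%20UNION%20SELECT%201--
"""

# Deliberately small signature set; a real WAF/IPS uses far richer rules.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"(?i)'\s*(or|union)\s|--\s*$|;\s*drop\s"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|onerror\s*="),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_bypass_windows(device_log):
    """Return [(start, end)] intervals during which the inline device was in
    BYPASS (fail-open). end is None if the device never came back INLINE."""
    windows, start = [], None
    for line in device_log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = _ts(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        state = fields.get("state")
        if state == "BYPASS" and start is None:
            start = ts
        elif state == "INLINE" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def in_windows(ts, windows):
    return any(s <= ts and (e is None or ts < e) for s, e in windows)


def classify(path):
    """URL-decode the request path and return the signature names it matches."""
    decoded = unquote(path)
    return [name for name, rx in ATTACK_PATTERNS.items() if rx.search(decoded)]


def find_attacks_during_bypass(device_log, access_log):
    """Flag application-layer attacks and mark those that arrived while the
    inline device was not inspecting traffic."""
    windows = parse_bypass_windows(device_log)
    findings = []
    for line in access_log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, src, _method, path = _ts(parts[0]), parts[1], parts[2], parts[3]
        kinds = classify(path)
        if kinds:
            findings.append({
                "ts": ts, "src": src, "path": path, "kinds": kinds,
                "unprotected": in_windows(ts, windows),
            })
    return findings


if __name__ == "__main__":
    for f in find_attacks_during_bypass(DEVICE_EVENTS, WEB_REQUESTS):
        flag = "UNINSPECTED" if f["unprotected"] else "inspected"
        print(f"{f['ts'].isoformat()} {f['src']} {','.join(f['kinds'])} {flag} {f['path']}")
```

The value of this check is in the `unprotected` flag: the two requests inside the bypass window were never seen by the IPS, so the only record of them is the web tier's own log. If that log is not collected independently of the inline devices, the "Die Hard" second stage leaves no trace at all.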

Killing Me Softly: The stealthy attack
Using this MO, attackers run a soft, almost unnoticeable, DoS attack. One of the most common stealth attacks is a "login brute-force" attack. Most brute-force attacks aim to obtain passwords or login credentials, and targeted organisations usually answer them by hardening their passwords. What is actually going on, however, is that the attackers are saturating the login servers with bogus requests and deliberately tripping account-lockout rules so that legitimate users are locked out. This creates a massive overload on the login servers and, in most cases, on the organisation's call centre, which receives calls from frustrated legitimate users who cannot log in. Once the chaos is in place, attackers use the same methods to steal information.
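The mechanism that makes a login brute-force double as a DoS is a lockout rule keyed on the username alone: anyone who knows your username can lock you out. As an added example (not code from the article or from any product), the block below simulates a constructed scenario against two illustrative policies: a naive per-account hard lockout, and a throttle that counts failures per (username, source) and per source, so that the account owner can still log in from her own address. Users, passwords, addresses and thresholds are all assumptions; the clock is simulated so the run is deterministic.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed user store (hypothetical). PBKDF2-HMAC-SHA256 with a fixed salt
# and a low iteration count purely to keep the example fast and deterministic.
_SALT = b"example-salt"
_ITER = 10_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}


def password_ok(user, password):
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if stored is None:
        return False  # hashing above keeps timing similar for unknown users
    return hmac.compare_digest(stored, candidate)


class AccountLockout:
    """Naive policy: 5 failures on a username lock that username for 15 minutes,
    regardless of where the attempts came from. This is the lockout-DoS bug."""
    THRESHOLD, LOCK_SECONDS = 5, 900

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, user, password, src, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.THRESHOLD:
            self.locked_until[user] = now + self.LOCK_SECONDS
            self.failures[user] = 0
        return "fail"


class SourceAwareThrottle:
    """Hardened policy: failures are counted per (username, source) and per
    source. A failing source is throttled; the account is never hard-locked,
    so the legitimate owner can still log in from an address that has not
    been failing."""
    PAIR_THRESHOLD, SRC_THRESHOLD, LOCK_SECONDS = 5, 20, 900

    def __init__(self):
        self.pair_failures = defaultdict(int)
        self.src_failures = defaultdict(int)
        self.blocked_until = {}  # keys are either src or (user, src)

    def _blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def login(self, user, password, src, now):
        if self._blocked(src, now) or self._blocked((user, src), now):
            return "throttled"
        if password_ok(user, password):
            self.pair_failures[(user, src)] = 0
            return "ok"
        self.pair_failures[(user, src)] += 1
        self.src_failures[src] += 1
        if self.pair_failures[(user, src)] >= self.PAIR_THRESHOLD:
            self.blocked_until[(user, src)] = now + self.LOCK_SECONDS
        if self.src_failures[src] >= self.SRC_THRESHOLD:
            self.blocked_until[src] = now + self.LOCK_SECONDS
        return "fail"


def simulate(policy):
    """Attacker sprays five wrong passwords at alice from 198.51.100.9, tries
    once more, then alice logs in with her real password from 203.0.113.7."""
    for i in range(5):
        policy.login("alice", f"guess{i}", "198.51.100.9", now=i)
    attacker_next = policy.login("alice", "guess5", "198.51.100.9", now=5)
    alice = policy.login("alice", "correct horse", "203.0.113.7", now=6)
    return {"attacker_next": attacker_next, "alice": alice}


if __name__ == "__main__":
    print("naive lockout:  ", simulate(AccountLockout()))
    print("source-aware:   ", simulate(SourceAwareThrottle()))
```

Under the naive policy both the attacker and alice get "locked", which is exactly the outcome the attacker wanted. The source-aware policy throttles the attacker and lets alice in. The remaining caveat is a distributed attacker: with enough source addresses the per-source counters never trip, so an account-wide failure count should feed a step-up challenge (CAPTCHA or a second factor) and edge rate limiting, not a hard lock.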

Fighting cybercrime: Five step plan
So if these attack methods are likely to be prolific in the next 12 months, what can you do to protect yourself? It comes down to knowledge and planning. The more the criminals perceive your organisation as their Holy Grail, the greater the sophistication and intensity of the attacks. Understanding how you can manage the exposure is critical.

Know your enemy: It is not only the NCA that publishes such cybercrime warnings; law-enforcement agencies such as the FBI and government bodies such as CERT-UK do too. Work with them, follow their cybercrime reporting, and learn about new criminal methods of operation and organised cybercrime groups.

Choose a single point of command: Run security from one command-and-control point that covers every layer of the data centre: network, servers and applications. Some vendors provide a "software defined architecture" in which detection, the decision to act and the execution are automated. Such a setup could have prevented an attack like the one on Target in November 2013, where two different security teams detected the intrusion but the correct action was never taken.

Have an emergency response infrastructure and team ready to operate: This was recently recommended by the SANS Institute: “Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.”

Separate critical networks: Network segmentation is a relatively old concept and a requirement in both PCI DSS v2.0 and v3.0. Criminals are financially motivated and will not waste time and resources on a network that holds nothing of value. Make sure your sensitive data lives on a properly protected network segment with no easy path into it.

Don’t be a domino: Following the first four steps will get you in good shape, but what of your suppliers and partners? For example if you’re an online retailer and your ISP is hit what will be the consequences for you? Understand every point of weakness both inside your organization and externally to those who you rely on.

When you have all the steps in place, supported by fully documented processes and trained response teams, it is vital that they are continuously reviewed. You only need one change of personnel for a process to break down and the network to become a target. It is also important to ensure that knowledge becomes power. Every piece of information your organisation gathers about current trends needs to go through a "so what" test: what does it mean for us, for our customers, and for our partners and suppliers?

There are many examples where the lack of a single plan, let alone a broader continuity plan, has cost revenue and reputation. In this cyber world, working together to stay ahead is the way to stay alive.