A new NTT Security report underscores the need for more advanced tools to protect organizations’ data and networks from the evolving tactics, techniques and procedures (TTPs) used by cyber-attackers.
The attribution problem
A topic of considerable public attention is the ability to determine the source of a cyber-attack, and from that its credibility and motivation. The report cites attackers’ rampant use of “false flagging” to disguise the true source of an attack: for example, an attack may appear to originate from a server in China or Russia when it actually originated in the U.S. or another country.
This allows attackers to disguise their motivation, which may be establishing ongoing network access, stealing financial data or withdrawing funds directly from an organization.
“Attribution is very difficult, primarily because you can’t always completely trust ‘source’ information. Most attackers don’t want to be found so they go out of their way to cover their tracks,” Jon Heimerl, Manager, Threat Intelligence Communication Team at NTT Security, told Help Net Security.
A cybercriminal from one country might attack from a launching pad in another country (like a bulletproof hosting provider who cares more about revenue than what their services might actually be used for). A cybercriminal might also attack from a victim they have previously hacked.
An attacker might plant evidence to make it appear as though the attack was conducted by someone else, like a criminal from Ukraine using malware with Russian language settings, or using techniques and tools that are widely “known” to be used by Chinese hackers. This is called “false flagging”.
Heimerl explains that international ISPs and hosting providers feel no obligation to cooperate with investigations because:
- They feel the perception of being implicated in “hacking” activities could make them look bad in the eyes of their legitimate customers.
- They feel doing so could make them targets of revenge from their criminal customers.
- They are themselves unethical.
- They just don’t want to help “foreigners”.
Many international law enforcement bodies are not especially cooperative in investigations. Some do not view hacking activity that takes place in a foreign country as their responsibility, and some governments do not even consider “hacking” illegal as long as it takes place somewhere else.
Top targeted vertical markets for cyberattack
“Analysts observed a 35 percent decrease in the number of cybersecurity attacks during Q4 2016, which is certainly a positive trend; however, it is imperative that organizations not be lulled into a false sense of security,” said Rob Kraus, Director, Security Research and Strategy, NTT Security. “At the same time, the intensity and sophistication of these attacks are on the rise. Hackers are shifting their strategy from widespread attacks to a more focused effort to compromise specific targets they can leverage, opening the door for more malicious and potentially lucrative actions.”
Among the top targeted vertical markets for cyberattack, the Q4 report cites the retail industry as particularly attractive to attackers, largely because most retailers process customers’ credit and debit card information through their systems.
Retail organizations can implement numerous best practices, such as aligning their security controls with the Payment Card Industry Data Security Standard (PCI DSS), which tightens controls around cardholder data and helps reduce fraud.
Increased client botnet activity driven by attacks on IoT devices
Recent developments have shown that we can expect more massive attacks driven by IoT-powered botnets.
“There are simply too many devices fielded with too many insecure passwords and services. It may very well be functionally impossible to secure them all in their current state. With hard-coded passwords and locked configurations, some of them are simply ‘unfixable’. Even if manufacturers evolve and begin making more secure devices, it is not certain the market will be willing to support the increased cost and complexity,” said Heimerl.
“Meanwhile, existing devices will likely remain connected in an insecure state, as manufacturers move on to new endeavors. While we may be able to improve future devices and make wiser use of some of these devices, the majority of IoT devices are going to remain vulnerable for many years,” he concluded.
Malicious traffic from Russia
Malicious traffic from Russian Federation hosts jumped from 10th place into the top three. A significant amount of this increase was detections of the RIG exploit kit, hosted at IP addresses owned by ISPs in Russia. As the Angler, Neutrino and Nuclear exploit kits disappeared, activity from RIG jumped dramatically, especially in Q4 ’16. Like all exploit kits, RIG targets vulnerabilities on end-user machines (user workstations), so these are ultimately attacks against users at these organizations.
“NTT Security observed increases in activity in our entire client base – across all industries, but manufacturing, non-profit, health care, education and finance showed increases elevated above other industries. Alerts associated with Russian sources also included activity from spyware, keyloggers and Trojans, such as the use of banking Trojans Gootkit and KRONOS, for gathering of credentials and follow on use,” said Heimerl.
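The ranking described above (a source country moving from 10th place into the top three between quarters) is the kind of aggregation a SOC runs over its own IDS alerts. The script below is an added example, not NTT Security’s code or data: it counts alerts per source country per quarter, reports rank changes, and breaks a country’s alerts down by signature. The alert records and signature names are constructed for illustration. Note the caveat from the attribution section: “source country” here is where the alerting host sits, which says nothing reliable about where the operator sits.

```python
"""Aggregate IDS alerts by source country and report rank movement between quarters.

Added example with constructed data. Each alert is (quarter, source_country, signature).
The country is that of the host that sent the traffic, not of whoever controls it.
"""
from collections import Counter


def _repeat(quarter, country, signature, n):
    """Build n identical alert records (a compact way to construct sample data)."""
    return [(quarter, country, signature)] * n


# Constructed sample alerts, not real telemetry. RU is ranked 5th in Q3 and
# rises into the top three in Q4, driven by exploit-kit landing-page hits.
SAMPLE_ALERTS = (
    _repeat("2016Q3", "US", "Generic scan", 5)
    + _repeat("2016Q3", "CN", "Generic scan", 4)
    + _repeat("2016Q3", "NL", "Generic scan", 3)
    + _repeat("2016Q3", "DE", "Generic scan", 2)
    + _repeat("2016Q3", "RU", "Banking trojan Gootkit", 1)
    + _repeat("2016Q4", "US", "Generic scan", 5)
    + _repeat("2016Q4", "CN", "Generic scan", 4)
    + _repeat("2016Q4", "RU", "Exploit kit RIG landing page", 3)
    + _repeat("2016Q4", "RU", "Banking trojan KRONOS", 1)
    + _repeat("2016Q4", "NL", "Generic scan", 2)
    + _repeat("2016Q4", "DE", "Generic scan", 1)
)


def count_by_country(alerts, quarter):
    """Alert counts per source country for one quarter."""
    return Counter(country for q, country, _ in alerts if q == quarter)


def rank_countries(counts):
    """Map country -> 1-based rank. Ties are broken by country code so ranks are stable."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {country: rank for rank, (country, _) in enumerate(ordered, start=1)}


def rank_shift(alerts, before, after):
    """Map country -> (rank in `before`, rank in `after`); None if absent in a quarter."""
    rank_before = rank_countries(count_by_country(alerts, before))
    rank_after = rank_countries(count_by_country(alerts, after))
    return {c: (rank_before.get(c), rank_after.get(c))
            for c in set(rank_before) | set(rank_after)}


def signatures_for(alerts, quarter, country):
    """Signature breakdown for one country in one quarter, to see what drove a jump."""
    return Counter(sig for q, c, sig in alerts if q == quarter and c == country)


def risers(alerts, before, after, into_top=3):
    """Countries that entered the top `into_top` in `after` without being there in `before`."""
    shift = rank_shift(alerts, before, after)
    return sorted(c for c, (rb, ra) in shift.items()
                  if ra is not None and ra <= into_top and (rb is None or rb > into_top))


if __name__ == "__main__":
    for country, (rb, ra) in sorted(rank_shift(SAMPLE_ALERTS, "2016Q3", "2016Q4").items()):
        print(f"{country}: Q3 rank {rb} -> Q4 rank {ra}")
    for country in risers(SAMPLE_ALERTS, "2016Q3", "2016Q4"):
        print(f"{country} entered the top 3; Q4 signatures:",
              dict(signatures_for(SAMPLE_ALERTS, "2016Q4", country)))
```

Run on real alerts, feed `rank_shift` one record per alert rather than one per connection, otherwise a single noisy scanner dominates the ranking; and treat a country’s rise as a lead for looking at the hosting providers and signature families involved, not as attribution of the operators.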