In the past year, we have witnessed cyber attacks of unprecedented sophistication and reach. These attacks demonstrate that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens. If we are going to prevent motivated adversaries from attacking our systems, stealing our data and harming our critical infrastructure, the broader community of security researchers — including academia, the private sector and government — must work together to understand emerging threats and to develop proactive security solutions to safeguard the Internet and physical infrastructure that relies on it.
“Mobile applications are increasingly reliant on the browser,” said Patrick Traynor, GTISC researcher and assistant professor at the Georgia Tech School of Computer Science. “As a result, we expect more Web-based attacks against mobile devices to be launched in the coming year.”
Tension between usability and security, along with device constraints make it difficult to solve mobile Web browser security flaws. “The mobile vector requires special consideration when it comes to security,” said Traynor. “We still need to explore the significant differences between mobile browsers and traditional desktop browsers to fully understand the potential of emerging threats.”
- Traynor cites small screen size as just one of many device-related challenges to mobile security. To enhance usability, the address bar disappears above the screen so that more of the page content can be displayed. But this also removes many of the visual cues users rely on to confirm the safety of their online location. If a user does click a malicious link on a mobile device, it becomes easier to obfuscate the attack since the Web address bar is not visible.
- The varied existence of SSL icons on mobile browsers can also contribute to successful exploitation. “If you’re a security expert and you want to see the SSL certificates for a site from your mobile phone browser, it is extremely difficult to find that information — if it’s there at all,” said Traynor. “And if a security expert can’t verify a connection and a certificate, how do we expect the average user to avoid compromise?”
- Understandably, display security on mobile browsers is not as advanced as on the desktop either. The way elements are laid out on a page and the actions that take place when a user touches something are all opportunities to embed an attack.
Dan Kuykendall, co-CEO and chief technology officer for NT OBJECTives also worries about threats targeting mobile applications and mobile browsers. “One of the biggest problems with mobile browsers is that they never get updated,” he said. “For most users, their operating system (OS) and mobile browser is the same as it was on the phone’s manufacture date. That gives the attackers a big advantage.”
While computers can be manually configured not to trust compromised certificates or can receive a software patch in a matter of days, it can take months to remediate the same threat on mobile devices — leaving mobile users vulnerable in the meantime. According to the report, the software industry needs to modify the current patch and update model to integrate mobile devices for more complete coverage.
Gunter Ollmann, vice president of research for Damballa, notes that malware targeting mobile devices is constantly evolving. “The Zeus-in-the-Mobile (ZitMo) and several other examples of Android malware are acting more like traditional bots by communicating with a command-and-control (C2) architecture,” says Ollmann. “This marks an evolution beyond premium rate fraud and other tactics that do not rely on C2, and makes mobile devices as susceptible to criminal breach activity as desktops.”
Dmitri Alperovitch, independent security expert and former vice president of Threat Research at McAfee, is also watching the mobile space closely. “We’re already seeing an explosion of threats targeting Android and the iOS platform,” he said. “These devices will become major targets in the months ahead and are providing another avenue for data theft.”
One source in private industry that requested anonymity worries that mobile phones will be a new on-ramp to planting malware on more secure devices. “Let’s say you’ve secured a process control system within a nuclear facility and there’s no direct connection between that system and the corporate network,” he said. “Even with such security measures in place, someone who just needs to charge his phone can introduce malware as soon as it’s plugged into a computer within that location.”
While USB flash drives have long been recognized for their ability to spread malware, mobile phones are becoming a new vector that could introduce attacks on otherwise-protected systems. “A phone is also a storage device,” notes the industry insider. “I can see a sophisticated attacker writing code to exploit wireless connectivity technology that subsequently plants malware on a mobile phone. Now that phone is programmed to install a dangerous payload as soon as it connects to a targeted system.”
“Three or more years ago, botnet operators focused on stealing email and password credentials, which were useful to spammers,” said Gunter Ollmann, vice president of research for Damballa. “Now botnet controllers are building massive profiles on their users, including name, address, age, sex, financial worth, relationships, where they visit online, etc. They sell this information, where it ultimately finds its way into legitimate lead generation channels.”
Sites will buy the information stolen via botnets in bulk. The information may change hands for money several times, and eventually a legitimate business may pay for it for lead generation purposes, not realizing that it has been stolen. In some cases, a company might pay $20 to $30 for a qualified lead. Botnets can also play a role in auto-filling online forms that are used to compile marketing lists. The botnets already hold all the personal information needed to fill out the forms, and botnet operators can automate the process, resulting in a sophisticated fraud scheme that is difficult to detect and prosecute.
Researchers expect large-scale botnets and targeted, persistent attacks to share more common ground in the future. According to Georgia Tech Professor Wenke Lee, “Targeted attacks against a specific organization used to be perceived as isolated. But now we have evidence that some of these targeted attacks have roots in common botnets.”
When an operator creates a large-scale botnet, they have various options for monetizing the investment. In the past, the highest bidders needed the computational power to send vast amounts of spam or conduct a denial of service attack. But now, advanced persistent adversaries query botnet operators to identify compromised machines belonging to the company or organization in their crosshairs. The adversary may ask the botnet operator if he can run some queries against the machines to determine the OS, applications running, type of function they perform, etc., to gather information for creating a targeted, stealthy attack with the end goal of data theft. In many cases, adversaries will pay top dollar for the information, providing a new and extremely lucrative source of revenue for botnet operators.
While botnets are still responsible for some of the largest DDoS attacks to date (generating more than 100 Gbps of traffic), security experts will focus on the evolution of botnet command-and-control architecture in the year ahead.
“I think the evolution of botnets has more to do with the Command and Control (C2) architecture than the size of the attacks being launched,” said Barry Hensley, director of the Counter Threat Unit/Research Group at Dell SecureWorks. “We are starting to see a decentralized C2 architecture, namely Peer-to-Peer. Since IRC and HTTP C2 infrastructure still work well for bot operators, P2P is not yet widely implemented. Once the security space starts making an impact and decreasing the effectiveness of those two protocols, we’ll start to see botnet operators shift toward P2P and DNS. Until then, they’ll just use what works.”
On the positive front, botnet takedowns appear to be more common. “These efforts represent an evolution in the security community,” said Paul Royal, research scientist at Georgia Tech. “As highly motivated security professionals come together for a common cause, we expect to see more take-downs in the year ahead.”
Royal also cites the identification and arrest of malware authors as a positive step in combating the problem. “Taking away the criminal underground’s human capital can be very effective,” said Royal. “However, the security community is facing new ethical concerns related to takedowns that may threaten collaboration.”
Security researchers are currently debating whether personalization online could become a form of censorship. Websites, news media sites, social networking sites and advertisers are all sharing personal data about individuals with the goal of more effectively targeting information for those individuals. For example, a news media website might highlight several articles under the heading “Recommended for You” based on age, ethnicity, location, profession and items searched previously. If a user only received news under this heading, it could be limiting. The same principle holds for search engines that filter results according to algorithms that factor a user’s personal information.
“You may have the impression that search engines are neutral conduits, but the results you receive could present a restricted worldview,” said Feamster. “In the case of search filtering, most users are completely unaware and have no method to widen search results beyond what the engine supplies.”
“The original idea of browsing the Web from site to site without a global search capability didn’t scale,” said Greg Conti, associate professor of computer science at West Point. “Now we have search engines like Google with tremendous control over the flow of information. Actors are trying to influence the largely neutral search engine algorithms for their own benefit using search engine optimization and search poisoning techniques.”
While search poisoning has been around for years, it is still an effective technique for launching malware. In a recent 2011 campaign, increasing numbers of Google image search results were poisoned, redirecting users either to an exploit kit or rogue AV sites. Attackers compromised large numbers of legitimate sites and users had only to click on thumbnail images to launch the exploit.
In a typical search poisoning scenario, a user searches a term then clicks a particular link from among the search results. They are redirected multiple times and eventually land on a page with no relevance to the original search, which is used as a vector to deliver malware. Attackers are doing their own search engine optimization to try to get their malicious sites to rank highly in search results. Malicious sites are also getting better at hiding their bad payloads from the search engine crawlers. If they detect a crawler, they will present a clean Web page to remain undetected.
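The cloaking behaviour described above (a clean page for the crawler, a redirect chain to an unrelated host for the visitor) can be detected by fetching the same search result as two different clients and comparing what comes back. The following Go program is an added example, not part of the report: it models each fetch as an `Observation` (a hypothetical type) holding the redirect chain and final body, and flags a result when the final hosts differ or the two bodies barely overlap. The two observations are constructed sample data; the heuristics and thresholds are illustrative choices, not anything the report prescribes.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Observation is one fetch of the same search-result URL as seen by a
// particular client: every URL in the redirect chain and the final body.
type Observation struct {
	UserAgent string
	Chain     []string // URLs visited, first to last
	Body      string
}

// CloakReport records which cloaking heuristics fired.
type CloakReport struct {
	FinalHostDiffers bool
	ExtraRedirects   int     // hops the browser saw that the crawler did not
	Similarity       float64 // Jaccard similarity of the two bodies' word sets
	Suspicious       bool
}

// finalHost returns the lower-cased host of the last URL in a chain.
func finalHost(chain []string) string {
	if len(chain) == 0 {
		return ""
	}
	u, err := url.Parse(chain[len(chain)-1])
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

func wordSet(s string) map[string]bool {
	set := map[string]bool{}
	for _, w := range strings.Fields(strings.ToLower(s)) {
		set[w] = true
	}
	return set
}

// jaccard returns |A∩B| / |A∪B| for two word sets (1.0 when both are empty).
func jaccard(a, b map[string]bool) float64 {
	union, inter := len(a), 0
	for w := range b {
		if a[w] {
			inter++
		} else {
			union++
		}
	}
	if union == 0 {
		return 1.0
	}
	return float64(inter) / float64(union)
}

// DetectCloaking compares the crawler's view with the browser's view of the
// same URL. A host mismatch is always suspicious; otherwise the pair is
// flagged when the page content served to the two clients barely overlaps.
func DetectCloaking(crawler, browser Observation, minSimilarity float64) CloakReport {
	r := CloakReport{}
	r.FinalHostDiffers = finalHost(crawler.Chain) != finalHost(browser.Chain)
	r.ExtraRedirects = len(browser.Chain) - len(crawler.Chain)
	r.Similarity = jaccard(wordSet(crawler.Body), wordSet(browser.Body))
	r.Suspicious = r.FinalHostDiffers || r.Similarity < minSimilarity
	return r
}

// SampleObservations returns a constructed crawler/browser pair modelled on
// the scenario in the text: the crawler receives the compromised site's own
// page, the browser is bounced via an intermediary to a rogue AV site.
func SampleObservations() (crawler, browser Observation) {
	crawler = Observation{
		UserAgent: "Googlebot/2.1 (+http://www.google.com/bot.html)",
		Chain:     []string{"http://compromised-blog.example/photos/sunset.html"},
		Body:      "Sunset photos from our summer trip gallery of beach pictures",
	}
	browser = Observation{
		UserAgent: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
		Chain: []string{
			"http://compromised-blog.example/photos/sunset.html",
			"http://redirector.example/go?id=1234",
			"http://antivirus-scan-now.example/alert.php",
		},
		Body: "WARNING your computer is infected download scanner now to remove threats",
	}
	return crawler, browser
}

func main() {
	crawler, browser := SampleObservations()
	r := DetectCloaking(crawler, browser, 0.5)
	fmt.Printf("final host differs: %v\n", r.FinalHostDiffers)
	fmt.Printf("extra redirects:    %d\n", r.ExtraRedirects)
	fmt.Printf("content similarity: %.2f\n", r.Similarity)
	fmt.Printf("suspicious:         %v\n", r.Suspicious)
}
```

In practice the two observations would come from real fetches with different User-Agent strings (and ideally different source networks, since some cloaking keys on the crawler's IP ranges rather than its headers); the comparison logic is the same.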
With the goal of controlling and monitoring information (as well as stealing data), hackers will develop combination attacks that affect DNS service providers and compromise certificate authorities. These sophisticated, effective threats will be increasingly difficult to detect and will obviate the need for attackers to place a “man in the middle.” Even security-conscious users will not be able to tell if they are on a malicious site if DNS provisioning systems are compromised. And if stolen certificate authorities are employed, attackers can create fake banking applications and more to control access to information, steal personal data and money.
Barry Hensley, director of the Counter Threat Unit at Dell SecureWorks, cites the 2011 DigiNotar Certificate Authority (CA) breach as a manipulation of security controls with the intent of controlling and monitoring private citizens’ information. In the case of DigiNotar, a hacker going by the handle of “COMODOHacker” seized control of CA servers, created fraudulent certificates and used them to execute “man-in-the-middle” attacks against hundreds of thousands of victims. The scheme enabled the hacker to access Iranian Gmail users’ messages and monitor much of their Internet traffic.
“The advanced persistent threat (APT) buzzword has become the most overused and misunderstood acronym in the IT security community,” said Barry Hensley, director of the Counter Threat Unit/Research Group for Dell SecureWorks. “An APT is not characterized by the sophistication of an adversary’s malware. Rather, it pertains to the threat actor’s determination and the resources he is willing to expend to achieve his objectives. It’s not a what, but a who?”
“When a person or group has the required cognitive abilities and resources at their disposal, and applies them with the singular aim of obtaining intellectual property, intelligence or personally identifiable information, it changes the game,” said Hensley. “It means the threat can and will adapt to your security posture until its objectives are achieved or the cost of the operation outweighs the perceived value of the target.”
While governments are important targets for espionage and intelligence gathering, computer systems, corporations and critical infrastructure are also attractive, high-value targets. Some nation-state sponsored attacks are targeting corporations specifically for their intellectual property, sensitive business negotiations and national security designs and technology.
Attack sophistication largely depends on the security of the selected target. If an attack on critical infrastructure or corporate data theft can be accomplished via traditional phishing and common exploit kits, adversaries will not use advanced techniques. The term “advanced persistent threat” is also misused or confused with hacktivists attempting to change industry or government behavior via organized cyber activity — typically denial-of-service campaigns or the posting of compromised sensitive data designed to publicly embarrass an organization or cripple operations.
“The tools, procedures and other controls used to defend commodity security threats are often ineffective against targeted APTs,” said Hensley. “When actors are focused on a specific target, they customize and adapt their tactics, techniques and procedures to predict and circumvent security controls and standard incident responses.”
According to Hensley, an organization can be plagued by a single APT exploitation for months or years — even after it is aware of the effort. The incident response drags on as threat actors continually respond to defensive measures and look for new security weaknesses. “Advanced persistent actors have clear objectives with centralized planning and often decentralized execution,” said Hensley. “These adversaries are highly resourced, methodical, adaptive, resilient, advanced enough and clearly patient.”
With such high stakes, critical infrastructure must remain highly alert with multiple layers of defense and constant user education.
“In the military, you’re taught that in a defensive position, you have a three-to-one advantage over an attacker,” said Greg Conti, associate professor of computer science at West Point. “But in security, it’s the opposite. The attacker has nearly a thousand-to-one advantage. We have to assume that a determined adversary can overcome the defender, it is just a matter of how long it will take.”
Unfortunately, end users tend to be the most common and hard-to-remediate weak point, and even security researchers struggle to address the problem. “You can’t patch users,” said Conti. “And there’s always a human being somewhere behind the security technology.”
One source working in critical infrastructure agrees. “People are always the most vulnerable part of the IT infrastructure,” he said. “We have so many security layers and defenses, from separating physical control systems from the standard business network, to DMZs, to limiting network protocols that communicate with physical systems, and securing all the primary UIs to the Internet. At the end of the day, there’s a person on the end of all that security that can make decisions that will have an impact.”
Some of the other concerns surrounding emerging threats to critical infrastructure and business in general include the move to cloud computing, the transition from IPv4 to IPv6, computing monocultures and hardware supply chains. Cloud computing is still relatively ill-defined yet highly complex, presenting a giant target for adversaries.
“The cloud complicates today’s traditional defensive techniques,” said Hensley. “A threat actor could build infrastructure in the cloud using highly available on-line developer tools, then use it to command-and-control exploited computers by hiding in what we thought was benign traffic.”
Experts agree that a cyber conflict with physical ramifications outside of a traditional kinetic conflict is unlikely. But they also believe the cyber vector is a new force multiplier in nation-state conflicts. Whether APTs are targeting infrastructure, corporations or governments, there is a strong need for public/private collaboration to improve security.
“Enhanced situational awareness based on reliable threat intelligence is critical to forming effective defense strategies against these advanced threat actors. Without a thorough understanding of the threat, defensive strategies and spending will be inefficient at best and ineffective at worst,” said Hensley.
Hensley advocates a layered security process and controls, continuously applied and updated based on ongoing visibility of evolving threats. Security processes and controls should include vulnerability lifecycle management, endpoint protection, intrusion detection/prevention systems, firewalls, logging visibility, network visibility and security training.