BANGALORE, INDIA: The harsh reality of cyber espionage came to the surface again when the ‘Flame’ malware was discovered recently by security researchers.
The advanced persistent threat (APT), which targeted computers in countries across the Middle East, was described by security experts as a highly sophisticated cyber-weapon. Flame, unlike most other malware, was designed neither to disrupt or damage computers and network infrastructure nor to phish out banking details. Its primary purpose was to stealthily siphon industrial design files (AutoCAD documents), PDF documents and emails out of affected computers. Beyond this, Flame's creators had built the multi-module malware to sniff network traffic, take screenshots, log keystrokes and record conversations through the computer's microphone.
In addition, the malware could use the infected computer's Bluetooth radio to connect to other discoverable Bluetooth devices, such as mobile phones, and steal contact information from them. This gamut of intelligence-gathering functions led the security researchers analyzing the malware to conclude that Flame is a complete attack toolkit designed for cyber espionage.
Now that the malware has been discovered, Flame's operators have pushed a self-destruct command to remove all its traces from affected computers. The suicide module deletes every Flame component and overwrites the files with random data before removing them, so that researchers cannot recover the malware from disk for study. Antivirus and security vendors, for their part, have updated their products to detect Flame.
That the plug has been pulled on Flame does not mean businesses and governments can ignore the lesson: there could be similar small, undetected programs lying in their networks, quietly transmitting their data and information out to their rivals.
Protecting against Flame and other APT Attacks
Now that antivirus solutions can detect and remove traces of Flame, the original malware is no longer a serious threat to companies with up-to-date security solutions. The real danger is that hackers and cybercriminals will learn from this cyber-espionage episode and develop stealthier malware that takes corporate spying to a whole new level.
Businesses can safeguard themselves from APT attacks by practicing the so-called holy trinity of security:
1. Educate Users and Keep Security Policies Relevant
Attackers generally consider users the weakest link in the chain, and users are often the target of the initial infection. Companies need to educate them on APT infection vectors and social engineering techniques. Since training will never guarantee that an employee won't open an infected document, IT managers should also make sure each user has only the access rights he or she needs and no more, so that a compromised account yields the attacker as little as possible.
2. Maintain Up-to-Date Systems
The latest security patches must be applied promptly. Signature maintenance across the whole IT estate, typically obtained through a security services provider, is part of the same discipline: the aim is to keep the window between a vulnerability becoming known (or an exploit appearing) and the fix or signature being deployed as short as possible, reducing both exposure and operational risk.
3. Adopt an "Intelligently Redundant" Security Strategy
Enterprises need to take a multi-disciplinary, consolidated approach to securing all IT assets. Antivirus and intrusion prevention capabilities are essential, but firms should also consider data loss prevention (DLP) technologies and look at the big picture of the threat landscape. True mitigation comes from a blend of policies and protection against the full threat spectrum: antispam, Web filtering and application control each do their part to block an APT at a different stage of the attack. The rule of thumb is that no single security layer is foolproof, and integrating them intelligently helps ward off multi-vector threats.
Here are the layers that enterprises must have:
Effective protection against multiple attack vectors. This means security infrastructure that provides protection at a number of levels and against a number of vectors, including mail, IM, Web exploits, applications, malware and botnets.
Robust in-depth asset hardening. This should cover networks, Web applications, data and databases, laptops and servers. The impact of zero-day attacks is best minimized by a combination of keeping patching windows as short as possible, hardening all such assets through robust configuration management based on best practices (e.g. least privilege), and judicious deployment of two-factor authentication for critical services.
Application control. This lets enterprises apply risk- and threat-based control over application channels, peer-to-peer traffic and botnet communication, so that employees can use social networking platforms like Facebook safely while risky channels are blocked. Botnet control is particularly important because most modern threats rely on an egress communication channel to reach their operators; blocking that channel effectively mitigates many of them, since stolen data cannot leave and new instructions cannot arrive.
Monitoring. This includes infrastructure-wide monitoring so that real or potential attacks can be responded to rapidly, as well as up-to-the-minute threat signatures for applications, networks, data and DLP. There are far too many documented cases of threats lying resident on systems and eventually causing millions of dollars in damage simply because they were allowed to live for months and, in some cases, years.
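The application-control and monitoring layers above both rest on the same observation: an implant that has been resident for months still has to talk to its operators and still has to move the stolen data out. The script below is an added example (written for this page; it is not code from the article or from Fortinet) of the kind of egress monitoring that catches both behaviours. It reads constructed proxy/firewall log lines (timestamp, source host, destination, bytes sent) and flags, per source/destination pair, connections whose inter-arrival times are nearly constant (a beacon checking in on a schedule) and destinations that receive an unusually large volume of outbound data (bulk exfiltration). The host addresses, destination names, the allowlist and the thresholds are all assumptions chosen for the example; the allowlist covers the one genuine caveat, that legitimate software such as an internal patch server is also polled on a fixed schedule and would otherwise look like a beacon.

```python
"""Added example: flag hosts whose outbound traffic looks like a malware beacon
or a bulk data exfiltration, from egress (proxy/firewall) log lines.

Two simple heuristics, both evaluated per (source, destination) pair:
  * beaconing: at least min_connections connections whose inter-arrival times
    are nearly constant (coefficient of variation below max_cv);
  * bulk exfiltration: total bytes sent out to one destination >= exfil_bytes.
Destinations in the allowlist (e.g. an internal patch server that is polled on a
schedule by design) are skipped to avoid false positives.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not captured from any real network). Field order:
# timestamp  source_host  destination  bytes_out
SAMPLE_LOG = """\
2012-06-04T09:00:00 10.0.0.5 cdn-updates.example 412
2012-06-04T09:10:03 10.0.0.5 cdn-updates.example 418
2012-06-04T09:19:58 10.0.0.5 cdn-updates.example 410
2012-06-04T09:30:01 10.0.0.5 cdn-updates.example 415
2012-06-04T09:40:02 10.0.0.5 cdn-updates.example 411
2012-06-04T09:49:59 10.0.0.5 cdn-updates.example 417
2012-06-04T10:00:00 10.0.0.5 cdn-updates.example 413
2012-06-04T10:10:01 10.0.0.5 cdn-updates.example 414
2012-06-04T09:05:00 10.0.0.7 files.example.net 25000000
2012-06-04T09:07:30 10.0.0.7 files.example.net 22000000
2012-06-04T09:12:00 10.0.0.7 files.example.net 18000000
2012-06-04T09:01:10 10.0.0.9 news.example 1200
2012-06-04T09:03:45 10.0.0.9 news.example 980
2012-06-04T09:31:00 10.0.0.9 news.example 1500
2012-06-04T09:32:05 10.0.0.9 news.example 800
2012-06-04T10:05:00 10.0.0.9 news.example 2200
2012-06-04T10:06:00 10.0.0.9 news.example 1100
2012-06-04T08:00:00 10.0.0.11 wsus.corp.example 900
2012-06-04T09:00:00 10.0.0.11 wsus.corp.example 905
2012-06-04T10:00:00 10.0.0.11 wsus.corp.example 898
2012-06-04T11:00:00 10.0.0.11 wsus.corp.example 902
2012-06-04T12:00:00 10.0.0.11 wsus.corp.example 899
2012-06-04T13:00:00 10.0.0.11 wsus.corp.example 901
"""

# Assumed allowlist: destinations that are expected to be polled on a fixed schedule.
ALLOWLIST = {"wsus.corp.example"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def interval_cv(times):
    """Coefficient of variation of the gaps between sorted timestamps (0 = perfectly regular).

    Returns None when there are fewer than two gaps, i.e. regularity is undefined.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_suspicious(text, allowlist=ALLOWLIST, min_connections=6, max_cv=0.2,
                    exfil_bytes=50_000_000):
    """Return {(src, dst): [reasons]} for pairs that look like beacons or bulk exfiltration."""
    flows = defaultdict(lambda: {"times": [], "bytes": 0})
    for ts, src, dst, nbytes in parse_log(text):
        flows[(src, dst)]["times"].append(ts)
        flows[(src, dst)]["bytes"] += nbytes

    findings = {}
    for (src, dst), flow in flows.items():
        if dst in allowlist:
            continue  # scheduled polling of known-good servers is regular by design
        reasons = []
        cv = interval_cv(flow["times"])
        if len(flow["times"]) >= min_connections and cv is not None and cv < max_cv:
            reasons.append("beacon")
        if flow["bytes"] >= exfil_bytes:
            reasons.append("exfil")
        if reasons:
            findings[(src, dst)] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

On the sample data, 10.0.0.5 is flagged as a beacon (eight connections roughly ten minutes apart, a few bytes each) and 10.0.0.7 as exfiltration (65 MB to one destination in three connections), while the irregular browsing from 10.0.0.9 and the hourly patch-server polling from 10.0.0.11 are left alone. Remove wsus.corp.example from the allowlist and the patch client is flagged too, which is the point of the caveat: regularity alone is a lead, not a verdict, and the thresholds need tuning against what is normal for the network in question.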
APTs are continuing to surface. Flame is just the latest incident, following GhostNet, Operation Aurora and Stuxnet. It is high time for CIOs to assess their exposure to APTs and start taking preventive and remediation measures to stop espionage attacks that could be catastrophic to their business.
(The author is senior regional director, India and SAARC, Fortinet)