What if your data is ‘kidnapped’!

|May 19, 2015 0
As fictional or drama-syrup-ed as it may sound, security world is already used to words like Ransomware, MaaS etc. Welcome to the new underworld of threats

Pratima H

INDIA: Things were a tad skewed and slippery when security reports talked of two-factor authentications or perimeter encryptions.

However, that era of worries must feel like spring when compared to what we have started hearing today – what was ‘skewed’ has turned to capsized and what was just a teeny-weeny bit ‘slippery’ has been birled into into a super-fast, never-ending, and almost fatal nosedive.

For instance, look at what the latest Websense Security Labs 2015 Threat Report uncovers. When it canvassed trends, tactics and defense vulnerabilities, it pulled out new undercurrents – threat actors are gaining capabilities through the adoption of cutting-edge tools instead of technical expertise; there are suddenly terms like redirect chains, code recycling and other anonymous-powered techniques doing the rounds; attribution time has become all the more consuming, difficult and ultimately unreliable; and the most jaw-dropping finding – older standards are coming in lieu of newer and more secure options which makes woes of a brittle infrastructure all the more bitter.

These are times when CIOs are not talking about SaaS, PaaS, IaaS as much as they are whispering anxiously about MaaS (Malware-as-a-Service). The report also peels off more layers like how MaaS allows even entry level threat actors to successfully create and launch data theft attacks thanks to greater access to exploit kits for rent and newer/way-easier opportunities to buy or subcontract portions of a complex multi-stage attack.

These malware authors were also spotted blending new techniques with the old, resulting in highly evasive techniques. What pops even more loudly is the part where we notice that even if source code and exploit may be unique and advanced, much of the other infrastructure used in attacks is recycled and reused by the criminal element. No wonder, in 2014, 99.3 per cent of malicious files used a Command & Control URL that has been previously used by one or more other malware samples and that 98.2 per cent of malware authors used C&C’s found in five other types of malware. Of course, contagions like code base of Bash, OpenSSL, and SSLv3 also keep floating and gaining weight.

In a deep-cutting chat throbbing with a cross-section view of the security situation around enterprises, we get to understand more about these new symptoms, and also ask Surendra Singh, Regional Director – India & SAARC, Websense, Inc. other ‘what-to-do’s around the newest red flags, IoT’s (Internet of Things) weak immune systems, open source’s solar plexus points, end-of-ITware knee-joints, and of course, the big disease called ransomware. Grab a (strong) chair.

That report surely throws up some uncomfortable patterns. Like the one about how quality of attacks is gaining weight over quantity. Can you explain why is that happening and how strongly? Also, what is this ‘Kill Chain’?

Yes, threat actors have started to focus on the quality of their attacks rather than quantity. Websense Security Labs observed 3.96 billion security threats in 2014, which was 5.1 per cent less than 2013. But watch how the numerous breaches of high profile organizations with huge security investments attest to the effectiveness of last year’s threats. In simple words, attackers have restructured the methodology of attacks to reduce their threat profile. And they have done this by becoming less linear in following the traditional Kill Chain. If you are a hacker, what you would normally like to do is compromise a firewall. This is an elaborate chain created by hackers, for they know that employees are the weakest links in any security chain. Hence targeted attacks using psychology, topical content and social engineering.

That is what makes it all the more difficult for enterprises and vendors to stay away from dents, because an employee could be tempted so easily with a very precisely targeted spam or something. Also, these are more hard to detect, as stages are skipped, repeated or only partially applied, thereby reducing the threat profile.

How much damage have they been making?

Activity at any one stage of the Kill Chain varied widely. Just as spam probe activity focuses upon the first stages of the Kill Chain, other stages of the Kill Chain saw varying levels of activity. Some stages saw more activity; others had much less than the year before. Like, suspicious emails were up 25 per cent year-over-year, dropper files fell by 77 per cent, call home activity rose 93 per cent and exploit kit usage dropped 98 per cent, while malicious redirect activity remained flat.

What about Ransomware? Why is that pocket becoming so hard to ignore?

This is something that starts with employees or small organizations. Petty criminals make employees download a malicious software and that locks the data that the employee or organization needs in dire terms. Hence, the ransom part. These techniques are becoming more sophisticated so much so that entire cockpits can be paralysed.

How culpable is the role of end-of-lifecycle products here? Why is Bash, Open SSL etc a trend?

Two factors work in any security scenario – vulnerability and skills or complexity. In IT industry, speed is a crucial factor. Hackers are specialized people. In last ten to 20 years, IT systems have become more and more complex. Overall IT infrastructure security fabric has become very fragmented. Top enterprises have twenty security products with eight to ten from different vendors and these do not exactly communicate smoothly with each other. That’s exactly what criminals are taking advantage of.

Malware-AAS! Who could have thought of that?

Yeah, but it is not something new. It is just becoming bigger and bigger now. It is just an efficient marketplace for people with not very high levels of IT knowledge but with the means to buy it. So experts and kits can do things for you if you are on the wicked side. There is so much specialization happening here. For example – specific services in case you have a thing for compromising credit cards.

Why recycling?

Objects can be changes with a slight tweak in the signatures and Voila, now previous tools can work again. These tiny changes help to avoid anti-virus detection and while the security machinery can be kept busy with enough distractions, the criminal’s job is done.

In this post-Heartbleed world, can we assume that Open-source genre is weaker (or otherwise) when it comes to security-flaws?

Sometimes, we may think that Apple is safe but then does it not have a large and hence tempting footprint? Nothing is full-proof because every genre is being used somewhere and thus will catch the eyes of attackers. A lot of work has to happen.

What is worse – being ready for attacks or the attribution traps after that?

It is indeed particularly difficult to do attribution, given the ease by which hackers can spoof information, circumvent logging and tracking or otherwise remain anonymous. Often, analysis of the same circumstantial evidence can lead to widely different conclusions; use the valuable time following an attack on remediation efforts.

Does email continue to be a soft target?

The report noticed that in 2014, 81 per cent of all email scanned by Websense fall into malicious category and this number is up 25 percent against the previous year. We also happened to detect 28 per cent of malicious email messages before an anti-virus signature became available. There were more than 3 million macro-embedded email attachments identified in just the last 30 days of 2014.

Why do you circle IoT as a threat multiplier?

Simply because it can magnify exploitation opportunities as it grows to an estimated range of 20-50 billion connected devices by 2020. IoT is a strong area to watch for as it offers previously unimaginable connectivity and applications, yet ease of deployment and the desire to innovate often override security concerns.

Any red flags that stand out for India here?

Globally, we have seen many significant breaches in last couple of months and incidents like the one at Target etc iterate that the level of sophistication has changed vastly. Today security is not about wrestling with a small-nuisance seeker, but about ensuring that the entire business does not vanish with just one attack. It is a Board level issue and CISOs are taking cognizance of its seriousness, investing in the right directions. It is a worldwide scenario and everyone has to get their act together.

We have to consider the part that with an anticipated global shortfall of 2 million skilled security practitioners by 2017, new approaches for utilizing resources and adopting technology are needed. Otherwise, it is inevitable that organizations will be out-maneuvered by their adversaries. Things have become less simple these days and insider threats persist as a risk factor for data theft, from both accidental and malicious actions by employees. In fact, it is worrisome that 2014 saw the threat landscape expand into the network infrastructure itself, as hidden vulnerabilities were revealed deep within the code base of Bash, OpenSSL, SSLv3 and others that have been in popular use for decades.

No Comments so fars

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.