The New Anatomy of a Hack
A recent question I received from a journalist who was frankly perturbed by the spate of successful attacks: “How can companies protect themselves from targeted, socially engineered attacks?”
Of course he was referring to the sophisticated attacks against the likes of Epsilon, Google, the IMF and, most importantly, RSA, the security division of EMC. Originally, the “anatomy of a hack” had four steps:
- The attacker researches, or conducts a footprint analysis of, the target to determine its exposed networks;
- Inventories those networks, scanning machines and ports to discover vulnerabilities;
- Exploits those vulnerabilities to gain a foothold; and
- Steals information, installs backdoors and, overall, does damage.
In our business, methodology changes at lightning speed. Today, there is a new, new anatomy of a hack. It is much simpler to execute and much harder to stop.
Step one: Today, reconnaissance replaces footprint analysis. The attacker has already determined the information they are after: design data for the Joint Strike Fighter, oil and gas reserve data, or the super-secret seeds for RSA SecurID tokens. In this first step, the attacker identifies the key employees who might have access to the target data.
Step two: Customization of malware. The attacker uses one of many toolkits to generate a package that exploits either a known or a zero-day vulnerability, and bundles it into a PDF or another common file format.
Step three: Delivery. The package is emailed to the target employees with a socially engineered message (or, as in the Google Aurora attack, a message from a “friend” on Facebook). Anyone receiving an email from HR with the subject “Your New Benefits Package” would have no qualms about opening it. They are immediately infected with a dropper that connects to a command-and-control server, where it gets new instructions for downloading a keystroke logger or another malicious package.
Step four: Penetration. Once an attacker has a foothold within the organization, they escalate by using whatever privileges the infected user has to infect additional users. The goal: get onto the machine of the person responsible for administering the critical resource they are after.
Step five: Exfiltration. Grab the data and run. Compress it, encrypt it, and exfiltrate it.
The reason the RSA attack is so spooky is that it now appears the theft of seeds for its SecurID tokens was merely the means to more targeted attacks against Lockheed Martin, L3 and Northrop Grumman (so far). Talk about targeting and execution.
So how do you protect yourself against these attacks? Authentication is a good step, and here is where I would normally say “deploy one-time password tokens!” But, in light of the RSA compromise, that is no longer enough, and frankly, once an attacker has gained access to the user’s device, OTP tokens are useless.
The answer is to harden those systems against the delivered malware. Harden them by enforcing whitelisting: a default-deny policy under which only executables on an approved list are allowed to run. The malware is going to be new, unknown software, so a whitelisting solution will refuse to run it. Game over.
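To make the default-deny idea concrete, here is an added example of the check at the core of hash-based application whitelisting. It is illustration code written for this page, not code from the original post or from any whitelisting product; the manifest format, the file paths and the byte strings standing in for executables are all constructed for the example.

```python
"""Hash-based application allowlist check (added example, not product code).

The executables below are constructed byte strings standing in for real
binaries; the manifest format (path -> SHA-256 hex digest) is an assumption
made for this example, not any vendor's format.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class Allowlist:
    """Default-deny: a path must be listed AND its bytes must match the
    approved digest. Listing digests rather than paths alone means an
    approved path that has been overwritten with malware is still denied."""

    def __init__(self, manifest: Dict[str, str]):
        self._expected = {path: digest.lower() for path, digest in manifest.items()}

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def check(self, path: str, content: bytes) -> Decision:
        expected = self._expected.get(path)
        if expected is None:
            # Anything not enrolled on the golden image is unknown software.
            return Decision(False, f"not in allowlist: {path}")
        actual = self.digest(content)
        if actual != expected:
            # Same path, different bytes: a trojaned or patched binary.
            return Decision(False, f"digest mismatch for {path}")
        return Decision(True, "allowed")


def build_manifest(binaries: Dict[str, bytes]) -> Dict[str, str]:
    """Golden-image step: hash every approved executable once at enrolment."""
    return {path: Allowlist.digest(content) for path, content in binaries.items()}


# Constructed stand-ins for the approved executables on a golden image.
READER = "C:/Program Files/Adobe/Reader/AcroRd32.exe"
NOTEPAD = "C:/Windows/System32/notepad.exe"
APPROVED: Dict[str, bytes] = {
    READER: b"MZ...constructed stand-in for the PDF reader",
    NOTEPAD: b"MZ...constructed stand-in for notepad",
}


def demo() -> Dict[str, bool]:
    """Run three launch attempts through the allowlist and return the verdicts."""
    allow = Allowlist(build_manifest(APPROVED))
    cases = {
        # The approved PDF reader, untouched: the only thing that may run.
        "reader_ok": allow.check(READER, APPROVED[READER]),
        # A dropper written to a user-writable temp directory by the exploit.
        "dropper_unknown": allow.check(
            "C:/Users/alice/AppData/Local/Temp/svchost.exe",
            b"MZ...constructed stand-in for a dropper",
        ),
        # Malware that overwrote an approved binary in place.
        "trojaned_notepad": allow.check(
            NOTEPAD, b"MZ...constructed stand-in for notepad with a backdoor"
        ),
    }
    return {name: decision.allowed for name, decision in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DENY'}")
```

The point of keying the list on the file's digest rather than its path alone is the third case: a whitelist that trusted `notepad.exe` by name would happily run a backdoored copy at the same location. The check bites exactly where the attack chain described above depends on new code: the dropper that the exploited PDF reader writes to disk is unknown software and is refused before it can reach its command-and-control server.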
There are often-repeated objections to whitelisting: it’s too limiting, it creates false positives, it’s difficult to manage. But these products have been evolving; customers have driven changes to accommodate real-world environments. Most enterprises that deploy whitelisting run it on top of traditional antivirus. That hybrid approach may eventually become the standard, but I hope not, since whitelisting could free the desktop (notebooks, pads and smartphones too) from the overhead of constant scans and downloads of signature updates.
Regardless of the perceived drawbacks, there will come a time when the threat of compromise from targeted custom malware will outweigh those drawbacks. That time is now.