Guidance Software Whitepaper

How Three Cyber Threats Transform Incident Response:

Targeted Attacks, System Exploits, Data Theft, and You

I. Executive Summary

While we still use many of the same old names—viruses, Trojans, and worms—today’s malware deserves much more respect than many are giving it. Where traditional viruses mostly aimed to disrupt operations or win fame for their coders’ cleverness, today’s malware enables potent multistage attacks called advanced persistent threats. In these carefully sequenced attacks, criminals rely on custom and constantly changing malware placed where it will go unnoticed, returning the maximum value from their investment.

This paper describes how malware enables these advanced persistent threats. Three case studies explain how enterprise information security and incident response (IR) teams can employ cyberforensics tools to minimize the damage.

“More respondents report a breach than in any previous ISBS survey over the last two decades… The nature of the incidents reported in this survey are different from those seen in previous surveys, with big rises in confidentiality and data protection breaches, hacking and denial of service attacks, and ‘botnet’ and spyware infections.”

— INFORMATION SECURITY BREACHES SURVEY 2010

II. Beyond Your Average Malware: Advanced Persistent Threats

A study conducted by PricewaterhouseCoopers for InfoSec Europe found “the incidents reported in [2010] are different from those seen in previous surveys, with big rises in confidentiality and data protection breaches, hacking and denial of service attacks, and ‘botnet’ and spyware infections.”1

Today, the types of attacks are different, the timing is different, and the response must be different:

• Types

The majority of threats—including the Operation Aurora, Zeus, and piracy examples we are about to discuss—seek sensitive data found on vulnerable endpoints. These subtle, often targeted threats implement multiple techniques as they work to penetrate the network and remove data, leaving only tiny artifacts to indicate activities and navigating deftly throughout enterprise infrastructure. Every system they touch can be loaded with malware, and some attacks incorporate dozens of different pieces of code, such as keyloggers, obfuscators, rootkits, and worms, that serve different functions in the attack. Polymorphism—changing each use—and custom code allow this malware to evade signature-based defenses.

• Timing

Today’s targeted attacks may use serial stages to gradually penetrate a system. Criminals will test delicately for weaknesses and countermeasures and occasionally have code lie dormant on a system to escape notice by network and host intrusion detection systems until the right moment. Alternatively, botnet herders might strike through simultaneous parallel paths—email, web, and USB device—hoping to succeed through the right combination of malware, browser, and system vulnerability. Of course, insiders still write their own timelines, but many act within a few weeks of leaving an organization.

• Response

Complexity and diversity make these threats difficult to predict, detect, or deflect and thus more likely to succeed. First, incident response teams must contain the visible phase of the attack, quarantining its victims. They must then assume that there are other victims and other stages that must be identified, characterized, and remediated. In order to return to normalcy, enterprises need to know definitively that systems are clean. A clean bill of health requires removal of the full arsenal of malicious software tools and their hooks from all networked assets.

III. Technical Support for Tense Situations

Tools known as cyberforensics help enterprise information security and IR teams tackle these threats with confidence. Cyberforensics can be defined as the process of extracting or analyzing data from a computer or server in order to guarantee the integrity of both the system and the data. Cyberforensics tools augment proven forensics techniques with advanced computer security technologies to get complete visibility into the system and expose, analyze, contain, and remediate anomalies. Automation and centralization allow more to be accomplished in less time while maintaining court-worthy evidence controls.

Unlike traditional “dead-box” forensics, cyberforensics can work over the network to inspect data and software not only on the hard disk but also in memory. In analyzing the system, cyberforensics search for anomalous code, including rootkits, packed code, sensitive data files, auto-run software, and any related artifacts. Through this deep inspection and analysis, tools can quickly expose suspicious or inappropriate software and polymorphic code running on any desktop or laptop, as well as shared servers.

Shared resources such as print, file, and email servers offer excellent targets for malware. Unlike heavily monitored endpoints, any unusual behavior on these systems often goes undetected for long periods, increasing the payoff for the botmaster. Malware on print servers has been seen in several recent attacks, including one where evidence was destroyed in the process of recovery: “the City of Norfolk, Virginia, suffered a massive cyber attack when hackers possibly launched malicious code known as a “time bomb” on the city’s computer systems, destroying data on nearly 800 PCs citywide…IT administrators determined the distribution source of the malware was a print server that handled printing jobs for Norfolk City Hall. However, the malicious code on that system may not be recovered, due to the fact that IT administrators destroyed it while rebuilding the print server.”2

Perhaps the most difficult step of cyber-incident response is actually determining the full extent of the attack. You must uncover all code that should be remediated—both known and unknown malware and errant sensitive data—reliably and in minimal time. Once the code has been identified on all compromised systems, the team can move to collect and preserve the data for analysis, to enhance future scans against re-infection, and, if necessary, as evidence (see sidebar).

Finally, you return the system to a trustworthy or known state. This has historically been a slow, measured process.

However, today’s threats do not allow time for a leisurely, hands-on approach. The velocity and volume of attacks coupled with distributed, non-stop enterprise operations mean that forensic analysis must now be centralized, hands-free, and:

• Lightning-Fast: high-performance, automated inspections to expose and contain threats on every system over the network

• Comprehensive: deep investigation and cleaning of all software on the system, including registry keys, to ensure no malicious code is left hidden to reemerge later

• Non-disruptive: operation “under the radar,” without manual intervention, to allow cost-effective execution and unobtrusive investigation of suspected incidents

Knowledge is Power

While many response teams are more concerned about cleanup than evidence, detailed preservation of system and data changes can help with:

• Scoping the full extent of an attack

• Improving scans to ensure the threat is not re-introduced

• Construction of more effective data handling and security policies

• Training for employees

• Legal action

In recent years, law enforcement agencies have improved their abilities to prosecute international cybercrimes. For proof, consider the lengthy sentences handed down to Albert Gonzalez, the hacker convicted in the TJ Maxx and Heartland Payment Systems data breaches, and his network of enabling cybercriminals, including one now serving in a Turkish prison.

Source: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/

Cyberforensics let information security and IR teams rapidly triage, scope, and remediate sophisticated threats. They also offer a rare way to get ahead of these threats: Gartner analyst Jay Heiser recommends security and response teams “plan for – or even deploy – remote forensic agents before they are actually needed, working with IT administrators to ensure compatibility with network, security, encryption and administrative privileges.”3

IV. Three Case Studies: Targeted Attacks, System Exploits, and Data Theft

The value of cyberforensics comes into focus when we look at responses to three increasingly common threat scenarios: targeted attacks, system exploits, and data theft.

Targeted Attacks Leveraging Malware: Operation Aurora (Google et al.)

In January 2010, industry icon Google jolted the IT community and garnered headline news when it admitted it had been the victim of a very targeted attack, enabling someone to steal source code to Google’s password system, then access sensitive content related to Chinese human rights activists. Eventually, dozens of other security-savvy high-tech companies—Adobe, Intel, Juniper Networks, Symantec, and others—admitted that they had been compromised as well.4

This attack unfolded in multiple phases to penetrate deep into the victim’s infrastructure. According to the New York Times, “the theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program…By clicking on a link and connecting to a ‘poisoned’ Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.”5 This attack “used multiple malware components, with highly obfuscated code designed to confound security researchers.”6

How could cyberforensics have made a difference?

Cyberforensics help you reveal, triage, and reliably remediate affected systems in the minimum possible time. Had you been on a victim’s IR team, you might have used cyberforensic tools to:

• Determine if malware were involved

• Track down malware planted on the compromised machines

• Collect data from potentially affected machines for analysis

• Bring the machines back to a trusted state

With cyberforensics, when you identify a suspicious system, you can compare its software to a profile of known binaries specific to your company, as well as publicly known good and bad code. After weeding out recognized software, you are left with the new, unknown, sometimes zero-day threats. Analysis tools help you understand the code’s capabilities, guiding you to find where else it might have penetrated your infrastructure and how best to remediate it. All the while, the inspection preserves the forensic state of the system and its data, including data both on the hard disk and in memory, helping you to comply with legal chain of custody standards and capture evidence required for court proceedings.

clean the system, purging files of malicious code, killing processes, and resetting registry keys to block re-propagation.

Malware and Botnets Exploiting Systems: Zeus

One of the strengths of forensics-grade tools is that they look beyond the obvious. Sometimes you know that something is wrong because systems are simply behaving unusually. Sometimes the governance council wants proof that their infrastructure hasn’t been affected by the latest publicly discussed cybercrime innovation. When standard anti-virus and vulnerability assessment tools fail to find anything wrong, cyberforensics may be your only way to restore full confidence that your systems are clean.

For instance, malicious code may be connecting your systems to a botnet. Each compromised machine, or zombie, could send spam or be used to prey on other businesses, placing your organization at risk of liability and damage to your reputation. Some companies only find out about zombies when their network traffic is flagged and dropped as “risky” by services that calculate Internet reputations. These services block or drop traffic from IP addresses that are sending spam or otherwise misbehaving. Having your web and email traffic refused puts a damper on smooth business operations, and restoring your online reputation adds hassle and complexity to incident response.

The Zeus botnet is the most prevalent and dangerous financial malware on the Internet, with a zombie network and set of techniques being used again and again to target online accounts and bank account data. The Zeus malware infects the PC, changes the registry, waits for the login, then forwards login data to a command and control center. It is both virulent and frightening since it can bypass strong (multi-factor) authentication and transaction signing, operating unseen while users assume they are protected. By changing itself every few uses, it skirts anti-virus services that look for repeated instances of code.7

How would cyberforensics make a difference?

The deep inspection of cyberforensic tools will help information security teams expose system integrity issues caused by anomalous or unknown code, including dormant code, allowing you to remediate these risks. One strategy rapidly gaining favor in enterprises uses cyberforensic tools to establish a “gold build” profile for systems and then run regular scans to expose any anomalies. A typical process includes:

• Create baseline “trusted” profiles, documenting known good code and approved applications

• Expose unknown data residing on any networked system

• Analyze any unknowns, leveraging commercial databases to quickly pinpoint suspicious content, such as malware or unapproved processes

• Return configurations to their trusted states by remediating malware, inappropriate data, and unauthorized software

Consistent endpoint scans—reviews performed automatically throughout networked endpoints—shine a spotlight on unknown threats and noncompliance with corporate policies. You can immediately detect anomalies and treat them as formal events, allowing your incident response processes to take prompt and appropriate action.

What IS Your Exposure?

Most organizations underestimate their risk and vulnerability to advanced persistent threats. Evaluate your organization:

• Are you concerned that advanced malware such as Zeus or Aurora may be lying hidden on critical servers?

• Has the increased threat of attacks altered your organization’s security posture?

• Are your employees trusted to access sensitive or regulated data using laptops or desktops?

• Could sensitive information be lying exposed on your organization’s email servers or in employee email archives?

• Can employees use copy machines to duplicate sensitive information?

• Are false positives overwhelming your alerting technologies?

If you answered YES to any of these questions, visit www.guidancesoftware.com/cybersecurity to learn how EnCase Cybersecurity exposes and eliminates unknown risks and threats to data security.

Data Loss or Theft: Regulated Data and Intellectual Property

Our final case study reflects the market value of sensitive and confidential data. Through deliberate action or accident, it’s easy for regulated data (such as customer and employee databases and corporate financial records) and intellectual property (such as source code, designs, or business plans) to be saved in violation of policy. For example, the PCI data security standard (DSS) directs that credit card data should only be stored if there is a legitimate business need.

“Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves. For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data.”8

Sometimes policy violations happen to get around operational obstacles, like USB sticks used for sneakernets, and sometimes they occur for profit. A 2010 insider threat survey reported “insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization. The 2010 CyberSecurity Watch Survey uncovered the fact that data is often downloaded to home computers or sent outside the organization via email. This may lead to damaged organizational reputations and may put organizations in violation of state or federal data protection laws.”9

While breaches of regulated data require notification, data leaks and pirating of intellectual property carry an extra penalty: lost income. “A security leak at a large music company led to the deliberate prerelease leaking of a superstar artist’s latest album. As well as losing the company revenue of more than £100,000, there was also the embarrassment of the media coverage to contend with.”10 Some artists have had to change release dates in response to these losses, reimagining carefully laid launch plans at great expense.11

While many have worried about laptops being lost—creating a market for automated encryption tools—a common exfiltration today happens as a result of malware harvested inadvertently from a compromised website. By injecting an iframe or keylogger in a seemingly normal site, a thief can gain access to the visitor’s system, taking it over and copying account information, files, user actions, and anything else it might be interested in. Often, it moves laterally to vacuum data and account information from other machines on your network.

How would cyberforensics make a difference?

The key to reducing data loss and theft is to reduce the availability of data for exposure. The strategy is straightforward: after legitimate access and use is over, you ensure the data is deleted from an endpoint where it is susceptible to misuse. The same cyberforensics software and similar processes used in the previous case studies help this time to identify and wipe sensitive information from unauthorized endpoints. Instead of looking for malicious code, the tools look for confidential or regulated data. The steps are a bit different, but the results are the same: systems returned to a trusted state.

• Create search parameters based on multiple search criteria, keywords, date ranges, hash values, or general expressions

• Search out sensitive intellectual property and personally identifiable information (PII) from any desktop, laptop, or server on the network, exposing risk and enabling cleanup

• Apply data retention policies and remotely retrieve sensitive data, capturing its metadata for legally admissible evidence

• Repeat the process regularly using automated, scheduled scans

network-based cyberforensics, they were able to launch a search throughout their network spanning 91 countries and discover source files that matched the leaked version. Since the tools worked in the background, the company was able to avoid alerting the perpetrator until the investigators were ready to act.
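The “gold build” scan described in the Zeus case study and the sensitive-data search in this one share the same mechanics: hash every file on an endpoint, compare it against a trusted profile and a known-bad set, and search the remainder for regulated data. The following is an added illustration written for this page, not Guidance Software or EnCase code; the file paths, contents, hash sets and the card-number pattern with Luhn validation are all constructed for the example.

```python
"""Added example (not Guidance Software / EnCase code): a minimal baseline
scan. Each file in a constructed endpoint snapshot is hashed and sorted into
known-good (gold-build profile), known-bad (malware hash set) or unknown,
and every file is searched for card numbers that pass the Luhn check."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed snapshot of one endpoint: path -> file contents.
SNAPSHOT = {
    "C:/Windows/System32/notepad.exe": b"trusted-binary-A",
    "C:/Program Files/App/app.exe": b"trusted-binary-B",
    "C:/Users/jdoe/AppData/Roaming/upd8r.exe": b"known-bad-binary",
    "C:/Users/jdoe/AppData/Local/Temp/x9k2.exe": b"never-seen-before",
    "C:/Users/jdoe/Documents/export.csv": b"name,card\nJ Doe,4111 1111 1111 1111\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Gold-build profile: hashes of approved binaries. Constructed here from the
# trusted sample contents; in practice taken from a clean reference image.
BASELINE = {sha256(b"trusted-binary-A"), sha256(b"trusted-binary-B")}
# Known-bad hashes, standing in for a commercial malware hash database.
KNOWN_BAD = {sha256(b"known-bad-binary")}

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(data: bytes) -> list:
    """Return Luhn-valid card numbers found in a file, digits only."""
    text = data.decode("utf-8", errors="ignore")
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

@dataclass
class ScanReport:
    known_good: list = field(default_factory=list)  # matches baseline profile
    known_bad: list = field(default_factory=list)   # matches malware hash set
    unknown: list = field(default_factory=list)     # needs analyst triage
    sensitive: dict = field(default_factory=dict)   # path -> card numbers

def scan(snapshot, baseline, known_bad) -> ScanReport:
    """Classify every file by hash and search it for regulated data."""
    report = ScanReport()
    for path, data in snapshot.items():
        digest = sha256(data)
        if digest in baseline:
            report.known_good.append(path)
        elif digest in known_bad:
            report.known_bad.append(path)
        else:
            report.unknown.append(path)
        cards = find_card_numbers(data)
        if cards:
            report.sensitive[path] = cards
    return report

if __name__ == "__main__":
    print(scan(SNAPSHOT, BASELINE, KNOWN_BAD))
```

After weeding out the baseline matches, the report leaves two files for triage (the unknown executable and the spreadsheet) and one flagged for sensitive-data cleanup.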

V. Conclusion

Today, cyber attacks are inevitable, despite the billions of dollars spent annually on security solutions. Cybercriminals succeed by crafting custom, specialized code that broad-based signature-driven tools don’t recognize and employing cocktails of techniques that consciously, laboriously, maneuver around layered defenses. Given this reality, the goal must be to prepare for and minimize each attack’s impact. Information security and IR teams can use advanced cyberforensics tools to ready themselves and their software environments and reduce the chance of a successful attack, system exploit, or data loss. Prompt, effective application of cyberforensics can both shrink the attack surface and reduce damage through complete mitigations of active threats.

Notes

1 http://www.ukmediacentre.pwc.com/Media-Library/PwC-ISBS-report-2010-6bb.aspx

2 http://www.crn.com/security/222900741:jsessionid=05T004MTZXUADQE1GHRSKHWATMY32JVN

3 Jay Heiser, Gartner, Remote Forensic Software, 4 November 2009

4 http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

5 http://www.nytimes.com/2010/04/20/technology/20google.html?scp=6&sq=google%20attack&st=Search

6 http://www.theregister.co.uk/2010/01/19/google_china_attack_malware_analysis/

7 http://www.malwarehelp.org/find-and-remove-zeus-zbot-banking-trojan-2009.html

8 https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

9 http://www.cert.org/archive/pdf/ecrimesummary10.pdf

10 http://www.ukmediacentre.pwc.com/Media-Library/PwC-ISBS-report-2010-6bb.aspx

11 http://www.mirror.co.uk/celebs/news/2010/06/08/eminem-s-recovery-iphone-4-wolverin-and-the-top-10-things-that-have-leaked-early-online-115875-22319387/

Our Customers

Guidance Software’s customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO, Northrop Grumman, Pfizer, SEC, UnitedHealth Group and Viacom.

About Guidance Software (NASDAQ: GUID)

Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase® platform provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to eDiscovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing - all while maintaining the integrity of the data. There are more than 40,000 licensed users of the EnCase technology worldwide, the EnCase® Enterprise platform is used by more than half of the Fortune 100, and thousands attend Guidance Software’s renowned training programs annually. Validated by numerous courts, corporate legal departments, government agencies and law enforcement organizations worldwide, EnCase has been honored with industry awards and recognition from Law Technology News, KMWorld, Government Security News, and Law Enforcement Technology.

©2013 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners.

For more information about Guidance Software, visit www.guidancesoftware.com.

This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon as legal counsel or advice.
