Strategy

Real-World Cyberthreats


by FEI Daily Staff

Detection of the malicious email and subsequent intrusion can be extremely difficult. Spending an extra two seconds to hover over links to verify the actual website will have an advantage over not-so-savvy users.

They’re at your doorstep. In fact, they’re likely inside your network. You just don’t know it yet. There are several methods used by adversaries to infiltrate company networks and steal data, but there are several equally effective recommendations on detection and prevention.

If a person were to put themselves in the mindset of an adversary, what information would they be after? Intellectual property? Mergers and acquisitions (M&A) details? The latest emails between two executives? Information deemed valuable or essential to a company’s competitive advantage may be worth an adversary’s time to steal. This is especially the case for organizations in the technology, energy and manufacturing sectors, where stealing research and development (R&D) data is the cheapest and fastest route to manufacturing an equivalent or superior product at a lower price.

The Intrusion

Despite not being slick enough to be scripted by Hollywood, email tends to be the favorite attack vector used by adversaries targeting individuals.

Here’s how the attack works: The adversary will conduct research regarding the targeted person to determine what kind of email they would expect to receive. Social media can make it very easy for the adversary to learn about the target’s interests, organizations with which they are affiliated, people with whom they are connected, etc.

Based on that research, a legitimate-looking email will then be crafted to appear as if it came from a person or organization familiar to the target. The email will likely contain an innocent-looking attachment or Internet link, which will actually contain malicious code that, if opened, will silently establish a line of communication to the target’s computer. That line of communication is then used by the adversary to download malicious software to the computer that may allow the adversary to have full access, including keystrokes typed by the target and snapshots of whatever is on the target’s screen.

Detection of the malicious email and subsequent intrusion can be extremely difficult, especially if the attack was well thought out. However, users who habitually spend an extra two seconds hovering over Internet links, to verify the actual website they will be taken to if they click, will have an advantage over not-so-savvy users.
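The hover check described above can be automated for an incoming message: compare the website a link appears to name with the host its href actually points to. The following is an added example, not code from the original article; the HTML message and the domain names in it are constructed placeholders, and the registrable-domain rule is a deliberate simplification (a public-suffix list would be needed for names such as example.co.uk).

```python
"""Flag e-mail links whose visible text names one site while the
destination is another.  Added example: the sample message below is
constructed and its domains are placeholders, not real indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text counts as "naming a site" only if it looks like a hostname.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain ('' if there is none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value          # let urlparse treat it as a URL
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Good enough for .com/.net-style names; a public-suffix list is
    needed to handle country-code suffixes correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return (visible_text, href, reason) for links where the text names
    one site but the href leads to a different registrable domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown, actual = host_of(text), host_of(href)
        if not actual or not DOMAIN_RE.match(shown):
            continue                       # text is a label, not a site name
        if registrable(shown) != registrable(actual):
            findings.append((text, href, "visible text and destination differ"))
    return findings


# Constructed message: one honest link, one lookalike, one plain label.
SAMPLE_EMAIL = """
<p>Your statement is ready. Review it at
<a href="https://statements.bank.example/login">statements.bank.example</a>.</p>
<p>Or use the <a href="http://bank.example.login-verify.test/s">https://www.bank.example/secure</a> portal.</p>
<p><a href="https://hr.example/policies">HR policy update</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: shows {text!r} but goes to {href}")
```

Only the second link is reported: its text names bank.example while the href lands on login-verify.test, with the brand name used merely as a subdomain. The third link is skipped because "HR policy update" is a label rather than a site name, so there is nothing to compare.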

Other common methods of intrusion revolve around vulnerable servers and applications that allow the adversary to compromise a system or data directly from the Internet. Such attacks take advantage of poorly coded Web pages, unpatched Web servers and weak passwords. To combat these attack vectors, it almost goes without saying that Web developers need to be trained on secure coding, systems need to be patched and passwords need to be complex.

Also highly recommended is deploying a Web Application Firewall (WAF) and Intrusion Prevention System (IPS) in front of Web servers to block a majority of attacks.

Drive-by attacks occur when a person merely visits a compromised website. The end result is compromised computers that can phone home to notify the hacker that they’re ready to receive commands. This method of attack can indirectly target certain types of individuals. So-called “watering hole” attacks occur when a hacker compromises a website used by a particular type of professional. For instance, if the hacker wants to gain access to computers used by microchip designers, they might place malware onto a website that is frequented by such individuals.

Social engineering is yet another way that people can be duped into installing malicious software or divulging passwords to an unauthorized person. This method involves some role playing on the part of the adversary in an attempt to establish trust with their target, before asking them for their password or to install remote access software.

For example, “This is Tony from IT. Your computer is having some problems and we need to troubleshoot it. Can you please install this software?” or “Hey Carla, what was that password for the backup account?”

The above methods of intrusion are sometimes applied to the target organization’s partner networks, such as contractor and supply chain companies, with the goal being able to infiltrate the main target via one of these potentially more vulnerable networks.

Once the adversary has compromised the third-party network, they can then attempt to pivot into the target’s network. Therefore, it is important for companies to ensure their partner networks are secure and that their users are educated on security as well.

Gathering Your Data

At this point, if the adversary has been able to obtain access to its target’s computer, it will likely then install several pieces of custom “backdoor” software on various computers to maintain access in case one of the backdoors is detected and shut down by the information technology (IT) security department.

After establishing a foothold in the organization’s network, the adversary will use software to scan the network, looking for information of interest. Imagine a person walking into a new mall. Rather than going straight for what they are after, that person will have to do some browsing to discover what’s where and get oriented to the environment.

As the adversary moves around the network to look for data of interest, it will generate network traffic that should stand out above and beyond normal traffic. If someone is monitoring network traffic, that is. Detecting such activity requires adequate visibility into network traffic by an incident response team, which can be accomplished via network forensics or a similar solution. Otherwise, it will likely go unnoticed.

Bring Your Own Device (BYOD), a concept that makes security teams cringe, is becoming more popular and with it comes the increased risk of losing sensitive data via unmanaged devices. Companies are usually not able to inspect employees’ personal devices, which are often infected with malware. When those infected devices are used to access corporate data, that data can be compromised via malware that can take screen captures and log the user’s keystrokes, neither of which is prevented by “sandboxing” a BYOD app.

Even more troubling, companies usually don’t know the data has been lost via these unmanaged devices until the data is found lying on an Internet server long after it was stolen.

Stealing the Goods

What to do with all that data? After all, it could be gigabytes or terabytes worth of juicy company secrets.

After a period of pillaging, such data will often be aggregated to a central “staging” computer by the adversary, where it may be compressed into one or more files to make it more portable. It will then be uploaded to a server on the Internet. As the data is uploaded, there will be another abnormal increase in network traffic, this time on the outbound edge of the network.

By now, it goes without saying that monitoring network traffic is paramount.
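Both abnormal patterns the article describes, the intruder browsing the internal network and the staging host uploading to the Internet, can be picked out of flow records (who talked to whom, on which port, how many bytes). The following is an added example, not code from the original article; the flow records are constructed, the addresses are from documentation ranges, and the thresholds (ten distinct peers in an hour; ten times a host's median hourly outbound volume) are assumptions a team would tune to its own network.

```python
"""Two flow-record checks: an internal host sweeping many peers, and an
unusual outbound transfer.  Added example: the records below are
constructed and use RFC 5737 / RFC 1918 documentation addresses."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def constructed_flows():
    """Records of (hour, source, destination, dest_port, bytes_sent)."""
    rows = []
    # Routine workstation traffic: one file server, modest HTTPS use.
    for hour in (9, 10, 11, 12):
        rows.append((hour, "10.0.1.20", "10.0.1.5", 445, 12_000))
        rows.append((hour, "10.0.1.20", "203.0.113.50", 443, 2_000_000))
    # Staging host: normal HTTPS for three hours, then a 900 MB upload.
    for hour, nbytes in ((9, 3_000_000), (10, 2_500_000),
                         (11, 3_200_000), (12, 900_000_000)):
        rows.append((hour, "10.0.5.30", "198.51.100.10", 443, nbytes))
    # One host touching fourteen internal peers on port 445 in one hour.
    for i in range(1, 15):
        rows.append((10, "10.0.9.77", f"10.0.2.{i}", 445, 600))
    return rows


def internal_fanout(records, min_peers=10):
    """Internal sources contacting many distinct (peer, port) pairs in an
    hour: the 'browsing the mall' phase of an intrusion."""
    peers = defaultdict(set)
    for hour, src, dst, port, _ in records:
        if is_internal(src) and is_internal(dst):
            peers[(hour, src)].add((dst, port))
    return sorted((hour, src, len(p))
                  for (hour, src), p in peers.items() if len(p) >= min_peers)


def outbound_spikes(records, factor=10, min_bytes=100_000_000):
    """Hours in which a host sent far more to external addresses than its
    own median hourly volume: the upload of staged data."""
    volume = defaultdict(int)
    for hour, src, dst, _, nbytes in records:
        if is_internal(src) and not is_internal(dst):
            volume[(src, hour)] += nbytes
    by_host = defaultdict(dict)
    for (src, hour), total in volume.items():
        by_host[src][hour] = total
    findings = []
    for src, hours in by_host.items():
        for hour, total in hours.items():
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue                    # no baseline to compare against
            baseline = statistics.median(others)
            if total >= min_bytes and total > factor * baseline:
                findings.append((hour, src, total, baseline))
    return sorted(findings)


if __name__ == "__main__":
    flows = constructed_flows()
    for hour, src, n in internal_fanout(flows):
        print(f"{hour:02d}:00 {src} reached {n} distinct internal peer/port pairs")
    for hour, src, total, base in outbound_spikes(flows):
        print(f"{hour:02d}:00 {src} sent {total:,} bytes out (median {base:,.0f})")
```

Comparing each hour against the same host's own median, rather than a network-wide number, keeps a busy but legitimate server from tripping the outbound check, and the minimum-bytes floor stops an idle host from being flagged for a few kilobytes. A network forensics or NetFlow collector would supply the records; the two functions are the detection logic that sits on top.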

Now a slight detour to talk about the insider threat. If an employee wishes to turn to the dark side and steal data from within, this presents a different dynamic to the situation.

Careful monitoring of what is copied to removable media (USB stick, mobile phone or tablet, DVD, etc.), uploaded to file-sharing websites, sent via email to webmail domains (Gmail, Yahoo Mail, etc.) or sent to a competitor’s email domain can be accomplished via a Data Loss Prevention (DLP) solution. If no one is watching what the DLP solution reports, this activity will go unnoticed as well.

A Word on Prevention

Though there is no silver bullet to prevent any particular attack, there are best practices that should be followed to achieve an effective defense strategy.

Time has proven that people are, and will always be, the key to successful security. Security awareness and discretion on the part of users will help a company’s security posture in ways that no security product or team can accomplish on its own.

Equally important is having an IT security team that is passionate about keeping its company’s network safe. Conversely, the lack of such attributes can be detrimental.

From a technical standpoint, it’s best if users do not have more access than what is truly needed. A person with enough access to install software is a person whose system malicious websites and intruders can more easily compromise.

Confidential data should be protected so that only appropriate users have access. It’s a matter of risk, and while this seems logical, it can be difficult to tackle due to the disparate locations of data around an organization’s network, as well as the lack of role-based access controls that are needed for this type of security.

Without restrictions in place for sensitive data, it is even more important to have visibility into the network traffic to or from the servers storing sensitive data. To help gauge where dollars should be spent in terms of security, it helps to first determine which data is most critical (or damaging, if stolen).

If cloud computing is being considered for the storage of sensitive data, it is essential that security be carefully evaluated. Security mechanisms implemented in a local infrastructure should have equivalent or stronger counterparts in the cloud. The challenge is that many cloud providers don’t offer sufficient security options yet, or they don’t have a seasoned security team watching for attacks on the underlying infrastructure and services.

The key point is that the adversary behind such targeted attacks is a motivated person or team, rather than just a machine. It’s a battle between that person or team and your organization’s security posture.

The more difficult and expensive it is for them to pull off a data heist, the more likely they will be noticed, and the more likely they will move on to another target.

Vernon Habersetzer has 13 years of professional experience in the fields of incident response and computer forensics and holds a patent for equipment used in incident response.
This article first appeared in the July 2013 issue of Financial Executive magazine.