[BreachExchange] Why You Need to Study Nation-State Attacks

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 28 19:21:15 EDT 2017


https://www.darkreading.com/vulnerabilities---threats/why-you-need-to-study-nation-state-attacks/a/d-id/1329690

Thinking like a cybercriminal can help predict what methods attackers are
likely to develop in the future, so we can proactively build effective
countermeasures, as I’ve described in the past. Similarly, nation-state
attacks can help security researchers predict attacks against enterprises:
methods exhibit a clear trickle-down effect, with tricks first used in
nation-state attacks being seen in enterprise-facing attacks soon after.

One of the most important recent security developments is the rise of
sophisticated, politically motivated attacks, such as the one carried out
against Hillary Clinton's campaign chairman John Podesta during the 2016
presidential election. However, such attacks have been against a broad
spectrum of victims, ranging from individual lawmakers and staffers to
think tanks and nongovernmental organizations (NGOs). These attacks
involved clever identity deception methods combined with techniques used to
circumvent traditional content-scanning methods.

Another event is the sudden rise of ransomware attacks, whether targeting
lawmakers, health care institutions, transportation, or small businesses.
Whereas most ransomware attacks aim to extort money, some have recently
demanded nonmonetary "payments," such as forcing a government organization
to make a political statement.

What do such attacks have in common? They've become increasingly
sophisticated. For example, in the Podesta attack, the attackers cleverly
obfuscated some words (such as "password" and "account") by replacing some
of their letters with Cyrillic letters that look the same to humans, but
which thwart keyword-based filters. Another example was the post-election
attacks on think tanks and NGOs, in which malware files were cleverly
hidden from the view of traditional antivirus tools by sending the
corrupted files in encrypted zip files. Without access to the decryption
keys, the contents can't be scrutinized by traditional mail-filter
technologies.

The use of advanced techniques to circumvent security tools has recently
become much more common. What's interesting (and worrisome) is that not
just nation-state attacks use such techniques. That's where the techniques
were first used, but there has been a notable trickle-down effect, and
tricks first used in nation-state attacks have been seen in attacks against
enterprises a few weeks later. In a sense, this trend mimics the way
technologies developed for the space program were spun off as commercial
products. This is why companies in the private sector need to quickly
determine whether they would be vulnerable to these advanced attacks.

Take Active Measures Now
The security community should quickly roll out detection and protection
measures in anticipation of trickle-down versions. For example, obfuscation
attacks can be detected by automatically spotting deceptive mixtures of
character sets and blocking such messages. Encrypted zip files are easily
detected, but since they have important legitimate uses, they can't simply
be blocked. One possible solution is a security system that "wraps" them
with a trusted executable as the messages are delivered. The task of the
wrapper is to request a PIN or password, then use it to decrypt the wrapped
file and perform a security check in real time. If the file is determined
to be safe, the user is given access to the plaintext file.
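The mixed-character-set check described above, as an added example that is not part of the original article: it tokenizes a message, classifies each letter by the script family in its Unicode name, and flags any single word that mixes families, which is the signature of the Cyrillic-for-Latin substitution used in the Podesta lure. The sample subject line and the small confusables table are constructed for this illustration (a production filter would use the Unicode UTS #39 confusables data rather than a hand-written map).

```python
import re
import unicodedata

# Constructed sample: "password" and "account" with the Latin a/o swapped
# for Cyrillic а (U+0430) and о (U+043E), the obfuscation the article describes.
SAMPLE_SUBJECT = "Please confirm your p\u0430ssw\u043erd for your \u0430ccount"

# Hypothetical, deliberately small confusables table (subset for illustration;
# a production filter would load the Unicode UTS #39 confusables data instead).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def script_of(ch):
    """Script family taken from the first word of the Unicode character name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def token_scripts(token):
    """Set of script families used by the letters of one token."""
    return {script_of(c) for c in token if c.isalpha()}


def find_mixed_script_tokens(text):
    """Return (token, sorted scripts) for every word that mixes script families.

    A word written entirely in one script (e.g. genuine Russian text) is not
    flagged; only intra-word mixing, the homoglyph-substitution signature, is.
    """
    findings = []
    for token in re.findall(r"\w+", text):
        scripts = token_scripts(token)
        if len(scripts) > 1:
            findings.append((token, sorted(scripts)))
    return findings


def normalize_confusables(token):
    """Map known look-alike letters back to Latin so keyword rules can match."""
    return "".join(CONFUSABLES.get(c, c) for c in token)


def flag_message(text, keywords):
    """Combine both checks: mixed-script words plus the keywords they hide."""
    mixed = find_mixed_script_tokens(text)
    hidden = sorted({normalize_confusables(tok).lower() for tok, _ in mixed}
                    & {k.lower() for k in keywords})
    return {
        "mixed_script_tokens": [tok for tok, _ in mixed],
        "hidden_keywords": hidden,
        "block": bool(mixed),
    }


if __name__ == "__main__":
    print(flag_message(SAMPLE_SUBJECT, ["password", "account"]))
```

Flagging per word rather than per message is what keeps legitimately multilingual mail (a Russian sentence next to an English one) from being blocked: each of those words is internally consistent, whereas an obfuscated keyword is not. The normalization step is what lets the existing keyword filter see "password" again instead of a string it has never matched.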

From the user's perspective, nothing is different, except maybe for a short
delay caused by the scanning of the decrypted files. The wrapper approach
also works for other file types, such as encrypted PDFs. With this
approach, one can take back the advantage of time from the attackers, since
this enables on-the-fly scans of plaintext data without requiring
independent software vendors to coordinate the protection of an end user,
which is always difficult.

Even better, the wrapper can include information about the sender as well.
Was a malicious file sent by a trusted party? If so, then the trusted party
has been compromised and should be notified. The more we use contextual
information, the better our defenses get. And much of this context is to be
found in early attacks — so unless we study nation-state attacks and learn
from them, we implicitly help enterprise attackers.

Although the sophistication of online crime has changed in the last year,
and there is clear evidence of trends toward fraud becoming just another
business, other things have remained very much the same. For example, email
remains the principal attack vector. Similarly, identity deception is still
at the core of most attacks, be they phishing, business email compromise,
ransomware, or other malware attacks where the stolen identity is usually
from an authority figure, well-known brand, or a trusted party. While
attackers constantly try new ideas, one thing is clear: they don't mess
with a winning formula.

Moving forward, the security community must pay close attention to the
nature and strategy of nation-state attacks and quickly address them,
because the same techniques will be repurposed to attack enterprises. In
addition, we must expect that every newly found and disclosed vulnerability
will be used in attacks, whether by nation-state actors or
enterprise-facing attackers.

Finally, society must recognize that threats are constantly evolving — in
reaction to new-found adversarial opportunities as well as existing
security technologies — and traditional technologies are unlikely to
address them. In other words, if you think a spam filter is the answer to
your problems, you are mistaken.