Mike is a Senior Security Researcher at MWR InfoSecurity. He has spent time in both industrial and academic settings where he has gained experience working with technologies as varied and diverse as VoIP, Bluetooth, RFID, Sat-Nav devices and Firewire. Mike's Firewire research has led him into the world of volatile memory forensics, where he has become a developer on the open source Volatility project. In his spare time Mike has volunteered as a Gentoo developer which has given him an in-depth knowledge of Linux systems and software, as well as headaches.
Following a breach, emotions often run high. The immediate reaction tends to be an emotional one: "How could somebody do this to me?" "Who did this?" And ultimately, the organisation wants the infiltrator gone. However, once we understand the background to nation-state hacking and how these types of attacks operate, it's necessary to develop a reasoned and rational approach that sees attacks as a part of doing business.
It's rarely considered that for most nation-state sponsored attackers, targeting foreign companies is a day job: it is more economically feasible to steal $500,000 of research than to spend $2,000,000 and their own time researching it. The consequences are negligible, partly because accurate attribution is so tricky to achieve; even when the perpetrator is identified, geo-political boundaries mostly prevent direct action. So realistically the main risk is getting caught and then having to start over.
Malware is one of the easiest ways in for attackers. The game is stacked in their favour for several reasons:
· They have unlimited time.
· They have unlimited resources.
· Across multiple international borders there is little recourse that can be taken.
· An organisation doesn’t tend to solely focus on pouring resources into its defences.
There are, however, a few rules that the attacker must play by as well:
· The attackers need their code to run inside the target organisation.
· To have control, they need to communicate back out.
· The attackers need to maintain visibility on the areas of the organisation that hold the information they want.
Generally, the attackers are not physically present within the target company because the risk and cost are far greater. Therefore, they can only see what they can access over the network. They are trying to sustain access, so their biggest predicament is being detected and then booted out.
It's common to find the same malware strain being used by attackers, regardless of the target's size. It will be rewritten and upgraded, but the core code and functionality are the same. This has been witnessed numerous times, and what is also clear is that this malware can obtain large amounts of sensitive and valuable data whilst evading detection for years.
In many examples that we investigate, malware infections were identified months after the initial infection, and only a few machines were compromised. In addition, there were long periods of inactivity between the bursts of actual attacker activity, and the techniques in use showed advancement over time. However, in the historic examples, simple and obvious methods of persistence and beaconing behaviour were witnessed.
Based on these factors, companies should accept that doing business means dealing with nation-state actors who will penetrate their networks with malware by means of spear phishing and by targeting specific, underused machines. Although these incidents can be detected, it can take years to get to that point, often with attackers compromising a machine and letting it sit dormant until they strike.
The point of discovery is usually when attackers are trying to make outside communications or when persistent behaviour is seen. Based on misconceptions of how attackers function, many businesses raise the question of attribution. There is still an aspect of naivety: the assumption that the country hosting the IP addresses seen to be conducting the attack must be that of the attackers, when in fact those IP addresses could just be the last hop in a long chain of connections. It's also probable that the country hosting the IP will not be friendly with the country of the victim machine, making attempts to trace it likely to fail. Basically, every attempt at attribution comes with an element of uncertainty and is therefore, on the whole, futile for anyone other than a government power.
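The article notes that attackers are most often discovered when their implants communicate out. Timer-driven check-ins leave a regular rhythm in outbound connection logs that human browsing does not, and that regularity can be measured. The following is an added illustration, not code from the article or from MWR: it scores each source/destination pair in a constructed proxy-style log by the coefficient of variation of its connection intervals and flags the near-constant ones. The log lines, addresses, thresholds and function names are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example (not real traffic): "timestamp src dst".
# 10.0.0.5 checks in roughly every 300 s; 10.0.0.7 browses at irregular intervals.
SAMPLE_LOG = """\
2013-05-01T09:00:00 10.0.0.5 203.0.113.10
2013-05-01T09:05:01 10.0.0.5 203.0.113.10
2013-05-01T09:09:59 10.0.0.5 203.0.113.10
2013-05-01T09:15:00 10.0.0.5 203.0.113.10
2013-05-01T09:20:02 10.0.0.5 203.0.113.10
2013-05-01T09:24:58 10.0.0.5 203.0.113.10
2013-05-01T09:00:10 10.0.0.7 198.51.100.20
2013-05-01T09:00:12 10.0.0.7 198.51.100.20
2013-05-01T09:07:40 10.0.0.7 198.51.100.20
2013-05-01T09:31:05 10.0.0.7 198.51.100.20
2013-05-01T10:02:50 10.0.0.7 198.51.100.20
2013-05-01T10:03:01 10.0.0.7 198.51.100.20
"""

def parse_log(text):
    """Return {(src, dst): [timestamps sorted ascending]} from 'ts src dst' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows

def find_beacons(text, min_hits=5, max_cv=0.1):
    """Flag flows whose inter-connection gaps are nearly constant.
    A low coefficient of variation (stdev / mean) over enough hits is the
    signature of a scheduled check-in rather than human-driven traffic."""
    results = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            results.append((src, dst, round(mean), cv))
    return results

if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: ~{period}s period (cv={cv:.3f})")
```

In practice the thresholds need tuning against the organisation's own traffic, and jittered or long-interval beacons require a longer observation window before they stand out.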
Aside from the question of ‘who?’ the next decision made is normally a knee-jerk reaction that sees organisations immediately take the stance that there is someone on their systems trying to do something bad to them, and so they want it stopped and eradicated as quickly as possible.
This is irrational for several reasons. Firstly, the malware has likely already done anything it was going to do. Secondly, there's an assumption that this was the only malware present, as opposed to simply one of many that the attacker had deployed.
A more successful approach would be to detect and contain the threat actor: monitor it and know it's present without alerting the attacker that they've been spotted. This fools them into thinking they still have a foothold when in reality you have the upper hand. If you are also watching their traffic and are able to read that traffic, you know their exact impact.
You lose your advantage as soon as you reveal that you’ve spotted them and remove their malware. They disappear from sight leaving you with the challenge of finding them when they inevitably return.
There needs to be a fundamental transformation from seeing attacks as unusual events brought about by people out to do us direct harm, where our emotions and reflex actions overtake reasoned and rational thinking, to one where these attacks are viewed as a part and parcel of doing business.
If this leap is made, then responding to these attacks with calm, measured actions driven by strategic thinking will be completely possible. By accepting that the people who are intent on breaking into large and complex IT systems will achieve it if they really want to, we can design networks to ensure that the things of most value to our business are those that are most protected. This will make organisations more resilient and in a position to accept minor losses, in a world where incursions are of less consequence in the board room, leaving time to grow the business rather than a mounting sense of despair and paranoia.