Often when a business is the subject of a hacking attack, emotions run high. The automatic reaction is one that comes from an emotional place – with business leaders wanting to immediately know who would do such a thing and why. Right away, they want the infiltrator out.
However, once the background to nation-state hacking is understood and how these types of attacks operate, a change in the mind-set about how we protect IT to a reasoned and rational approach that sees attacks as part of doing business, is clearly needed.
It may not be a concept that many consider, but for most nation-state sponsored attackers, targeting foreign companies is a day job – for the simple reason that if it is economically more viable to steal research for $500,000 rather than spending $2,000,000 and two years to conduct the research themselves, then that is what they will do. The consequences are minimal, in part because accurate attribution is so difficult to achieve, but even when the perpetrator is identified, geo-political boundaries prevent any kind of direct action. So really, the primary risk to the attackers is the risk of getting caught, having their foothold removed and then having to get in again.
> See also: No one-size-fits-all approach to APTs
The game is stacked in the attacker’s favour for a few reasons: the attackers have unlimited time. The attackers have unlimited resources; there is little recourse that can be taken across multiple international borders; an organisation needs to focus on executing its business strategy, not solely pouring resources into its defensive capabilities.
It’s not all doom and gloom though, as there are a few rules that the attacker must play by as well: the attackers need their code to run inside the target organisation; the attackers need to communicate back out if they want to have control once inside, and the attackers need to maintain visibility on the areas of the organisation that hold the information of interest to them.
The attackers also, in general, are not physically present within the target organisation because the risk is much greater, as is the cost. Therefore, they can only see what they can access over the network. They are attempting to maintain access, so their biggest problem is being detected and then booted out of a system. Another driver for attackers, as such, is to attack only a few key points and keep presence down to a minimum footprint in order to avoid detection.
It is not uncommon to find the same strain of malware being used by attackers, irrespective of the size or sophistication of the target. It will be rewritten and upgraded, but the core code and functionality remain the same. It has been witnessed time and time again and what is also clear is that this malware can evade detection for years and be used to obtain large amounts of sensitive and valuable data.
In many examples that we investigate, malware infections were identified months after the initial infection and only a few machines were compromised. In addition, there were long periods of inactivity between the bursts of actual attacker activity and the techniques in use showed advancement over time. However, in the historic examples, simple and obvious methods of persistence and beaconing behaviour were seen.
Based on these factors, it is time companies start accepting that doing business means dealing with nation-state actors who will penetrate their networks by depositing malware through the likes of spear phishing and targeting specific, underused machines. Although, it is of course possible to detect these incidents, the length of time to get to that point can sometimes take years – often with attackers compromising a machine and letting it sit dormant until they choose to strike.
Attackers and malware are generally discovered at the point when they are attempting to make outside communications or when persistent behaviour is recognised. For many businesses the question of attribution rears its head. And this is usually based on misconceptions of how attackers operate. For example, there is still an element of naivety which is that the host country of the IP addresses that are seen to be conducting the attack must be that of the attackers.
The truth is that the IP addresses carrying out the attack may just be the last in a long chain of connections. It’s also likely that the country hosting the IP will not be friendly with the country of the victim machine, because then attempts to trace it further will likely fail. In short, every attempt at attribution comes with an element of uncertainty and thus is, on the whole, futile for anyone other than a government power.
Aside from the question of ‘who is attacking me?’ the next decision made is normally a knee-jerk emotional reaction which sees organisations immediately take the stance that there is someone on their systems trying to do something bad to them, and therefore they want it stopped and gone as soon as possible.
This is irrational for several reasons: firstly, the malware has likely been present for over a year. Anything it was going to do it has already done. Secondly, there’s an assumption that this was the only malware present, as opposed to simply one of many examples that the attacker had deployed as backup methods of entry to the organisation.
> See also: Curing APTs: the cancer of the business world
A more fruitful approach would be to detect the threat actor and contain it. Monitor it. Know it is there without the attacker having any idea they’ve been spotted. That way, they are fooled into still thinking they have a foothold in the organisation, but in reality – you have the upper hand. At the same time, if you are also watching their traffic and able to read that traffic, you know exactly what impact they are having.
Your advantage immediately disappears as soon as you broadcast that you’ve spotted them, by removing their malware. They also disappear from sight leaving you with the challenge of finding them again when they inevitably return.
From experience of the victims of these attacks, we can see that there needs to be a change in mind-set in how businesses use and protect IT. There needs to be a fundamental transformation from seeing attacks as unusual events brought about by people out to do us direct harm, where our emotions and reflex actions overtake reasoned and rational thinking, to one where these attacks are viewed as a part and parcel of doing business.
If this leap is made, then responding to these attacks with calm, measured actions driven from strategic thinking will be entirely possible. By accepting that the people who are intent on breaking into large and complex IT systems, will achieve it if they really want to, we can design architectures and networks to ensure that the things of most value to our business are those that are most protected.
This will make organisations more resilient to an attack and in a position to accept the minor losses and be in a world where incursions will be of less consequence in the board room, leaving time to grow business rather than a mounting sense of paranoia and despair.
Sourced from Mike Auty, senior security researcher, MWR InfoSecurity