darkreading.com

APRIL 2013

Stop Targeted Attackers

All cyber-attackers aren’t equal. Focus more attention on exploits made just for you.

By Ericka Chickowski

PLUS Handling targeted attacks: Experts speak

CONTENTS, April 2014, Issue 015

COVER STORY: Stop Targeted Attackers. The most dangerous attacks aren’t random, so focus on those that are created just for your company. p4

DARK DOMINION: Handling Targeted Attacks: The Experts Speak. Security pros offer tips on preventing targeted threats. p3

CONTACTS: Editorial and Business Contacts. p11

DARK DOMINION

Handling Targeted Attacks: Experts Speak

By Tim Wilson, @darkreadingtim

This month’s digital issue on targeted attacks isn’t the first time Dark Reading has looked at this topic. On March 6, in conjunction with our sister publication InformationWeek, we conducted a half-day conference in Boston on targeted attacks featuring the industry’s best-known experts. The following are the key messages from that event.

Get to know your attacker. Most current defenses against targeted attacks focus on analyzing the unique malware used by the attackers. But there is a growing base of vendors that offers threat intelligence services that make it possible for your enterprise to not only identify the malware, but to isolate the methods and identities of the attacking group.

“If you understand your attacker’s methods, you can improve your defenses against those attacks exponentially,” says George Kurtz, CEO and co-founder of CrowdStrike, who keynoted the Boston event.

A targeted attack isn’t necessarily a direct attack. Bad guys are discovering that the best way to gain entry into a targeted network is by compromising the systems of third parties that have access to that network. The huge data breach at the Target retail chain in late 2013 has been traced to a small heating and air conditioning company that worked with Target.

“To build an effective defense, you also need to extend your visibility into your supply chain,” says Kurtz.

A targeted attack isn’t always a new attack. While some high-profile cases of targeted attacks have involved zero-day malware developed specifically for the victim, the majority of these attacks exploit known vulnerabilities.

“Many of these attacks involve years-old vulnerabilities that could have been prevented if the victims had just stayed up to date with their patches,” said JD Sherry, a security researcher from Trend Micro, in a presentation at the Boston event.

Most targeted attacks leave fingerprints. Like conventional criminals, targeted attackers tend to develop a “modus operandi” — a unique set of tools and practices they use over and over again. By identifying this M.O., enterprises can build customized defenses designed to stop these specific attacks.

Ninety-nine percent of targeted attacks are manually operated, which gives them an almost human quality that is quite different from mass-produced malware, says Harry Sverdlove, CTO of Bit9.

If you want to frustrate a targeted attacker, raise the cost of his attack. It may not be possible for an enterprise to “hack back” against a cyber-criminal, but you may be able to frustrate the bad guys by repeatedly exposing and interrupting their methods.

“The bad guy has to pull off an entire process without being detected,” says Tim “TK” Keanini, CTO at Lancope. “Interrupting this ‘kill chain’ is the key to making it more difficult to complete the process.”

Tim Wilson is editor of DarkReading.com. Write to him at [email protected].


COVER STORY

Stop Targeted Attackers

All cyber-attackers aren’t equal. Focus more attention on exploits made just for you.

By Ericka Chickowski @ErickaChick

Not so long ago, the main threats in cyber-security were random: viruses and worms that crawled across the entire Internet, or malware buried in spammy email blasts. Enterprises coped with the problem with protective screens that recognized and blocked these random attacks, as an umbrella keeps off the rain.

Today, the most dangerous attacks are no longer random. They are targeted specifically to steal or damage data from a specific organization, or even from specific systems and people in that organization. The targets aren’t always large companies or government agencies; targeted attacks can be launched against government contractors, media firms, or even small businesses. Targeted attacks are the attack vector of choice for sophisticated cyber-criminals, and against certain exploits, existing enterprise defenses are about as effective as an umbrella against a surprise Super Soaker attack.

Targeted attackers sometimes spend months, even years, scouting their targets. They’ll probe for weaknesses and pinpoint vulnerabilities that can be used in a tailored attack. That first vulnerability may get them the crown jewels right away, but typically, targeted attacks are a multistep process. Attackers start by gaining a foothold in the target’s infrastructure. Once inside, they’ll quietly scope out the network, looking for further points of attack and ways to access specific information.

The recent breach at retailer Target is a prime example of a targeted attack. Attackers were able to gain enough access within the retailer’s network to install malicious software on its point-of-sale (POS) systems to collect the credit and debit card data of millions of customers as the transactions were being made.

The initial route into the network was circuitous, according to news reports. Attackers got a foothold in Target’s network through a phishing attack against the company’s heating and air conditioning vendor. From there, the attackers used limited administrative connections from the vendor into Target’s network to worm their way further into the network of systems. The criminals running the attack did enough legwork to learn which vendors Target did business with and found one that would eventually give them the keys to a side door into the Target infrastructure.

This is just one very public example. “We’re losing this war, to be blunt about it,” says Dan Kaminsky, a noted security researcher and chief scientist for fraud detection firm White Ops. “Five hundred of the Fortune 500 are under targeted attack. It’s a constant cat and mouse game.”

Targeted attacks test enterprise defenses because they defeat the old “umbrella” defense, which was designed to stop widespread, random attacks. Companies can no longer treat all types of attacks the same. They must instead prioritize defenses against the methods that targeted attackers are likely to levy against their businesses.

“We’re treating everything as if it were the same level of threat, whether it’s a targeted attack, a criminal, a teenager trying to port scan your network. They’re all getting similar levels of attention, and that’s not a sustainable model,” says Dmitri Alperovitch, co-founder and CTO of Crowdstrike, a threat detection vendor focusing on advanced and targeted attacks. “You have to prioritize.”

Understand The Attacker’s Mentality

Developing a defense for targeted attacks starts by understanding who these attackers are and how they operate. Now, that doesn’t necessarily mean working to identify your attackers specifically. That’s a rabbit hole that won’t reap enough rewards for the effort, Kaminsky warns.

“Even if you knew exactly who your attackers were, there’s a limited number of scenarios in which you can do anything about it,” he says.

You’re not seeking out a specific name or identity. Instead, you’re identifying attack patterns common in your industry and looking to protect yourself from attacks against the data that a targeted attacker would want to steal. And that means understanding how attackers operate.

For example, some opportunistic financial attackers go after mom-and-pop point-of-sale systems by scanning the Internet looking for open pcAnywhere, virtual network computing, or remote desktop connections, says Lucas Zaichkowsky, enterprise defense architect for the forensics and security firm AccessData.

Many of these merchants and their POS vendors set these systems up and do port forwarding so the POS vendor can help the merchant troubleshoot remotely. Using that as a jumping-off point, targeted attackers often have enough information to understand common POS systems and know where credit card data is likely stored. “Most POS systems are encrypted these days, but it’s all about knowing where the keys are,” says Zaichkowsky. “Or they’ll just drop in keystroke recorders or memory scrapers to grab the data as it’s in transit without even relying on it being stored anywhere, and then it’s just automatically uploaded or uploaded through batch to some FTP server somewhere. And a lot of that stuff is done in a matter of minutes.”

Sidebar: 19% of all attacks analyzed in a 2013 Verizon report were perpetrated by state-affiliated actors — in other words, a form of espionage. (Data: Verizon 2013 Data Breach Investigations Report)

Meanwhile, other extremely sophisticated attackers may target specific financial organizations to “jackpot millions out of ATM machines,” says Zaichkowsky. Nation-state attackers may go after specific industrial companies to gain intelligence information. At the lower level of sophistication, such as the POS example, attackers target common vulnerability opportunities. At the higher end, they target a specific organization’s weaknesses by doing a lot of reconnaissance.

“The more targeted the attack, the fewer obvious mistakes your attacker is going to make, because his attack is tailored to a particular environment,” White Ops’s Kaminsky says.

To understand how targeted attack techniques apply to your industry or business, finger-in-the-wind Internet research won’t cut it. Instead, gather true threat intelligence about attacks occurring in near or real time within real world environments.

“Intelligence can help you identify both the risk to assets — by looking at the adversaries that may be motivated to go after your data — and can provide you with the understanding of the trade craft and the capabilities of those actors, so that you can start thinking about how to adjust your defense model to specifically meet the capabilities of those adversaries,” Alperovitch says.

Zaichkowsky explains how threat intelligence can help.

“Let’s say, for example, you know the state-sponsored Chinese guys are coming after you. You’ve got some intellectual property you know they want,” he says. “They tend to operate by spearphishing most of the time for initial point of entry. So being able to make sure certain file attachment types can’t be opened and installing next-gen solutions in line mode, you can [take actions that] actually prevent things as much as possible.”

Sidebar: Threat Intelligence Integration. Threat intelligence data is most effective when it is integrated directly with other security efforts. The data can inform both tactical security efforts and more strategic governance and risk management processes.

Understand Your Own Environment

Of course, understanding who’s likely to attack you and how is only a part of the puzzle. Internal data and system knowledge is just as important as knowing your enemy, to paraphrase Chinese military philosopher Sun Tzu.

This means identifying what information assets your organization has — and what assets are most important to your business — because each company has different pain points and risk factors.

“Coordinate across business units to identify the information that would be critical if my competitor or a threat actor were to take it,” says Jen Weedon, manager for the intelligence team at FireEye. “That gets you down the path of being able to know, ‘OK, I should protect X, Y, Z information with higher levels of security.’ ”

In other words, targeted threat protection really starts with a targeted, internal risk assessment.

“Info about a negotiation on a multi-billion-dollar deal is probably a lot more valuable than info about a $200,000 sales opportunity,” Alperovitch says.

Similarly, organizations must understand what’s going on within their IT environments, correlating that with the data protection priorities they’ve made and the threat intelligence feeds they receive about external dangers. This is why organizations are investing more heavily in detection technologies than in traditional umbrella prevention techniques.

Detection is much more effective than prevention, says Kaminsky. The notion that vulnerabilities are instantly exploited and that all useful data is instantly removed simply isn’t true.

“There’s a period of time it takes to find your target and determine how to exploit it,” Kaminsky says. “And it turns out that there are specific things that show up in the logs after the vulnerability has been found but before it’s been successfully exploited — and they can serve as a great signal [of an attack in progress].”

Every company needs to remember that it has an advantage over the targeted attacker because the company has an insider’s knowledge of its own environment.

“You don’t have to discover the properties of your environment in real time the same way that an attacker does,” Kaminsky says. “We do not use honeypots enough. We do not attempt enough to exploit the attackers’ real-time discovery of the networks that they’re breaking into.”

Too often, says Zaichkowsky, organizations “burn” the intelligence they may have about attackers rather than using it to identify their methods and stop them. For example, if a business learns from threat intelligence service providers that a list of IP addresses is being used to attack the business, its first instinct may be to just configure the firewall to block those addresses. But when you’re dealing with targeted attackers, as soon as they try to connect to you and it’s not working, they’ll just go to another IP address — and you’ve essentially burned your intelligence.

Sidebar chart: Cyber-Espionage Concern. “How concerned is your organization about advanced cyber-espionage, nation-state or other types?” Response categories: Not at all concerned, Slightly concerned, Moderately concerned, Very concerned, Extremely concerned. Chart values: 9%, 24%, 30%, 13%, 24%. Data: InformationWeek 2013 Strategic Security Survey of 1,029 business technology and security professionals at organizations with 100 or more employees, March 2013.

Instead, take that tactical intelligence and lay down “tripwires” to watch the attackers’ activity and remediate a little further down the line.

“Then when you actually remediate and you kick them out,” says Zaichkowsky, “you haven’t burned any of your intelligence. They’ll have to start guessing, ‘Well, how did they find me?’ ”

Frustrate Your Attacker

Ultimately, the goal is to make life very hard for the targeted attacker and also to buy your organization enough time to respond to targeted attacks before the crown jewels leave the building.

“Think of infrastructure hardening like building a maze,” says Zaichkowsky. “You’re making that maze more and more complex, which buys you time. In a targeted attack, they’re going to get to what they’re after — it’s just a matter of time. So make that maze as difficult as possible and set up little tripwires everywhere to identify attackers as they’re progressing through it.”

Your team needs enough audit logs, forensics artifacts, and monitoring tools in place to quickly scope out an attack when a tripwire has been tripped. But even more than that, companies should constantly adjust their defenses to make it expensive for the attacker to operate within their environments, Kaminsky warns. While creating a puzzle may make things more difficult for attackers, the reward might be great enough that the attacker will invest the time and resources to figure out that puzzle.

“You have to play a chess game,” Kaminsky says. “You have to make sure there’s a cost to the attacker for getting detected, but you have to make sure the attacker thinks maybe it will work. But when it doesn’t work, they’re going to lose what they have within your network. If you don’t play the game, if you just try to make a puzzle, you’ve already lost.”
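The “tripwire” approach Zaichkowsky describes (use the intelligence to watch, not to block) and Kaminsky’s point that pre-exploitation activity leaves traces in logs can be sketched in code. The Python script below is an added example, not code from the article or from any vendor quoted in it; its log format, threat-intel address ranges, canary paths, thresholds and sample log lines are all constructed for illustration. Rather than dropping feed-listed addresses at the firewall, it keeps the traffic flowing and correlates three signals per source: a threat-intel match, a request for a decoy resource, and a burst of distinct paths from one source (a simple reconnaissance heuristic), so that a responder can scope the whole trail before remediating.

```python
"""Tripwire-style detection over constructed log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed threat-intelligence feed (hypothetical): addresses a provider has
# reported. Stored as networks so a whole range can sit beside single hosts.
INTEL_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Constructed canary paths: decoy resources no legitimate client ever requests,
# so any request for one is a tripwire hit regardless of source address.
CANARY_PATHS = {"/backup/payroll_export.csv", "/admin/old-console/"}

# Reconnaissance heuristic (constructed thresholds): one source requesting this
# many distinct paths inside the window is flagged as probing the environment.
RECON_DISTINCT_PATHS = 5
RECON_WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    source: str
    reason: str
    evidence: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <src_ip> <status> <path>'."""
    ts, src, status, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip_address(src), int(status), path


def in_intel(addr):
    """True if the address falls inside any feed-listed network."""
    return any(addr in net for net in INTEL_NETWORKS)


def detect(lines):
    """Return Alert objects for the given log lines. Nothing is blocked: the
    intel is used to watch, so the attacker gets no signal that it is known."""
    events = sorted(parse_line(line) for line in lines)
    alerts = []
    per_source = defaultdict(list)   # source -> [(timestamp, path)] in time order
    intel_hits = defaultdict(list)   # source -> evidence lines
    for ts, src, status, path in events:
        src_s = str(src)
        per_source[src_s].append((ts, path))
        if in_intel(src):
            intel_hits[src_s].append(f"{ts.isoformat()} {status} {path}")
        if path in CANARY_PATHS:
            alerts.append(Alert(src_s, "canary path requested",
                                [f"{ts.isoformat()} {status} {path}"]))
    # One aggregated alert per feed-listed source rather than one per request.
    for src_s, evidence in intel_hits.items():
        alerts.append(Alert(src_s, "threat-intel match", evidence))
    # Sliding window over each source's requests: many distinct paths in a
    # short span is the kind of pre-exploitation trace worth a second look.
    for src_s, hits in per_source.items():
        for i, (start, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if t - start <= RECON_WINDOW}
            if len(distinct) >= RECON_DISTINCT_PATHS:
                alerts.append(Alert(src_s, "reconnaissance: many distinct paths",
                                    sorted(distinct)))
                break
    return alerts


def scope(alerts):
    """Group alert reasons by source so a responder sees one attacker's whole trail."""
    by_source = defaultdict(list)
    for a in alerts:
        by_source[a.source].append(a.reason)
    return dict(by_source)


# Constructed sample log: a feed-listed source probing, then touching a decoy,
# and an ordinary client that should raise nothing.
SAMPLE_LOG = [
    "2014-04-01T09:00:00 203.0.113.45 200 /",
    "2014-04-01T09:00:05 203.0.113.45 404 /phpmyadmin/",
    "2014-04-01T09:00:09 203.0.113.45 404 /wp-login.php",
    "2014-04-01T09:00:14 203.0.113.45 404 /cgi-bin/",
    "2014-04-01T09:00:20 203.0.113.45 200 /backup/payroll_export.csv",
    "2014-04-01T09:00:01 192.0.2.10 200 /",
    "2014-04-01T09:03:00 192.0.2.10 200 /products",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.source}: {a.reason} ({len(a.evidence)} evidence items)")
    print(scope(found))
```

Run directly, the script reports three correlated alerts for the feed-listed source and nothing for the ordinary client. In practice the feed and canary lists would be loaded from the organization’s own intelligence sources and the alerts routed to the monitoring pipeline rather than printed; the point of the structure is that a feed match never produces a visible block, so the intelligence is not burned and the responder keeps the audit trail needed to scope the intrusion before kicking the attacker out.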

Write to us at [email protected].


READER SERVICES: Online, Newsletters, Events, Research

DarkReading.com The destination for the latest news on IT security threats, technology, and best practices

Electronic Newsletters Subscribe to Dark Reading’s daily newsletter and other newsletters at darkreading.com/newsletters/subscribe

Events Get the latest on our live events and Net events at informationweek.com/events

Reports reports.informationweek.com for original research and strategic advice

How to Contact Us createyournextcustomer.techweb.com/ 2014-editorial-calendars/

Editorial Calendar informationweek.com/edcal

Back Issues E-mail: [email protected] Phone: 888-664-3332 (U.S.) 847-763-9588 (Outside U.S.)

Reprints Wright’s Media, 1-877-652-5295 Web: wrightsmedia.com/reprints/?magid=2196 E-mail: [email protected]

List Rentals Merit Direct E-mail: [email protected] Phone: 914-368-1088

Media Kits and Advertising Contacts createyournextcustomer.com/contact-us

Letters to the Editor E-mail [email protected]. Include name, title, company, city, and daytime phone number.

Subscriptions E-mail: [email protected] Phone: 888-664-3332 (U.S.) 847-763-9588 (Outside U.S.)

Tim Wilson Dark Reading Site Editor [email protected] 703-262-0680

Kelly Jackson-Higgins Dark Reading Senior Editor [email protected] 434-960-9899

IT TARGET: INFORMATIONWEEK, DARK READING, NETWORK COMPUTING

Western US (Pacific and Mountain states), Central/Midwest

VP & National Co-Chair, Business Technology Media Sales, Sandra Kupiec (interim contact, N.M., Ariz.) 415-947-6922, [email protected]

Wash., Ore., Mont., Wyo., Idaho, Nev., and So. Calif. — Account Director, Matthew Cohen-Meyer 415-947-6214, [email protected]

No. Calif., Utah, Colo. — Account Director, Vesna Beso 415-947-6104, [email protected]

Texas — Strategic Accounts Director, Michele Hurabiell 415-378-3540, [email protected]

Central/Midwest, Account Executive, Silas Chu 415-947-6105, [email protected]

Account Executive, Lynn Van 415-947-6157, [email protected]

South, Northeast US; Canada and International

VP & National Co-Chair, Business Technology Media Sales, Mary Hyland 516-562-5120, [email protected]

Eastern Regional Sales Director, Michael Greenhut 516-562-5044, [email protected]

Southeast — District Manager, Jenny Hanna 516-562-5116, [email protected]

Northeast, Eastern Canada — District Manager, Stephen Sorhaindo 212-600-3092, [email protected]

Mid-Atlantic, R.I. — Account Director, Matt Payne 415-489-6307, [email protected]

Fla., Western Canada, International — Account Executive, Anna Maria Charalambous 212-600-3193, [email protected]

Sales Associate, Joseph Van Scyoc 212-600-3387, [email protected]

Strategic Accounts

Strategic Account Director, Vanessa Tormey 805-252-4357, [email protected]

Strategic Account Director, Jennifer Gambino 516-562-7169, [email protected]

Strategic Account Director, Amanda Oliveri 212-600-3106, [email protected]

SALES CONTACTS — CREATE MARKETING SERVICES

Director of Client Marketing Strategy, Jonathan Vlock 212-600-3019, [email protected]

Senior Manager, Client Marketing Strategy, Blake Cohlan 415-947-6379, [email protected]

SALES CONTACTS — EVENTS

VP, Events, Robyn Duda 212-600-3046, [email protected]

MARKETING

VP, Marketing, Winnie Ng-Schuchman 631-406-6507, [email protected]

Director of Marketing, Monique Luttrell 415-947-6958, [email protected]

Marketing Assistant, Hilary Jansen 415-947-6205, [email protected]

UBM TECH Paul Miller CEO

Marco Pardi President, Events

Kelley Damore Chief Community Officer

Tom Spaeth CFO

David Michael CIO

Simon Carless Exec. VP, Game & App Development and Black Hat

Lenny Heymann Exec. VP, New Markets

Angela Scalpello Sr. VP, People & Culture

Copyright 2014 UBM LLC. All rights reserved.

Rob Preston VP and Editor In Chief [email protected] 516-562-5692

Jim Donahue Managing Editor [email protected] 516-562-7980

Chris Murphy Editor [email protected] 414-906-5331

Shane O’Neill Managing Editor [email protected] 617-202-3710

Lorna Garey Content Director, Reports [email protected] 978-694-1681

Debee Rommel Senior Art Director [email protected]

Business Contacts