INFORMATION SECURITY
INFOSECURITYMAG.COM

ESSENTIAL GUIDE TO THREAT MANAGEMENT

INSIDE

8  Become a Hunter
16 SCADA Insecurity
25 What APT Is (And What it Isn’t)
32 Under Attack
44 Enterprise Protection for Web Add-Ons

There’s a bull’s eye on your organization’s back. Attackers want your customer data and intellectual property, and they’re going to extreme measures to target your people and network. Are you ready?

INFORMATION SECURITY • ESSENTIAL GUIDE • THREAT MANAGEMENT

CONTENTS

FEATURES

8  Become a Hunter
   TARGETED ATTACKS  Fend off modern computer attacks by turning your incident response team into counter-threat operations. BY RICHARD BEJTLICH

16 SCADA Insecurity
   CRITICAL INFRASTRUCTURE PROTECTION  Stuxnet put the spotlight on critical infrastructure protection, but will efforts to improve it come too late? BY GEORGE V. HULME

25 What APT Is (And What it Isn’t)
   ADVANCED PERSISTENT THREAT  Think you know all you need to know about the advanced persistent threat? We’ll define APT and dispel a few myths. BY RICHARD BEJTLICH

32 Under Attack
   BANKING MALWARE  Cybercriminals are using increasingly stealthy and sophisticated malware to hijack online business banking accounts. BY MARCIA SAVAGE

44 Enterprise Protection for Web Add-Ons
   WEB 2.0 WIDGETS  Mini Web applications are complicating security for business owners. BY NICK LEWIS

ALSO

5  Cyberspace Has Gone Offensive
   EDITOR’S DESK  Stuxnet opened a whole new avenue of offensive capabilities in cyberspace. BY MICHAEL S. MIMOSO

49 Sponsor Resources

EDITOR’S DESK

Cyberspace Has Gone Offensive

Stuxnet opened a whole new avenue of attack capabilities in cyberspace. BY MICHAEL S. MIMOSO

TWO YEARS AGO, several prominent cybersecurity voices, including Paul Kurtz and Melissa Hathaway, chose very public forums to talk about the need for offensive weapons in cyberspace. At Black Hat DC in January 2009, Kurtz implied the United States should think about militarizing cyberspace and the importance of linking intelligence from the armed forces, law intelligence and security researchers to combat attacks against critical infrastructure and the financial industry. His notion was seconded by Hathaway later that year in a paper for the Atlantic Council where she added that regulatory support and pressure from the SEC, FCC and FTC must flank any offensive strategies. Finally Alan Paller, who runs the SANS Institute, said that the U.S. must turn to experts who understand offensive cybersecurity weaponry and attacks, such as the National Security Agency’s red teams.

“There has to be a shift from those who write policy, to those who understand attacks. Offense must inform defense,” Paller said. “From my perspective, the most critical thing to do is to make sure we stop the bleeding and get serious about international standards and change federal policies so agencies can’t get away with just writing reports.”

All the while, Stuxnet was happening. According to a detailed article in the New York Times in late January, President Bush approved a project to attack the computer systems at a uranium enrichment center in Iran. The ultimate goal was to delay or destroy Iran’s ability to build nuclear weapons. The end result was Stuxnet, a worm that by all accounts put a five-year dent in Iran’s hopes of joining the nuclear arms race.

A major campaign was carried out and won, and nary a shot was fired.

Whether Stuxnet ultimately was a joint Israel-U.S. initiative, as suggested by the Times’ article, the question still hovers whether a covert action like this is the way to go. Kurtz and others have called for transparency and ultimately Congressional oversight of offensive weapons by the U.S. in cyberspace.

“We must begin by addressing the issue of attribution. We need to be able to fuse intelligence with private sector information to determine where attacks come from,” Kurtz said. “If you link what we know in the private sector with the intelligence community, you can come out with a declaratory policy that says we will look to connect the dots and fuse information through all the capabilities we have to better understand who is attacking the networks. That’s the beginning of a deterrent policy.”

That, however, isn’t happening. Right now the U.S. and Israel are backing off official ties to Stuxnet, and won’t even say the worm’s name in public. That’s because the ground rules haven’t been set for such activities in cyberspace. This goes beyond cyberespionage—as was carried out in the Aurora attacks that introduced the advanced persistent threat (APT) acronym into our lexicon. These were the equivalent of precision fighter jet attacks on Iranian facilities. These were the ultimate targeted attacks, with malware pointed at process control systems manufactured by Siemens that the U.S. knew the Iranians were using in their uranium enrichment centers. As early as 2008, Department of Homeland Security experts, in conjunction with Idaho National Laboratories, were taking apart the Siemens machines looking for vulnerabilities, the Times article reports. Stuxnet, according to the article, not only damaged the plant’s nuclear centrifuge systems, but did so while disguising the damage; to the plant’s operators, all systems were functioning normally while irreparable damage was happening behind the curtain of Stuxnet.

Michael Assante, president and CEO at the National Board of Information Security Examiners, and former vice president and chief security officer at NERC and critical infrastructure protection strategist at Idaho National Lab, told SearchSecurity.com that Stuxnet was the cyberspace equivalent of the B-2 bomber.

“The code was designed to be very modular, so that its attack payload could be changed to be able to attack different systems,” Assante said. “It’s clear to me that the resources available to the authors of the worm were substantial. They designed it with high confidence that the warhead would do exactly what it was designed to do. That takes skill and resources.”

Stuxnet takes us into a whole new ballgame of offensive capabilities in cyberspace. Stuxnet did its job to an extent and opened a new battlefield in cyberspace. We have our offensive weapons, it would appear. And now we’re just as vulnerable to a similar attack using another Stuxnet-like worm. What happens next is anyone’s guess, but it will be interesting to see whether U.S. lawmakers will have the foresight to talk openly about offensive weapons in cyberspace in the proper context and not be reluctant to take this one seriously.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to [email protected].


TARGETED ATTACKS

Become a Hunter

Fend off modern computer attacks by turning your incident response team into counter-threat operations.

BY RICHARD BEJTLICH

IT’S NATURAL FOR members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.

Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider the “self-defending network” concept to be marketing at best and counter-productive at worst. If technology and engineering aren’t the answer to security’s woes, then what is?

To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise. These intruders can take the form of external threats who maintain persistence or internal threats who abuse their privileges. Rather than hoping defenses will repel invaders, or that breaches will be caught by passive alerting mechanisms, CTOps practitioners recognize that defeating intruders requires actively detecting and responding to them. CTOps experts then feed the lessons learned from finding and removing attackers into the software development lifecycle (SDL) and configuration and IT management processes to reduce the likelihood of future incidents.

CTOps certainly requires application of engineering and technology, but the focus remains on people. People who know how to detect and respond to intrusions are the key to fighting modern threats. We will define what those people should do, as well as how you can ensure your security staff is meeting the challenge posed by modern threats.

An emphasis on CTOps should not come at the expense of measures that try to remove vulnerabilities from the enterprise. Efforts to improve software security through better coding, improved configuration, and sound business logic are the preferred way to build a sound foundation for enterprise computing. CTOps practitioners are usually very supportive of efforts to rid the enterprise of weak applications, because being a hard target frustrates intruders and reduces the overall number of intrusions that defenders must detect and handle. Therefore, CTOps encourages software security efforts that build security into applications.

JUSTIFYING COUNTER-THREAT OPERATIONS

What does it mean to conduct CTOps? I recommend either building or repositioning the enterprise computer incident response team (CIRT) as the home for CTOps. If the organization lacks a CIRT, or the CIRT doesn’t currently conduct CTOps, the first requirement is convincing management that CTOps is necessary.

No single argument for conducting CTOps or building a CIRT will likely resonate with management. Rather than relying on a single argument, CIRT builders may find one or more of the following “13 C’s” to be helpful. Incorporating these justifications into a discussion may help convince those who have budgetary and organizational authority to facilitate construction of a CTOps-capable CIRT.

1. Crisis. When the enterprise suffers a devastating security incident, managers are usually ready to take action. Although this is the worst way to justify a program, because it comes after an incident, it is often very effective.

2. Compliance. Compliance requirements may contain the language necessary to construct a team. Beware applying resources in such a manner that the original CTOps mission is lost. For example, creating a team that does nothing more than monitor for configuration changes will not result in finding advanced or even moderately skilled intruders.

3. Competitiveness. My blog post “Forget ROI and Risk. Consider Competitive Advantage” explains that preserving or enhancing competitive advantage often resonates with business people.


Few people responsible for a profit and loss operation in an organization want to “lose the game.” If these decision makers can frame perception of security in terms of competition, they may understand the importance of CTOps and CIRTs.

4. Comparison. If your security team is 10 percent the size of the average peer organization, it’s not going to look good when you have a breach and have to justify your decisions. The blame for under-resourcing the CIRT will likely rest with the manager to whom the CIRT reports, so convince him or her to fund the operation to deflect possible future criticism.

5. Cost. It’s likely that breaches are more expensive than defensive measures, but this can be difficult to capture empirically. In regulated industries one may be able to estimate the fines that could be levied against a breach victim, and the costs of funding credit monitoring services and associated legal and human resource expenses. For example, the U.S. Department of Defense recovered $1.3 million of a $5.4 million Pentagon contract from Apptis Inc. Investigators claimed Apptis “provided inadequate computer security” due to a breach in a subcontractor’s system. (Contractor Returns Money to Pentagon, Washington Times, July 25, 2009.)

6. Customers. It seems rare to find customers abandoning a company after a breach; people still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers, but it often is insufficient.

7. Constituents. I use this term to apply to internal parties served by a central CIRT. Large companies often provide services to other business units, so a cross-company constituency may ask for help fighting intruders.

8. Controllership. A well-governed organization can often point to a centralized counter-threat center of excellence, such as a CTOps-practicing CIRT.

9. Conservation. This is a play on “green IT.” What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or 2) handling them remotely by moving data, not people? A properly resourced and equipped CIRT can rely on instrumentation that accesses data needed to analyze intrusions, rather than sending people into the field to fight fires. See my blog post “Green IT” for more details.

10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improved defenses.

11. Confidence. Confidence applies to all parties involved. Can you trust your data?

12. Counting. Developing metrics is crucial for justifying a CIRT’s role. Managers often want to know how regularly the enterprise suffers compromises, and how quickly the CIRT can detect and respond to intrusions.

13. [Securities and Exchange] Commission. A growing number of public security voices (for example, Melissa Hathaway) advocate disclosing significant security breaches in the 10-K forms required of publicly traded companies by the SEC. Many companies already report serious intrusions, as noted in my blog post “Publicly Traded Companies Read This Blog”.


SIZING AND ORGANIZING THE CIRT

Once management believes a CIRT is necessary to conduct CTOps, the next questions involve the size of the CIRT and its structure. In order to help answer this question, I polled 12 organizations with employee counts in the low thousands to the mid hundreds of thousands. I asked each organization to count the number of people they employed to detect and respond to intrusions. Based on this survey, I determined that the average number of detection and response roles for these 12 organizations was five per 10,000 employees. In other words, if your company consists of 60,000 employees, you would likely have a CIRT with 30 people.

This 5 per 10,000 standard may sound fanciful to many readers, but consider the sorts of roles one must fulfill to be able to truly combat threats to the modern enterprise. The last CIRT that I built consisted of the following three teams:

• The Incident Response Center (IRC), responsible for the daily incident detection and response mission.

• The Security Assurance Team (SAT), responsible for Threat Intelligence and Reporting, Red Team engagements, and Technical Assistance (i.e., internal consulting).


FIVE REASONS CIRTS SHOULD JOIN FIRST

FIRST is the Forum of Incident Response and Security Teams, an international organization with more than 200 members. Here’s why your organization’s CIRT should join:

1] Professional incident responders tend to be FIRST members. FIRST membership is similar to certification, but it’s not the result of passing a test. Rather, FIRST membership is an ongoing, dynamic relationship that demonstrates a certain level of maturity for each organization.

2] The FIRST membership application process may help justify some CIRT initiatives. For example, FIRST membership may help make the case for a separate, isolated malware analysis network and environment.

3] Applying for FIRST membership compels CIRTs to document a variety of processes. For example, FIRST requires applicants to document how they handle sensitive information from third parties. Following the application process brings a certain degree of rigor and clarity to CTOps work.

4] FIRST membership is sometimes a differentiating factor when recruiting talent.

5] FIRST members share operational practices and information through mailing lists and conferences.

—RICHARD BEJTLICH

• The Support Group, responsible for designing, building, and running infrastructure used by the IRC and SAT.

Within each CIRT sub-team, I divide responsibilities by skill level. All of these roles and experience levels will likely vary depending on the nature of the organization hosting the CIRT.

The IRC consists of these team members:

• Incident handlers are subject matter experts (8-12 years of technical experience) who use unstructured analysis tools and techniques to detect and respond to the most advanced or complicated threats.

• Incident analysts (4-8 years of technical experience) are developing as subject matter experts; they work with incident handlers to learn how to deal with advanced threats, but they also mentor event analysts.

• Event analysts (2-4 years of technical experience) are beginning their incident detection careers; they use structured analysis tools and techniques to detect and respond to well-understood threats.

The SAT consists of these team members:

• Principal analysts are subject matter experts (8-12 years experience) who understand and conduct advanced counter-intelligence work, fully simulate adversary activity, and/or lead complicated security consulting projects.

• Senior analysts (4-8 years of technical experience) are developing as subject matter experts; they work with principal analysts on larger projects while mentoring analysts.

• Analysts (2-4 years of technical experience) demonstrate aptitude in security assurance, but are learning how to offer these services.

SIX STEPS TO TAKE NOW

1] Create a team logo.

2] Create a team name.

3] Be a leader, not a manager. Read my post Everything I Need to Know About Leadership I Learned as a Patrol Leader.

4] If you are not making progress on executing your vision within a year, or you encounter inordinate resistance, consider another role.

5] Create documents justifying your team and have them ready when management asks.

6] Use time-based metrics to explain workload. For example, if it takes two weeks for your analysts to review indicators, and that figure continues to increase, use that metric to justify additional hires. It’s similar to a manufacturing situation, except the output is incident reporting.

—RICHARD BEJTLICH
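Item 12 (Counting) of the 13 C’s and step 6 of the Six Steps sidebar both come down to a handful of measurable figures. As an added illustration, not code from the article or from the author’s CIRT, this Python script computes them from a constructed incident log: compromise frequency, median time to detect and to contain, the growth of the indicator-review backlog, and headcount against the 5-per-10,000 survey average. All incident records, backlog figures and the 60,000-employee company are constructed inputs.

```python
"""CIRT justification metrics: compromise frequency, detection and response
times, the indicator-review backlog trend, and headcount against the
5-per-10,000 survey average. Added example; all records are constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    """One confirmed intrusion, with the three timestamps the metrics need."""
    case_id: str
    compromised: datetime  # earliest evidence of intruder activity
    detected: datetime     # when the CIRT first identified the intrusion
    contained: datetime    # when the intruder's access was removed


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


# Constructed incident log for one quarter (not real CIRT data).
INCIDENTS: List[Incident] = [
    Incident("C-1", datetime(2011, 1, 3, 8), datetime(2011, 1, 5, 8), datetime(2011, 1, 5, 20)),
    Incident("C-2", datetime(2011, 1, 20, 0), datetime(2011, 1, 20, 6), datetime(2011, 1, 20, 10)),
    Incident("C-3", datetime(2011, 2, 10, 12), datetime(2011, 2, 17, 12), datetime(2011, 2, 18, 12)),
    Incident("C-4", datetime(2011, 3, 1, 9), datetime(2011, 3, 1, 21), datetime(2011, 3, 2, 3)),
    Incident("C-5", datetime(2011, 3, 15, 0), datetime(2011, 3, 18, 0), datetime(2011, 3, 19, 0)),
]

# Constructed: days the analysts needed to work through each month's indicator
# backlog (the time-based workload metric from step 6).
REVIEW_DAYS_BY_MONTH: Dict[str, float] = {
    "2011-01": 9.0, "2011-02": 11.0, "2011-03": 14.0, "2011-04": 16.0,
}


def compromises_per_month(incidents: List[Incident]) -> Dict[str, int]:
    """How regularly the enterprise suffers compromises, keyed by YYYY-MM."""
    counts: Dict[str, int] = {}
    for inc in incidents:
        key = inc.compromised.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return counts


def median_time_to_detect_hours(incidents: List[Incident]) -> float:
    """Median rather than mean, so one long-lived intrusion (C-3 here)
    does not dominate the figure shown to management."""
    return median(_hours(i.compromised, i.detected) for i in incidents)


def median_time_to_contain_hours(incidents: List[Incident]) -> float:
    """Hours from detection to removal of the intruder's access."""
    return median(_hours(i.detected, i.contained) for i in incidents)


def backlog_trend_days_per_month(series: Dict[str, float]) -> float:
    """Least-squares slope of review time over months: a positive value means
    the indicator backlog is growing, which is the argument for more hires."""
    ys = [series[k] for k in sorted(series)]
    n = len(ys)
    if n < 2:
        return 0.0
    xs = range(n)
    mean_x = (n - 1) / 2.0
    mean_y = sum(ys) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    den = sum((x - mean_x) ** 2 for x in xs)
    return num / den


def staffing_gap(employees: int, cirt_headcount: int, roles_per_10k: float = 5.0) -> float:
    """Detection/response roles implied by the survey average (5 per 10,000
    employees) minus the roles currently filled; positive means under-resourced."""
    return employees / 10_000 * roles_per_10k - cirt_headcount


def report(incidents: List[Incident], backlog: Dict[str, float],
           employees: int, headcount: int) -> Dict[str, object]:
    """The figures a CIRT director would bring to the budget conversation."""
    return {
        "compromises_per_month": compromises_per_month(incidents),
        "median_hours_to_detect": median_time_to_detect_hours(incidents),
        "median_hours_to_contain": median_time_to_contain_hours(incidents),
        "backlog_growth_days_per_month": backlog_trend_days_per_month(backlog),
        "staffing_gap_roles": staffing_gap(employees, headcount),
    }


if __name__ == "__main__":
    # Constructed case: a 60,000-employee company with 12 filled CIRT roles.
    for key, value in report(INCIDENTS, REVIEW_DAYS_BY_MONTH, 60_000, 12).items():
        print(f"{key}: {value}")
```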

The Support Team consists of these team members:

• Developers write software and tools to help the IRC and SAT detect and respond to intruders.

• Architects design systems and lead major projects in conjunction with Engineers who implement tools and techniques.

• Administrators care for the systems used by the IRC and SAT, as well as infrastructure enabling the support team mission.

I did not provide estimates of experience for each role in the support team, because system administrators could have 20 years of maintaining infrastructure under their belt, whereas a very effective architect might only have 8 or 10 years of experience.

I recommend a person lead each of these three teams, with a single CIRT leader working as director of incident response. The director of IR should name one of the three team leaders as his or her deputy.

SOCs vs CIRTs

At this point, it may sound like we are describing a security operations center (SOC). To a certain extent the work of a SOC is pertinent to CTOps. SOC work tends to imply a more routine workflow whereby security devices generate alerts for generally well known or recognizable security violations. Analysts interpret the alerts, generate reports, and notify their constituencies. All of this work is necessary, but it is not sufficient to combat modern threats. SOC work tends to be somewhat passive, structured, and often not very creative.

In addition to performing SOC work, CTOps requires more active, unstructured, and creative thoughts and approaches. One way to characterize this more vigorous approach to detecting and responding to threats is the term “hunting.” In the mid-2000s, the Air Force popularized the term “hunter-killer” for missions whereby teams of security experts performed “friendly force projection” on their networks. They combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats. The concept of “hunting” (without the slightly more aggressive term “killing”) is now gaining ground in the civilian world.

If the SOC is characterized by a group that reviews alerts for signs of intruder action, the CIRT is recognized by the likelihood that senior analysts are taking junior analysts on “hunting trips.” A senior investigator who has discovered a novel or clever way to possibly detect intruders guides one or more junior analysts through data and systems looking for signs of the enemy. Upon validating the technique (and responding to any enemy actions), the hunting team should work to incorporate the new detection method into the repeatable processes used by SOC-type analysts. This idea of developing novel methods, testing them in the wild, and operationalizing them is the key to fighting modern adversaries.

Richard Bejtlich is director of incident response for General Electric, and serves as principal technologist for GE’s Global Infrastructure Services division. Send comments on this article to [email protected].


CRITICAL INFRASTRUCTURE PROTECTION

SCADA Insecurity

STUXNET PUT THE SPOTLIGHT ON CRITICAL INFRASTRUCTURE PROTECTION, BUT WILL EFFORTS TO IMPROVE IT COME TOO LATE? BY GEORGE V. HULME

MARK WEATHERFORD will likely not forget the week of July 12, 2010. He’d just started his job as vice president and chief security officer at the North American Electric Reliability Corporation (NERC) that week. And as chance would have it, security researchers had recently announced the discovery of Stuxnet, one of the most advanced worms on record and widely believed to be targeting Iranian nuclear facilities. With NERC’s mission being to ensure the reliability of the North American bulk power system, it was a leap right into the fire for Weatherford.

The Windows-based worm, which contained a programmable logic controller (PLC) rootkit, is the first known worm that can reprogram industrial systems, and was crafted to breach Supervisory Control And Data Acquisition (SCADA) systems. SCADA systems are often used to control and monitor industrial processes, including those that help to manage power grids.


Immediately, Weatherford put into place a “Malware Tiger Team” that could be leveraged to help NERC ensure that the information about Stuxnet that was shared among facilities was accurate and useful. The team was comprised of malware experts and representatives from a number of federal agencies. Once the initial commotion over Stuxnet subsided, the team’s role faded, but not its ability to reconvene quickly should another threat against the power generation and distribution system materialize.

While the hope is that such a need never arises, the probabilities point to someday in the future when the Tiger Team is called back to work. The extremely sophisticated Stuxnet worm highlighted the vulnerability of the critical infrastructure the world relies on, and security experts worry it could be a harbinger of future attacks. That’s especially true as nation-states increasingly invest in their offensive cyberattack capabilities. Just as concerning as the threat, experts say, is that efforts to secure the SCADA systems used to manage many of the critical systems for controlling electricity, water delivery and other essential services have been lax. The federal government and industry groups are taking steps to secure the grid and the SCADA systems that support it, but many worry time is running out before a significant attack hits.

RISING THREATS

There’s no question that concern over critical infrastructure security is growing. Consider the findings in a report released last year by the Center for Strategic and International Studies (CSIS), and funded by security firm McAfee, In the Crossfire: Critical Infrastructure in the Age of Cyberwar. Based on a survey of 600 IT security managers from critical infrastructure organizations, the report found that 37 percent believed the vulnerability of the sector they worked in had increased over the year prior, and two-fifths expect a significant security incident in their sector in the next year. Only one-fifth of respondents to the survey believe their sector to be safe from serious cyberattack in the next five years.

While there was no devastating attack that hit the IT systems that support the North American critical infrastructure, 2010 will nonetheless go down as a decisive year for malware and digital attacks. Cybercriminals (who themselves edged out the hacker-hobbyist years ago) took a backseat to the state-sponsored attacker. These attackers are well trained, well-funded, and professional. They pose perhaps the greatest threat we’ve yet seen face the critical infrastructure. In fact, the CSIS survey found 60 percent of those surveyed believe foreign governments have been involved in past infrastructure infiltrations.

Researchers at Moscow, Russia-based Kaspersky Lab, where two of the four zero-day vulnerabilities the Stuxnet worm exploited were identified, reported that Stuxnet’s mission was to infiltrate a specific industrial control system that both monitors and controls industrial, infrastructure, and many on-site processes. It certainly wasn’t considered an amateur job. “The inside knowledge of SCADA technology, the sophistication of the multi-layered attack, the use of multiple zero-day vulnerabilities and legitimate certificates bring us to an understanding that Stuxnet was created by a team of extremely skilled professionals who possessed vast resources and financial support,” the company said in a bulletin.

“I view Stuxnet as a weapons delivery system, like the B-2 bomber,” says Michael Assante, president and CEO at the National Board of Information Security Examiners, and former vice president and chief security officer at NERC and critical infrastructure protection strategist at Idaho National Lab. “The code was designed to be very modular, so that its attack payload could be changed to be able to attack different systems. It’s clear to me that the resources available to the authors of the worm were substantial. They designed it with high confidence that the warhead would do exactly what it was designed to do,” Assante says. “That takes skill and resources.”

That combination of well-heeled attackers and sophisticated malware means the stakes are much higher today than a few years ago when it comes to securing the critical infrastructure. This rise in the capabilities of cyber adversaries should be of concern to everyone. Civilization is dependent on the critical systems that control electricity, finances, communications, water delivery, food distribution, and manufacturing. And the management of many of those systems is itself largely dependent on SCADA systems. Years ago, however, when these SCADA systems were first developed, they weren’t designed to withstand today’s security threats, nor for heavy reliance on common, commercially available software applications and operating systems, or for communications over public networks such as the Internet.

IGNORING THE RISKS

As SCADA systems have become increasingly networked, many believe that the industry and the federal government have not taken strong enough steps to ensure these systems are secure. “The industries that ignored cyber security, regardless of what the government said, are still doing just that,” says Alan Paller, director of research at the SANS Institute. “It’s a fundamental market failure. The industry said it would take care of things, and it didn’t do the job it said it would do.”

Others agree. “As long as there have not been any attacks [on their critical systems], it’s hard for [insiders] to argue to make something more secure,” says Richard Stiennon, chief research analyst at IT Harvest and author of Surviving Cyberwar. “There were no attacks last year, and there probably won’t be attacks next year. So we’re not spending on security because you say we should,” is the typical response security professionals hear from their management, Stiennon says.

“Following Stuxnet, one would think that there would have been a surge of activity to protect the grid, but there wasn’t,” Paller says.

That apathy extends to the developers of industrial control systems, others say. “There is this climate where everyone understands the potential for mischief, but no one is talking openly about it. And the people who are finding vulnerabilities in SCADA systems and report them to the vendors find themselves in an adversarial situation,” says Shawn Moyer, principal consultant at FishNet Security who co-presented a session on “Wardriving the Smart Grid” at BlackHat 2010. “What is going on in this industry today seems a lot like what was going on in the IT industry in the late 1990s when most software companies simply ignored security.”

“When it comes to SCADA vendors, we are really early in the maturity curve,” agrees Assante. For instance, he says, while security administrators at critical infrastructure organizations would like to know how to best harden those systems, the vendors don’t always provide the necessary documentation that explains how to do so.

“The vendors understand that security matters, and they’re starting to work security into their development processes. Generally, however, their security engineers probably aren’t part of the development teams,” he says. “Security is not built into their processes. Over the next couple years, critical infrastructure vendors are going to have to more tightly integrate security into their design and product support initiatives,” he says.

REGULATIONS IN THE WORKS

The federal government and industry groups aren’t standing still when it comes to securing the grid and SCADA dependent systems. And they’re helping guide the way to more secure and sustainable power systems. Last June, the Department of Homeland Security (DHS) released its Catalog of Control Systems Security Recommendations for Standards Developers that aims to help facilitate the creation of security standards for SCADA, process control, distributed control, and other critical infrastructure systems. The standards help to detail everything from how such industries can screen personnel to establishing physical security and setting secure configuration management guidelines. NERC, for its part, maintains security standards and guidance to roughly 2,000 public and private firms involved in electricity production and distribution in North America.

NERC’s Critical Infrastructure Protection (CIP) regulations were designed to help ensure the reliability of bulk power generation and delivery. NERC CIP regulations comprise eight mandatory requirements that establish the minimum acceptable level of risk, and include security log collection and analysis, access control, reporting, and intrusion detection/prevention systems, among others. “The standards have only been auditable for a couple of years, and we are light years improved from where we were a few years ago,” says Weatherford. “Are we where we need to be? No. But neither was PCI DSS when it first came out. Today, PCI DSS is a fairly good standard.”

Weatherford has a number of areas where he’d like to see improvement. For instance, he would like the CIP standards to move more rapidly and possibly be augmented with more agile ways for covered organizations to manage their risk. “It takes years for these standards to be agreed upon. That’s way too long for cybersecurity,” he says. Additionally, Weatherford says that a more dynamic risk management framework that can be used in conjunction with the CIP standards would help facilities more intelligently manage risk. “Just as all systems are not equally critical, the risk postures of different plants are not the same and can’t be managed the same way,” he says. “We’ve just begun work on developing a more agile way for organizations to leverage the CIP standards.”

case study

Powering Up Security
Utility company implements network encryptors to protect SCADA data and meet NERC requirements.

WITH A HUGE POWER PLANT built back in the 1940s that covers a lot of square footage, the North American Energy Alliance faced a compliance challenge. North American Electric Reliability (NERC) standards require that wiring between physical security perimeters be enclosed in conduit or the data must be encrypted. For the NAEA, that would have meant a lot of conduit, so it opted to encrypt, says Dominick Birolin, network engineer at NAEA.

The company, which is based in Iselin, N.J., and owns a portfolio of 1,755 megawatts of electricity producing power stations in the Northeast, looked at a variety of encryption options, including point-to-point IPSec tunnels. But it determined that IPSec tunnels would result in latency problems, Birolin says.

NAEA ultimately chose network encryptors from CipherOptics (now Certes Networks) for securing its SCADA information. CipherEngine Enforcement Points from CipherOptics are FIPS 140-2 Level 2 validated encryption appliances.

“With CipherOptics, the latency was in microseconds as opposed to milliseconds. That was a big advantage, especially for SCADA systems,” Birolin says.

The technology helps NAEA meet its compliance obligations, but data encryption is an overall good practice, he says. —MARCIA SAVAGE

Assante also agrees that critical infrastructure regulations should be risk based and more agile to help better prepare critical infrastructures and the security teams that protect them. “Legislation should include the need for more sharply defined federal authority to address specific and imminent cyber security threats to critical infrastructures in the form of emergency measures,” Assante said in a hearing before the Senate committee on homeland security and government affairs in November.

IMPROVING SECURITY OPERATIONS

When it comes to critical infrastructure protection, information sharing and collaboration have been called for for years. Last year was the first year the industry has seen real information sharing begin to coalesce. In November, the Department of Homeland Security (DHS) launched a cyber security information sharing center designed to more efficiently share information about cyber threats to the critical infrastructure. Dubbed the Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Operations Center, it’s a 24-hour live watchdog that will, hopefully, provide state and local government officials the same details as those in the federal government.

According to DHS, the National Cybersecurity and Communications Integration Center (NCCIC) will head information sharing to the MS-ISAC Operations Center. States are expected to use the MS-ISAC Operations Center to cooperate to enhance IT security defense and response. The move is just one in a recent flurry of moves by the DHS to help bolster information sharing and incident response.

DHS also announced that the Information Technology Information Sharing and Analysis Center (IT-ISAC) will embed a full-time analyst and liaison to DHS at the NCCIC. The IT-ISAC consists of information technology representatives from the private sector and facilitates cooperation among members to identify sector-specific vulnerabilities and risk mitigation strategies.

Also, this past fall, to test the nation’s ability to withstand an advanced cyberattack, DHS and a number of international security and intelligence agencies engaged in a cyberwar game involving 1,500 security events designed to see how well federal agencies and more than 60 private sector companies in critical infrastructure responded to a cyberattack. Cyber Storm III was used to test the newly developed National Cyber Incident Response Plan (NCIRP), which is the government’s current cybersecurity incident response playbook. A report detailing the results of the exercise is expected soon.

“Government and industry aren’t standing still, but the question is are they doing enough, quickly enough,” says IT Harvest’s Stiennon.


HELP WANTED

In the future, it may not be budget, technological, or regulatory hurdles that prove the most challenging when securing the critical infrastructure; it could be finding enough skilled security professionals. “It’s not that there’s a problem finding security superstars, there’s a lack of people with basic security skills and knowledge,” says Vincent Liu, managing partner at the application security firm Stach and Liu.

In its report, A Human Capital Crisis in Cybersecurity, the CSIS found that there are roughly 1,000 security professionals in the U.S. who have the specialized cybersecurity skills needed to protect the critical infrastructure. The report estimates the nation could need up to 30,000 similarly skilled people to get the job done. “There’s no doubt that we need to invest more in the security workforce. We need better training, and regular reassessments of their skill level,” Assante says.

NERC’s Weatherford agrees: “There are not many qualified, technical, cybersecurity experts that have experience in the power industry.” He says it’s part of a troubling macro trend affecting the IT industry. “We’ve been talking about the retirement bubble for a couple years now. We studied the issue when I was CISO at the state of California, and we found so many technical staff eligible for retirement within the next few years that it became obvious that if we didn’t train and recruit enough people, we were really going to have a problem,” he says.

Having the IT staff needed to keep operations running smoothly is one thing; having enough professionals trained in the still obscure IT security profession is another—and experts warn we are running out of time. “These aren’t always highly-skilled attackers or sophisticated malware that manage to get through. I’ve seen traditional worms like Conficker on hardened controllers,” says Assante. “My greatest fear is that we are running out of time to learn our lessons. Stuxnet, although difficult to hijack or modify by others, may very well serve as a blueprint for similar but new attacks on control system technology,” he adds.

George V. Hulme is a business and technology journalist who often writes about security topics from his home in Minneapolis, Minnesota. Send comments on this article to [email protected].


ADVANCED PERSISTENT THREAT

WHAT APT IS (AND WHAT IT ISN’T)

Think you know all you need to know about the advanced persistent threat? We’ll define APT and dispel a few myths. BY RICHARD BEJTLICH

THE TERM advanced persistent threat, or APT, joined the common vocabulary of the information security profession in mid-January 2010, when Google announced its intellectual property had been the victim of a targeted attack originating from China. Google wasn’t alone; more than 30 other technology firms, defense contractors and large enterprises had been penetrated by hackers using an array of social engineering, targeted malware and monitoring technologies to quietly access reams of sensitive corporate data.

Google’s public admission put a high-profile face on targeted attacks and the lengths attackers would go to gain access to proprietary corporate and military information. It also kicked off a spate of vendor marketing that promised counter-APT products and services that have only served to cloud the issue for security managers and operations people.

In this article, we’ll define APT, dispel some myths and explain what you can do about this adversary.


WHAT IS THE ADVANCED PERSISTENT THREAT?

The United States Air Force coined the phrase advanced persistent threat in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world. Department of Defense and intelligence community members typically assign classified names to specific threat actors, and use the term intrusion set to describe activities by those threat actors. If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker.

It is crucial to this discussion to recognize that APT is a proper noun. APT refers to specific threat actors; APT does not refer to vaguely unknown and shadowy Internet forces. The term is most frequently applied to distinct groups operating from the Asia-Pacific region. Those knowledgeable about APT activities can conduct an honest debate as to whether the term should be used to refer ONLY to certain Asia-Pacific actors, or if it can be expanded as a general classifier. In other words, if adversaries in Eastern Europe operate using the same tools, tactics, and procedures as traditional APT, should these actors also bear the APT label?

The answer to this question depends on the person asking it. An information security practitioner in a private organization will typically not care if the threat actors attacking an enterprise originate in the Asia-Pacific or Eastern European regions. The reason is that the practitioner will likely take the same defensive actions regardless of the location or nationality of the adversary.

However, someone with the legal and/or national security authority to apply diplomatic, intelligence, military or economic (DIME) pressure would certainly want to identify the origin of an attack. For the purposes of this article, aimed at information security practitioners, it is not necessary to answer the “who” question definitively. However, those who do have elements of DIME power should take attribution statements by Google and other victims seriously.

Most of those actively countering APT activity describe the adversary in the following manner:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit, they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. The opposition is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

In brief, APT is an adversary who conducts offensive digital operations (called computer network operations or perhaps computer network exploitation) to support various state-related objectives. APT is characterized by devotion to maintaining some degree of control of a target’s computer infrastructure, acting persistently to preserve or regain control and access. Unclassified briefings by counter-intelligence and military analysts use the term “aggressive” to emphasize the degree to which APT pursues these objectives against a variety of government, military, and private targets.

WHY IS ADVANCED PERSISTENT THREAT MISUNDERSTOOD?

Beginning in January and peaking in February and March, many elements of the digital security community focused their attention on APT. Unfortunately, some of those speaking about the problem quickly found themselves echoing statements and questionable research offered by parties who were not familiar with APT. Several factors contributed to an overall sense of confusion, with some of the more trustworthy voices competing with parties who would have been better advised to stay in the background.

Several factors caused this phenomenon:

• Besides Google’s public statement, and subsequent secondhand reporting about allegedly affected peer companies, very little original data was available. Without details to discuss, the security community turned to almost anyone willing to talk about the incident. In too many cases, the speakers turned out to be vendors who saw APT as a marketing angle to rejuvenate slumping security spending. RSA Conference 2010 featured many companies selling counter-APT products, hoping to capitalize on the new hot topic of 2010.

• McAfee reported it was analyzing malware that it claimed to be associated with the Google incident, independently assigning the name “Aurora” to the affair thanks to a path found in the malware. In late March, McAfee blamed “the fog of war” for mistakenly confusing a Vietnamese-targeted botnet with Google incident malware. Unfortunately, by associating this false lead with the Google incident, McAfee prompted a variety of security researchers to direct their efforts on code that likely had nothing to do with the Google incident.

• Many analysts too narrowly focused on the elements of the incident that they could best understand, regardless of the real nature of the event. For example, companies specializing in botnet research assumed botnets were involved, and talked about the Google incident in those terms. Others who focus on identifying vulnerabilities and developing exploits concentrated on a flaw in Internet Explorer (patched by MS10-002) presumably leveraged by intruders to gain access to Google resources. Unfortunately, botnets have nothing to do with APT, and vulnerabilities, exploits, and malware are only elements of APT incidents—not the core feature of them.

IS APT NEW?

When the Google attack entered the public arena, many people wondered if APT was something new. The answer to this question depends on one’s perspective, plus understanding some history. As mentioned earlier, the term APT is approximately 4 years old. It entered the common lexicon in early 2010 with the publicity garnered by Google’s bold proclamation. However, consulting companies, particularly Mandiant, have been conducting public webcasts and presentations discussing APT by name since 2008.

Prior to the 2006 invention of the APT term, news stories of Chinese intruders attacking military and government organizations bore the label “Titan Rain.” For example, a 2005 Time magazine article by Nathan Thornburgh titled “The Invasion of the Chinese Cyberspies” described battles fought by Shawn Carpenter, then defending Sandia National Laboratories. That story mentioned Carpenter’s experience with similar intruders dating back to late 2003. Even in 1998, when I served as a captain in the Air Force Computer Emergency Response Team, we encountered adversaries that many would now label APT.

Some would even argue that nothing about APT is new. To the extent that espionage is as old as warfare itself, some claim APT activity is just spying in another form—and not even a new medium, given the history of computer espionage dating from Cliff Stoll’s work in the 1980s.

I argue that APT is new if those asking the question move beyond two-dimensional thinking. Considering APT activity in terms of offender, defender, means, motive, and opportunity, APT is clearly new. Points for the “old” camp include the identity of the offender (nation-states) and the motive (espionage). Points for the “new” camp make a stronger argument:

Defender: I break APT targets into four phases: 1) late 1990s — military victims; 2) 2000-2004 — non-military government victims; 3) 2005-2009 — defense industrial base; 4) 2009-present — intellectual property-rich targets and software companies. (Unfortunately there are clear examples of earlier victims, but these dates roughly cover most known cases.) The assault conducted during phases 3 and 4 is unprecedented, meaning entirely new classes of defenders must protect themselves from attackers previously a concern for the military.

Means: Too many critics focus on malware, ignoring (or being unaware of) the impressive management and administration applied to repeatedly attempting to access, or preserving access to, target organizations. APT incidents are not hit-and-run, smash-and-grab affairs.

Opportunity: The explosion of Internet connectivity in the last decade and the extreme distribution of sensitive data to end points provide cheap, low-risk, remote access options for intruders, unlike anything available to human spies.

On balance, I argue APT is new, at least when considered from the perspective of non-military targets, and remembering that phase 3 APT activity began in 2003 and became a significant problem in 2005.

OBJECTIVES

APT Impact
Analysts currently assess APT activities as supporting four main goals.

• Political objectives such as maintaining internal stability.

• Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

• Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.

• Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. —RICHARD BEJTLICH

WHAT SHOULD DEFENDERS DO TO COUNTER APT?

The majority of this article has focused on describing APT and its history, because battling this adversary does not require a technical solution. The most effective counter-APT weapon is a trained and knowledgeable information security analyst. Many security vendors have adopted APT in their marketing literature. Some offer to find APT on a potential victim’s network. Others have even registered APT-themed domain names.

Tools are always helpful, but the best advice I can provide is to educate business leaders about the threat so that they support organizational security programs conducted by competent and informed staff.

A second question one is likely to ask follows: How do I know if I am an APT target? Contact your local Federal Bureau of Investigation office. One of the biggest game-changers in counter-APT awareness developed during the last several years is taking the form of visits by FBI and military or counter-intelligence specialists to potential victims. It’s difficult to deny a security breach when representatives from a national security agency reveal excerpts from proprietary data or intellectual property and ask “does this data belong to you?” If you have not already engaged your organization’s leaders in a counter-APT conversation, requesting a threat briefing from the local FBI office is an excellent way to promote managerial attention.

On a technical level, building visibility into one’s organization will provide the situational awareness to have a chance to discover and hopefully frustrate APT activities. Without information from the network, hosts, logs, and other sources, even the most skilled analyst is helpless. Thankfully, obtaining such information is not a new challenge, and most security shops should be pursuing such programs already. The goal of counter-APT operations should be to make it as difficult as possible for the adversary to steal intellectual property; “increasing the cost per megabyte,” to quote the NSA’s Tony Sager, is the goal.

Richard Bejtlich is director of incident response for General Electric, and serves as principal technologist for GE’s Global Infrastructure Services division. Send comments on this article to [email protected].


BANKING MALWARE

UNDER ATTACK

Cybercriminals are using increasingly stealthy and sophisticated malware to hijack online business banking accounts. BY MARCIA SAVAGE

AT FIRST, it was hard to tell what was causing the “phantom” money transfers from the online bank account of a small North Carolina company. Investigators didn’t know if the fraudulent wire and Automated Clearing House transfers were caused by an insider or malware, recalls Don Jackson, director of threat intelligence with the Counter Threat Unit at SecureWorks, an Atlanta-based security services provider.

But the cause became quite clear when Jackson and his team examined the bookkeeper’s computer: an infection by the Zeus Trojan. “In the past, Zeus was just spyware and wanted user names and passwords,” he says. “This was the first banking version of Zeus. It got into the browser and changed things on the fly.”


The malware caused the business to lose nearly $98,000, Jackson says. That was in late 2007. Today, criminals are using the Zeus crimeware kit with astonishing success, pulling off six-figure heists from the online bank accounts of scores of small businesses, municipalities and nonprofits. The Federal Deposit Insurance Corporation estimates losses from fraudulent electronic funds transfers in the third quarter of 2009 at about $120 million. The attacks have been mounting over the past 18 months or so and haven’t slowed, experts say.

Zeus is among an emerging brand of stealthy malware that steals online banking and other sensitive credentials with ever changing capabilities to evade detection and defeat security controls. Bought and sold on the Internet and continually upgraded with new features, Zeus and its ilk represent the evolution of malware into a vast commercial enterprise. Banker Trojans accounted for 61 percent of all new malware in the first quarter of this year, according to a recent study by Panda Security. It’s become an arms race with the criminals behind these malware-fueled business operations, says Joe Bernik, CISO at Fifth Third Bank.

“They’re constantly looking for ways to improve the functionality to overcome whatever technical controls the financial services industry or whatever industry they’re targeting puts into place,” he says.

Malware has surpassed phishing as the top threat, says David Shroyer, vice president of online security and enrollment at Bank of America. “The speed of evolution and the shifting of threat vectors are astounding. It’s light speed, so we have to be on our toes to protect our customers and our industry,” he says. “What I’m seeing in the industry is this is now the big thing we’re all worried about and we’re cooperating like we never have before.”

Let’s take a closer look at Zeus, its emerging competition in the banking malware market, their impact, and how the financial services industry is responding.

ESCALATING BATTLE

Malicious code designed for banking fraud has been around as far back as 2003, says Jamz Yaneza, threat research manager at Trend Micro. Most early banking malware came in the form of keyloggers, which captured all kinds of sensitive information, not just online banking credentials.

In the U.S., banks stepped up their defenses against spyware and keyloggers with added security, particularly two-factor authentication. In 2005, federal banking regulators issued authentication guidance for online banking, and regulators say attacks dipped for a couple of years. Criminals had to figure out a new method of attack.



“Banks and online providers have done a good job putting in place authentication methods that made it hard for the criminals to make money,” says Laura Mather, co-founder and CEO of Silver Tail Systems, a Palo Alto, Calif.-based provider of fraud prevention systems. “The bad news is the criminals didn’t give up. They had to employ even more sophisticated technology in order to subvert the protections that have been put in place.”

Fraudsters shifted their focus to malware because their returns from phishing were diminishing, says Sean Brady, identity protection and verification product marketing manager at RSA, the security division of EMC. “The more sophisticated groups were willing to put the extra investment into Trojans because they demonstrated return,” he says.

To circumvent strong authentication methods, criminals have to impersonate the victim, Mather says. “Instead of just having a password, they have to look just like the victim, so they’re accessing the victim’s account from the victim’s own computer, which means they have the correct IP address. It’s very difficult for the bank to tell the difference between the malware and the legitimate user,” she explains.

The Silentbanker Trojan, which surfaced a couple of years ago, had this interception functionality, but Zeus and other newer banking Trojans have honed it, experts say. Today’s banking malware attacks the victim’s Web browser rather than the network session, Bernik explains: “It modifies and intercepts the data that is being passed to the browser and it can actively modify Web pages.” Because the malware runs inside the browser, it sees page content after SSL decryption and can alter both what the user sees and what the bank receives.

Criminals have used Zeus to add fields to bank Web pages to obtain additional data for authenticating to the site, and to alter displayed balances to hide fraudulent withdrawals. Researchers have detected Zeus variants that use the Jabber instant messaging protocol to relay stolen credentials to the fraudster in real time, circumventing the security provided by one-time password tokens: the victim often sees an error message while the fraudster uses the freshly captured credentials behind the scenes.

These kinds of man-in-the-browser attacks are much harder to detect than the older man-in-the-middle attacks, in which the hostile party inserts itself on the network between the authenticating server and the valid user, Bernik says.

“It becomes increasingly difficult for financial institutions to detect because some of the defense mechanisms we were using, such as device ID and geo ID, have limited value when dealing with a man-in-the-browser attack,” he says.

A FORMIDABLE FOE

Zeus, also called Zbot, has been the most pervasive and damaging banking malware to date, researchers say. According to Microsoft, infections by Zeus have skyrocketed in the last two years (see chart, below). The malware spreads via phony emails that pretend to be notices from legitimate organizations like NACHA, the association that oversees the Automated Clearing House (ACH) network; via spear phishing emails targeting specific individuals and containing links to malware-rigged websites; and via drive-by downloads. Researchers believe criminals in Eastern Europe, particularly Russia and Ukraine, are behind the Zeus-fueled attacks.

The Zeus crimeware kit has three components, according to an analysis by Trend Micro: the Trojan, a configuration file, and a drop zone where stolen credentials are sent. After the Zeus Trojan is executed, it downloads its configuration file from a predetermined location, then waits for the victim to log in to one of the targets listed in the configuration file, Trend Micro researchers say. Criminals conduct extensive research on banking websites to hone their attacks.

“They will do extensive research on the sites—logging in, understanding the page flows and thresholds to perform transactions with, down to the HTML code of the actual pages because they will frequently use that knowledge to manipulate the page in the user’s browser,” Brady says.

STATISTICS: Zeus Infections Skyrocket

Microsoft data shows the number of reported Zeus (also called Zbot) infections shot up early this year. The chart illustrates the number of times the Win32/Zbot family was detected by a Microsoft security product. Source: Microsoft Malware Protection Center.

  Period          Win32/Zbot report count
  December ’08                    52,104
  March ’09                       38,040
  June ’09                        33,894
  October ’09                     60,669
  December ’09                   128,064
  March ’10                      212,954

The highly configurable nature of Zeus is one of its most powerful aspects, experts say. “Zeus is a lot of different botnets,” Mather says. “Criminal A can buy Zeus and have his own command-and-control and his own botnet, and criminal B buys Zeus and has his own botnet that will be different from criminal A’s because it’s targeting victims in South America while the other is targeting victims in Europe.”

Earlier this year, security firm NetWitness reported finding a 75GB cache of stolen data, including credentials for online banking sites and social networks, from more than 74,000 Zeus-infected systems; the company named the infected PCs tied to the Zeus attacks the Kneber botnet. In March, security researchers reported ongoing efforts to shut down Kazakhstan-based Troyak.org, an ISP serving a large chunk of a Zeus botnet. Spanish authorities in December shut down the Mariposa botnet, which stole banking and other sensitive data by infecting 12.7 million computers with Zeus and other malware.

East European cybercriminal operations using the Zeus malware kit have capitalized on the recession to successfully recruit “money mules” in the U.S. to move money siphoned from business online banking accounts, experts say. Fraudsters lure money mules over the Internet with bogus work offers and use them to receive the stolen funds, instructing them to wire the money overseas after deducting a commission. Oftentimes, the money is stolen in amounts of less than $10,000, apparently in an attempt to avoid triggering Suspicious Activity Report (SAR) requirements.

Jackson and other researchers at SecureWorks have been tracking each new version of the Zeus Trojan, which is constantly updated with new functionality. In March, they wrote that the latest version featured a level of control they hadn’t yet seen in malware: a hardware-based licensing system so the malware can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” wrote Jackson and Kevin Stevens, security researcher at SecureWorks’ CTU.

A beta version of a new Zeus variant they examined this spring featured polymorphic encryption, which allows it to re-encrypt itself each time it infects a computer, making each infection unique and harder for antivirus systems to catch, Stevens says.

Various modules for Zeus, including a Firefox form grabber, a Jabber chat notifier, and Windows 7/Vista support, are available on the Internet for prices ranging from $500 to $6,000, according to SecureWorks.

The developers behind Zeus also are very sensitive to detection rates of their malware by antivirus systems, says Mickey Boodaei, CEO of online security provider Trusteer. “Each variant they release goes through a kind of quality assurance process to make sure it’s not detected by many antivirus solutions,” he says.

New York-based Trusteer released a study last fall that showed the Zeus Trojan infecting PCs that had updated antivirus software 77 percent of the time.

THE COMPETITION

While Zeus has proven the most popular toolkit for criminals targeting online banking, the Clampi Trojan has also done its share of damage. Jackson says it’s the number two threat to online banking after Zeus, but isn’t available for sale like Zeus; rather, it’s used by one criminal group in Eastern Europe.

Like Zeus, Clampi has advanced man-in-the-browser capabilities and uses state-of-the-art polymorphic cryptors, and it is used to conduct fraudulent ACH and wire transfers, according to Jackson. SecureWorks last summer documented the Clampi Trojan and how it targeted thousands of websites, including large banks, small banks and mortgage companies. Those behind Clampi use encryption adeptly, making it difficult for researchers to track it, Jackson says: “It flies under the radar a lot.”

Last fall, Finjan researchers reported a new banking Trojan, URLzone, that criminals had used the previous summer to intercept online banking sessions and steal thousands of euros from German accounts. URLzone minimizes the risk of being detected by banks’ antifraud systems by systematically transferring random, moderate amounts of money from compromised accounts. According to RSA researchers, the Trojan uses money mules in a highly sophisticated way in order to foil researchers trying to identify the mule accounts it’s using: if it detects that a computer isn’t part of its botnet, it delivers a fake mule account to the researcher’s computer.

The Silon Trojan, meanwhile, targets only customers of major U.K. banks and has managed to infect thousands of computers, according to Trusteer. Silon steals banking credentials, bypasses specific security controls and can update itself to counter banks’ defensive measures.

Earlier this year, SecureWorks researchers discovered a new banking Trojan, Bugat, designed to facilitate fraudulent ACH and wire transfers. Bugat’s capabilities include many of those common in banking malware, including Internet Explorer and Firefox form grabbing and stealing and deleting IE, Firefox and Flash cookies. Bugat mainly targets regional banks and smaller national banks, Jackson says. “It’s fairly sophisticated, but not up there with Zeus and Clampi,” he adds.

However, the emergence of Bugat indicates the strong demand for malware to commit financial fraud, according to SecureWorks. Indeed, the competition for Zeus appears to be heating up, especially with the emergence of SpyEye. According to Symantec, the first version of the malware kit appeared for sale on Russian underground forums in December. Retailing for $500, “it is looking to take a chunk of the Zeus crimeware toolkit market,” Symantec researchers wrote.

The SpyEye toolkit is similar to Zeus in many ways and is updated regularly with new features, including one called “Kill Zeus” designed to delete Zeus from an infected system and leave SpyEye running, Symantec researchers noted.

ADVICE: New Approaches

Vendors offer alternative technologies to secure online banking from fraud.

As criminals use increasingly sophisticated malware to commit online banking fraud, new technologies have appeared to combat the problem.

Trusteer’s Rapport product is a browser security plug-in that works to prevent malware from tampering with online banking sessions. While traditional desktop security products try to prevent malware, “we’re locking down the session,” says Trusteer CEO Mickey Boodaei.

Desktop protection products like Rapport and a similar technology from Prevx provide another strong layer of security, but many banks are reluctant to go that route, says Avivah Litan, vice president and distinguished analyst at Gartner.

IBM offers an alternative technology to foil online banking fraud: a USB-attached hardware device called Zone Trusted Information Channel (ZTIC) that runs the TLS/SSL protocol itself and acts as a proxy for connecting with banking websites; because the SSL session terminates on the device rather than in the PC’s browser, it bypasses any malware on the PC. IronKey recently launched Trusted Access for Banking, a USB device with a virtualized operating system and secure Web browser.

“We’re creating a separate secured operating environment on your computer without you needing a separate computer,” says David Jevans, CEO of IronKey.

Both IronKey and IBM are offering locked-down computing environments, but the technologies still use the PC’s keyboard, Litan says: “You could still record the keystrokes, so there’s still an issue.”

Silver Tail Systems offers a different approach with technology that watches for changes in how a website is used and alerts website owners to possible fraudulent activity. “We watch the behavior of the Web session to identify whether we think the behavior is a normal way to interact with a website,” says Laura Mather, co-founder and CEO.

Litan says many of the alternative technologies, like ZTIC, aren’t new but are getting more attention now. “There’s nothing new under the sun but the situation is getting so bad that people are looking at these solutions,” she says.

Litan recommends that financial institutions take a layered approach to fighting online fraud, including fraud detection that monitors transaction behavior and desktop protection.

—MARCIA SAVAGE

THE FALLOUT

Government agencies and financial services associations began sounding the alarm about a sharp increase in fraudulent ACH and wire transfers hitting small and midsize businesses last August. In November, the FBI estimated that the fraudulent activity had resulted in approximately $100 million in attempted losses.

“We’re not hearing about it as much on the consumer side. It does happen, but these bad guys are going after the big fish,” says Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). “They’re sending spear phishing emails to individuals at businesses they’ve checked out.”

Investigative reporter Brian Krebs has documented many cases in which small businesses and municipal agencies have lost thousands of dollars through fraudulent money transfers. Oftentimes, Zeus is cited as a culprit, as in the case of a small New York marketing firm that lost $164,000 after a Zeus infection. Business banking customers hit by online banking fraud typically lose out because they don’t have the same regulatory protections to limit losses from fraudulent electronic funds transfers that consumers have.

The fraud surge has led to a spate of lawsuits. For example, Bullitt County in Kentucky sued its bank, First Federal Savings Bank of Elizabethtown, last summer after cybercriminals stole $415,989 through fraudulent ACH transactions, according to court documents obtained by The Courier-Journal. The bank, which claims the county’s security failures led to a Zeus infection, refused to reimburse the county for the $310,176 that wasn’t recovered.

In another case, which has been widely reported, Hillary Machinery of Plano, Texas was sued by its former bank, Dallas-based PlainsCapital, after being victimized by online banking fraud in 2009. Hillary countersued the bank over the cyberheist, in which criminals stole about $800,000; PlainsCapital recovered almost $600,000.

For the financial sector and other industries, customer education has been a major weapon in beating back phishing to the point where it’s not the threat it was five years ago, Bank of America’s Shroyer says. But customer education is a less powerful weapon against stealthy malware that is constantly finding ways to avoid detection, he says.

Malware also is trickier from a customer resolution standpoint, Shroyer says: “I can fix a customer who’s been exposed to phishing in a matter of minutes. A customer exposed to malware is a very difficult conversation. I can’t just tell them to change their ID and passcode. I have to tell them that their endpoint, their PC, has been compromised by something that isn’t just impacting their Bank of America relationships, but their Yahoo email account and other financial accounts like PayPal.”

Banking malware is a newer problem in the U.S., Shroyer adds, noting that banks in Australia, Brazil and the U.K. have been combating sophisticated banking Trojans for longer.

Mather, a former director of fraud prevention at eBay, says phishing was the top concern when she worked at the company; malware wasn’t much on the radar. “Now when I talk to banks and other large organizations, they’re having to assume the customer’s computer is compromised. That’s a very different way to look at your customers than worrying about whether they’re going to give away their passwords.”

INDUSTRY RESPONSE

Financial industry groups, keenly aware of the critical need to preserve confidence in the online banking channel, have provided a slew of recommendations for fending off malware attacks.

FS-ISAC, NACHA and the FBI, in their joint advisory last August, recommended that financial institutions implement strong authentication, fraud detection and mitigation best practices, including transaction risk profiling, out-of-band transaction authentication together with fraud detection, and network defense in depth.

They also advised banks to educate their corporate and small business customers about security, including: reconciling accounts on a daily basis; initiating ACH and wire transfers under dual control (with one person initiating the transfer and another authorizing it); and possibly carrying out all online banking from a locked-down, standalone computer with email and Web surfing disabled.

“We’re emphasizing an integrated, layered security strategy,” FS-ISAC’s Nelson says. “Any single defense you come up with they can circumvent…If you implement a layered defense strategy, you have a better chance of defeating these bad guys.”
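The controls above (transaction risk profiling from the FS-ISAC/NACHA/FBI advisory, dual control on ACH and wire transfers, and the sub-$10,000 mule payouts described earlier in the article) can be combined into one decision per outbound transfer. The following Python sketch is an added example written for this guide, not code from any bank, vendor or industry group named in the article; the thresholds, the 24-hour window, the payee history and the transaction batch are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy constants for illustration, not any institution's real rules.
REPORT_THRESHOLD = 10_000.00           # reporting line the mule payouts stay under
STRUCTURING_BAND = 0.80                # flag amounts in the top 20 % below that line
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3                     # more than 3 new-payee transfers per window


@dataclass
class Transfer:
    txn_id: str
    account: str
    payee: str
    amount: float
    initiated_by: str
    approved_by: Optional[str]         # None until a second person approves
    ts: datetime


@dataclass
class Decision:
    txn_id: str
    allowed: bool
    reasons: List[str] = field(default_factory=list)


class RiskEngine:
    """Scores each outbound transfer against dual control and behavioral rules."""

    def __init__(self, known_payees: Dict[str, Set[str]]):
        self.known_payees = known_payees                   # account -> payees paid before
        self.recent: Dict[str, List[Transfer]] = defaultdict(list)

    def _is_new_payee(self, t: Transfer) -> bool:
        return t.payee not in self.known_payees.get(t.account, set())

    def evaluate(self, t: Transfer) -> Decision:
        reasons: List[str] = []

        # Rule 1, dual control: a distinct second person must approve.
        if t.approved_by is None:
            reasons.append("dual control: no second approver")
        elif t.approved_by == t.initiated_by:
            reasons.append("dual control: initiator approved own transfer")

        # Rule 2: first payment ever to this payee from this account.
        if self._is_new_payee(t):
            reasons.append("first payment to this payee")

        # Rule 3, structuring: mule payouts tend to sit just under the reporting line.
        if STRUCTURING_BAND * REPORT_THRESHOLD <= t.amount < REPORT_THRESHOLD:
            reasons.append("amount just below reporting threshold")

        # Rule 4, velocity: new-payee transfers in the window, this one included.
        window = [r for r in self.recent[t.account] if t.ts - r.ts <= VELOCITY_WINDOW]
        window.append(t)
        self.recent[t.account] = window
        new_payee_count = sum(1 for r in window if self._is_new_payee(r))
        if self._is_new_payee(t) and new_payee_count > VELOCITY_LIMIT:
            reasons.append(f"{new_payee_count} new-payee transfers within 24h")

        # Policy: a dual-control failure blocks outright; otherwise hold the
        # transfer for out-of-band confirmation when two or more signals line up.
        dual_control_failed = any(r.startswith("dual control") for r in reasons)
        allowed = not dual_control_failed and len(reasons) < 2
        return Decision(t.txn_id, allowed, reasons)


def sample_batch() -> List[Transfer]:
    """Constructed sample: one morning of transfers from a small-business account."""
    day = datetime(2010, 6, 1)

    def mk(i, payee, amount, initiator, approver, hour, minute):
        return Transfer(f"T{i}", "ACME-OPS", payee, amount, initiator, approver,
                        day + timedelta(hours=hour, minutes=minute))

    return [
        mk(1, "Payroll Inc",      45_000.00, "alice", "bob",   9, 0),   # routine payroll
        mk(2, "J. Mule",           9_400.00, "alice", "alice", 9, 5),   # self-approved, new, sub-threshold
        mk(3, "K. Mule",           9_800.00, "alice", "bob",   9, 10),  # new payee, sub-threshold
        mk(4, "Office Supply Co",  1_200.00, "alice", "bob",  10, 0),   # routine
        mk(5, "L. Mule",           2_500.00, "alice", "bob",  10, 30),  # new payee only
        mk(6, "M. Mule",           3_000.00, "alice", "bob",  10, 45),  # fourth new payee today
        mk(7, "Payroll Inc",         500.00, "carol", None,   11, 0),   # never approved
    ]


def run_batch(engine: RiskEngine, batch: List[Transfer]) -> List[Decision]:
    return [engine.evaluate(t) for t in batch]


def demo() -> List[Decision]:
    engine = RiskEngine({"ACME-OPS": {"Payroll Inc", "Office Supply Co"}})
    return run_batch(engine, sample_batch())


if __name__ == "__main__":
    for d in demo():
        print(d.txn_id, "ALLOW" if d.allowed else "HOLD ", "; ".join(d.reasons))
```

The design point is that the dual-control check is a hard block, while the behavioral signals are only combined: a single new payee at a modest amount (T5) passes, but a self-approved transfer, a sub-threshold payment to a new payee, or a burst of new payees in one morning is held. A production engine would persist the payee history, route held transfers to out-of-band confirmation, and tune the constants to the account’s normal behavior.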

The American Bankers Association backs the layered approach, says Doug Johnson, vice president of risk management policy for ABA. “One of the most important lessons we’ve learned from Zeus is that sometimes we hang our hat too much on security technological fixes,” he says, adding that internal controls like dual authorization also are critical.

The association is working with other industry groups to address the problem on an ongoing basis. “It is something we take very seriously because it gets to the heart of the relationship between the bank and its commercial and municipal customers,” he says. “Obviously, we need to counteract anything that could disrupt the trust that’s built up between those two parties.”

Fifth Third Bank’s Bernik notes that new technologies are emerging to deal with the challenge of the compromised host (see the sidebar, New Approaches) but adds, “There’s no silver bullet to solve all the challenges when it comes to the online channel.”

Fifth Third, aiming to be a “trusted advisor” to its customers, provides them with education and certain technologies to combat the malware problem, he says. Making sure customers are aware of security best practices is critical, he adds.

Citing security concerns, Shroyer declines to detail strategies and techniques the financial services industry is using to fight the malware problem. But he says that Bank of America is in the process of requiring customers to upgrade their online IDs and passcodes to meet its security requirements, and recently rolled out a browser upgrade for its customers to move off older, vulnerable browsers. Customers can be resistant to change, but the uptake was surprising and heartening, he says. “We’ve got to drive the message that we’re here to help you protect your assets.”

In the wake of the malware attacks, though, the industry is coming together like never before, Shroyer says. He’s having weekly calls with other banks in which they discuss what they’re seeing and possible solutions. “You would not have seen that before,” he says. “But now we have that collaboration.”

Malware, he says, is “going to drive us towards an opportunity to react faster than we have in the past out of necessity.”

Marcia Savage is editor of Information Security. Send comments on this article to [email protected].


Enterprise Protection for Web Add-Ons

Mini Web applications are complicating security for business owners. BY NICK LEWIS

WIDGETS, or mini Web applications, are popular tools or Web add-ons for users to express themselves on different Web 2.0 applications, such as Facebook or Twitter, or for organizations to access content from other websites. But there are some serious security implications that enterprises may need to defend against as Web 2.0 applications and Web add-ons become entrenched in the way business is done.

We’ll explain how assessing the security of widgets before incorporating them into a Web 2.0 environment can protect a business’s Web visitors, internal users and, ultimately, its corporate reputation. Though there are legitimate business uses of Web 2.0 widgets, particularly for incorporating content from third-party sites like Facebook, Twitter, Google and others, these widgets can all too easily distribute malware and malicious code, or potentially advance other attacks.

Web 2.0 widgets explained

Widgets are independent applications or snippets of code from third-party sites that can be used on their own or included in other websites and Web applications. They often display content, like news items or press releases, but they can perform other actions too, like displaying a Twitter feed or including a recent blog post from another page or site. Twitter widgets let users display individual tweets on websites, serving as real-time updates for site visitors. Similarly, Facebook widgets allow content from Facebook to be served when visiting a third-party website.

Widgets can be developed with a variety of development languages. Ajax-based widgets, for example, use the Google Ajax APIs to display Google Maps or other Google content. Many widgets use embedded snippets of JavaScript to allow organizations to display new products or news on the Web. A Twitter profile widget, for example, displays recent tweets on a website. The JavaScript snippet is simply embedded in the place where the user wants the tweets displayed. The JavaScript is executed in a visitor’s browser and the tweets are visible on the webpage. Basically, the website instructs Web browsers to execute code from multiple different Web servers simultaneously to create the webpage.

Security threats from Web 2.0 widgets

Malware authors started taking advantage of widgets as an attack vector several years ago, as noted in a 2008 advisory from Fortinet Inc.’s FortiGuard Center, which highlighted the Zango malware that was distributed by a malicious Facebook widget. Such threats aren’t exactly new, but similar ones are plentiful in the wild today, and like Web 2.0 applications themselves, they are constantly evolving.

Web 2.0 widgets pose a security risk not only to enterprises, but also to individual website visitors. Risk scenarios for the enterprise vary depending on the specific widgets used, but typically an individual employee falls prey by accessing malicious widget content on the Web; the widget plants malware on his or her computer that then seeks to infect the network or steal sensitive data stored on that computer.

Similarly, an enterprise faces risk from the Web 2.0 widgets it may incorporate into its own Web 2.0 applications for customer or public use. This is becoming an increasing concern as more companies seek to appear trendy by integrating Web 2.0 widgets from social networking platforms into their own websites and mobile applications. If those third-party widgets are malicious or compromised, a company’s Web visitors may execute malicious JavaScript or mobile code from multiple different websites, even though it looks like it is coming from a legitimate source (your organization’s website). Suddenly a company can find itself in a liability scenario, unknowingly spreading attackers’ malware to its Web visitors and customers.

Web 2.0 widgets: Enterprise defense strategy

Despite these threats, there are ways to securely allow widgets to be used in the enterprise, both by users for their own consumption and when building mashups for external use. To protect an organization’s Web visitors from malicious Web 2.0 widgets, there should first be a security awareness program in place for enterprise Web developers who include third-party widgets in websites they develop. Developers should be made aware of the potential risks from such widgets and taught to evaluate the security of the widgets before publishing them, a step easily forgotten given how simple it is to publish a new widget to a site.

From there, each individual widget’s functionality should be validated in a test environment to ensure basic malicious content cannot be distributed. Developers can evaluate the security of a widget by accessing the JavaScript code and carefully reviewing its functionality. To test for malicious content coming through a widget, like a Twitter stream, set up a Twitter account on a test website to see what is displayed by the widget when a variety of potentially malicious content is posted. An automated process can also check an organization’s website for malicious content delivered via widget. One such process might include a script running on a computer where multiple antimalware products are running. The script would download all of the content referenced from the widget to determine if any of the antimalware products generate an alert on the content. You could test this by publishing a link to the EICAR antivirus test file and seeing if your automated process detects it. This may not be possible with every widget, especially if the widget is a pre-compiled binary, but validating the output should still be possible.
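One way to build the automated check described above, as an added example that is not taken from the article or from any vendor’s product: parse the HTML a widget emits, collect every resource it tells the browser to load, compare each host against an allowlist, and run the fetched content through a detector. The widget markup, the allowlist, the canned HTTP responses and the `fake_fetch` helper are constructed for the example so it runs offline; the EICAR string stands in for the antimalware engines, which you would call in place of `eicar_detector`.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple
from urllib.parse import urljoin, urlparse

# EICAR test string, concatenated from two halves so this source file is not
# itself quarantined by an on-access scanner.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-" + "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class Finding(NamedTuple):
    url: str
    tag: str
    reason: str


class ReferenceExtractor(HTMLParser):
    """Collects every external resource a widget snippet tells the browser to load."""
    REF_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
                 "a": "href", "link": "href", "object": "data"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.refs: List[Tuple[str, str]] = []       # (tag, absolute url)
        self.hidden_frames: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        attr_name = self.REF_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        value = attr_map.get(attr_name)
        if not value:
            return
        url = urljoin(self.base_url, value)          # resolve relative references
        self.refs.append((tag, url))
        # A zero-sized iframe is the classic drive-by download carrier.
        if tag == "iframe" and attr_map.get("width") == "0" and attr_map.get("height") == "0":
            self.hidden_frames.add(url)


def eicar_detector(body: str) -> bool:
    """Stand-in for the antimalware engines; call the real scanners here."""
    return EICAR in body


def scan_widget(html: str, base_url: str, allowed_hosts: Set[str],
                fetch: Callable[[str], Optional[str]],
                detect: Callable[[str], bool] = eicar_detector) -> List[Finding]:
    """Flag references to unexpected hosts, hidden frames and content the detector alerts on."""
    parser = ReferenceExtractor(base_url)
    parser.feed(html)
    findings: List[Finding] = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append(Finding(url, tag, "host not on allowlist"))
        if url in parser.hidden_frames:
            findings.append(Finding(url, tag, "zero-sized iframe"))
        body = fetch(url)
        if body is not None and detect(body):
            findings.append(Finding(url, tag, "scanner alert on fetched content"))
    return findings


# Constructed sample data: the widget markup, hosts and responses are invented.
SAMPLE_WIDGET_HTML = """
<div class="feed-widget">
  <script src="https://widgets.example-social.com/widget.js"></script>
  <p>Latest: <a href="http://cdn.example-partner.net/offer.html">see offer</a></p>
  <iframe src="http://evil.example/loader.html" width="0" height="0"></iframe>
  <img src="/static/logo.png" alt="logo">
</div>
"""

FAKE_RESPONSES: Dict[str, str] = {
    "https://widgets.example-social.com/widget.js": "/* harmless widget code */",
    "http://cdn.example-partner.net/offer.html": "<html><body>offer</body></html>",
    "http://evil.example/loader.html": "<html><body>" + EICAR + "</body></html>",
    "https://www.example.org/static/logo.png": "PNG...",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP client; unknown URLs yield None (not fetched)."""
    return FAKE_RESPONSES.get(url)


def demo() -> List[Finding]:
    allowed = {"www.example.org", "widgets.example-social.com"}
    return scan_widget(SAMPLE_WIDGET_HTML, "https://www.example.org/", allowed, fake_fetch)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.tag:<7}{f.reason:<32}{f.url}")
```

Run against the sample, the partner link is reported only for being off the allowlist, while the hidden frame is reported three times: unknown host, zero-sized iframe, and a scanner alert on the EICAR body it serves. Replacing `fake_fetch` with a real client and `eicar_detector` with calls to the installed engines turns this into the nightly check the text describes; the EICAR case is the smoke test that the pipeline still alerts.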

To protect internal users from putting company networks and data at risk, use the standard antimalware protections. A combination of network and endpoint defenses will protect users from most malicious content encountered via a widget. Various network appliances—often the same devices your organization may use to block basic malware, Web proxies, etc.—include protections for social networking. Some devices offer this in the base functionality, but others require additional licenses or modules to monitor for these types of threats.

Awareness of the potential threats and ensuring that adequate antimalware protections are in place are critical to protecting against Web 2.0 widget threats. Malicious or hacked Web 2.0 widgets can easily distribute code from third parties that can harm your infrastructure, steal your sensitive data or abuse the trust consumers and Web visitors have in your organization. Going forward, it’s critical that your enterprise not only realize that these mashups can be dangerous, but also implement the proper protections and practices to prevent them from causing harm.

Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwest university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and in Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children’s Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.


INFORMATION SECURITY®

EDITORIAL DIRECTOR Michael S. Mimoso

SENIOR SITE EDITOR Eric Parizo

EDITOR Marcia Savage

MANAGING EDITOR Kara Gattine

NEWS DIRECTOR Robert Westervelt

SITE EDITOR Jane Wright

ASSOCIATE EDITOR Carolyn Gibney

ASSISTANT EDITOR Maggie Sullivan

ASSISTANT EDITOR Greg Smith

UK BUREAU CHIEF Ron Condon

ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce

COLUMNISTS Marcus Ranum, Bruce Schneier, Lee Kushner, Mike Murray

CONTRIBUTING EDITORS Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder

TECHNICAL EDITORS Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman

USER ADVISORY BOARD
Phil Agcaoili, Cox Communications
Richard Bejtlich, GE
Seth Bromberger, Energy Sector Consortium
Chris Ipsen, State of Nevada
Diana Kelley, Security Curve
Nick Lewis, ACM
Rich Mogull, Securosis
Craig Shumard, CIGNA
Marc Sokol, Guardian Life
Gene Spafford, Purdue University
Tony Spinelli, Equifax

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary

VICE PRESIDENT/GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Nick Dowd

SALES DIRECTOR Tom Click

CIRCULATION MANAGER Kate Sullivan

PROJECT MANAGER Elizabeth Lareau

PRODUCT MANAGEMENT & MARKETING Corey Strader, Andrew McHugh, Karina Rousseau

SALES REPRESENTATIVES
Eric Belcher [email protected]
Patrick [email protected]
Sean Flynn [email protected]
Jennifer Gebbie [email protected]
Jaime Glynn [email protected]
Leah Paikin [email protected]
Jeff Tonello [email protected]
Vanessa Tonello [email protected]
George [email protected]
Nikki Wise [email protected]

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Jeff Wakely

EUROPEAN DISTRIBUTION Parkway Gordon
Phone 44-1491-875-386
www.parkway.co.uk

LIST RENTAL SERVICES Julie Brown
Phone 781-657-1336 Fax 781-657-1100

Information Security’s Essential Guide to Threat Management is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.

TECHTARGET SECURITY MEDIA GROUP


RESOURCES FROM OUR SPONSOR

See ad page 14

• Explore some of the most prolific digital asset threats and risks facing organizations today

• Read the results from the Ponemon Institute’s Second Annual Cost of Cyber Crime Study

About HP Enterprise Security: HP is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market leading products from ArcSight, Fortify, and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection, and network defense technology to protect today's applications and IT infrastructures from sophisticated cyber threats.