Insights on IT risk | March 2011

Countering cyber attacks


Although companies worldwide have been dealing with opportunistic cyber attacks for years, many now find themselves the target of the advanced persistent threat (APT), which is characterized by more sophisticated and concentrated efforts. APT attacks are focused on a single target, lasting until they are in, and are meant to collect information over a long period of time. They leave few signs of their success, wanting to stay hidden for as long as possible in order to acquire large amounts of sensitive information.

The information targeted is specific. Attackers are not looking to just grab anything they come across — the target is an organization’s valuable intellectual property.

No single technology or process will stop the APT, and traditional security methods are proving to be ineffective against these threats. While many organizations are vulnerable to attack because they have under-invested in security in the past, simply shoring up existing and conventional defenses is not enough; new approaches and increased vigilance are required. Protecting against these types of threats requires several layers of defense, knowledge of the threat, and advanced skills to detect and react to ongoing and successful attacks.

• Recent high-profile attacks have gained the attention of many executives of large, global companies.

• These attacks are sophisticated and targeted against specific companies and often target specific employees to gain entry.

• The goal is unnoticed infiltration with a long-term presence to steal as much information as possible.

• Countering these attacks is complex and must involve prevention, detection and response.

• We are not aware of any organizations that have successfully stopped these threats. Smart organizations focus on effective detection and fast response.

• It takes time to develop a mature program.

• The threat landscape is changing, risks are increasing and companies need to change their mind-set and approach toward information security (i.e., establish a “new normal”).


The evolving threat landscape

Despite its roots as a collaboration between defense and research, the early internet was a place where users trusted each other. Bad behavior was generally more mischief than attack, and it typically was motivated by challenge or glory. But as the internet grew, it eventually came to resemble the real world, containing friends and business associates, playgrounds and workplaces, and good guys and bad guys.

Today’s internet serves as critical infrastructure for both government and commerce, and it has attracted a new class of attacker. State-sponsored entities are now targeting specific organizations, as opposed to the more opportunistic attacks that we’ve seen in the past. If one attack fails, another one will be tried — again and again. This persistent nature makes these groups more dangerous and defenses against them more important than ever.

Recent high-profile attacks against several enterprises have been a wake-up call for organizations and information security professionals alike in recognizing this new level of threat.

Figure: Threat — target landscape (axes: risk against resources and sophistication of attacks). The spectrum runs from unsophisticated attackers, whose targets are anyone with a vulnerability, through increasing sophistication and organization (criminally motivated), to corporate espionage and the advanced persistent threat.

• “Hobbyists”: fun; challenge

• Organized crime: criminal intent; more coordinated attacks; financially motivated (e.g., theft of credit card numbers for use or sale)

• Corporate espionage: economically motivated; theft of intellectual property; well-funded, sophisticated resources

• Advanced persistent threat (APT): long-term pattern of targeted, sophisticated attacks aimed at governments, companies and political activists; politically and economically motivated


The evolving threat landscape

Opportunistic threats: Opportunistic threats may be motivated financially, or simply by a desire for vandalism, but they strike at the softest targets available. Often initiated by simple vulnerability scanning, access to stolen passwords or discovery of misconfigured applications, the attacks are usually indiscriminate and strike once and move on. Denial of service attacks, web defacement and even the theft of financial information are types of opportunistic threats.

Advanced persistent threat: The APT collects information from a specific group of organizations. The population of target victims has clearly grown over the last several years, and the attackers will use any means possible to exploit the target. The APT is characterized by substantial reconnaissance to identify individuals within the organization, long periods of persistence (measured in years) and a desire to remain undetected for as long as possible.

Two main types of threats have established themselves: the opportunistic threat and the continuous and orchestrated APT. While the results may be similar — infiltration, unauthorized access and theft — the motivation behind each is entirely different.

Target industries and motivation

Government contractors
• Theft of intellectual property (e.g., equipment test data)
• Theft of government classified information

Technology providers
• Theft of intellectual property to bring competing products to market with less R&D time and investment
• Theft of corporate secrets to gain competitive advantage in negotiating contract and buying terms

Manufacturing
• Theft of intellectual property to bring competing products to market with less R&D time and investment
• Theft of corporate secrets to gain competitive advantage in negotiating contract and buying terms

Any organization with intellectual property that would be useful in a growing economy is a potential target of the APT.

Who is a target?

Originally, the APT targeted military and government entities before moving to softer targets that had military or intelligence value — namely western defense contractors. More recently, the APT has expanded to a new set of targets, including manufacturing, financial, energy and high-tech engineering companies. We have assisted numerous APT victims that are not defense contractors, but produce technology with an economic value — particularly to developing nations. The APT targets any company with useful intellectual property.


Drive security strategy based on the “new normal”

Given the continuous and persistent threat posed by the new wave of attack channels and malicious actors, now is the time for businesses to establish a “new normal,” i.e., instill a new mind-set and approach into driving the organization’s security strategy.

Traditional approach: Response to security incidents limited to the “how?” (“How did the attacker get into the network?”)

The new normal:
• Organizations must answer the questions “what?” and “why?”. Start with a threat-centric analysis by understanding the attacker, and therefore identifying what data the attacker wants to collect.
• Start by focusing your protection, detection and response efforts around this highest-risk data.

Traditional approach: Assumption that the corporate infrastructure is secure until evidence is presented to prove otherwise

The new normal:
• It should be assumed that there are pockets of the corporate infrastructure that have already been infiltrated.
• This shift in mind-set will drive an intelligence-based approach that is necessary to build a solid strategy to identify and combat the continuous threat of the new wave of malicious actors.
• Develop detection mechanisms that go beyond AV (antivirus) and IDS (intrusion detection systems), and proactively seek evidence of compromise.

Traditional approach: Outcome of projects in the security portfolio is based on the procurement and deployment of security tools

The new normal:
• Well-trained, expert incident detection and response staff provide a defense against today’s complex threats. Ongoing security efforts must continuously incorporate actionable intelligence from the threat team to engineer and fine-tune automation achieved by assessment and identification tools.
• Projects in the security portfolio must be justifiable based on results presented by the threat team.

Traditional approach: “Red Team” is another term for the capability to counter routine attack and penetration

The new normal:
• Red Teams add new value when used to validate existing detection and response mechanisms. When conducted regularly, they can serve as a gauge for effectiveness and a way to measure improvement.
• The scope of Red Team activities should go beyond technical assets to include the protection of high-risk personnel and executives.
• Red Team efforts must not be hindered by corporate bureaucracy. Executive leadership should grant Red Team activities greater autonomy to investigate, assess and respond to critical events and suspicious activity.

Traditional approach: Emerging attack vectors are an academic endeavor

The new normal:
• The tactics used by the more sophisticated attackers are increasingly geared toward channels that bypass perimeter controls. These tactics are no longer an academic projection of the future but a current reality. As such, the following should be included in the portfolio of security projects:
• Hardening of web browser, laptop and mobile device configurations, especially for high-risk personnel, including executives.
• Further enhancement of application security assessment and developer training efforts, incorporating emerging attack vectors that aim to create channels to bypass perimeter controls.
• A solid approach to security controls and monitoring of cloud applications and services.

Countering the evolving threat landscape


The new normal

• Organizations should strive to identify why particular elements of the business are of interest to the enemy.

• It should be assumed that there are pockets of the corporate infrastructure that have already been infiltrated.

• Red Team efforts must not be hindered by corporate bureaucracy. Executive leadership should grant Red Team activities greater autonomy to investigate, assess and respond to critical events and suspicious activity.

• The tactics used by the more sophisticated attackers are increasingly geared toward channels that bypass perimeter controls. These tactics are no longer an academic projection of the future, but a current reality.

Figure: Degree of response by threat level (basic, intermediate, advanced). The figure places the following controls along the scale; the exact level each control is assigned to is not recoverable from the extracted text:

• Disconnection from internet
• Outbound gateway consolidation
• PC virtualization
• Refocused patching and configuration management efforts
• Sensitive data “airgapped”
• Proprietary email scanning
• Sensitive data/networks segregated
• Searchable event repository
• Counterintelligence operation
• Constant phishing simulation
• Proxy authentication
• Network instrumentation
• Improved access control
• Build incident response capability


An example of an APT attack

A recent APT attack analyzed by Ernst & Young was executed in two parts: 1. malicious software (malware) download and 2. hidden execution. The malicious code exploited an unknown vulnerability in the Internet Explorer web browser known as a zero-day exploit. The nefarious aspect of a zero-day exploit is that traditional signature-based antivirus tools are unable to pick up the attack because attackers test their malware against commercial packages. To load the malware, attackers rely on end users clicking on a hyperlink or opening an attachment in which the browser is forced to download the malware. While the company did not detail how the payload was delivered, this part of the attack can be achieved in a number of ways:

• Using specifically crafted emails (phishing or spear-phishing) to entice a recipient to click on a link in the message or open an attachment

• Embedding hyperlinks (URLs) in instant messaging conversations

• Compromising a website and replacing legitimate links with links that now contain the malware

• Spoofing a website either by using a similar name (famous example: whitehouse.com instead of whitehouse.gov) or by hacking a victim’s DNS server such that legitimate hyperlinks now point to the attacker’s server

• Compromising a user’s social network credentials (e.g., MySpace, Facebook, LinkedIn), by posting URLs or TinyURLs that encourage friends to go to that link

The number of methods to induce a user to click on a link is limited only by the creativity of the attackers.

Once the malware is in, it can take on different forms and functions. In the example attack, it morphed and split itself into the final version of the malware, maintaining itself in an encrypted form until it needed to be executed. The basic function of the malware in this attack was similar to previous APTs: creation of a backdoor communications channel to the attacker’s home systems over an encrypted channel, retransformation of the malware, duplication, search of the enterprise and remote removal of targeted information.

What should be noticed is that while the payload itself is advanced and extremely sophisticated, the means by which the malware is inserted into the environment is not. Phishing, social engineering, hacking a website and user credential theft were all issues long before the APT appeared.

How does the attack unfold?

Reconnaissance
How?
• Recent conference attendees
• Executive biographies
• Previously stolen emails
Challenge:
• The APT probably knows which users hold sensitive data better than you do.

Attack
How?
• Phishing email
• Vulnerability scan
• Removable media
• Web application
Challenge:
• Although initial attacks are sophisticated, they are not frequently needed.

Run malware
How?
• Add new accounts
• Increase permissions
• Install back door
• Exfiltrate SAM file
• Install scanning tools and scan
Challenge:
• From this point forward, APT can and will be using legitimate accounts. IDS or AV will be oblivious.
• Malware can sleep to avoid detection.

Pivot
How?
• Use stolen accounts to strengthen foothold
• Attack newly discovered vulnerable devices
Challenge:
• The APT will lie low and pivot as needed. They will re-establish footholds if they detect their presence is in jeopardy.

Exfiltrate
How?
• Log onto target system remotely, using stolen credentials
• Package data in password-protected archives
• Exfiltrate data to intermediate servers via company proxies
Challenge:
• Malware is usually not on the target devices.
• Exfiltration is staged carefully and executed very quickly.
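The exfiltrate stage above relies on the company’s own proxies to move password-protected archives out to intermediate servers, and the paper later asks for key network egress points to be monitored. The following is an added example, not code from the paper or from Ernst & Young: it scores outbound uploads in proxy logs per user and destination against the indicators the text names (archive content leaving the network, a destination outside the normal upload baseline, a burst of volume, activity outside business hours) and raises an alert only when several indicators coincide, so a routine large upload to a known service does not page anyone. The log layout, the sample lines, the baseline, the 50 MiB threshold and the 07:00–18:59 business-hours window are all assumptions.

```python
"""Flag possible data exfiltration through the corporate web proxy.

Added example, not from the original paper. It scores outbound uploads per
(user, destination) against indicators the text lists: archives leaving via
the proxy, unusual destinations, bursts of volume and off-hours activity.
Log format, thresholds and business hours are assumptions.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample lines (assumed layout: ts user method url status bytes_out content_type).
SAMPLE_LOG = """\
2011-03-01T02:14:07Z jdoe CONNECT cdn.example-update.net:443 200 4021 -
2011-03-01T02:14:12Z jdoe POST https://203.0.113.45/upload 200 52428800 application/x-rar-compressed
2011-03-01T02:14:40Z jdoe POST https://203.0.113.45/upload 200 52428800 application/x-rar-compressed
2011-03-01T02:15:03Z jdoe POST https://203.0.113.45/upload 200 31457280 application/octet-stream
2011-03-01T09:30:11Z asmith GET https://www.example.com/news 200 812 text/html
2011-03-01T10:02:54Z asmith POST https://mail.example.com/send 200 204800 multipart/form-data
"""

# Baseline of destinations the organisation routinely uploads to (constructed).
KNOWN_DESTINATIONS = {"www.example.com", "mail.example.com"}
ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed",
                 "application/x-7z-compressed", "application/x-tar", "application/gzip"}
UPLOAD_METHODS = {"POST", "PUT"}
BUSINESS_HOURS = range(7, 19)           # assumed: 07:00-18:59 in the log's time zone
BYTE_THRESHOLD = 50 * 1024 * 1024       # assumed: 50 MiB per (user, destination) per window


def parse_line(line):
    """Split one proxy log line into a dict; CONNECT lines carry host:port, not a URL."""
    ts, user, method, url, status, bytes_out, ctype = line.split()
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "method": method, "host": host, "status": int(status),
            "bytes_out": int(bytes_out), "ctype": ctype}


def max_window_bytes(events, window):
    """Largest number of bytes uploaded within any span of length `window` (two-pointer sweep)."""
    events = sorted(events, key=lambda e: e["ts"])
    best = running = start = 0
    for i, e in enumerate(events):
        running += e["bytes_out"]
        while e["ts"] - events[start]["ts"] > window:
            running -= events[start]["bytes_out"]
            start += 1
        best = max(best, running)
    return best


def egress_alerts(lines, known_destinations, window=timedelta(hours=1), min_indicators=2):
    """Return one alert per (user, destination) showing at least `min_indicators` exfiltration signs."""
    uploads = {}
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["method"] in UPLOAD_METHODS:
            uploads.setdefault((e["user"], e["host"]), []).append(e)

    alerts = []
    for (user, host), events in uploads.items():
        reasons = []
        archive = {e["ctype"] for e in events if e["ctype"] in ARCHIVE_TYPES}
        if archive:
            reasons.append("archive content type uploaded: " + ", ".join(sorted(archive)))
        total = max_window_bytes(events, window)
        if total > BYTE_THRESHOLD:
            reasons.append(f"{total} bytes uploaded within {window} exceeds threshold")
        if host not in known_destinations:
            reasons.append("destination not in upload baseline")
        if any(e["ts"].hour not in BUSINESS_HOURS for e in events):
            reasons.append("upload outside business hours")
        if len(reasons) >= min_indicators:
            alerts.append({"user": user, "host": host, "window_bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_LOG.splitlines(), KNOWN_DESTINATIONS):
        print(f"{alert['user']} -> {alert['host']}: {alert['window_bytes']} bytes")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the constructed lines, the three early-morning uploads of RAR data to an unlisted address collect all four indicators and produce a single alert, while the user posting a form to the corporate mail gateway during the day produces none. Requiring two or more indicators is the design choice that keeps this usable on a real proxy: any one of volume, archive type or an unknown host is common on its own, and the text’s warning that exfiltration is “staged carefully and executed very quickly” is why the volume check uses a sliding window rather than a daily total.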


Plan
• Assess environment
• Identify and remediate gaps
• Develop incident response plan

Protect
• Harden environment
• Improve authentication
• Manage privileged accounts
• Limit unnecessary communication
• Potentially reduce user privileges

Detect
• Network security monitoring program in place — not just IDS
• Key network egress points monitored
• Logs archived and analyzed
• Key host information collected

Respond
• Computer Incident Response Team (CIRT) staffed and trained
• CIRT chartered with authority to drive response
• Response and remediation cycle times are measured
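The “Run malware” stage of the attack walk-through warns that once the APT adds accounts and raises permissions, it operates through legitimate credentials that IDS and antivirus will not notice, which is exactly why the Detect list asks for logs to be archived and analyzed and for key host information to be collected. The following is an added example, not code from the paper or from Ernst & Young: it correlates host security-log records per account and alerts when a newly created account is, within a day, either added to a privileged group or used for a remote logon. The record layout and sample events are constructed and simplified; the event IDs (4720 account created, 4728/4732/4756 member added to a group, 4624 successful logon) and logon types 3 and 10 are standard Windows Security log values, and the privileged-group list and 24-hour window are assumptions.

```python
"""Correlate host security-log records to catch the 'add new accounts, increase
permissions, then use legitimate accounts' pattern.

Added example, not from the original paper. Record shape is a constructed,
simplified view of Windows Security events; the event IDs (4720 account created,
4728/4732/4756 member added to a group, 4624 successful logon) are standard
Windows IDs, everything else is an assumption.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = {4720}
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
LOGON = {4624}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}  # assumed watch list
REMOTE_LOGON_TYPES = {3, 10}   # network and RemoteInteractive (RDP) logons

# Constructed sample records.
SAMPLE_EVENTS = [
    {"ts": "2011-03-01T01:58:20Z", "event_id": 4720, "host": "FS01", "subject": "svc_backup", "target": "mshelp"},
    {"ts": "2011-03-01T02:01:05Z", "event_id": 4732, "host": "FS01", "subject": "svc_backup", "target": "mshelp", "group": "Administrators"},
    {"ts": "2011-03-01T02:03:44Z", "event_id": 4624, "host": "FS01", "subject": "mshelp", "target": "mshelp", "logon_type": 10, "source_ip": "10.20.30.40"},
    {"ts": "2011-03-01T09:15:00Z", "event_id": 4720, "host": "DC01", "subject": "hr_admin", "target": "new.hire"},
    {"ts": "2011-03-01T09:16:30Z", "event_id": 4732, "host": "DC01", "subject": "hr_admin", "target": "new.hire", "group": "Remote Desktop Users"},
    {"ts": "2011-03-01T14:00:00Z", "event_id": 4624, "host": "WS07", "subject": "new.hire", "target": "new.hire", "logon_type": 2, "source_ip": "-"},
]


def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")


def account_lifecycle_alerts(events, window=timedelta(hours=24)):
    """Return alerts for accounts that are created and, within `window`, either
    gain a privileged group membership or are used for a remote logon."""
    by_account = {}
    for rec in sorted(events, key=_ts):
        by_account.setdefault(rec["target"], []).append(rec)

    alerts = []
    for account, recs in by_account.items():
        created = next((r for r in recs if r["event_id"] in ACCOUNT_CREATED), None)
        if created is None:
            continue                      # only newly created accounts are in scope here
        t0 = _ts(created)
        reasons = [f"account created by {created['subject']} on {created['host']}"]
        for r in recs:
            delta = _ts(r) - t0
            if not timedelta(0) <= delta <= window:
                continue
            minutes = int(delta.total_seconds() // 60)
            if r["event_id"] in GROUP_MEMBER_ADDED and r.get("group") in PRIVILEGED_GROUPS:
                reasons.append(f"added to privileged group {r['group']} {minutes} min after creation")
            elif r["event_id"] in LOGON and r.get("logon_type") in REMOTE_LOGON_TYPES:
                reasons.append(f"remote logon (type {r['logon_type']}) from {r['source_ip']} "
                               f"{minutes} min after creation")
        if len(reasons) > 1:              # creation alone is routine; creation plus follow-on use is not
            alerts.append({"account": account, "created": created["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in account_lifecycle_alerts(SAMPLE_EVENTS):
        print(alert["account"], alert["created"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the constructed events the account created by a service account on a file server, placed in Administrators three minutes later and then used over RDP, is reported with all three reasons, while the ordinary new-hire account (created by an HR administrator, given Remote Desktop Users, logged on interactively) is not. The rule deliberately keys on the sequence rather than on any single event, because each event on its own is something a help desk does every day; it also assumes the log records have been centralised, which is the “logs archived and analyzed” prerequisite the paper lists.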

Next steps

Given the continuous and persistent threat posed by the new wave of attack channels and malicious entities, now is the time for businesses to establish a “new normal,” that is, to instill a new mind-set and approach toward the organization’s security strategy. Organizations need to better understand the threats and their potential risks (e.g., are they a likely target for an APT or just an opportunistic threat?). Based on a better understanding of their risks, companies should examine their current security strategy, controls, and maturity of controls to determine their gaps and weaknesses. This may seem like an obvious first step, but recent experience shows that many companies have defined their security programs and required controls based on compliance requirements as opposed to risk. A compliance-driven approach to security may not only increase cost due to repetition of activities, but the core notion of reducing enterprise risk is often absent. Organizations that merely focus on third-party requirements and regulations in lieu of a holistic approach to business risk end up driving compliance, not security.

If you think that you may be the target of an APT, consider the actions you should take. Remember that your security program needs to include elements to protect against these threats, detect an ongoing or successful attack, and be able to effectively respond to the attack. Given the nature of the APT, no one control or countermeasure is likely to be effective; a defense-in-depth strategy is paramount.

Finally, if you are a high-risk organization, take action as if you have been compromised. Given the ability of APT malware to evade normal prevention and detection mechanisms, if you haven’t taken specific measures to protect yourself, you may already be a victim and not know it.

Ernst & Young’s incident response services

Ernst & Young has proven experience in handling advanced threats and building incident response capability. We assist clients in building a sustainable in-house capability to plan for, protect against, detect and respond to cybersecurity incidents, and we provide investigation and remediation services in the event of a breach.

We offer a proactive APT assessment to evaluate vulnerability to common APT attack vectors and to identify whether an APT or malware attack has occurred.


Why Ernst & Young?

Ernst & Young is the most globally integrated professional services organization in the world, with more than 141,000 professionals working in 41 countries. World-renowned for our assurance, tax, transaction and business advisory services, Ernst & Young is also a global leader in the field of information technology risk and security.

For more than 20 years, our clients have benefited from an extensive portfolio of professional services in assessment, remediation, design and implementation of effective enterprise security services. Ernst & Young brings together an unparalleled team of highly experienced industry, security, privacy and risk management professionals to meet the complex needs of some of the most data-intensive organizations in the world. We have developed proven, industry-leading methods, tools and resources to address our clients’ information risk management challenges and to support the ongoing security, integrity and availability of our clients’ information assets and processes.

As a large established professional services organization, Ernst & Young’s name and experience lend weight to each project we undertake: we provide a broad business risk perspective that will enhance a project’s value with your senior management and your audit committee.

Companies choose to work with us because of our intense client focus, and our deep technical and sector-based business knowledge. We have earned a reputation as a leading innovator because we invest heavily in our people, our processes and in our technology capabilities.

Our IT risk and assurance professionals assist clients to use technology to achieve a competitive advantage. They advise on how to make IT more efficient and how to manage the risks associated with running IT operations. They focus on helping clients improve and secure their technology so that it serves the business effectively and enhances results: this includes several focused competency groups, including application controls and security, third-party reporting and IT risk advisory.

Our privacy advisors assist clients with enabling the governance, risk and compliance efforts related to the use of personal information, assessing enterprise privacy risk, leading privacy internal audits and inventorying the use of personal information in business processes, technologies and third parties.

Our Information Security practice offers a wide range of management, assessment and improvement services. Our targeted security services help our clients maintain the appropriate alignment between their security, IT and business strategies, enabling them to maintain their focus on their business needs while addressing their security and risk issues.


Contacts

Global

Norman Lonergan (Advisory Services Leader, London)
+44 20 7980 0596 [email protected]

Paul van Kessel (IT Risk and Assurance Services Leader, Amsterdam)
+31 88 40 71271 [email protected]

Advisory Services

Robert Patton (Americas Leader, Atlanta)
+1 404 817 5579 [email protected]

Andrew Embury (Europe, Middle East, India and Africa Leader, London)
+44 20 7951 1802 [email protected]

Doug Simpson (Asia-Pacific Leader, Sydney)
+61 2 9248 4923 [email protected]

Naoki Matsumura (Japan Leader, Tokyo)
+81 3 3503 1100 [email protected]

IT Risk and Assurance Services

Bernie Wedge (Americas Leader, Atlanta)
+1 404 817 5120 [email protected]

Paul van Kessel (Europe, Middle East, India and Africa Leader, Amsterdam)
+31 88 40 71271 [email protected]

Troy Kelly (Asia-Pacific Leader, Hong Kong)
+85 2 2629 3238 [email protected]

Giovanni Stagno (Japan Leader, Chiyoda-ku)
+81 3 3503 1100 [email protected]


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

About Ernst & Young’s Advisory Services

The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 20,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.

© 2011 EYGM Limited. All Rights Reserved.

EYG no. AU0768

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

www.ey.com