A change is necessary in the mind-set about how we protect IT to an approach that sees attacks as a part of doing business.
By Mike Auty
When a business is the subject of a breach, emotions often run high. The immediate reaction tends to originate from an emotional place: "Why would someone do this to me?" "Who is responsible?" And ultimately, the organization wants the infiltrator out. However, once the background to nation-state hacking and the way these attacks operate are understood, a change is necessary in the mind-set about how we protect IT, towards a reasoned and rational approach that sees attacks as a part of doing business.
It is rarely considered that for most nation-state sponsored attackers, targeting foreign companies is a day job: it is more economically feasible to steal $500,000 of research than to spend $2,000,000 and two years conducting the research themselves. The consequences are minimal, in part because accurate attribution is so difficult to achieve, but even when the perpetrator is identified, geo-political boundaries prevent any kind of direct action. So the primary risk the attacker faces is getting caught, having their foothold removed and then having to start over.
Malware is one of the easiest ways in for attackers. The game is stacked in their favour for several reasons:
- They have unlimited time.
- They have unlimited resources.
- There is little recourse that can be taken across multiple international borders.
- An organization needs to focus on executing its business strategy, not solely pouring resources into its defences.
There are, however, a few rules that the attacker must play by as well:
- The attackers need their code to run inside the target organization.
- The attackers need to communicate back out if they want to have control once inside.
- The attackers need to maintain visibility on the areas of the organization that hold the information they seek.
Generally, the attackers are not physically present within the target company because the risk and cost are far greater. Therefore, they can only see what they can access over the network. They are attempting to sustain access, so their biggest problem is being detected and then booted out of a system. Another driver for attackers is to attack only a few key points to avoid detection.
It is common to find the same malware strain being used by attackers, irrespective of the size or sophistication of the target. It will be rewritten and upgraded, but the core code and functionality remain the same. This has been witnessed numerous times, and what is also clear is that this malware can obtain large amounts of sensitive and valuable data whilst evading detection for years.
In many examples that we (MWR InfoSecurity) have investigated, malware infections were identified months after the initial infection and only a few machines were compromised. In addition, there were long periods of inactivity between the bursts of actual attacker activity, and the techniques in use showed advancement over time. However, in the historic examples, simple and obvious methods of persistence and beaconing behaviour were witnessed.
Based on these factors, it is time companies started accepting that doing business means dealing with nation-state actors who will penetrate their networks, depositing malware by means of spear phishing and targeting specific, underused machines. Although it is possible to detect these incidents, getting to that point can sometimes take years, often with attackers compromising a machine and letting it sit dormant until they strike.
Attackers and malware are generally discovered at the point when they are trying to make outside communications or when persistent behaviour is recognised. For many businesses the question of attribution then rears its head, and this is usually based on misconceptions of how attackers function. For example, there is still a naive assumption that the host country of the IP addresses seen to be conducting the attack must be that of the attackers. The truth is that the IP addresses carrying out the attack may just be the last in a long chain of connections. It’s also likely that the country hosting the IP will not be friendly with the country of the victim machine, so that attempts to trace it further will likely fail. In short, every attempt at attribution comes with an element of uncertainty and thus is, on the whole, futile for anyone other than a government power.
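The outbound beaconing that gives attackers away, as the paragraph above describes, can be found with a simple periodicity check over proxy logs. The following is an added example, not code from the article or from MWR InfoSecurity; the log format, host names and domains are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the article): "<timestamp> <src_host> <dst_domain>".
# ws-finance-07 calls out every ~10 minutes; ws-sales-02 is a person browsing.
SAMPLE_LOG = """\
2015-03-02T09:00:00 ws-finance-07 cdn.example-update.test
2015-03-02T09:10:01 ws-finance-07 cdn.example-update.test
2015-03-02T09:19:58 ws-finance-07 cdn.example-update.test
2015-03-02T09:30:03 ws-finance-07 cdn.example-update.test
2015-03-02T09:40:00 ws-finance-07 cdn.example-update.test
2015-03-02T09:50:02 ws-finance-07 cdn.example-update.test
2015-03-02T09:01:12 ws-sales-02 news.example.test
2015-03-02T09:01:40 ws-sales-02 news.example.test
2015-03-02T09:17:05 ws-sales-02 news.example.test
2015-03-02T09:52:33 ws-sales-02 news.example.test
2015-03-02T10:44:10 ws-sales-02 news.example.test
"""

def parse_log(text):
    """Yield (src, dst, timestamp) tuples from the space-separated format above."""
    for line in filter(None, text.splitlines()):
        ts, src, dst = line.split()
        yield src, dst, datetime.fromisoformat(ts)

def find_beacons(text, min_events=5, max_cv=0.05):
    """Return {(src, dst): (events, median_interval_s, cv)} for host/destination
    pairs whose connections recur at near-constant intervals. cv is the
    coefficient of variation (stdev / mean) of the inter-arrival times; a low
    cv means a regular timer, which is what a simple beacon looks like."""
    seen = defaultdict(list)
    for src, dst, ts in parse_log(text):
        seen[(src, dst)].append(ts)
    results = {}
    for key, times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            results[key] = (len(times), statistics.median(gaps), round(cv, 4))
    return results

if __name__ == "__main__":
    for (src, dst), (n, period, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} connections every ~{period:.0f}s (cv={cv})")
```

Real beacons often add jitter or sleep for days between bursts, so in practice the window is widened and the check is combined with destination reputation and the "few underused machines" pattern the article describes.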
Aside from the question of ‘who is attacking me?’ the next decision made is normally a knee-jerk emotional reaction which sees organizations immediately take the stance that there is someone on their systems trying to do something bad to them, and so they want it stopped and gone as soon as possible.
This is irrational for several reasons: firstly, the malware has likely been present for over a year. Anything it was going to do it has already done. Secondly, there’s an assumption that this was the only malware present, as opposed to simply one of many examples that the attacker had deployed as backup methods of entry to the organization.
A more fruitful approach would be to detect the threat actor and contain it. Monitor it. Know it is there without the attacker having any idea they’ve been spotted. That way, they are fooled into still thinking they have a foothold in the organization but, in reality, you have the upper hand. At the same time, if you are also watching their traffic and able to read that traffic, you know exactly what impact they are having.
Your advantage immediately disappears as soon as you broadcast that you’ve spotted them and remove their malware. They also disappear from sight leaving you with the challenge of finding them when they inevitably return.
There needs to be a fundamental transformation from seeing attacks as unusual events brought about by people out to do us direct harm, where our emotions and reflex actions overtake reasoned and rational thinking, to one where these attacks are viewed as a part and parcel of doing business.
If this leap is made, then responding to these attacks with calm, measured actions driven by strategic thinking will be completely possible. By accepting that the people who are intent on breaking into large and complex IT systems will achieve it if they really want to, we can design networks to ensure that the things of most value to our business are those that are most protected. This will make organizations more resilient, able to accept minor losses, and able to operate in a world where incursions are of less consequence in the board room, leaving time to grow the business rather than a mounting sense of despair and paranoia.
Mike Auty is senior security researcher at MWR InfoSecurity.