Exposed: the 6 Need-to-Know Attributes of Advanced Cyber Attacks

Heimdal Security, published in Healthy paranoia, Sep 16, 2015

Every hour of your day is probably scheduled down to the minute. I know how that feels and I also know what it’s like to have little to no time to learn about things that aren’t immediately necessary. But the truth is that far more things affect your security, from the software you use to critical infrastructure, than you can possibly imagine. And we need to make time for it, before the damage is done.

Cyber security is not something reserved for technical people. Not anymore.

We’re all connected, which makes us all vulnerable. So learning about cyber security becomes imperative, not only for our current state, but especially for the fast changing, tech dominated world we live in.

As technology users, we should do two things:

  • Learn the fundamentals of cyber security so we can protect our own assets
  • Use that knowledge to make better choices when purchasing products or services.

Because our data is stored in a thousand different places, we need to become aware of how our data is managed and stored, before a data breach affects the companies we entrusted our information with.

And it’s not just what companies do to protect our data (and theirs), it’s what we do as well. We’re all part of the cyber security ecosystem and all our common faults fuel the malware economy.

We do so by never taking the time to debunk Internet security myths, by leaving our software outdated or by ignoring warnings from experts (and the list can go on).

For all of us to start taking more, faster steps in the right direction, we need to understand 2 essential things:

  • That cyber criminals are relentless, agile, fast and resourceful
  • That there is no security solution that can ensure 100% security (so antivirus is not enough to protect you).

Understanding the main characteristics of advanced cyber attacks can help you better grasp the severity of the issue, so you can plan accordingly for your safety, both online and even offline.

Why Current Cyber Attacks Are More Dangerous than You Imagine

Current day cyber attacks are advanced in terms of the tools and approaches they use. Cyber criminals have refined their tactics to increase the effectiveness of their attacks and also maintain their cover for as long as possible.

In order to achieve this, attackers use sophisticated exploit kits that never drop a file on the victim’s disk, malware that remains inactive for long periods until a trigger sets off the infection, and infrastructure that anonymizes their location and identities.

Attack patterns also become more intricate and more difficult to identify, and cyber criminals use a mix of methods to get to their victims, including social engineering or infecting third party service providers. When it comes to companies, the situation is even more serious, according to a 2015 study by CyberArk:

Most leading institutions have 200–300 high-risk, third-party relationships at a time.

That is because:

High-profile attacks reveal that malicious hackers target third-party vendors and supply chain partners as a backdoor into their primary target. Organizations in every industry provide network access to third-party vendors, which range from services companies and suppliers to external consultants.

Which brings us back to the importance of making informed choices when it comes to using online services or products to store, manage or process your data.

Also, keep in mind that financial malware uses the most advanced tactics and tools to spread infections, which is a very important reason for you to learn how to maximize your financial protection.

Attacks and attackers nowadays are also very aggressive.

They use services we use and trust to spread infections, as was the case with Google Drive being used to deliver CryptoWall infections.

They develop complex forms of ransomware, which take your data hostage and withhold it unless you pay a hefty sum. And even paying is no guarantee that you will ever regain access to your data.

Cyber criminals are also nimble and fast enough to seize the moment when an opportunity appears. When a new Zero Day vulnerability pops up, attackers can regroup and redirect their resources toward it, exploiting security holes that vendors may take days, weeks or even months to patch!

Attackers are also not afraid to threaten, extort or pressure their victims into performing certain actions or pay to regain access to their data. One of the most recent examples is the Ashley Madison hack.

As one CEO pointed out in CFO Signals:

Criminals are all automated to the teeth and the only way for companies to counter that is to be automated to the teeth as well to find those vulnerabilities…the bad guys only have to find one hole. We have to find them all.

Thousands of attacks are happening every single minute, and they’re carried out by automated systems working on the attackers’ behalf. Just take a look at a live attack map and remember that it only skims the surface.

Let’s take, for example, botnets, which cyber criminals use to carry out complex and strong attacks. By definition:

A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

Source: Wikipedia

Sometimes, attackers won’t compromise your computer just to steal data or money, but to enlist your PC in a botnet and use its resources (its computing power) to fuel their next attacks.

When it comes to automation, let’s not forget that there are even platforms that offer ransomware-as-a-service, such as Tox, making it very easy for cyber criminals to buy malware kits from underground markets and then use them for their own attacks.

Data exfiltration is also automated: the malware collects your personal data and sends it to a server the attackers control, to be used later for various purposes.

Another example of automation in cyber attacks are exploit kits.

An exploit kit is software that automates the identification and exploitation of vulnerabilities in a victim’s computer (typically via their web browser) to then deliver a malware payload to the target machine. Exploit kits have become a popular method for client-side infection and were responsible for the majority of client-side exploits researched by Trustwave throughout 2014.

Source: Trustwave 2015

Just like malware kits, exploit kits are also sold and bought in the underground markets, making it easy for attackers to carry out their malicious plans. Some kits don’t even require in-depth technical knowledge to use.

In this context, automated solutions are required to observe threats, gather intelligence and act on it to protect digital assets. This applies to home users and companies alike.

One example is given in the 2015 Cisco Annual Security Report, in the case of security holes in software:

Greater use of automatic updating may be one solution to the outdated software problem. When combined with the downturn in Java vulnerabilities and exploitation, the research clearly indicates that software that automatically installs its own updates seems to have an advantage in creating a safer security framework.

Cyber criminals are obstinate when it comes to achieving their objectives. That is why they build a feature called persistence into their malware.

Persistence is a computer program’s capability to continue to run after a system is restarted. If a piece of malware does not include persistence capabilities, a reboot of the infected system would effectively disable the attack until it was manually restarted.

Source: Trustwave 2015

There are various ways in which attackers integrate persistence into the malware they use, as the Trustwave 2015 report shows in its breakdown of the persistence mechanisms it observed.

Source: Trustwave 2015
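The most common of those mechanisms on Windows is simply an autorun entry (a Run key, a scheduled task, a service) that relaunches the malware at every logon or boot. The script below is an added example written for this page, not code from Heimdal or from the Trustwave report, and the autorun entries it scans are constructed for illustration. It runs a few triage rules that defenders actually use over an autorun export: a binary launched from a user-writable directory (no admin rights were needed to plant it), a script host such as powershell.exe started with hidden or encoded arguments, and a file carrying a core Windows binary name (svchost.exe, lsass.exe) from outside the Windows directory. The allowlist for per-user installs like OneDrive is an assumption; build yours from your own baseline.

```python
"""Triage Windows Run-key autorun entries for common persistence tells.

Added example; the entries and the rules are this editor's constructions, not
data or code from the Trustwave report or from Heimdal.
"""
import re
from typing import Dict, List, Tuple

# Constructed autorun export, one entry per line: registry location|value name|command.
CONSTRUCTED_AUTORUNS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|OneDrive|"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost|C:\Users\alice\AppData\Roaming\svchost.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VMware User Process|"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

# Environment variables commonly seen in autorun commands (assumed default install paths).
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# Directories a standard user can write to; malware persisting from here never needed admin rights.
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|temp|downloads|programdata|users\\public)\\")

# Per-user installs that legitimately run from AppData (assumed allowlist; extend from your baseline).
KNOWN_PER_USER = ("\\appdata\\local\\microsoft\\onedrive\\",)

# Script hosts / living-off-the-land binaries used to launch a second stage without dropping an EXE.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\b|-encodedcommand|-w(indowstyle)?\s+hidden|https?://|javascript:|\.hta\b)", re.I)

# Core Windows binary names; legitimate copies live only under the Windows directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"


def split_command(command: str) -> Tuple[str, str]:
    """Split a Run-key command into (executable path, arguments), expanding %windir%-style variables."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, args = command[1:end], command[end + 1:]
    else:
        exe, _, args = command.partition(" ")
    for var, value in ENV.items():
        exe = re.sub(re.escape(var), lambda _m: value, exe, flags=re.I)
    return exe, args.strip()


def assess(command: str) -> List[str]:
    """Return the persistence tells that a single autorun command trips (empty list = looks clean)."""
    exe, args = split_command(command)
    low = exe.lower()
    name = low.rsplit("\\", 1)[-1]
    tells = []
    if USER_WRITABLE.search(low) and not any(k in low for k in KNOWN_PER_USER):
        tells.append("runs from user-writable path")
    if name in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(args):
        tells.append("script host with hidden/encoded/remote arguments")
    if name in SYSTEM_BINARIES and not low.startswith(WINDOWS_DIR):
        tells.append("system binary name outside the Windows directory")
    return tells


def parse_autoruns(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited export into dicts with location, name and command."""
    entries = []
    for line in text.strip().splitlines():
        location, name, command = line.split("|", 2)
        entries.append({"location": location, "name": name, "command": command})
    return entries


def scan(text: str) -> Dict[str, List[str]]:
    """Map each suspicious entry's value name to its tells; clean entries are omitted."""
    findings = {}
    for entry in parse_autoruns(text):
        tells = assess(entry["command"])
        if tells:
            findings[entry["name"]] = tells
    return findings


if __name__ == "__main__":
    for value_name, tells in scan(CONSTRUCTED_AUTORUNS).items():
        print(f"{value_name}: {', '.join(tells)}")
```

Run against the constructed export, the script flags only the two planted entries: the fake svchost.exe under AppData\Roaming (two tells) and the hidden, encoded PowerShell launcher, while the SecurityHealth, OneDrive and VMware entries pass. Run keys are only one persistence location; the same rules apply to scheduled tasks, services and WMI subscriptions, and a real deployment diffs today’s export against a known-good baseline rather than judging entries in isolation.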

“Persistent” can also mean that an external command and control (C&C) system incessantly monitors and extracts data from a specific target, as is the case with Advanced Persistent Threats (APTs).

What’s more, there’s another aspect to persistence as well, mentioned in the article “The Economics of Persistent Cyber Attacks”:

“Usually these nation-state groups have an arsenal of these capabilities and they have dedicated people who are constantly developing them,” he said. “Someone gave them a mission to get into this one organization to steal their data, or do whatever action they came in to do. That job didn’t end just because it got hard or the door got shut down on them, so they try and get back, and get back persistently.”

The key lesson here is to realize that cyber criminals never give up. And neither should we.

Avoiding detection for as long a time as possible is essential for cyber criminals.

By laying low, attackers can infiltrate deeper into the victim’s system, they can gather more information about the user’s habits and collect more confidential data to then use in various ways.

And launching stealthy cyber attacks is not that difficult, because traditional antivirus products are not coping with the current challenges.

We keep doing the same thing over and over, expecting different results. The security industry has put a massive effort into delivering signatures faster and faster, trying to close the gap between when a new threat is detected to when the corresponding new signature is delivered.

But moving faster hasn’t made us demonstrably safer. Instead, it has led to nimbler attackers, who easily create and hide their exploits in an infinite number of ways.

Source: Net Security

The newest and most evolved forms of malware have a very low detection rate with most antivirus products, especially in a Zero Day vulnerability scenario.

What makes malware difficult to detect are features such as polymorphism and the ability to remain dormant. Cyber criminals can give the malware they create the ability to change its own appearance in order to evade detection by traditional security products (such as antivirus). Every new version requires a new signature, and antivirus solutions have a difficult time keeping up with the pace of cyber criminal activity.
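The following is an added illustration of that signature race, written for this page and not code from Heimdal or from any real malware. It uses a harmless constructed byte string as the “payload” and a simple XOR repacking step to stand in for a polymorphic engine. Each generation has a different hash and contains no fixed byte sequence, so a static signature (and a hash blocklist) matches none of them, while a scanner that emulates the unpacking step and inspects the decoded bytes catches every one. The simplification to note: real engines also mutate the decoder stub itself and add anti-emulation tricks, which is why behaviour-based detection is a complement to, not a replacement for, emulation.

```python
"""Why one signature per variant does not scale: a constructed polymorphism demo (no real malware)."""
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed stand-ins for a malicious payload and for the bytes an AV signature keys on.
PAYLOAD = b"CONSTRUCTED-SAMPLE: connect to c2, harvest credentials, exfiltrate"
SIGNATURE = b"CONSTRUCTED-SAMPLE"


def signature_scan(blob: bytes) -> bool:
    """A static signature engine: flags the file only if the known bytes appear verbatim."""
    return SIGNATURE in blob


def make_variant(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Emit a new generation of the same payload: XOR-encode with a fresh key, key carried in a header.

    Layout: [key length (1 byte)][key][encoded body]. A new key on every build gives a file
    with a different hash and no stable byte sequence for a signature writer to pick.
    """
    key = key or os.urandom(16)
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(key)]) + key + body


def unpack(variant: bytes) -> bytes:
    """What the variant does at run time: recover the real payload before executing it."""
    n = variant[0]
    key, body = variant[1:1 + n], variant[1 + n:]
    return bytes(b ^ key[i % n] for i, b in enumerate(body))


def emulating_scan(blob: bytes) -> bool:
    """A scanner that emulates the unpacking step and signature-scans the decoded bytes."""
    return signature_scan(unpack(blob))


def compare_engines(keys: Iterable[bytes]) -> Dict[str, int]:
    """Build one variant per key and count what each detection approach catches."""
    variants = [make_variant(PAYLOAD, k) for k in keys]
    return {
        "variants": len(variants),
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_detections": sum(signature_scan(v) for v in variants),
        "emulated_detections": sum(emulating_scan(v) for v in variants),
        "variants_running_same_payload": sum(unpack(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    # Random keys, as a real engine would use; three builds of the identical payload.
    for label, count in compare_engines(os.urandom(16) for _ in range(3)).items():
        print(f"{label}: {count}")
```

With three builds, the static engine reports zero detections against three distinct hashes, the emulating scanner reports three, and all three variants unpack to the same payload. That gap is the whole argument for pushing detection past raw byte matching.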

Moreover, advanced malware, such as the kind that targets victims for financial gain, can remain inactive (dormant) on the system for a long time. The malware activates only after a certain period or trigger, then collects information such as banking data, PIN codes, social security information, etc.

Another key element that cyber criminals use to anonymize their identities and location is the infrastructure they build and use. They spend a lot of time and resources to build, maintain and develop it. And gathering knowledge about this infrastructure is a huge asset in terms of developing protection against cyber attacks.

Another element that makes current cyber attacks so destructive is the fact that they’re targeted. Cyber criminals customize their attacks around weaknesses identified in the victim’s system (usually security holes in outdated software).

Attackers can have several objectives, from taking control of a certain computer, to enrolling it in a botnet, to encrypting the data on the entire drive, as is the case with ransomware.

A range of other factors is also in play, according to Trustwave 2015:

Cybercriminals who select their target first usually do so based on the industry and the type of data the organization is likely to process or store. If the attacker chooses to compromise the target via the web application, they analyze this target vector through manual interaction to get a feel for how the application operates and how it might be vulnerable.

Targeted attackers do not focus solely on known vulnerabilities within public software. They will also spend time interacting with their target’s public-facing applications to determine whether they can explain proprietary or custom-coded applications.

They also take special care to avoid detection by security systems so that they can access a system for a longer period without interruption.

Source: Trustwave 2015

Of course, not all attackers focus on targeted tactics. Some of them prefer a more opportunistic approach:

Opportunistic attackers will identify targets based on search engine query results or by sequentially scanning network block ranges for listening web servers. This information helps an attacker determine what publicly facing web servers are hosting applications that are vulnerable to exploit.

Source: Trustwave 2015

Conclusion

These essential features that define cyber attacks in our era are just the tip of a very complex iceberg whose dimensions we cannot yet calculate. What’s certain is that it’s only going to get more complicated.

The good news is that cyber defense mechanisms are also improving, and authorities are doing their part to ensure that attackers’ tactics are unsuccessful. But besides that, you and I, as home users, need to play our part and take responsibility for our data’s security, integrity and accessibility.

And we can do it too, if we just devote a bit of time to educating ourselves on the fundamentals of cyber security. And there’s an opportunity just a click away.

Originally published at heimdalsecurity.com on July 29, 2015.
