Enterprises are under constant seige from cyberthreats that continue to evolve to new levels of sophistication, reports Deb Radcliff.

Cyberthreats and their attack vectors haven't changed much over the past year, but the criminal underground is unleashing more sophisticated, layered and persistent attacks that are harder to detect. The other change is that, thanks to Stuxnet, there is now the imminent threat of similarly advanced cyberterrorist and politically sponsored attacks.

“The unsophisticated attacks account for 90 percent of successful breaches, but only for 10 percent of data losses,” says Wade Baker, director of risk intelligence for Verizon Business, which authors an annual Data Breach Investigations Report. “The other 10 percent are stealth, sophisticated attacks that account for 90 percent of data losses.”

In 2010, the threats capable of wreaking the largest destruction came to be known as APTs (advanced persistent threats). APTs are criminally operated malware families so secret they can slip low and slow into endpoint systems. Their most common initial entry point is usually through targeted spear phishing or web attacks.
Once on a machine, APTs open back doors, hide from the operating system and security, crack encrypted passwords and exploit default credentials left on systems to spread bots, set up command-and-control centers, and maintain their presence even after erasure.

One such APT to dominate 2010 was Zeus, an advanced bag of tricks that, among other things, exploits small- and medium-sized organizations, including school districts and municipalities, to drain their Automated Clearing House (ACH) accounts. Zeus was one of the most significant cyber trends the FBI followed in 2010, according to Russ Brown, chief of the FBI's East Coast and Eurasian cybercrime unit.

“One notable aspect of Zeus is its way of information gathering,” says Brown. “Businesses and municipalities post the contact information of their financial officers on websites. Zeus uses malware programs that can scoop this information to target their attacks successfully.”

This targeted, spear phishing attack is another dominant threat in 2010 that will continue to get more sophisticated this coming year, according to Jamz Yaneza, threat research manager for Trend Micro.

“A few days ago, our researchers were analyzing targeted attacks sent to human resources personnel through their webmail accounts – these are outside of the company,” says Yaneza. “Criminals were looking for login information to the company's intranet where they can go up the chain with targeted attacks.”

In addition to more sophisticated spear phishing techniques, Zeus also can circumvent two-factor authentication, say experts. A Zeus botnet-infected computer will monitor attempts to login to known banks that offer two-factor authentication. If the user has this option enabled, Zeus will display a fake ‘mobile details confirmation' page, where the user gives up their mobile information and then receives a fake text message with the mobile botnet component installer. Now both the mobile device and desktop are controlled by the botware.

The time is very short between Zeus-compromising authentication to the draining of accounts, says Brown. So once an organization notices something amiss, it is usually too late and the money's gone.

Websites and browsers

Websites will also continue to take a beating next year, say experts. In its Q2 2010 report, Dasient Security reported 1.3 million new website infections. By the end of that same quarter, Trend Micro threat researchers had published more than 2,550 new application vulnerabilities needing patching. According to an IBM X-Force report, web applications made up 56 percent of all application vulnerabilities reported.

Old and commonly known methodologies, including SQL injection and cross-site-scripting (XSS), are still dominant means of breaching websites, according to the X-Force report and a fall report from WhiteHat Security.

The WhiteHat report also concludes that the largest organizations have the most vulnerabilities in web pages – an indication that the more complex an organization, the more difficult it is to track which web pages and extensions of pages are hosted across the organization to protect them.

“Companies don't know that developers are creating their own intranets, or when the marketing group decides to bring up a new website that might not be within your infrastructure,” says Bill Huntington, chief strategy officer at WhiteHat Security. “Because they don't know what web pages they have out there, companies pick their top or main websites to test, update and protect.”

The motivation of attackers to find vulnerabilities and take over the web server is to access a database and servers connected to them, to inject hidden iFrames and pop-ups on web pages. This strategy infects visiting browsers with bot malware. Most often, the vulnerabilities being exploited on the browser will be found in PDF plug-in applications, according to the X-Force report.

On the other hand, rather than infecting or building malicious sites that end up on blacklisting programs, malware developers are also improving on ways to poison search engine results to pull people's browsers to malicious sites, says Chris Larsen, researcher for Blue Coat Systems, a web security company.

Advancing on new targets

The most advanced threats are primarily targeting financial resources and intellectual property, according to the Verizon study. However, the Stuxnet Win32 worm – reported by Microsoft in the summer of 2010 – indicates that advanced, automated, multilayered attacks targeting infrastructure organizations will be a growing threat in 2010.

Stuxnet specifically targets the energy sector within a particular geopolitical location, then seeks out a Siemens power control system used in that realm. If the Aurora vulnerability and the Russia-Georgia conflict didn't do so already, Stuxnet is the wakeup call that cyberterrorism, cyberwar and political threats have advanced against the infrastructure.

When surveyed, half of 600 IT professionals at international critical infrastructure companies say their organizations have experienced stealthy infiltrations and DDoS (distributed denial of service) attacks against them on the part of high-level adversaries. The survey, produced in early 2010 for McAfee by the Center for Strategic Internet Studies, also reports that nearly 90 percent of respondents had experienced persistent virus and worm attacks.

There are many other threats advancing on other targets in 2011, according to experts. One interesting prediction is that botwars will spill into organizations that have bot-infected hosts.

“We've been seeing cases where compromised computers get re-compromised with new botware and controllers,” explains Neil Daswani, CTO of Dasient. “Bots are valuable and we're going to see more botnet operators trying to take over other bot networks. Ultimately, the end-user will get caught in the middle.”

Mobile phones are another emerging target, adds Verizon's Baker, and, in fact, Zeus completes the computer-to-phone infection circle. In addition, SMS, email phishing and tricks to collect income off toll numbers are already happening. Phones will become more aggressively targeted as money applications are being used on them, Baker adds.

In for the long haul
Even in sophisticated attacks, initial intrusion usually relies on known vulnerabilities in email, browsers, websites and other vectors, according to the Verizon report. This means many advanced threat types can be prevented at the initial penetration point with basic best practices, says Steve Dauber, VP of product planning for RedSeal Systems, a developer of security assurance software.

“For example, process controls – like changing default passwords – would go a long way to clear the low-hanging fruit that attackers go after,” he says.

To get started, organizations need to understand the severity of threats, inventory their critical systems and create situational awareness of which systems and threats actually coincide, Dauber says. Then they need to patch, create compensating controls and monitor.

If IBM's Global Security Operations Centers (SOC) are any indication, the sheer volume of events and the vulnerabilities being exploited will continue to overwhelm organizations in 2011. In any given day, IBM's Global SOCs are monitoring more than 140 countries and processing five to 10 billion security events, says Marc van Zadelhoff, director of IBM Internet Security Systems.

“Defense-in-depth is key for any type of warfare,” he says. “Secure by design. Then monitor applications, data and identities across networks, endpoints, servers and the physical infrastructure.”