Today’s onslaught of cyberattacks can be difficult to analyze, let alone take immediate action to prevent data exfiltration. Larry Jaffee reports.

You receive an email from your CEO to “wire $80,000 from this account immediately.” 

Forensic analyses show most cyberattacks come via social-engineering trickery, as employees unwittingly leave their organizations susceptible to severe damage. Adversaries usurp pertinent information from company websites and LinkedIn.

“We get five or six a week of those CEO or accounts payable schemes,” Marshall Wolf, senior IT officer for Gigamon, a Santa Clara, Calif. networking company, whose solutions are deployed across vertical markets including over 75 percent of the Fortune 100. 

“It’s not just malware, riskware and the constant barrage of known threat hackers from China and Russia; it’s your own people potentially doing harm to your network without [their] knowledge,” Wolf says. 

Timothy Ryan, principal of EY Fraud Investigation and Dispute Services, and a former FBI agent, in early August tracked a massive intrusion using compromised credentials. The attacker moved around the tool-laden system unheeded because there was no malware involved. 

“These guys are learning to live off the land,” says Ryan, who suggests organizations educate employees to use “out-of-band communication,” such as picking up the phone or sending a text to a cellphone, to confirm a colleague sent a suspicious-looking email instead of responding electronically to possibly the disguised hacker.

OUR EXPERTS 

Alphonzo Albright, VP, Abilis Solutions
Ondrej Krehel, CEO and founder, LIFARS
Rich Malewicz, CIO and CISO, Livingston County, Michigan
Timothy Ryan, principal cyber investigations, forensic technology and insider threat services, Ernst & Young
Raj Samani, VP and CTO, Intel Security
Jeff Schilling, chief of operations and security, Armor
Rush Taggart, CTO, CardConnect
Marshall Wolf, senior IT officer, Gigamon

Phishing often is a prelude to something far more sinister. “After gaining access to an enterprise, I’ve seen adversaries then drop ransomware on servers, locking all the machines up,” says Ryan, who typically investigates “an unmitigated, unreported, unescalated smaller breach that led to a massive breach. In the vast majority of the cases, somebody in the company knew about it.”

Raj Samani, vice president and CTO for Intel Security, agrees that the current spate of ransomware attacks is “particularly nasty.” Whereas small-to-medium sized companies were targeted, now it’s vertical-specific,” he notes.

Ransomware takes less effort and delivers quicker payoff for hackers compared with stealing and selling data on the black market, notes Jeff Schilling, chief of operations and security for Richardson, Tex.-based cyber security firm Armor, which services 1,200 clients in 40 countries from five data centers.

Last spring it tracked ransomware actors going after servers running [Java application] JBoss, taking advantage of a vulnerability that very few users were patching. “Once they gained access to the application with privileges, they’d lock it up,” says Schilling, a retired colonel who until 2012 had been director of the U.S. Army’s global security operations center under Cyber Command. 

Good network hygiene

“I thought that was a big escalation of what threat actors are doing,” he notes. “They’ve gone from going after individual computers, share drives, servers and databases; now they’re compromising software to obtain greater scale.” 

To better protect against attacks, Schilling suggests good network hygiene, such as shutting down shared services between work stations to prevent an actor from being able to move laterally, and also maintaining good backups of computer systems and data. Honeypots sniff out potential attackers within two minutes, he notes.

For potential victims of server attacks, “it’s all about patching and staying up to date with all of the applications you run inside your webserver,” Schilling points out.  

Despite the latest cyberthreats, SQL injection is “still a vector of compromise 15 to 20 years after being highlighted as something people should be looking out for,” points out Rush Taggart (left), CTO of CardConnect, a Philadelphia area-based financial technology company that processes card payments for 65,000 merchants, of which 125 are Fortune 500 and “probed daily by attackers.”  

Keeping threats out might be your goal, but Wolf believes organizations should take the view that malware will get into your network. “You have to look at the behaviors in your network to know what’s wrong,” he says. 

Available tools rank and categorize the seriousness of threats and abnormalities, telling organizations via text or other communication means what they should attack first in terms of remediation because a lack of human resources to analyze the level of threat. “We can’t react to everything all at once,” he explains. 

Anti-virus tools can’t keep up with hackers figuring out new ways to break in.

“There are constant [hacker] routines out there pinging every IP address known to mankind, trying to look for vulnerabilities and how to get through and plop some problematic injections into your networks to be used now or later,” Wolf explains.

Accepting the inevitability of an attack behooves organizations to put together a “coordinated and tested incident response plan,” advises Alphonzo Albright, vice president of worldwide global justice services for Montreal-based Abilis Solutions, which handles IT for state governments, healthcare and financial services in the New England area. Albright focuses on securing law enforcement networks.

Government agencies are under constant external threat, but sometimes their employees are the culprits. An IT technician employed by 185,000-resident Livingston County, Mich., ran from a government server a password harvesting scheme and illegal movie/music operation, which emitted BitTorrent file-infected malware.

Rich Malewicz (left), the county’s CIO and CISO, quickly caught the employee on a network administrator’s PC, trying to obtain higher credentials. The ObserveIT tool captured the keystrokes of the caught employee and some of his colleagues with screenshots of what they were doing. 

“We watched them for a month and uncovered this whole ecosystem,” says Malewicz, who rebuilt Livingston’s security posture in 2013 with a $500,000 overhaul that also included FireEye and enables monitoring of every county computer to protect against insider threats. 

Are tools performing?

Testing whether your threat assessment and detection tools, such as FireEye, are performing is as important as having purchased them, notes Ondrej Krehel (right), CEO and founder of LIFARS, a digital forensics and cybersecurity intelligence firm in New York. 

“All that you are really trying to do is get more intelligence about what is your current cybersecurity posture,” he notes. Companies often think they’re “strong [because they purchased tools], but is it really true?”

Network penetration exercises often test just a few areas. A complete survey of the entire IT operation sometimes reveals “an open door that literally is missing or has to be fixed,” points out Krehel, adding that companies should not just focus on particular endpoints. 

Isolating critical systems will limit the ability of malware to spread, Taggart notes, adding that CardConnect’s firewalls and filters routinely drop malevolent traffic.

Network segmentation denies outbound Internet access. “Even if attackers get in, they can’t get the data out,” he adds.

But Samani asks rhetorically, “Can a three-person small business realistically deploy sandboxing?” Besides the cost, there’s also the configuration, management, maintenance, licensing, installing new servers and staff required.  

To combat today’s escalated threats, Intel Security in July collaborated with Europol, Kaspersky Lab, and the Dutch police to offer free decryption tools through https://www.nomoreransom.org/. 

“In the first 24 hours, we had 2.6 million visitors to the site and just over 4,000 people downloaded the Shade Ransomware decryption tool that we released on that day,” Samani reports. That effort alone helped 165,000 people whose computers were infected. A second takedown has already taken place, and others are imminent, he adds.

An organization’s lackadaisical behavior welcomes trouble. Even though Payment Card Industry Data Security Standard (PCI DSS) guidelines require alarms and logs to be examined daily, “the Target breach transpired over three-and-a-half weeks, and alarms were going off every single day,” Taggart notes.