After a quiet year on the advanced malware front, we could soon see more activity, says the Atlantic Council’s Jason Healey. Karen Epper Hoffman reports.
Things may have appeared low-key last year in terms of high-profile malware threats, but when it comes to government cyber security, the relative quiet of 2013 probably means we’re just in the eye of the storm, according to security experts like Jason Healey, director of the cyber statecraft initiative at the Atlantic Council, a Washington, D.C.-based think tank that promotes constructive leadership and engagement in international affairs.
“My overall concern is, as it’s always been, is that it’s a lot easier to attack than defend on the internet. And this past year, I’m worried we may have slipped past the tipping point,” says Healey (left), who is also an adjunct professor at Georgetown University. “Attackers have always had the advantage, but now they may well have the supremacy. We may be moving from the Wild West to Somalia.”
Other experts say that while 2013 did not give rise to the same sort of headline-grabbing malware attacks as the previous year – wherein a bevy of sophisticated malware threats, including Flame, Wiper and Gauss, were all discovered – security personnel must be on the lookout for increased activity. According to Howard Schmidt, formerly the special assistant to the president and cyber security coordinator for the federal government, this is simply the “lull before the storm.”
“We’re seeing more people take and modify [malware] and do something else with it,” he says. “There’s not less going on, it’s just less visible. And what we are seeing in what the government is doing is being more diligent and not giving [hackers] the opportunity to use malware for sabotage or intelligence-gathering. But it doesn’t mean it’s not happening, it’s just very, very discreet,” says Schmidt, also a former chief information security officer and chief security strategist for eBay.
Meanwhile, Chris Petersen, chief technology officer and co-founder of LogRhythm, a security analytics firm, points out that few organizations have realized the required analytics driven defense capability that can make sophisticated malware visible. “This is an arms race in which too many organizations are failing to keep up,” he says.
OUR EXPERTS: Fighting malware
Ken Baylor, research VP for NSS Labs
Stephen Cobb, security researcher at ESET Peter Firstbrook, research VP for Gartner
Aryeh Goretsky, distinguished researcher with ESET
Jason Healey, director of the cyber statecraft initiative at the Atlantic Council
Al Pascual, senior analyst, security, risk & fraud at Javelin Strategy & Research
Chris Petersen, CTO and co-founder of LogRhythm
Howard Schmidt, formerly the special assistant to the president and cyber security coordinator for the federal government
Matthew Standart, threat intelligence director for HBGary
Harry Sverdlove, CTO for Bit9
Some industry insiders don’t believe the pace of sophisticated malware development is slowing at all. “It is never quiet,” says Matthew Standart, threat intelligence director for HBGary, a technology security firm. “Much of the threatening malware we see today originates from a constant, underground, sophisticated economy that gets better and expands every year.” People from all across the world with increasing expertise make a living from the various aspects that derive from the demands to compromise networks, he says.
Whether it is research and development, exploitation and compromise, or executing and achieving mission objectives, there are professionals that are diametrically opposed to the computer security professionals that protect our networks, and they are as active as they ever have been in the past, he adds.
Other experts agree that the lack of major news about specific sophisticated espionage attacks in 2013 is no indication that there is in fact a slowdown of such activity or that the majority of the situation has already been uncovered. In fact, Harry Sverdlove, chief technology officer for Bit9, a firm that provides network security services to the U.S. government as well as several Fortune 100 firms, believes it may be evidence that “advanced espionage teams have become better at working under the radar in light of previous discoveries and disclosures.”
Even though Stuxnet was discovered and reported in 2010, he says, some of its components (as well as the corollary Duqu worm) have been traced back to 2007. While Flame was discovered in 2012, it is believed to have been active for at least five years prior, he points out.
“Most advanced attacks are discovered months or years after being first active in the wild,” says Sverdlove. “It is entirely foreseeable, if not inevitable, that we will learn in the future of new attacks that actually occurred in 2013.”
Ken Baylor, research vice president for NSS Labs, adds that nation states have shown what they have and released samples against targets. “Other nation-states are dissecting the malware and trying to one-up each other in secret,” he says. “There has likely been huge research and development in this space and everyone is holding their latest weapons very close to their chests.”
Other experts point out that simply because the cyber espionage news focused squarely on Edward Snowden and his National Security Agency (NSA) revelations for much of the past year, doesn’t mean all was quiet. Aryeh Goretsky, distinguished researcher with IT security firm ESET, reports that there have indeed been several nation-state malware attacks over the past year outside the United States. These malware attacks include: Win32/trojanProxy.Agent.NJK, which targeted Taiwan and Vietnam; Win32/Syndicasec.A attacking systems in Nepal and China; and Win32/Agent.NLD, which targeted Pakistan.
New trends emerging
What could be more daunting than the below-the-radar malicious malware activity that is being perpetrated are the emerging trends that could lead to more attacks in this year.
For starters, that could mean more players in cyber espionage. While 2013 already gave rise to the Snowden affair, Healey suspects that we will hear more about government espionage networks in 2014. “There will be more countries seeing what the United States has done and getting into the game themselves,” he says.
He envisions seeing patriotic hackers using botnets in China against Japan. It wouldn’t surprise him to see Taiwan get involved too with the East China Sea issues and differing claims over islands in the region.
“We’ve already seen Iran making DDoS attacks on U.S. banks,” he says. “I would be curious what Iran has planned for 2014, especially if peace talks slide off the table.”
Schmidt agrees, saying he is seeing a growth in the trading and selling of zero-day vulnerabilities. At least 27 different nations are now maintaining “cyber command-type activity,” he says. But many of these nations don’t have the “rigor and the discipline” to adequately fight off cyber sabotage assaults, since this is new to them, he adds.
NSS Labs’ Baylor says many nations are truly seeing malicious malware as another arrow in their quiver. “When the dogs of war are unleashed by those in power, we get to see what has been worked on over the last few years,” he says. “When Stuxnet, Duqu and Flame were released, they had been exceptionally well developed and integrated. Just like with the attacks against Bloomberg, the New York Times and Wall Street Journal showed, nation-states are continually building malware, but only releasing it when they get major political pressure to do so, similar to nuclear weapons.”
Al Pascual (left), senior analyst, security, risk & fraud at Javelin Strategy & Research, says that “malware has become a weapon, much like missile systems or M16 rifles.” The commoditization of zero-day effects, where developers are selling these malware ‘weapons’ for six-figure prices, is a trend that he says is on the rise. “Governments spend millions of dollars a year to purchase these exploits,” he says. Like NetTraveler, which infected hundreds of targets in many countries, Pascual believes some of these exploits will be used to reach a broader base of victims. “Why steal from one when you can steal from many?,” Pascual says of such exploits.
Simple as it sounds, Sverdlove believes even sophisticated exploits may fall back on using tried-but-true techniques, like using spear-phishing and social-engineering tricks. “Even as technology evolves, the weakest link will always be the human operator in front of the keyboard,” he says. “The majority of the advanced attacks in 2013 began because some user clicked on a link in an email or unintentionally visited a malicious website. The attack that hit Apple, Facebook, Twitter and Microsoft early in 2013 showed how attackers can combine both techniques – such as Java exploits to target multiple platforms and social engineering to lure victims to compromised websites – to wage fairly broad campaigns.”
Goretsky raises the point that with nation-state malware a great deal of effort is expended to counter attribution, both by customizing the malware so it is undetected by the anti-malware software used by the target and contains no metadata that can identify its creators, and by using communications paths which appear to be legitimate kinds of network traffic. “And even if the network traffic is detected as malicious, the scammer’s hope that its communications would still be presumed to be from a botnet being used for criminal activity, as opposed as being from a hostile nation-state,” he says.
To Standart, it’s not the players that have changed, it’s just that everyone has upped their game. “We have seen new victims in the same industries, the same attackers in new industries, new tools used against new victims, and the same attackers with new tools,” he says. “This is nothing new from what we were seeing 10 years ago, except a higher level of sophistication.” Along those lines, he says organizations have focused and improved on better recognizing, detecting and mitigating these threat actors at a more sophisticated level. Part of the increase in sophistication comes from attackers leveraging third-party software as a means to conduct their operations, he adds.
“This concept is not new as attackers have leveraged legitimate services as a means to conduct their operations in the past,” says Standart. “If you allow email, they use email. If you allow FTP, they use FTP [for data exfiltration].” Now that there are stricter security controls around these commonly used areas, he says, the attackers have used other mechanisms which have increased the complexity of their malware. “Organizations should be aware of the threat that third-party software has, particularly software that has internal/external communication capabilities already coded into it,” he says.
Internet of Everything
Several experts, including Healey, cite the growth of “the Internet of Everything” as another factor making it easier for these sophisticated malware threats to proliferate. Petersen of LogRhythm believe the Internet of Things will create new targets and entry points. “Evolved malware becomes increasingly sophisticated at comprising individual targets in its path, that lead to its final objective over weeks, months, even years,” he says.
The accelerated rate of technology that changes in the world unfortunately also applies to the rate of change in malware, says Sverdlove. “As more and more devices are interconnected in the Internet of Things, there are more opportunities and value in co-opting those same technologies for malicious purposes. Hence, we are seeing an increased focus on advanced attacks targeting smartphones and mobile devices. We also are seeing advancements made in highly sophisticated attacks, such as memory-only exploits that leave no footprint, and the use of cryptography in advanced attacks.”
Sverdlove believes that as technology continues to advance and more and more information becomes interconnected and accessible from multiple devices, we will continue to see ever newer methods of cyber attack. And, he believes those hackers are looking to profit, as well as make a ideological point. Specifically, he predicts an increase of ransomware, where malware is used to encrypt and hijack a person’s computer until payment is made. “Criminals, like everyone else, follow what works, and malware like CryptoLocker was highly successful in 2013.” Consequently, he says that copycats and variants will emerge in 2014. “Information can be turned into money by criminal actors and power by nation-states.”
Stephen Cobb (left), security researcher at ESET, says he saw a lot of criminal malware in 2013, notably ransomware and banking trojans. In fact, ESET researchers discovered a brand new banking trojan that suggests criminals are getting a good return on investment in such projects. “Some cyber weapons,” he says “are far from sophisticated.” In December, ESET published a whitepaper on “weak” malware used for espionage as proof that in some scenarios, such as a poorly defended target, you can conduct malware-based espionage on a budget.
He points out that new criminal malware will continue to emerge with the goal of making money off victims. “This trend is unlikely to be reversed until governments make a serious investment in catching and convicting the culprits,” he says. “A relatively small portion of the FBI’s $8 billion annual budget is spent on fighting cyber crime. Compare that to the $52 billion spent on spying or $15 billion spent on the war against drugs.”
Peter Firstbrook (right), research vice president at Gartner Research, and a leading authority on anti-virus malware protection, anti-spam and URL filtering, also sees more use of ransomware on the horizon. “This type of attack has been a very successful money-maker for hackers this year and is very hard to recover from,” Firstbrook says. “Servers, especially web servers, will be under continuous attacks. High capacity web servers are great resource for attackers. We will likely see more all-in memory attacks that exploit buffer overflow, but do not drop more executables. This type of malware is good at leaving no trace on the infected machine.”
The explosion in the use of mobile devices is also seen as a fresh route that bad actors can now use to perpetrate sophisticated malware exploits. Schmidt points out that cyber criminals already use mobile devices, including smartphones, as a means to hijack personal and financial information for financial gain. “When you look at cyber espionage, they will start looking at the proliferation of mobile devices, and in many cases this opens up a new greenfield opportunity,” he says.
Sverdlove agrees, pointing out that he expects to see increases in attacks on portable devices, including new items like smartwatches. “As cyber espionage goes, controlling a device that resides on a person and contains a microphone, camera, GPS and internet connection is too rich a goldmine to ignore.”
What can be done?
In the face of increasingly sophisticated threats and the growing strength by the hackers, government agencies and related organizations face an uphill climb in battling back this cyber menace.
The first step, according to Petersen, is to think more broadly than just the malware threat itself. “Malware is just a tool along with others,” he says. “Organizations need to take a fresh look at their security capability and invest in next-generation technologies and processes.” However, he adds, improved preventative approaches can reduce the introduction of malware, but not completely keep it out. “To address the malware that slips through, organizations need to adopt an analytics-driven defense capability that leverages continuous, machine-based analytics capable of detecting and mitigating sophisticated malware.”
Along the same lines, Cobb endorses a layered approach with defense-in-depth. “This means protecting endpoints and servers and actively monitoring the connections between them, while ensuring that the people who design, run and use your systems are properly vetted, trained and motivated,” he says. “Doing all that does not guarantee you will have no breaches, but if you skimp on some of those things your chances of failure go way up. Just look at Snowden and the NSA.”
Sverdlove says organizations must assess key assets, know where their risks lay, employ the best tools they can – and still prepare for the worst. Between cyber criminals, nation-states and hacktivists, he says, there are many threat actors out there with different capabilities and different motivations. “These actors are making advancements daily, so you should be deploying the latest defenses in response. Don’t expect 20-year-old anti-virus technologies to protect you. Use next-generation security technologies – like application control, next-generation firewalls and advanced monitoring tools,” he says. “Establish a security plan that does more than just put up walls. Assume your walls will be breached, so make sure your plan answers the questions: ‘If I am breached, will I know?’”
Goretsky says that the steps that organizations, companies and governments need to take to avoid nation-state malware are largely the same as those for avoiding conventional malware, notably keep up-to-date with operating system and software patches, run anti-virus software, run with the least system privileges necessary to work effectively, and review logs from firewalls and security devices. But, if an organization believes it is being targeted by a hostile nation-state, Goretsky believes they should also increase the number of supply channels used for networking and computing gear in order to make it harder to implant devices en-route, and refresh equipment more frequently. “If it assumes that devices are going to be compromised, and possibly in ways that cannot be easily checked or repaired, like BIOS firmware, then it needs to try to reduce the amount of time/impact a compromised device has on its network by replacing more frequently,” he says.
Collaboration can be particularly useful to overcome the havoc that such attacks can wreak. Schmidt points out that in recent years, the Department of Homeland Security has become the agency through which other government agencies can share information about attacks or compromises.
Sverdlove echoes this point. “One of the more promising changes that has occurred in recent years is the willingness of companies to disclose cyber breaches,” he says. “This is due, in part, to increased regulation and oversight on different industries, but also because companies are realizing that such disclosures no longer carry the same stigma they did just a few years ago – after all, pretty much every major company in every vertical has suffered from cyber intrusion.”
Healey (above) recommends that government do itself a favor by taking itself out of the leading role. “It has to be the private sector and not the NSA or Cyber Command or the Department of Homeland Security that is going to fix this,” he says. The private sector, he maintains, has greater agility and subject-matter expertise to help fight off the malware threat. “Government needs to realize that the private sector isn’t the problem,” he says. “It’s the solution.”