BreachExchange mailing list archives

Winning strategies in cyber warfare


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Apr 2014 18:47:05 -0600

http://www.scmagazineuk.com/winning-strategies-in-cyber-warfare/article/342934/

Today we live in a world where the “giants” are lined up against us. Cyber
Crime, Cyber Sabotage and Cyber Espionage are a daily fact of life. Whether
we're talking about botnets, defacing of web sites, spear-phishing or theft
of intellectual property, everyone seems to be defenceless against the
relentless attacks that are targeting everything from your Facebook page to
the SCADA systems controlling nuclear power stations.

Governments talk about the risk of Cyber-Attacks being more deadly than
atomic weapons, and company after company is being pillaged for its
intellectual property.

The technologies that have traditionally protected us are no longer able to
provide any effective defence. Firewalls, Anti-Virus, and whatever other
latest and greatest panacea that is being touted as the answer to our
problems are all proving ineffective.

And yet every user, and organisation, has the means to stop every giant in
their tracks, but most are, as the saying goes, “so blind as those who will
not see.” The most deluded people are those who choose to ignore what they
already know.

Stopping Malware and APTs Dead In Their Tracks

Breaches such as those discovered at Target, the NSA, or wherever, all
follow a set pattern. Breaches are not a shot in the dark, but require
careful planning and execution.

In the first instance, the attacker has to identify the target, essentially
looking for the weakness in the defence. Multiple tools are available on
the Internet that allow anyone to scan for systems or components that have
vulnerabilities. Tools such as Nessus, and web sites such as Shodan provide
an easy way for an attacker to identify a weakness.

Once the point of entry is identified, the next step is to gain entry. In
other words, looking for access to a system which can then be used as an
escalation point. Again tools such as Metasploit and others make it easy to
do this on an industrial scale with brute force attacks.

“The attack process is usually focused on a particular system, or set of
systems. We will then attempt to access the system, either through the use
of an outright attack or using credentials that we have managed to gather
from somewhere in the environment, through social engineering, or other
means. Once we have an account on the system, we may need to escalate the
level of access that we have in order to accomplish our goals. The target
for such privilege escalation is often root or administrator level access,
giving us relative freedom on the system. Given the needed level of access
to the system, we can then exfiltrate any information that we wish to,
cause damage to the environment in any way that benefits us, then install
any measures that we need to in order to ensure future access.” - Cyber
Warfare: Techniques, Tactics and Tools for Security Practitioners by Jason
Andress and Steve Winterfeld.

Getting the information out, and covering their tracks, is relatively easy
once a beachhead is established, using applications such as Corkscrew and
others, and then using Tor or other deep web services to move the
information. Additionally there are plenty of tools available that make it
possible to hide stolen data on USB drives, mobile devices etc.

And of course, as Aramco discovered, once in, the destruction of data,
software and even systems is relatively straightforward. Again the
applications are easily available on the net.

Faced with giants that guarantee zero day exploits, with a guarantee that
vulnerabilities will not be detected for several months, and that promise
that all leading anti-virus and threat protection technologies have been
tested before the release of these exploits, technologies that protect us
against these attacks are helpless. It eventually gets very tiresome to be
continually told by the security industry after the fact. It's like my
wife always telling me after the speeding camera has flashed that we've
just passed a camera! For once I'd love her to tell me where the camera is
ahead of time.

Of course my navigation system tells me where cameras are, or rather tells
me where they were when the GPS software was installed, so it's equally
useless!

But all malware and APTs have a chink in their armour. To be able to do
their worst, they need privileged access to a system. Ultimately if they
can't install something, they can't attack. The little pebble of managing
privileged accounts, whether used by administrators, services, tasks,
whatever, will stop them dead in their tracks. In other words, every
organisation has the means to protect itself: if it simply enforces a
policy of continuous monitoring and scanning, like the enemy does, of
components such as registries, daemons, tasks, hardware components,
services and privileged accounts, and eliminates all vendor default
accounts, it can win.

Pebble beats sword, pen beats sword, password management beats malware! It
is just that simple!
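The closing advice of the article, continuous scanning of privileged accounts, services, tasks and vendor default accounts, is easy to state and rarely shown. The following is an added example, not code from the article, the quoted book or the mailing list: it takes a known-good baseline snapshot of a host and a fresh snapshot, and reports new privileged accounts, accounts that gained privileged group membership, enabled vendor default accounts, and new or altered services and scheduled tasks, rating persistence that runs as a privileged identity as high severity. The host name, account names, service and task entries, and the short vendor default account list are all constructed sample data; the group and builtin-identity sets are illustrative assumptions, not a complete inventory for any product.

```python
"""Baseline-and-diff monitor for privileged accounts and persistence points.

Added example (not from the SC Magazine article or the mailing list). All host,
account, service and task values below are constructed sample data, and the
vendor default account list is an illustrative placeholder, not authoritative.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumptions: names that ship enabled on some products, groups that confer
# administrative rights, and builtin identities that are always privileged.
VENDOR_DEFAULT_ACCOUNTS = {"admin", "guest", "support", "cisco"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "wheel", "sudo"}
BUILTIN_PRIVILEGED = {"SYSTEM", "LocalSystem", "root"}


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]
    enabled: bool = True


@dataclass(frozen=True)
class Persistence:
    kind: str      # "service" or "task"
    name: str
    run_as: str    # identity the service/task runs under
    path: str      # binary or script it executes


@dataclass(frozen=True)
class Snapshot:
    host: str
    accounts: Tuple[Account, ...]
    persistence: Tuple[Persistence, ...]


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    category: str
    subject: str
    detail: str


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it belongs to any administrative group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Compare a fresh snapshot against the approved baseline and return findings."""
    findings: List[Finding] = []
    base_accts = {a.name: a for a in baseline.accounts}
    # Identities that currently hold privilege; persistence running as one of
    # these is rated high because it is exactly the foothold the article warns about.
    privileged_names = {a.name for a in current.accounts if is_privileged(a)} | BUILTIN_PRIVILEGED

    for acct in current.accounts:
        prev = base_accts.get(acct.name)
        if is_privileged(acct):
            if prev is None:
                findings.append(Finding(current.host, "high", "new-privileged-account",
                                        acct.name, f"groups={sorted(acct.groups)}"))
            elif not is_privileged(prev):
                findings.append(Finding(current.host, "high", "privilege-escalation",
                                        acct.name, f"{sorted(prev.groups)} -> {sorted(acct.groups)}"))
        if acct.enabled and acct.name.lower() in VENDOR_DEFAULT_ACCOUNTS:
            findings.append(Finding(current.host, "medium", "vendor-default-account-enabled",
                                    acct.name, "disable or rename per hardening policy"))

    base_persist = {(p.kind, p.name): p for p in baseline.persistence}
    for item in current.persistence:
        prev = base_persist.get((item.kind, item.name))
        severity = "high" if item.run_as in privileged_names else "medium"
        subject = f"{item.kind}:{item.name}"
        if prev is None:
            findings.append(Finding(current.host, severity, "new-persistence",
                                    subject, f"run_as={item.run_as} path={item.path}"))
        elif (prev.run_as, prev.path) != (item.run_as, item.path):
            findings.append(Finding(current.host, severity, "persistence-modified",
                                    subject, f"{prev.run_as}:{prev.path} -> {item.run_as}:{item.path}"))
    return findings


# Constructed sample data: the approved state of host "web01" and a later scan.
BASELINE = Snapshot("web01", accounts=(
    Account("alice", frozenset({"Administrators"})),
    Account("svc_backup", frozenset()),
    Account("guest", frozenset(), enabled=False),
), persistence=(
    Persistence("service", "Spooler", "SYSTEM", r"C:\Windows\System32\spoolsv.exe"),
    Persistence("task", "NightlyBackup", "svc_backup", r"C:\Backup\backup.ps1"),
))

CURRENT = Snapshot("web01", accounts=(
    Account("alice", frozenset({"Administrators"})),
    Account("svc_backup", frozenset({"Administrators"})),   # gained admin rights
    Account("guest", frozenset(), enabled=True),            # vendor default re-enabled
    Account("updatesvc", frozenset({"Administrators"})),    # unknown new admin
), persistence=(
    Persistence("service", "Spooler", "SYSTEM", r"C:\Windows\System32\spoolsv.exe"),
    Persistence("task", "NightlyBackup", "svc_backup", r"C:\Users\Public\backup.ps1"),
    Persistence("service", "WinHelper", "SYSTEM", r"C:\Users\Public\helper.exe"),
))


def scan_sample() -> List[Finding]:
    """Run the comparison over the constructed sample and return the findings."""
    return diff_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.severity:6}] {f.host} {f.category}: {f.subject} ({f.detail})")
```

In practice the snapshots would be collected by the existing inventory or endpoint tooling on a schedule, and the baseline would only be updated through an approved change; the value of the approach is that every finding names a concrete object (an account, a service, a task) that an administrator can act on, rather than an after-the-fact alert about malware that has already run.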
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
