TARGETED ATTACKS

Attacks that garner the most attention are not the most dangerous

by Rik Farrow

The past year seemed replete with widespread attacks, Slammer and Blaster being well-known examples. But the most serious attacks of 2003 will continue to pass beneath the radar screens of most people--except for their victims. These are attacks that target specific sites with the goal of stealing information.

Theft of proprietary information and financial data continues to cause more financial loss than any other type of computer security attack. The American Society for Industrial Security (ASIS) 2002 survey suggests that responding firms experienced proprietary information and intellectual property (IP) losses of between $53 billion and $59 billion from July 1, 2000 to June 30, 2001. While this survey does not distinguish between computer-related attacks and other methods used to steal data, it does speak to the value of stolen data. The annual CSI/FBI computer crime and security survey has consistently found that loss of proprietary information is the most costly category of computer-related attack.

Targeted attacks proceed very differently from the attacks you typically read about, or even experience. In this column I will explain how targeted attacks differ from opportunistic ones and suggest some remedies.

Targets

The most obvious, and logical, difference between a targeted attack and an opportunistic one is that the opportunistic attack is directed at any target at all. Worms like Slammer and Blaster used pseudo-random number generators to choose the IP addresses they attacked. Targeted attacks proceed very differently.

The attacker with a planned target can spend a lot of time and resources learning about the potential victim. Public information, including SEC (Securities and Exchange Commission) filings, lists of company officers, the physical location of offices, domain name registration records and public IP address allocations, may all be included in the attacker's research.

When money is involved, attack strategies can include onsite visits. The attackers may come armed with Yagi antennas to listen for unprotected wireless networks, or attempt to enter an office disguised as telephone or network technicians. The most serious attackers have gone as far as getting a job within the victim's company. Even a job as janitor will do--in fact, a janitor often has physical access to the targeted computers as well as to backup media, which makes the attack much simpler to execute, while at the same time being much riskier for the attacker.

But for now, I want to focus on the network aspects of a targeted attack. The targeted attacker will spend a lot of time probing the victim's network. This type of attacker will be discreet, not bombarding the victim with portscans but sending occasional packets, each from a different source address and each with a specific purpose in mind. These probe packets blend in with the normal racket of portscans from opportunistic attackers and script kiddies; looked at one source at a time, they are indistinguishable from background scans.
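The practical consequence of the paragraph above is that any detector which counts packets per source address will never see a probe that arrives one packet at a time from a fresh address. The Python script below is an added illustration, not code from the original column. It runs two detectors over a constructed, iptables-style firewall drop log (the log format, the RFC 5737 addresses, the time windows and the thresholds are all assumptions made for the example): a conventional per-source port-count detector, and a destination-centric one that gathers the sources which sent only a packet or two to a given host and asks how many distinct ports those quiet sources touched between them. Worm noise from many addresses hammers one or two ports; a reconnaissance campaign spread across many addresses covers many.

```python
"""Low-and-slow reconnaissance detection over firewall drop logs.

Added example; the log format, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical iptables/syslog-style DROP line, e.g.
# 2003-09-01T00:00:00 fw kernel: DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=22
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) fw kernel: DROP "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse(lines):
    """Return (timestamp, src, dst, dport) tuples; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def noisy_sources(events, window=timedelta(hours=1), min_ports=20):
    """Classic per-source detector: flag a source that hits >= min_ports distinct ports within `window`."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in events:
        by_src[src].append((ts, dport))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


def slow_recon_targets(events, max_packets_per_src=2, min_ports=6, min_sources=6):
    """Destination-centric detector for low-and-slow probes.

    For each destination host, keep only the sources that sent it at most
    `max_packets_per_src` packets over the whole data set.  Flag the host if
    at least `min_sources` such quiet sources collectively probed at least
    `min_ports` distinct destination ports.
    """
    per_dst_src = defaultdict(lambda: defaultdict(list))
    for _ts, src, dst, dport in events:
        per_dst_src[dst][src].append(dport)
    report = {}
    for dst, srcs in per_dst_src.items():
        quiet = {s: ps for s, ps in srcs.items() if len(ps) <= max_packets_per_src}
        ports = {p for ps in quiet.values() for p in ps}
        if len(quiet) >= min_sources and len(ports) >= min_ports:
            report[dst] = {"sources": len(quiet), "ports": sorted(ports)}
    return report


def build_sample_log():
    """Constructed sample traffic, not a real capture.  Three ingredients are mixed together."""
    fmt = "{ts} fw kernel: DROP SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dport}"
    t0 = datetime(2003, 9, 1, 0, 0, 0)
    lines = []
    # 1. A script kiddie sweeps forty ports on one host in forty seconds.
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(fmt.format(ts=ts, src="198.51.100.7", dst="203.0.113.10", dport=i + 1))
    # 2. Worm background noise: thirty sources, one packet each to both hosts, only two ports.
    for i in range(30):
        ts = (t0 + timedelta(hours=7 * i)).isoformat(timespec="seconds")
        port = 1434 if i % 2 else 135
        for dst in ("203.0.113.10", "203.0.113.20"):
            lines.append(fmt.format(ts=ts, src=f"192.0.2.{i + 1}", dst=dst, dport=port))
    # 3. The targeted probe: one packet every few days, each from a fresh address, each to a different service.
    for i, port in enumerate((22, 25, 53, 80, 443, 1433, 3389, 8080)):
        ts = (t0 + timedelta(days=3 * i + 1, hours=5)).isoformat(timespec="seconds")
        lines.append(fmt.format(ts=ts, src=f"198.51.100.{100 + i}", dst="203.0.113.20", dport=port))
    return lines


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("per-source detector flags:", sorted(noisy_sources(events)))
    print("destination-centric detector flags:", slow_recon_targets(events))
```

Run as-is, the per-source detector flags only the noisy sweeper at 198.51.100.7; the eight targeted packets never accumulate under any one address. The destination-centric pass ignores the sweeper (too many packets to count as quiet), leaves 203.0.113.10 alone because its thirty quiet sources touched only two ports, and flags 203.0.113.20 because its quiet sources cover ten distinct ports. In practice the thresholds need tuning against your own noise floor, and it helps to weight ports that matter to you (management and database ports) above those every worm hits.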

The targeted attack will differ in other ways as well. While script kiddies prefer frontal assaults, the targeted attack may include exploiting many other systems, with the goal of gaining access to the victim's site. The victim's network might include a Web farm, and Web servers, besides being publicly accessible via HTTP, often have connections back into the protected network (to database servers, for instance). If the attacker can gain a foothold by exploiting the Web servers, the rest of the attack may be assured.

The attacker might also invade the victim's ISP. The ISP may provide various services besides simply routing packets, and any of these services may provide either the ingress or the data the attacker needs. In a recent unpublished incident, the attacker broke into a Windows system at the victim's ISP. The attacker then leveraged this foothold into an account with Domain Administrator privileges. Using this privilege, the attacker connected to the administrative shares (C$, ADMIN$ and the like, which every Windows system in the NT line exports by default) to take control of all of the ISP's systems. From this vantage point, the attacker was able to copy email sent by an executive that contained the important, and secret, financial data that was the real goal of the attack. The end result was a financial windfall--for the organization that hired the attacker. For the victim, it was a serious disaster, recognized only after the fact.

Another approach into a victim's network lies through partners' networks. Many large organizations have business partners, and quite often the networks of these partners are connected, via a VPN tunnel or a leased line, to the target organization's network. If the partner organization does not have a security policy at least as strong as the target organization's (and actually enforced), the partner becomes the logical point of approach for the attacker. In some cases, the partner organization might not even have a properly configured firewall, or might itself be entered through yet another unprotected partner's network.

Defenses

Attacks by insiders, or by attackers who gain internal access, appear impossible to defend against. But there are things that can be done.

The attack that succeeded by capturing email would have failed had the email been encrypted end to end, with S/MIME or PGP for instance. Encrypting only the links between mail servers would not have helped, since the attacker controlled the ISP's servers themselves. With millions, possibly billions, of dollars at stake, encrypting email sounds like a small price to pay for protection.

Important files, stored email, databases and even backups should also be encrypted. An intruder who steals an encrypted backup medium has gained nothing more than a tape cartridge, provided the key is not stored alongside it. But the same intruder, who may have gained access through social engineering, could walk away with the crown jewels if the backup was not encrypted. And this has happened.

VPN tunnels should never terminate inside an internal network unless the organization has administrative and security control over both ends of the tunnel. Partner sites, with their own security, cannot be relied upon to have the same level of security as your own site. Terminating VPN tunnels from those sites in a separate, protected but external network is essential. That external network should have only limited access to internal resources. Better yet, the internal resources the partner requires should be mirrored onto servers in the external network, giving the partner limited access as needed.

Targeted attacks are the real threat to an organization's security. While the latest Windows worm might cause havoc, it is not designed to steal your most sensitive information or your latest plans. Proper use of encryption and careful network design provide you with the best protection against these attacks.

Resources:

ZDNet story about targeted attacks:
http://zdnet.com.com/2102-11_2-523790.html?tag=printthis

American Society for Industrial Security, press release on the FY 2001 survey of proprietary information and intellectual property loss:
http://www.asisonline.org/newsroom/pressReleases/093002trends.xml

2003 CSI/FBI computer crime and security survey:
http://www.gocsi.com/press/20030528.jhtml;jsessionid=NI2QBOKXZXPJ2QSNDBGCKHY