Black Hat 2015 is less than a week away, and almost daily cybersecurity stories remind us that there’s never a dull moment in the world of hacking. Black Hat is known for attracting information security’s best and brightest to its nearly week-long event, where experts share war stories, how-tos and what’s-coming-next scenarios with an audience of enthusiasts who can’t seem to get enough. And to be sure, there’s always lots to talk about. The cybersecurity landscape continues to change, with technology advancing at breakneck speed, making it harder than ever to keep good technology out of the hands of bad hackers. And with so many different threat actors at play – terrorists, criminals seeking financial gain, hacktivists – the ways an organization can fall victim range far and wide. A couple of recent articles demonstrate how new technology and the Internet of Things are taking hacker exploits out of the realm of science fiction and into real life.
You’ve been a diligent and informed cybersecurity expert for your organization, deploying layers of preventive technology to stop advanced threats, including a secure web gateway, a firewall, IPS, and file sandboxing, and yet your defenses have been breached and data stolen. Certainly this is a scenario that’s played out at many organizations, and statistics suggest these incidents aren’t going away soon. According to the Identity Theft Resource Center, there have been 436 data breaches in the United States year to date (YTD), resulting in the exposure of 135 million records. These breaches have hit virtually every market sector – it seems no organization is immune to attack. If your organization has experienced a data breach resulting in data loss, you understand how far and wide it can impact your business. But investing all your resources into prevention may not be your best bet.
Clearly, the standard methods organizations are employing to stop evasive malware and prevent a catastrophic data breach have failed, as verified by a long list of high-profile losses. The problem is, these layers of security, such as robust AV, Intrusion Prevention Systems (IPS), application ID, and sandboxing, to name a few, are all undoubtedly necessary and valuable. If you want to sleep peacefully at night, you don’t just lock the gate to your yard and leave your house open. So while multiple layers are necessary, relying on any one as your sole defense would be ineffective. Here is a recap of some standard solutions being deployed:
The ZeuS Trojan, often called banking malware because it primarily targets financial institutions and online banking customers, has been around since 2007 – ancient history in the world of cybersecurity. But recently a new configuration was identified, a 64-bit version that may represent an entirely new breed of software, one that could take protocol evasion to a whole new level.
The method of transmitting data over the Internet was developed when no one predicted how criminal organizations would take advantage of its structure. Internet transmissions to port destinations are sent in packets, each containing 1,514 bytes. Each packet is divided into sections, including a wrapper containing routing and transmission information and a larger content section that can include anything from a PDF or video to DNS requests or even malware. The goal is to fill each packet, leaving as little empty space as possible, in order to deliver an efficient payload. The routing and transmission sections include an Ethernet header, designating movement inside the network; an IP header, for movement outside the network; a TCP or UDP header, which includes the destination port number; and the protocol header, for instance HTTP or HTTPS.
In analyzing the anatomy of some of today’s most virulent threats, an important distinction needs to be made between ports and protocols if one is to understand how hackers employ evasive ports and evasive protocols to deliver malware. An analogy that is often used, and that most clearly illustrates the difference, is that of a physical address. Sending a letter via snail mail is like a computer querying the Internet for information: both require a specific address to arrive safely. Your computer first accesses a URL, which is comparable to the street address of the destination. On that street is a building housing apartments, or ports, each with its own number. With 130,070 ports, there are a lot of numbers. Adding more complexity, within each apartment a particular language, or protocol, is spoken – it could be English, French or a thousand others. When you transmit your message to an apartment on this street, there must be someone there who speaks your language in order for your message to be understood. If a French message is transmitted to an apartment where only Norwegian is spoken, it will be rejected as unintelligible – simple enough, right?
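The packet anatomy and the port-versus-protocol distinction described above can be made concrete with a small defensive check: peel the Ethernet, IP and TCP headers off a frame, look at the destination port, then identify the protocol from the payload itself and flag the two disagreeing (HTTP being "spoken" to a port where it is not expected). This is an added example, not iboss code; the MAC addresses, IP addresses, ports and payload are constructed, and the expected-protocol table is an assumption for illustration.

```python
import struct

# Constructed sample values: every address and payload below is invented for this example.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([10, 0, 0, 5])
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Assumed policy: the application protocol a gateway expects to see on each port.
EXPECTED_PROTOCOL = {80: "HTTP", 8080: "HTTP", 443: "TLS"}


def build_frame(dst_port: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)  # EtherType 0x0800 = IPv4
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Strip the Ethernet, IP and TCP headers, returning ports and the application payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IP header length in bytes
    if ip[9] != 6:                     # IP protocol number 6 = TCP
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4   # TCP header length in bytes
    return {"src_port": src_port, "dst_port": dst_port, "payload": tcp[data_offset:]}


def identify_protocol(payload: bytes) -> str:
    """Identify the application protocol from the payload content, not from the port."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "HTTP"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "TLS"                   # TLS record header: handshake, version 3.x
    return "UNKNOWN"


def check_port_protocol(frame: bytes) -> tuple:
    """Return (dst_port, protocol, mismatch); mismatch is True when a recognised protocol
    arrives on a port where the policy does not expect it."""
    info = parse_frame(frame)
    proto = identify_protocol(info["payload"])
    mismatch = proto != "UNKNOWN" and EXPECTED_PROTOCOL.get(info["dst_port"]) != proto
    return info["dst_port"], proto, mismatch
```

Running `check_port_protocol(build_frame(53, HTTP_PAYLOAD))` flags HTTP on port 53 as a mismatch, while the same payload to port 80 passes.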
To understand how protocol evasive exploits work, you need to understand a little about TOR and the Dark Web, an entity that may be as ominous as it sounds. Certainly it lives in the popular imagination as such – the shadowed corner of the Internet, where criminal activity runs wild with people engaging in money laundering, child exploitation, drug trafficking and more.
Defending against today's sophisticated cyber threats seems to increase in complexity every day. The openness of the Internet, built on a foundation of thousands of ports and an infinite number of protocols designed to support multiple data transmissions at once, has transformed how we share information. But it has simultaneously created an unforeseen quagmire, where ambitious criminal hackers conspire to circumvent whatever security technology stands in their way. They seek access to your data, with tactics developed faster than solutions can be created to stop them. This is the reality of the current cybersecurity landscape.
A conversation with iboss CEO and Co-Founder, Paul Martini, outlines the current dilemma of increasingly evasive threats, and discusses what it will take to better protect organizations against the consequences of a serious data breach.
A recent article posted in Dark Reading, CareerBuilder Attack Sends Malware-Rigged Resumes to Businesses, outlines a new exploit that has been characterized by some researchers as “simple elegance and brilliance.” While these may not be words typically used to describe malicious cyber exploits, it’s clear those quoted have a wary respect for the deftness of this attack.