Last time I wrote about the Websense 2015 Threat Report and my key takeaways. One of those takeaways was that cyber attacks are becoming more focused. Attackers are moving from targeting an industry, like health care, to targeting a specific company, like Anthem. We are starting to see attacks aimed at a single organization within a company, targeting the people in that organization who are likely to have access to something the cybercriminals want.
Here is one interesting example from last year involving hacktivists. Hacktivists are attackers motivated by a cause rather than by money: they attack a company not to profit from it but to impair its operation. In this case, their targets were the few people in the company who managed the building security and environmental controls. Working remotely, the hacktivists locked the doors to the main server room and disabled the emergency override controls, then turned off the air conditioning and turned up the heat. The end result was a room full of physically destroyed computers.
How is this kind of specific attack done? Websense describes the seven stages of advanced threats.
- Stage 1: Recon
The first step is to identify at least one individual who has access to the information the attackers want. They start with professional networking sites (like LinkedIn) to learn who works at the company and who might work in the area of interest. Then, through personal and social media sites, they identify others who might have the information they seek, and at the same time learn what kinds of lures are likely to work on the selected individuals.
- Stage 2: Lure
Using the recon information, the cybercriminals craft lures that fool users into clicking on a link. These lures are dangled in emails and social media posts that appear to come from trustworthy sources.
- Stage 3: Redirect
When the lure works and the user clicks the link, they are redirected to a site hosting malicious content such as an exploit kit.
- Stage 4: Exploit Kit
An exploit kit profiles the user's workstation (browser, plugins, operating system) looking for vulnerabilities that let it deliver malware, including keyloggers or other tools that enable further infiltration of the network.
- Stage 5: Dropper File
Once the exploit kit has found a path to deliver malware, the cybercriminal delivers a "dropper file." The dropper contains software to start finding and extracting data, and often includes the ability to fetch and install other malware later, even after the vulnerabilities originally exploited have been patched. The dropper may remain dormant for a period of time to avoid detection.
- Stage 6: Call Home
Once the dropper file has infected the target system, it "calls home" to the attacker's command-and-control (C2) server. From there it can download additional programs and tools and receive instructions; there is now a direct channel between the cybercriminal and the infected system.
- Stage 7: Data Theft
At this point, the cybercriminal begins to collect and exfiltrate the data. The data could be anything: intellectual property; financial, health or other personally identifiable data; or data that will enable additional attacks.
Not every advanced threat uses all seven stages. These same stages are also used in more general, less focused attacks.
Each of these stages is a place to stop the attack. A prepared company maps its monitoring and defenses to every stage of this kill chain, rather than relying on a single point of detection.
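The call-home stage is a good illustration of what "monitor at every stage" means in practice: a dropper that polls its command-and-control server on a timer leaves a regular rhythm in the web proxy log that human browsing does not. The detector below is an added example, not code from the original post or from Websense. It runs over a handful of constructed proxy log lines, groups connections by client and destination, and flags pairs whose gaps between connections are nearly constant. The IP address, hostnames and thresholds are made up for illustration.

```python
"""Timed-beacon detection over web proxy log lines.

Added example (not from the original post or from Websense): a dropper
that "calls home" typically polls its command-and-control server on a
fixed timer, while human browsing is bursty and irregular.  A
(client, destination) pair whose connection intervals barely vary over
many connections therefore stands out in the proxy log.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dst_host".  The address and
# hostnames are made up; update.examp1e-cdn.test plays the C2 server
# (.test is a reserved TLD, so it never resolves).
SAMPLE_LOG = """\
2015-05-04T09:00:05 10.1.4.22 www.linkedin.com
2015-05-04T09:00:09 10.1.4.22 cdn.linkedin.com
2015-05-04T09:01:00 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:03:41 10.1.4.22 mail.example.com
2015-05-04T09:05:59 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:07:12 10.1.4.22 mail.example.com
2015-05-04T09:11:01 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:14:30 10.1.4.22 news.example.org
2015-05-04T09:16:00 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:21:02 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:22:17 10.1.4.22 mail.example.com
2015-05-04T09:25:58 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:31:00 10.1.4.22 update.examp1e-cdn.test
2015-05-04T09:33:45 10.1.4.22 mail.example.com
"""


def parse_log(text):
    """Group connection timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_connections=5, max_cv=0.05):
    """Return [(src, dst, period_seconds)] for pairs that look like timed beacons.

    A pair is flagged when it has at least min_connections connections and
    the coefficient of variation (stdev / mean) of the gaps between them is
    at most max_cv, i.e. the gaps are nearly constant.  Both thresholds are
    illustrative and would be tuned against real traffic.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        if pstdev(gaps) / period <= max_cv:
            hits.append((src, dst, round(period)))
    return hits


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Run against the sample, it flags 10.1.4.22 talking to update.examp1e-cdn.test roughly every 300 seconds while the irregular mail and news traffic passes. The caveat a practitioner would raise: real implants add random jitter or sleep for hours precisely to defeat this kind of check, so timing analysis belongs alongside domain reputation, newly registered domain and data volume checks, not in place of them.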
These attacks may also be directed at the victim's personal accounts, which have less protection and where the victim tends to be less careful. A victim's personal computer may likewise be more vulnerable to attack than the IT-controlled office workstation, yet it may be used for work-related activities and thus may hold information useful for breaking into the office network.
The last word:
Today you can use your smartphone to control your home thermostat and lock or unlock your doors. Just like the hacktivist example above, somewhere there is a group of hackers attacking you and the company that manages the communications with these devices. That company might be your Internet Service Provider (Comcast or Verizon, for example) or your home alarm company. If it is not already available, it will soon be possible to buy the access codes to a house or company, or more likely to subscribe to a BIaaS (Break-in as a Service). For $1,000 the hackers will turn off the alarm, disable the video cameras and unlock the back door at 2 AM, then relock the doors, enable the video cameras and turn the alarm back on at 5 AM. They will know you are away that night because they hacked into your newspaper's database and noted your stop-delivery request.
Welcome to our brave new world.
Keep your sense of humor.