Data Breaches Gone Wild
This extra-long blog post started out as a response to a question posted by prolific and versatile writer Pam Baker about why there seemed to be a surge in cyber attacks, whether there were actual hacking groups performing the attacks, and whether there was anything a normal company could do to protect itself. The full content of Pam's article, with a very funny and true intro by Aaron Higbee, CTO of JDA's partner PhishMe.com, is available at eSecurity Planet. I particularly agree with Aaron's assessment that "Advanced Persistent Threat" (APT) has become a buzzword that companies use to cover up otherwise mediocre to poor security practices.
In our cybercrime work with large companies and defense contractors we see actual groups, meaning intruders that operate using the same toolsets or the same remote computers as part of their attacks. Some security firms are willing to immediately call such a group of intruders "state sponsored" cyber attackers and link them to various governments or terrorist groups. While I don't completely disagree with that line of thinking, the linkage between a specific attack and a foreign government is often tenuous at best. I prefer to think of these groups that attack large corporations or defense contractors as "organized cyberminers". I know that isn't as sexy-sounding as "Advanced Persistent Threat", but it is a more accurate description of their data breach activities.

Typically the organized cybermining groups attack an organization with a series of very targeted phishing attacks directed at "C-level" employees and directors of the organization. These phishing emails often contain what appears to be current information about company business, for example a PowerPoint presentation from the CEO on projected sales figures that he'd like everyone to look at. The phishing PowerPoint will even contain company data (usually dredged from the company's website and other media sources) and will exploit a vulnerability in the viewer that allows it to download a Trojan onto the victim's computer. From that foothold on the victim computer the organized cyberminers employ other attacks to gain valid passwords and access other systems. Once firmly established on the victim network, the organized cyberminers begin collecting email, file share data and My Documents folders, hacking into internal Microsoft SQL and Oracle databases, and "exfiltrating" large quantities of data. Typically the stolen data is related to ongoing company projects, R&D data, sales and contract information, and sometimes records extracted from databases.

The organized cyberminers often leave tools behind on a computer to allow them access to the network later should their activities be discovered. All of this is often referred to as Advanced Persistent Threat (APT) technique, although frankly the "break in, get control of a computer, exfiltrate data and leave plenty of backdoors for later" hacking methodology isn't exactly new or advanced.
The second group of cybercriminals I would classify as "financial hackers". There is a whole credit card and financial data theft ecosystem alive and well on the Internet that involves hackers stealing the data, other hackers distributing tools for hacking and account verification, cloners making new debit and credit cards from stolen information, and links to criminal networks for buying and selling the information. Financial hacker groups may target an organization such as a credit card processor or a website that accepts credit card transactions, but they will also send out spam/phishing emails with Trojan links to gather individual Internet users' financial information. Typically this group of cybercriminals isn't interested in anything other than Personally Identifying Information (PII), financial information, and user IDs and passwords for financial accounts. While financial hackers are definitely a menace, they are a very targeted menace that is always looking to steal just that one type of information from any available target.
The last group I would broadly categorize as "social hacktivists". These are the hackers involved in groups like Anonymous, Lulzsec and all the other less famous associated groups. The purposes and goals of these groups can seem somewhat chaotic but tend toward what some would consider anti-government, anti-corporate and anti-secrecy. These groups and their targets are often based on group ideas from Internet Relay Chat (IRC) channels and image boards such as 4chan.org. One of the common techniques of this group is Distributed Denial of Service (DDoS) against the websites of organizations that have irritated the group or that the group feels do not meet its requirements of personal freedom. These targets range from financial services and government web sites to the web site of rockstar Gene Simmons of KISS. These DDoS attacks can make the targeted servers and networks unavailable for days or weeks. Other, more sophisticated cells of the social hacktivist groups use more advanced hacking techniques to intrude on financial services, government and corporate networks to steal email, passwords and documents that are typically made public as a way of exposing the target's operations or business practices. These groups have been involved in providing documents to organizations such as Wikileaks and dumping corporate information out to anyone interested in reading it, as in the intrusion on security firm HBGary, which drew the ire of Anonymous earlier this year. Attacks from social hacktivists are very hard to prevent or control due to the decentralized nature of the groups, which the inherent anonymity of the Internet makes possible.
Attacks from the first two groups can generally be prevented by practicing good network and system security. Unfortunately, it is our experience that even the largest and most professional organizations (corporate and government) often have significant weaknesses in their Internet-accessible computers and applications. Once these two groups of cybercriminals are inside an organization's network there are typically even fewer security mechanisms to detect the intrusion and prevent the data breach from spreading.
Individuals can protect themselves by ensuring their computer is patched and they are using a good commercial anti-malware solution. While patching and security software will protect individuals from most attacks, they won't protect a user from harming themselves by downloading and installing Trojaned software or falling victim to a phishing scam. Again, unfortunately, we frequently find that when individuals have been the victim of a random attack they have failed to do any sort of updating of their computer via vendor-supplied patches and have no, or completely outdated, security products on their computer.
The social hacktivist group is probably the most difficult to protect an organization from. These groups have displayed a wide diversity of hacking techniques and skill levels as well as an ability to launch sustained anonymous attacks. It is very difficult for an organization that has been targeted by a group like Lulzsec or Anonymous to protect itself, as has been demonstrated numerous times in the past few weeks and months. For individuals it is best not to engage in activities that would directly antagonize one of these groups, as the CEO of HBGary did. Don't poke a stick in the bee hive if you don't want to get stung.