Security experts are seeing an increase lately in advanced persistent threats, threats that have no known signature or known pattern of behavior.
"The first victim is patient zero," notes Samuel Visner, vice president and cyber lead executive at CSC, Falls Church, Va., and a former security official with the federal government. These threats lurk unseen in servers, applications and databases and are very difficult to detect. They often are created by nation-states or companies affiliated with them, they can change their own appearance and migrate from server to server seeking confidential information, they can establish communication with their creators, and they can wait stealthily and patiently until conditions are just right to attack.
These thieves are after not just bank or card account information, but intellectual property, such as product development or marketing plans and corporate strategy. "This information is valuable not only to an economic competitor but to a nation-state that has some kind of relationship with companies that owe sovereign allegiance to that government," Visner says.
"The Office of the National Counter-Intelligence Executive says foreign governments are in fact collecting this intelligence, doing what we call network exploitation, and they are collecting information from U.S. and other Western commercial enterprises. They're doing this because its gives them economic clout, which today is a component of geo-strategic clout."
The value of research and development in the U.S. was estimated by the National Science Foundation at $4 billion in 2008, about 2.8% of the U.S. gross domestic product. "If somebody were to steal that, they would get all of the benefit and not have to pay any of the cost," Visner says.
It's too soon in the investigation to tell if the Global Payments data breach earlier this month falls under this category, but financial institutions are targets of such attacks.
"One senior banker said, why would the Chinese hack me? I have their money, they want me to secure their money," says Bill Wansley, senior vice president at Booz Allen Hamilton, McLean, Va. "They're not going to steal their own money." Wansley responded that the bank has sensitive M&A information that could be valuable. "Don't kid yourself. We have never not found malware on a client. If anybody thinks they're not being attacked, they're not aware of the fact. There are those companies that have been attacked and those that don't know it yet. If you're a major institution, you're being attacked all the time."
In fact, banks, credit unions and insurance companies are among the most coveted targets, according to Darin Anderson, general manager Norman Software NA, Fairfax, Va. "First off, they have a broad base of customers; someone executing a social engineering trick can play the numbers and send out the email to millions of email subscribers," he says. "The bad guys are following the money to financial institutions and looking for ways to get users to compromise their credentials or institution itself to open a place where they can further perpetuate their crimes."
The term "advanced persistent threat" evolved from the U.S. military and originally was used as a cover name for Chinese hacking. "It has since evolved to describe a type of attack that meets the definition: advanced in that it's very sophisticated in the technical abilities of the attackers, persistent in that it keeps coming back — it's so well resourced that it has the time and money to keep plugging away when they want to penetrate an organization," says Wansley. "And it's generally associated with a nation-state attack."
Advanced persistent attacks put sophisticated malware on a company's systems through a social engineering/phishing type attack approach, with incredible persistence and detail, Wansley says. A country might dedicate 100,000 people to such a project, who will build detailed personal profiles on individuals they're going after. "They'll social engineer to the point where they know great details about people, who their colleagues are, and they'll send them a very innocuous email that looks like it's coming from your boss or best friend and says, 'Here's a picture of us together last weekend,'" he says. The email may be legitimate, but the picture could have malware on it and make the recipient an unwitting insider.
The malware learns about vulnerabilities inside a company's systems, collects intelligence, and seeks intellectual property or sensitive data. It has the potential to encrypt that information, copy it and send it out at night when it's less noticeable in an encrypted packet. "You may see an increase in volume of data leaving at night but you don't know what it is," Wansley says.
These cleverly crafted pieces of malware know how to morph in such a way to not to be detected, and they can establish a morphing schedule so they morph faster than a signature could catch up to them, notes Bryant G. Tow, chief security officer — Financial Services Group at CSC. One example of this type of malware was the Zeus banking Trojan that Microsoft's crime unit worked with law enforcement to catch.
"That malware was so sophisticated that it would act as that man in the middle and display actual account balances on a page that looked so unbelievably real, users had no idea what was going on," Tow says. "As the malware proliferates and makes its way through the network, it knows how to behave and it behaves in such a way that we're often not aware of it."
Some observers thought it was odd that Microsoft participated in this raid. However, Tow points out that Microsoft has a vested interest in going after such perpetrators and protecting their own interest abroad.
Advanced persistent threats typically attempt to establish some kind of control or command path back to the originators or "mother ship," Visner says. Once the malware has found the information sought or an email account that seems to deal with the subject matter, it will open a port and use it to communicate back home.
Another characteristic of these threats is they may cause anomalous behavior inside the network, for instance driving bandwidth up as they try to communicate out or changing administrative access rights as they attempt to access administrative controls. "If you find something that looks amiss, because it causes unusual behavior in the network or it causes the application of administrative privileges that aren't ordinarily associated with a particular user, it gives you reason to wonder if something else is amiss inside the network," Visner says.
To protect themselves, banks need to do continuous monitoring from within, Wansley says. "Having a single firewall is not sufficient any more. You have to constantly monitor for changes in your system, and then find a way to collect and remove the malware from your system."
Companies also need a deliberate strategy to protect their most sensitive information," he says. "If you have critical algorithms you use for market trading, those need to be treated specially and the access to those controls has to be done in a way where it's more difficult for those potential malware to get to it."
Banks should consider the real and likely scenario that they've already been hacked and that some or all of their systems are owned, says Anderson. "They have a long-term vulnerability and they need to look at the entire ecosystem of layered defense — having technical solutions in place that provide perimeter and endpoint security," he says. This includes security policies and technical guidelines for customers and educating internal and external stakeholder groups about cybersecurity, especially around social engineering. It involves establishing an infrastructure and ecosystem that gathers information and evidence on what the bad guys have been able to steal from them and identify who has the information, that nature of the information that's been exposed, leaked or stolen, and procedures to follow up and improve the systems based on intelligence they gather through that part of their system.
Existing malware detection software can help. "You do want to continue to look for the signatures of known threats, because a lot of good work has been done to characterize these threats and signatures," Visner says. "There are programs out there that disseminate information about these threats, sometimes in the form of anti-virus definitions."
Knowing what's going on in your networks is critical, Tow points out. "The more we define what's normal, the better off networks will be," he says. "We can find anomalous behavior and make a determination at that point without being too business disruptive."
The perpetrators of these attacks are sophisticated and have access to commercial antivirus tools, the applications enterprises use, and the architectures companies use. "They're in a position to understand how a network ought to operate, so they're going to find fairly subtle ways to introduce malware that causes subtle effects on this side of the network, things that might not normally be detected," Visner says.
The loss of intellectual property can have several effects. "If somebody steals your intellectual property and they can introduce your product to the market and make it more cheaply, the value of your investment is infinitely demonetized," Visner notes. "Your adversary gets all of the return and pays none of the investment. Secondly, the IP thief may not be able to produce the product at the level of quality that the originating firm does, so the firm's reputation may be damaged.
A tactic of "air gapping" — ensuring that a secure network is isolated from insecure networks, such as the public Internet — can help but is not a complete answer. The Stuxnet worm, for instance, that targeted Iranian nuclear capabilities, got on the laptops of Russian contractors who supported those systems through thumb drives. "The fact that something isn't connected to the Internet does not necessarily mean that malware cannot get on those systems," says Donald Purdy, chief cyber strategist, cybersecurity at CSC.
The FBI has recommended that computers banks use for ACH funds transfers be dedicated to that purpose and not connected to the Internet or perform other functions. It's also specified that these standalone computers should have no active USB ports. "I was told that the Department of Defense puts hot glue in their USB ports to keep people from using them — it's a bit of a low-tech solution but effectiveness nonetheless," says Two. These computers should ideally have no other applications on them, not even email, or Microsoft Word, he says. "There's no absolute empirical evidence, but the FBI has said unofficially that companies that did this later reported that there were no incidences, the threat and opportunity had reduced to zero."