The latest IBM X-Force Threat Intelligence Quarterly report is out. This quarter it focuses on four areas of security: onion-layered attacks, ransomware, malicious insiders and improving security management.
At first glance it might not seem that much has changed over the last year. What makes this quarterly report interesting is that it comes from the IBM Security Services team, the people who deliver IBM Emergency Response Services (ERS) to customers when things go wrong. As such, they provide an in-depth look at each of the four key areas.
At the end of the report is a five-page article that should be required reading for most IT security teams and certainly for all Chief Information Security Officers and other members of the board. Titled “The power of indicators of compromise for incident forensics”, it walks the reader through what to look for to determine whether an attacker has been in your systems.
Onion-layered security incidents
This subject has been written about extensively in the cyber security press, yet it is still happening. The latest high-profile example is the TalkTalk attack. It works like this:
- An easy-to-spot attack, such as an attack on the website or, more commonly, a Distributed Denial of Service (DDoS) attack. This engages the IT and IT security teams.
- A more sophisticated attack that may happen at the same time, slipping through a previously identified gap in the defences while attention is elsewhere. Alternatively, the attacker may already be inside and want the distraction to cover the exfiltration of data.
There is nothing complicated about this, and it is still surprising that so many IT security teams allow themselves to fall for it. According to the IBM X-Force report, the biggest problem the ERS team encounters is that multi-layer attacks take a lot of resource to understand: working out what has actually happened, and which events belong to which attack, is where the time goes.
Interestingly, not all multi-layer attacks are linked. The ERS team found that a number of simultaneous attacks were unrelated. Often the sophisticated attack has been going on for months and has already compromised multiple systems. The irony is that the noisier attack may spoil a long-term infiltration of the target by triggering the investigation that uncovers it. Studying what has been compromised and how it was achieved provides a wealth of learning and data for IT security teams.
Irrespective of how clever the attackers are, the ERS team say there are often signs that such attacks are taking place:
- Alerts generated by anti-virus software about Trojans or hacking tools on Internet-facing servers. If the server is Internet facing, the big question is how the tools got there.
- Servers rebooting unexpectedly or showing other unusual behaviour. IT security teams need to be involved when this happens in order to establish how it started. Look for unexpected software and then establish how it got there.
- Suspicious log records. Check the logs regularly. This is something that still only happens after an attack, yet it needs to be a routine process. With the evolution of big data tooling it is possible to import large numbers of log files and automate much of the detailed analysis. Attempted or successful logins from unexpected locations and countries are the biggest indicator.
- User lockouts. These could indicate that attackers are changing user passwords to test the responsiveness of the support team, especially if it happens to a number of users in a short space of time.
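The two log-based indicators above (logins from unexpected countries, and several distinct accounts locked out within minutes of each other) are simple enough to automate. The following is an added example, not code from the IBM report: it parses a constructed authentication log in an assumed "timestamp user event source-IP country" format, flags login attempts from countries outside an allow-list, and reports bursts of lockouts across multiple users. The log lines, the field layout and the thresholds (a 10-minute window, three or more users) are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the IBM report).
# Format assumed here: "<ISO timestamp> <user> <event> <source IP> <country>".
SAMPLE_LOG = """\
2015-11-02T08:01:10 alice LOGIN_OK 10.0.0.5 GB
2015-11-02T08:03:44 bob LOGIN_OK 10.0.0.9 GB
2015-11-02T09:15:02 alice LOGIN_OK 203.0.113.7 RU
2015-11-02T09:15:30 svc_backup LOGIN_FAIL 198.51.100.4 CN
2015-11-02T09:16:01 svc_backup LOGIN_OK 198.51.100.4 CN
2015-11-02T11:00:00 carol LOCKOUT 10.0.0.22 GB
2015-11-02T11:02:10 dave LOCKOUT 10.0.0.23 GB
2015-11-02T11:04:55 erin LOCKOUT 10.0.0.24 GB
2015-11-02T11:06:30 frank LOCKOUT 10.0.0.25 GB
2015-11-02T16:40:00 grace LOCKOUT 10.0.0.30 GB
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOCKOUT) "
    r"(?P<ip>\S+) (?P<country>[A-Z]{2})$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def unexpected_country_logins(events, allowed_countries):
    """Login attempts (successful or not) from countries the business does not operate in."""
    return [
        e for e in events
        if e["event"] in ("LOGIN_OK", "LOGIN_FAIL") and e["country"] not in allowed_countries
    ]


def lockout_bursts(events, window=timedelta(minutes=10), min_users=3):
    """Find windows in which at least `min_users` distinct accounts were locked out.

    A single lockout is usually a forgotten password; several different users
    locked out within minutes of each other is the pattern worth escalating.
    Returns (first lockout time, last lockout time, sorted user list) per burst.
    """
    lockouts = sorted((e for e in events if e["event"] == "LOCKOUT"), key=lambda e: e["ts"])
    bursts = []
    i = 0
    while i < len(lockouts):
        j = i
        users = set()
        while j < len(lockouts) and lockouts[j]["ts"] - lockouts[i]["ts"] <= window:
            users.add(lockouts[j]["user"])
            j += 1
        if len(users) >= min_users:
            bursts.append((lockouts[i]["ts"], lockouts[j - 1]["ts"], sorted(users)))
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in unexpected_country_logins(evts, allowed_countries={"GB"}):
        print(f"{e['ts']} {e['event']:<10} user={e['user']} from {e['ip']} ({e['country']})")
    for start, end, users in lockout_bursts(evts):
        print(f"{len(users)} accounts locked out between {start.time()} and {end.time()}: {', '.join(users)}")
```

On the sample data the country check surfaces a service account authenticating from outside the allow-list, which is exactly the "how did that get there" question the text raises, and the burst detector reports the four lockouts around 11:00 while ignoring the isolated one in the afternoon.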
The year of Ransomware
There are now several different ransomware programs in circulation. The IBM X-Force team break them into two families:
- Family one simply locks the user's system and tricks the user into paying.
- Family two encrypts the user's files, sends instructions on how to pay and, once paid, decrypts the files.
There are several toolkits available on the Dark Web that allow people to build their own ransomware, especially of the second family. The problem is that some strains are flawed: they fail to send the encryption key to the command and control server, or they corrupt the key. This means that even if the user pays, they cannot get their files back.
One question is whether or not to pay. The FBI has recommended that companies pay up to get their files back. Other security experts disagree and recommend that companies establish a better backup strategy instead. According to the ERS team there is widespread agreement across the security industry that the profitability of ransomware means it will continue into 2016 and perhaps beyond.
The ERS team also point out that ransomware is evolving: rather than locking entire directories of files, some strains target specific fields in databases. These are long-term attacks designed to persist beyond the retention period of a company's normal backup rotation, so that by the time the corruption is discovered every retained backup already contains it. As a result the database cannot be restored without significant loss of data, putting companies in the position where they have no choice but to follow the FBI's advice.
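The reason slow, field-level corruption defeats a "just restore from backup" strategy is purely a matter of retention arithmetic: if the corruption started before the oldest backup still held, there is nothing clean to restore. The following is an added example, not from the report, that makes that arithmetic concrete. It assumes an illustrative grandfather-father-son rotation (14 nightly, 8 weekly Sunday, 6 monthly first-of-month backups); the dates and policy figures are constructed for the example.

```python
from datetime import date, timedelta


def _as_date(d):
    """Accept either a date or an ISO string such as '2015-11-30'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def retained_backups(today, daily_days=14, weekly_weeks=8, monthly_months=6):
    """Backup dates still held under an assumed grandfather-father-son rotation:
    the last `daily_days` nightly backups, the last `weekly_weeks` Sunday backups
    and the last `monthly_months` first-of-month backups.
    The policy values are illustrative assumptions, not figures from the report."""
    today = _as_date(today)
    kept = set()
    for d in range(daily_days):
        kept.add(today - timedelta(days=d))
    # Most recent Sunday on or before today (weekday(): Monday=0 ... Sunday=6).
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    for w in range(weekly_weeks):
        kept.add(last_sunday - timedelta(weeks=w))
    year, month = today.year, today.month
    for _ in range(monthly_months):
        kept.add(date(year, month, 1))
        month -= 1
        if month == 0:
            month, year = 12, year - 1
    return kept


def clean_backups(today, corruption_start, **policy):
    """Retained backups taken before the corruption began, oldest first.
    Only these can restore the affected records without restoring the damage too."""
    start = _as_date(corruption_start)
    return sorted(d for d in retained_backups(today, **policy) if d < start)


def days_of_data_lost(today, corruption_start, **policy):
    """Days between the newest clean backup and today; None if no clean backup remains."""
    clean = clean_backups(today, corruption_start, **policy)
    return (_as_date(today) - clean[-1]).days if clean else None


if __name__ == "__main__":
    today = "2015-11-30"
    print("oldest retained backup:", min(retained_backups(today)))
    for start in ("2015-09-15", "2015-05-15"):
        print(f"corruption since {start}: data lost on restore = {days_of_data_lost(today, start)} days")
```

With this policy the oldest backup on 30 November 2015 is 1 June. Corruption that began in mid-September still leaves a clean monthly backup, at the cost of 90 days of data; corruption that began in May leaves none, which is the situation the ERS team describe. The defensive takeaway is to size retention against expected attacker dwell time, not against storage cost alone, and to verify backups by restoring them.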
Interestingly, the ERS team say that any success by ransomware relies on multiple security and procedural breakdowns. They list these in three groups:
- Not backing up data. Clients often admit to not having backups when an attack happens.
- Poor patching procedures. Ransomware exploits unpatched operating system vulnerabilities. These can often give the attacker privileged access, making it easier to locate key files and then execute the ransomware. This accounts for around 65% of all ransomware infection vectors.
- Lack of user awareness. Ransomware is not the only malware that exploits this route. What exacerbates this attack vector is the poor security training and awareness programmes run by companies. Better training and information for users would make this route harder to exploit and reduce the chances of a successful attack. 20% of infections come through drive-by exploits, where users visit websites that download the ransomware in the background. The remaining 15% come from spear-phishing emails.
These three vectors are easily addressed through better education and proper IT procedures. In fact, the first two can be seen as serious governance failures in an IT department; the third is a matter of user education.