Trend #1: Government Malware Goes Commercial
What will happen in 2013? Will our cyber security get better or worse?
First, the good news. We think security will improve for larger, well-funded organizations. In the same way James Q. Wilson introduced community policing, transforming law enforcement, we think a community approach—a sort of security commune—will improve security in the digital realm. Sharing attack information will help remove seeming randomness of attacks.
Second, the bad news:
- As bigger firms get smarter, we think hackers will choose the path of least resistance—small companies. To date, we’ve seen for-profit hackers pursue small organizations but rarely have we seen government-sponsored (APT) attackers go after the little guys. We think that will change. Small companies contain a lot of data and, in many cases, quality intellectual property. They make for ripe targets.
- Not surprisingly, we think hackers will continue to get more sophisticated. In 2013, hackers will continue to refine cloud computing for attacks.
- Traditional SQL injection attacks will continue—but we believe they will focus on content management systems (CMS). Hackers go where the vulnerabilities are. Today, CMS provides a rich target.
- We think hackers will use a cloud-based model to become more efficient and effective.
Overall, 2013 will also have many headlines reporting breaches. We believe the path and methods, however, will look a bit different.
Trend #1: Government Malware Goes Commercial
Government military research has an influence on the industry. Commercial aviation, for instance, has been heavily influenced by advances in military aircraft. In 2013, we believe this government-driven cascade effect will apply to cyber security. How? The most dynamic change factor in the insider threat landscape in recent years is the evolution of modern malware. The massive introduction of user-owned devices coupled with work-force mobility is giving the “compromised insider” threat an extra weight compared to the more traditional “malicious insider” threat.
We expect two existing trends to take us through 2013:
- Technologies previously attributed to “state sponsored” attacks are going to become commercialized (or commoditized), further blurring the difference between Cyber Crime and Cyber War.
- Devices affected by modern malware (APT), representing a “compromised insider” threat, are going to become a more prominent risk factor than malicious insiders. The 2012 Verizon Data Breach Investigations Report noted malware’s impact: “69% of all data breaches incorporated Malware.” This represented a 20% increase over 2011.
Through 2011 and 2012, we have seen a variety of allegedly state sponsored malware operations described in the media among them “Gauss,” “Doqu” and “Flame.” Three notable aspects were discussed with respect to these operations:
- The method of infection.
- The complexity of the software and the robustness of the command and control network.
Throughout 2012, we have seen two of these three aspects appear in modern commercialized malware.
Infection Methods Gone Wild
In the second half of 2012 we closely tracked a number of botnets—which gives us a glimpse of future infection methods with next generation malware. Today, malware is usually delivered as a compressed archive about 50KB size and is the basis for a very robust and versatile compromise operation. We generally see that the initial infection package changes very frequently, even within the same distribution campaign to the point that antivirus (AV) products appear to have difficulty keeping up with detecting new strands of the same code. What will change?
- A larger number of hosts containing more sophisticated malware. Each campaign is also characterized by keeping a large number of compromised servers that host the infection package. The actual functional modules that are downloaded from time to time vary in size, are by no means the tiny, size-optimized, executable programs of previous generation malware. Some of the modules are larger than 1MB, and in some of the instances, we tracked the total code size that amounted to almost 10MB. Modules keep evolving over time. For some, we saw version numbers grow substantially over time.
- The command and control structure (C&C) becomes larger and more robust. Today, basic malware comes equipped with a list of more than 10 IP addresses of available C&C servers. Recently, we have seen this number go up to 40. Moreover, all C&C servers seem to share a common state with respect to the clients through some mechanism. The different modules downloaded from time to time provide functions such as sending spam, file pilfering, password grabbing, and attack against web servers. Each individual operation was able to last a few weeks before being shut down.
It seems that most operational capabilities that defined Flame and the like as “super malware” are in fact finding their way into these commercial malware operations. We expect the infection vector to remain the biggest differentiator between the commercial malware and the truly advanced persistent threat.
C&Cs Get a Major Upgrade
In a different incident, we tracked a botnet’s activity. This botnet is a classic banking malware typically seen in Latin America. The instance we tracked employed two versions of the malware agent using different methods to control the redirection of user traffic to the attacker-controlled server and two different types of C&C channels, thus giving the entire network an improved efficacy and redundancy.
This botnet operates by locally hijacking domain names of online banking applications and routing the traffic through an attacker-controlled server. It does that either by rewriting the “hosts” file or hooking into the domain name resolution service. It quickly became clear that the same technology can be used by the botnet operator to target enterprise systems rather than personal banking accounts. In particular, if the domains to be controlled (which are downloaded as a configuration file after first infection) are chosen to be cloud-based enterprise applications like SalesForce.com, NetSuite, SilkRoad, and the like, an attacker can gain access to corporate information stored at these systems and accessed by infected computers. Moreover, these cloud-based services may be accessed by mobile devices (in particular, laptops) from outside the enterprise perimeter, leaving no trace of the attack.
This is just one example that leads us to believe that next year we will see more enterprise data being affected by malware originally used for other malicious activities. This is going to be driven by the following:
- Existing commercial banking malware technologies can seamlessly be applied to the compromise of cloud enterprise data.
- Cloud enterprise data is mostly used by organizations with a large mobile work force, which, in time, is more susceptible to compromise.
- Attackers are always looking for new revenue streams based on existing technologies.
Attackers have always followed the path of least resistance. Considering that antivirus has not been effective in preventing infections from modern malware, this trend should surprise no one. Enterprises who fail to adopt a data or file-centric security approach will be caught with their pants down. Investing in the right “ears and eyes” to monitor the access of servers, databases and files, to make the detection of such attacks easier.