Should revenge assaults be just another security tool large IT shops use to counter cyber attacks?
It's a controversial idea, and the law generally frowns on cyber attacks in general, but at the Black Hat DC conference last week, some speakers took up the issue of whether and how organisations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security.
One idea that got plenty of attention here was the notion of exploiting vulnerabilities in attack tools and botnets to try to determine what the attacker was going after, or feed fake data, or even dive into the attacker's network lair.
If it turns out an attacker has taken control of a corporate machine, it's logical that you'd want to "counter-strike" to find out what the attacker is up to, perhaps by finding a hole in the attack tool being used and planting a backdoor of your own to watch the attacker, said Laurent Oudot, founder and CEO of TEHTRI-Security, an ethical hacking and vulnerability research firm, who spoke at Black Hat.
"We want to strike back. We want to exploit his network," said Oudot. You want statistics and logs related to the attacker, and it might be the idea of attacking ZeuS or SpyEye or even a state-sponsored attacker.
It's not so complex to find zero day vulnerabilities that would allow subversion of attack tools, noted Oudot, whose firm has experience in identifying vulnerabilities, including several related to mobile devices. He suggested it would be fairly simple to strike back against exploit packs such as Eleonore, or feed fake information into attacker's hands. "You can strike back," Oudot said. "Your enemies are not ethical hackers."
Matthew Weeks, a security researcher who recently joined the Air Force, also spoke on the question of counterattacks against hackers clearly using attack tools to break into networks, acknowledges the law would probably regard most counterstrike ideas as illegal.
But as a contributor to the open source version of Metasploit, a tool that can be used for either good or evil to test and explore network vulnerabilities, Weeks says tools such as this have their own vulnerabilities much like any type of software will, and attackers may not pay attention to patching their own attack tools.
At the conference he went into depth on some vulnerabilities in open source Metasploit. And he says other tools, such as Nessus or the Wireshark protocol analyser, which can also be used for attack purposes, have also had vulnerabilities.
While the idea of counterattacks remains contentious, especially since there could be "unintended consequences," Weeks noted, his inclination as a security researcher is to explore how countermeasures such as "tarpits" could be put to use, which would put attackers in an endless spin cycle when they connect.
It's possible to "tie up resources in an attack," said Weeks, and it would make sense to monitor what hackers are up to.
There's scant evidence that companies or civilian government agencies are trying to turn the tables on attackers in these ways, but the military arms of several governments around the world, including the US, are building up cyber-forces with an eye toward supporting a retaliatory strike capability. And no one denies espionage takes place in cyberspace.
Long battle ahead
While counterinsurgency could slow down the threat of cyber attacks, Black Hat speakers said data thieves are still getting into corporate networks too easily, in some cases simply by tricking one targeted victim to open a phishing email.
Data thieves sneak in by this route to collect the most valued information and they tend to go about it at a methodical pace over months if not years, and patience is the key to catching them at it, according to security firm Mandiant.
Mandiant shared some of the findings its incident response teams have seen in investigations, noting that far from being one time grab and run events, data cyber-theft is often a long methodical process.
The attacker, who usually gets in through a phishing email targeted at a particular employee to gain control of a Windows-based computer, then begins to move around the network to look for the most valued data, then starts collecting it in a "staging area" on a compromised machine, in order to try to eventually transfer it out in data containers such as a RAR file.
In speaking on the topic of how attackers exfiltrate data out of the network, Mandiant security consultant Sean Coyne said in many cases, "the attackers were there for several months, if not years." A defense contractor that was hit, he notes, found that over 120 GB of data, mostly Word documents, were stealthily collected over a period of months, with the attacker picking a staging area to bundle up what was stolen and send it in a digital container, such as a RAR, ZIP or CAB file.
"It's easier to move one large file than several smaller ones," he noted, adding, "Most corporate IT users are completely oblivious" though they may wonder why their computers, used as a staging point, suddenly seem slow.
Often backdoor trojans and data collection tools such as one called Poison Ivy are often used. But data thieves are artful dodgers who do a lot manually, not automated, to evade attempts at security controls such as intrusion prevention systems or data loss prevention (DLP), according to Mandiant.
Mandiant consultant Ryan Kazanciyan says he saw one case where the victimised organisation was using McAfee host intrusion protection system to look for RAR files but the attacker figured that out that an alert had been set off and simply changed to something that wasn't being monitored.
"Some guys will take everything but the kitchen sink," and get it out to sort through it later, while others are "pickers and choosers," though evidence shows data thieves today exhibit a tendency to use habitual methods suited to their own style, Coyne noted.
When asked if DLP tools that seek to monitor or block attempts at unauthorised transmissions of data outside the organisation are effective in instances connected with data exfiltration, both Kazanciyan and Coyne expressed skepticism.
DLP is mainly useful for "keeping users from accidentally sending files out," Coyne said. "It's not built to stand up to a targeted attack." Kazanciyan expressed a similar opinion. If an organisation suspects a data thief is in their midst, the first thing is "don't panic," said Coyne, by making slap dash changes to the network that will simply make any attackers suspicious and change their tactics.
It's a risk-based decision, but for a while the decision might need to be made to watch data being stolen, however painful that is, while a quiet hunt to flush out the attacker's operations set up inside the network can proceed.