June 28, 2016 by Angela Stelmakowich
Everything is going automatic – and those looking to perpetrate data breaches with malware are no different – emphasizing the need for individuals and organizations to be better prepared to keep the cyber door closed to potential threats.
With the change in methodology used by threat actors, moving from manual manipulation to malware, the change greatly widens the pool of targets and enhanced effectiveness, suggests David Ostertag, global investigation manager for Verizon’s investigative response unit.
“What we see now is the use of malware in these breaches as opposed to manual processes,” Ostertag said last week during a Verizon presentation in downtown Toronto. Previously, “we would see the bad guy manually getting access into a network, manually controlling a breach situation,” he explained. “They’ve changed their methodology where malware does all of that.”
The change has taken place “because it works,” Ostertag told reporters.
“Where before, typically, the attacker would attack a web-facing application, brute force it, use sequel injection, use hacking techniques to get in, now we see a change to the use of phishing emails,” he pointed out. “So, you simply broadcast to a wide variety of individuals looking for access credentials or spear phishing where you identify individuals and focus on them.”
The idea is that once someone bites, the perpetrator steals credentials (such as a password or VPN access into the network). Once initial entry into the network is achieved, a backdoor is established, the malware loaded and allowed to run.
Using malware “gives them the ability to manage a lot of breaches at the same time. So instead of being able to manually do a handful, now they have the ability to do dozens or hundreds of breaches simultaneously,” Ostertag explained.
Rather than a linear progression to the breach, “malware will pivot across the network, will open up multiple command and control points” and multiple data aggregation points before transferring data to an exfiltration points, he said. This allows for operating across the network, at multiple points, with “data exfiltration, rather than being at the end of the process, is continuous as this goes on.”
Since there is “a low and slow stream of data leaving the network at a variety of points,” Ostertag noted, “they appear to be normal business.”
This works to extend the length of the breach from the time of compromise to the time of discovery, he noted, adding that for Verizon cases in 2015, it took an average of 288 days to pinpoint the breach. “It is also more effective and allows them to conduct multiple reaches at the same time,” he said.
That is what makes employee awareness and preparedness so critically important, Ostertag emphasized, but added there are some definite challenges. “13% of the people will always open those emails, will click on the links, will open the attachment no matter the training that we do,” he added.
“That is the methodology the bad guys have gone to very clearly because it works,” Ostertag said.
Still, it needs to be recognized that “87% of your employees don’t open that email or don’t succumb to that social engineering attack. We need to teach our employees to report that,” he noted. “There’s a great potential there for detection or alert based off of all of those employees.”
It is also key, though, that a company has an accurate understanding of where it is in terms of cyber security. While organizations oftentimes “understand what are best practices, understand what should be basic, minimal threshold security practices,” these do not necessarily “work in everyday life,” Ostertag suggested.
For example, an organization may do all the right things before rolling out web applications to ensure that things are secure. However, once in place, the organization may not practice the same security and may modify the application, resulting in “rolling out change to that application that has vulnerabilities.”
Another issue may revolve around security assessments, which will include looking at policies and interviewing key management people.
“What they don’t do is sample and verify that that’s actually going on,” Ostertag emphasized. “So that’s, a lot of times, where the gap is in a company believing we’re at this position when they’re actually at this position because they’re relying on what they think is happening or what is supposed to happen, not necessarily on what truly happens,” he pointed out.