It’s All About The Data
Today, data defines our personal identities, companies’ intellectual property, and businesses’ reputations. Your credit ratings, a company’s competitive advantage, and even stock prices are damaged if this data is stolen or manipulated. Let’s break down how cyber attacks work into three phases—the lure, the exploit, and the callback—and see how these steps are becoming more targeted with advanced threats.
1. The Lure
In Terminator 2, the target was John Connor. The T-1000 cyborg did its homework to know where he lived, and from his home, impersonated his stepmom’s voice in an attempt to lure him in.
Most targeted cyber attacks also use reconnaissance on specific individuals, companies or industries to increase the likelihood that the lure will work. Most lures rely on social engineering, but some, like “watering hole” attacks, simply rely on the predictability of their target.
The lure is linked to a threat (see next phase), which must be hosted or delivered from somewhere on the Internet. The attacker either builds new or compromises existing infrastructure (e.g. IP addresses, domain names). More advanced threats are smart enough to hide from anyone that is not the target.
To prevent the lure, many security solutions attempt to block known bad or less reputable websites or emails. This approach is reactive, since it depends on collecting data from past attacks, and is often too late to be effective.
2. The Exploit
In The Naked Gun, the target was Queen Elizabeth. Reggie Jackson was programmed to assassinate her, but acted normally because he had been hypnotized so that people would trust him.
This phase is all about code exploiting other code. Many of today’s advanced threats are programmed to appear benign at first in order to bypass security checks that happen only at a single point in time (e.g. when something passes through a firewall or runs on the device). Attackers either build or buy a threat to exploit vulnerable software (e.g. Java, Flash). Targeted attacks often use previously undiscovered (a.k.a. zero-day) vulnerabilities. Against these attacks, regularly patching software to stay up-to-date is not enough.
To prevent the exploit, many security solutions attempt to scan for code that looks malicious, or for actions that behave maliciously. Whether applied to device or network activity, these techniques are reactive. Other solutions are more proactive. Isolating applications so they cannot access sensitive data can help, but these are often complex and expensive solutions to set up. Forcing users to approve unknown or suspicious behaviors can help, yet tends to flood users with prompts. Over time, users just click OK without even thinking.
3. The Callback
In Batman Returns, the target was Batman. The Penguin exploited the Batmobile by hiring a henchman to set up remote control, then manipulated the car with the intent of damaging Batman’s reputation.
Cyber attacks must also remotely control infected devices to reach their ultimate goal–the data. To control thousands of devices and avoid disruptions, attackers require resilient CnC (command and control) infrastructures to manipulate their botnets (i.e. robot networks of infected devices). Advanced attacks often use techniques such as “fast-flux networks” or “domain-generation algorithms” to keep changing the callback’s destination by IP address or domain name, and/or use covert communication channels to blend in with normal traffic. Advanced threats often go around defenses by waiting until users take infected devices outside a company’s secure perimeter, where the devices are less protected.
To contain the callback, many organizations use the same solutions that attempted to prevent the lure. Besides being reactive, these solutions often have no visibility into the callback communication. Other solutions first rely on reverse engineering the threat or collecting past attack data to discover the callback IPs or domains–another slow, reactive approach.
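As an added example that is not from the original post, here is a small Python script that applies two of the callback indicators described above to constructed resolver log lines: a lexical check for domain-generation-algorithm style names, and a check for fast-flux answers (many distinct IPs under a short TTL). The log format, the thresholds, and the addresses (TEST-NET ranges, the reserved example.org, an invented label) are assumptions for illustration, not OpenDNS data.

```python
import math
from collections import defaultdict
# Constructed log lines (TEST-NET IPs, reserved example.org, invented label); not real traffic.
SAMPLE_LOG = """\
2024-01-01T00:00:01 client=10.0.0.5 qname=www.opendns.com answer=192.0.2.10 ttl=3600
2024-01-01T00:00:02 client=10.0.0.5 qname=www.opendns.com answer=192.0.2.11 ttl=3600
2024-01-01T00:00:03 client=10.0.0.7 qname=x7k2qz9mbw4.net answer=198.51.100.9 ttl=300
2024-01-01T00:00:04 client=10.0.0.7 qname=cdn.example.org answer=203.0.113.1 ttl=60
2024-01-01T00:01:04 client=10.0.0.7 qname=cdn.example.org answer=203.0.113.2 ttl=60
2024-01-01T00:02:04 client=10.0.0.7 qname=cdn.example.org answer=203.0.113.3 ttl=60
2024-01-01T00:03:04 client=10.0.0.7 qname=cdn.example.org answer=203.0.113.4 ttl=60
""".splitlines()

def parse(line):  # "<ts> client=<ip> qname=<name> answer=<ip> ttl=<s>" -> dict, ttl as int
    rec = dict(field.split("=", 1) for field in line.split()[1:])
    rec["ttl"] = int(rec["ttl"])
    return rec

def entropy(s):  # Shannon entropy of s in bits per character
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def dga_reasons(qname):
    """Lexical DGA indicators for the registrable label (assumed to be the second-to-last)."""
    label = qname.split(".")[-2]
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    checks = {"high_entropy": entropy(label) >= 3.3, "few_vowels": vowel_ratio < 0.25,
              "many_digits": digit_ratio > 0.2, "long_label": len(label) >= 12}
    return [name for name, hit in checks.items() if hit]

def fast_flux(records, min_ips=4, max_ttl=300):  # names with many IPs under a short TTL
    ips, ttl = defaultdict(set), defaultdict(int)
    for r in records:
        ips[r["qname"]].add(r["answer"])
        ttl[r["qname"]] = max(ttl[r["qname"]], r["ttl"])
    return {q for q in ips if len(ips[q]) >= min_ips and ttl[q] <= max_ttl}

def flag_callbacks(lines):  # maps each suspicious qname to the reasons it was flagged
    records = [parse(line) for line in lines]
    flux, findings = fast_flux(records), {}
    for q in sorted({r["qname"] for r in records}):
        reasons = dga_reasons(q)
        if len(reasons) >= 2:  # require two independent lexical signals
            findings.setdefault(q, []).append("dga:" + ",".join(reasons))
        if q in flux:
            findings.setdefault(q, []).append("fast_flux")
    return findings
```

Both heuristics produce false positives on legitimate CDNs and short, random-looking brand names, so the output is a triage list to correlate with other telemetry rather than a blocklist.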
The Predictive Approach
In Minority Report, Precrime police officers acquire data from the Precogs’ visions, then “scrub” this predictive data to pinpoint the location of future targeted attacks.
Businesses, large and small, will continue to fall victim to targeted attacks, but there is hope! In our new information age, we now have the ability to acquire and analyze massive amounts of data—petabytes even. These attacks have a weak spot—global networks (like “Precogs”) can observe bad actors’ infrastructures being staged on the Internet before the attack begins. Using a satellite-like vantage point to acquire a global cross-section of all activity on the Internet, both past and present, big-data analytics and machine learning technologies have the power to correlate and extrapolate (similar to “scrubbing”) where these infrastructures are located. While we likely will never achieve 100% prevention of targeted attacks, OpenDNS’s predictive approach can uniquely contain many of these attacks’ callbacks and keep them from stealing or manipulating our data.