As we start a new decade it’s clear we are living in a time of escalating tensions between nations and growing concerns around the issue of cyber warfare. Only weeks into 2020 and government officials and cybersecurity experts are already reporting an increase in malicious activity by pro-Iranian hackers. This year has already seen Britain’s National Grid poised on high alert for a possible revenge cyberattack as well as a cyberattack on Austria’s foreign ministry, suspected to have been conducted by another country. Escalating tensions are placing national infrastructure at risk as they become high value targets.
Espionage the new normal
Espionage is now becoming common place with the introduction of new ransomware specifically targeting Government and military secrets. This new breed of sophisticated malware is able to scan files for key information to identify valuable documents such as banking information and classified information on any device.
Whilst government bodies are a firm target for cybercriminals hoping for widescale disruption, the threat is real for organizations of any kind. Any organization that holds personal citizen data or intellectual property is ripe for a state-sponsored attack.
BlackFog’s 2019 threat report validates this trend. Our research shows that 20% of data flowing from enterprise devices is now being exfiltrated to Russia and China daily, without the knowledge or consent of the organization.
Recent attacks have not only focused on major infrastructure but also high profile individuals such as Jeff Bezos. These attacks are more common than reported and are even being perpetrated by governments on citizens. Recently, it was reported that a Chinese-government sponsored propaganda app with more than 100 million users was found to have a backdoor granting access to location data, messages, photos and browser history, as well as remotely activated audio recordings.
These problems are also compounded by the way in which these attacks are now being carried out by agents of governments, including national corporations such as Huawei. It has been reported that Huawei did help China spy on others by providing usernames and passwords to Huawei accounts.
Aragon Research have summarized how Huawei have a history of hacking, firstly Nortel trade secrets in 2004 by using malware to record nearly every phone call by the CEO and documents about future products. Similarly, Cisco was the target of IP theft by Huawei, down to the actual code itself which was used in their own products.
Why Anti-Virus software is ineffective
So how do we stop these hackers in their tracks before it’s too late? We need to think about the problem differently. Let’s step back for a moment and think about how the problem has traditionally been approached by Anti-Virus software (AV), and why it is now so ineffective.
In the early days of the Internet malware was very rudimentary. It was a simple matter to discover and identify the malicious code. The concept was simple, take a fingerprint of the malware, add it to a database and subsequently check it against any new files to see if it is on the list.
This technique is trivial to implement and is still used today by virtually every AV solution on the planet. It served people well in the early days because there was a limited amount of malware that existed. Fast forward to 2020 and its estimated that there are more than 350k new variants every day.
As malware has become more sophisticated fingerprinting is no longer an effective solution as most successful software now uses Fileless techniques to download payloads, generating a unique fingerprint every time it is deployed. This combined with other evasion techniques means it is very easy to bypass an AV solution. As a result, new vendors have emerged focusing on different aspects of the malware to help them detect infections.
Disrupting attack vectors
As we think about how viruses infect a device and spread laterally within an organization, we can see a number of traits. Firstly, the point of an attack is to steal information, be it financial, personal or intellectual property. If the attacker cannot communicate with command and control (C2) servers or transmit any data, then there is little value in the attack.
By focusing on data exfiltration, it is possible to neuter the attack from the onset. By preventing malware from communicating and isolating the code, it is possible to stop the loss of information and the lateral spread to other devices within the network.
There are many points within the lifecycle of a typical attack where you can target the exfiltration of data. The diagram below provides an example of how BlackFog targets malware using layer 3 packet monitoring.
By focusing on multiple stages of the lifecycle we can use behavioural profiling to determine with a high degree of accuracy when software is behaving suspiciously. There are many techniques that are now employed by successful attacks, such as delayed activation which is specifically designed to avoid detection. By using data exfiltration techniques to monitor communication from every device, you significantly decrease the risk of becoming the next victim. We only wish that Jeff Bezos knew about this sooner.