Targeted Threats = Big Business
by Steven Drew, EVP of Client Services, SecureWorks
Over the past month, we have witnessed two zero-day attacks exploiting previously unknown and unpatched vulnerabilities in Microsoft Office and Excel. The first took aim primarily at companies in the semiconductor, aerospace and military sectors, while the second has taken aim at a single, specific company which has not been named. These two attacks have much in common: both take advantage of vulnerabilities in Microsoft applications that no one knew about, both have been traced back to China and both target a very limited set of companies.
Whether the attacks have more in common is mostly speculation at this point; however, it does make you wonder to what extent these two attacks may be related. Are they both the work of the same individual or group of attackers? Did the initial zero-day attack serve some purpose in setting up the second, as a form of malware reconnaissance and information gathering to determine the target for the second? At this point, asking such questions is little more than grasping at straws using a few pieces of circumstantial evidence. Unlike the worms and other widespread malware attacks of recent years, which were created primarily for notoriety and bragging rights, targeted attacks have a different motivation: profit.
Well-executed targeted attacks can reap big rewards with little risk, which has made them a very attractive business model for those who want to make money using malware. At SecureWorks, we have seen significant increases in targeted attacks over the last year as part of a shift in the motivations of malware authors. In the coming years, this trend of targeted attacks will continue to grow as more and more individual criminals and organized crime rings recognize the lucrative "business opportunities" behind the defenses of today's enterprises.
For enterprises, the threat of targeted attacks is very different from the wildly propagating worms of the past. Targeted attacks are more likely to rely on exploits that are not publicly known, and since each attack only impacts a relatively small number of companies, the chances of security product vendors developing signatures or other methods of countering the specific attack within a reasonable time are slim. And that assumes the attack is detected at all by its victims. For all we know, a zero-day attack such as the second one described above may have already compromised the security of several companies before it was eventually detected.
Previously undiscovered vulnerabilities, especially those found in widely used technologies, command top dollar in the underground economy. This has resulted in the increased specialization of roles, as would occur under similar conditions in a legitimate economy, which serves to make the business of malware much more streamlined and efficient. Those skilled at finding vulnerabilities and crafting exploits can focus on ripping apart code and forgo actually using their own exploits, choosing instead to sell them and avoid the risk involved in being the attacker. Those wanting to carry out an attack no longer need to possess the expertise needed to craft a zero-day exploit; they only need to provide payment and bear the brunt of the risk involved in attacking. Fueled by profit, this maturation of malware into an "industry" is reflected in part by several recent trends, including the dramatic reduction in the period of time between the public disclosure and successful exploitation of vulnerabilities, the rise in the number of previously unknown exploits being used by malware and the general lack of significant widespread worm attacks like those seen in previous years.
While these trends reflect a maturing malware industry, they also significantly elevate the risk enterprises face from a well-crafted targeted attack. To counter this, an enterprise must have a strategic security program that relies on multiple layers of security technologies with a focus on monitoring and correlation. Relying on a single technology to warn of attack introduces a single point of failure into your security infrastructure: an attacker who evades that one weak link evades your defenses completely. If the information from your security technologies is brought into a single system where it is correlated and thoroughly analyzed across your enterprise, an attacker has to evade every component of your security infrastructure without leaving a trace for the threat to go unnoticed. On the analysis side, you specifically want strong policies governing where data may be transmitted, and you want to monitor for violations of those policies, such as an Excel spreadsheet being sent to a known attacker IP block. The effectiveness of these activities is amplified when you are able to gain threat visibility across companies and industries, raising the importance of information sharing groups, local security associations, email scanning service providers, managed security service providers and security intelligence feeds.
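The policy-violation check described above (an Office document leaving the enterprise for a known attacker IP block, correlated per source host), as an added example that is not part of the original newsletter or any SecureWorks product; the log format, hostnames and IP block list are constructed for illustration, and the blocks use RFC 5737 documentation ranges rather than real attacker infrastructure.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed block list of "known attacker" ranges (documentation ranges, not real indicators).
ATTACKER_BLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
# Attachment types the transmission policy covers.
OFFICE_EXTS = (".xls", ".doc", ".ppt")

# Constructed outbound mail-gateway log lines: timestamp, sending host, destination IP, attachment.
LOG_LINES = """\
2006-06-01T09:12:03 host=ws-0412 dst=203.0.113.44 attach=Q2_forecast.xls
2006-06-01T09:14:10 host=ws-0412 dst=192.0.2.10 attach=agenda.doc
2006-06-01T09:15:41 host=ws-0199 dst=198.51.100.7 attach=notes.txt
2006-06-01T09:16:02 host=ws-0412 dst=203.0.113.44 attach=customer_list.doc
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) attach=(?P<attach>\S+)$")


def in_attacker_block(ip: str) -> bool:
    """True if the destination address falls inside any listed attacker block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ATTACKER_BLOCKS)


def find_violations(lines: str) -> list:
    """Return the parsed records where an Office document went to a known attacker block."""
    hits = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than silently mis-parse
        rec = m.groupdict()
        if rec["attach"].lower().endswith(OFFICE_EXTS) and in_attacker_block(rec["dst"]):
            hits.append(rec)
    return hits


def correlate_by_host(hits: list) -> dict:
    """Count violations per sending host; repeated transfers from one host raise the priority."""
    by_host = defaultdict(list)
    for rec in hits:
        by_host[rec["host"]].append(rec)
    return {host: len(recs) for host, recs in by_host.items()}


if __name__ == "__main__":
    for host, count in correlate_by_host(find_violations(LOG_LINES)).items():
        print(f"ALERT host={host} office_docs_to_attacker_block={count}")
```

In a real deployment the block list would come from a security intelligence feed and the log lines from the mail gateway or proxy, with the per-host count feeding the correlation engine rather than a print statement.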
The threat posed by targeted attacks will continue to increase over the coming years, simply because more and more criminals will recognize the opportunities to be had by stealing the data retained by today's enterprises, whether for identity theft, industrial espionage or other malicious purposes. Unfortunately, these are some of the hardest attacks to stop, but with layered security infrastructure, strong policies and constant vigilance, enterprises can stop the attackers from profiting from their critical data.
Internet Threat Update
Provided by SecureWorks' Security Research Team
Microsoft Office Security Gets Fuzzy
Over the past couple of months, we've seen an increasing trend in the use of malicious Microsoft Office documents to gain access to corporate networks and files. We've seen the same type of attacks happening for two years now, but only recently did they begin to utilize so-called "zero-day" exploits, meaning that even fully patched versions of Microsoft Office are falling prey to hackers bent on industrial espionage.
As a result of the increased attention paid to zero-day exploits in MS Office documents, other researchers have begun to spend their time looking for even more flaws in the Office document format. From what we've seen, it looks like there are plenty still to be found. Finding flaws in a complex binary file format is not hard; it simply requires the use of a "fuzzer", in other words, a tool that changes bytes in the file at random and then opens the document in Office. When Office crashes, it could mean that a potential code-execution vulnerability has been found. The vulnerability researcher automates this repetitive process; when it finishes, all they have to do is investigate each crash in a debugger to find out where it occurred and whether there is the potential to subvert the normal code-execution path of the document. Depending on their motive, the flaw is either responsibly disclosed to Microsoft or sold to the highest bidder.
At this time, most of the attacks we've seen have been highly targeted in nature, affecting mostly certain industry sectors and government/military institutions. It's no secret that most of this activity is coming out of China, either. The problem is that as other hacking groups with broader goals (e.g. spam, fraud, information ransom) see the success of the Chinese effort, they will likely adapt and begin using the Office document format as a vector into many more businesses, schools and homes.
Unfortunately, in this day and age the risk of accepting unsolicited documents from outside parties is too great, causing a great deal of headache for companies that rely on the free exchange of these documents for business. Antivirus can help, but if the antivirus companies haven't seen it yet, they have no way of knowing what a new zero-day exploit might look like. It's time to look at your email attachment policy and review the need for sharing these documents via email, weighing the implied risk from these latest developments.
Client Success Story: Securing e-Commerce and Proving Compliance
Overview
Today's Success Story comes from one of our clients in the e-Commerce industry who provides millions of customers with a steady stream of quality products directly to their front door. By integrating online and telephone orders, the e-Commerce client has established an innovative delivery system that ensures the right products are delivered to the right customers by the right time with a very high level of consistency and reliability. The client also goes a step beyond for their customers, providing them with instant access to their online support website which includes information, tools and professional advice.
Business Problem
To accommodate a rapidly growing base of satisfied e-commerce customers, the client established scalable datacenters capable of processing millions of orders accurately and efficiently. Securing these systems and maintaining the privacy of all of the customers who put their trust in the client was of the highest importance, not only because of the business implications of a security breach, but because of the personal implications that a breach would have for each customer whose confidential information was no longer secure.
As a publicly traded company, the e-Commerce client also needed to prove to Sarbanes-Oxley auditors that they had the security measures in place to protect the integrity of their financial systems. With their business growing quickly, the client needed a security solution that would streamline their operational processes, safeguard the privacy of their valued customers and provide reporting for Sarbanes-Oxley compliance.
Solution
After evaluating the top solutions in the market, the e-Commerce client selected SecureWorks' Managed Firewall, Managed Intrusion Detection and Security Monitoring services. SecureWorks' team of trusted security professionals immediately began working with the client's security team to integrate the Sherlock Enterprise Security Management Platform with their unique infrastructure.
"Implementation of their services was absolutely painless," according to the client's Director of Networking. "They were able to accommodate any scheduling restraints we had and their services began delivering value as soon as they were turned up."
Within days, SecureWorks began delivering 24x7x365 management and monitoring of the client's security infrastructure. Using Sherlock's secure web-based interface, the client could see all of their security events and the actions taken by SecureWorks' expert team of SANS GIAC Certified Security Analysts to protect their business-critical e-commerce environment.
"SecureWorks has demonstrated a high level of vigilance, expertise and responsiveness," stated the Director. "As part of our security program, we have third-party consultants perform periodic penetration tests to further validate the security of our environment. These professionals use advanced techniques to evade detection while attempting to find weaknesses in our systems. Within 3 minutes of the first test beginning, SecureWorks identified the consultants' activity and our phones were ringing with their analysts on the other end."
SecureWorks' services also streamlined the client's workflow processes while facilitating compliance activities, allowing their security team to focus on improving security posture instead of compiling audit reports. Taking advantage of Sherlock's robust reporting capabilities, the client incorporates automated daily reports of security activity into their workflow management processes to more effectively guide day-to-day resource allocation.
Conclusion
With SecureWorks managing and monitoring the e-Commerce client's security infrastructure around the clock, they have been able to concentrate their efforts on strategic security initiatives to further safeguard their customers' privacy and ensure the continued success of their business. Since engaging SecureWorks as a trusted security partner, the client's security team has also used the reporting tools and information provided by SecureWorks' services to make significant improvements in operational efficiency while demonstrating the effectiveness of their security program to both auditors and management.
"When we were first considering Managed Security Services, I was a bit skeptical about the value any provider would really be able to deliver," said the Director. "After working with SecureWorks first-hand, I can honestly say that they've truly surpassed my expectations and have provided strong value to our enterprise."