Dell SecureWorks’ Brand Surveillance Team Warns Organizations of Hacktivists and Disgruntled Employees
By: Elizabeth Clarke
Hacktivists, disgruntled employees, and other cyber threat actors intent on sabotaging an organization are expanding their tactics beyond Distributed Denial of Service (DDoS) attacks, warns Dell SecureWorks’ Enterprise Brand and Executive Threat Surveillance team. This team constantly monitors social media sites, forums, and other public information sources, looking for conversations and other indicators that a customer’s brand or its executives might be the target of a cyber-attack. Using their highly honed investigative skills, the team has worked numerous cases in which it obtained solid intelligence of an attack being planned by threat actors. Dell SecureWorks then worked with the organizations to shut down the attack before it could happen or to implement countermeasures to block it, protecting the organization’s infrastructure, assets and brand.
“Unfortunately, in today’s attack climate, if you are an organization which is likely to be a target of hacktivism and you do not have an intelligence team monitoring the Internet on your behalf, you have to be prepared for far more than just one attack strategy,” said Rick Hayes, Sr. Manager, Security and Risk Consulting for Dell SecureWorks. “The cyber campaigns being launched by hacktivists today don’t merely consist of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks (where large amounts of Internet traffic are directed at a website in hopes of knocking it offline),” continued Hayes. “Rather, we are seeing hackers launch a barrage of different cyber-attacks at their target, including everything from DDoS attacks to website defacements, web application attacks, and spear phishing attacks looking to steal valuable customer and employee data, to the hijacking of corporate Twitter credentials.”
In addition to DoS/DDoS attacks, we are seeing hacktivists launch the well-known, but still very successful, SQL Injection and Cross-Site Scripting attacks against organizations’ web applications. Using these tactics, the hackers hope to find a hole in the web application so they can enter the target network and ultimately gain access to the company’s backend databases, where valuable customer and/or employee data is often housed, or they use their access to deface the website, leaving damaging messages for all website visitors to see.
If the web application attacks don’t work, social engineering continues to be one of the most successful ways of getting a foothold in a company’s network. Threat actors begin by researching an organization and its employees, often finding a plethora of valuable data about their victims on the corporate website as well as on popular social and corporate networking sites. From this research, the attackers choose the individual they want to target.
Depending on the data they want to steal, the target could be the VP of Finance, the Network Administrator, or the CEO. The threat actors send well-crafted emails or tweets, often spoofing the email address, Facebook account, or Twitter account of a colleague or friend. The subject of the message is one the victim is familiar with and interested in, and the message contains a malicious link or attachment. If it is clicked and the user’s device is vulnerable to the exploit, the computer or mobile device is silently infected, giving the attacker access to it. From there, the attacker can often traverse to other parts of the corporate network where valuable customer and/or employee data is housed. No matter how the attacker gets access, we have all seen what can happen if the intruders are not stopped: it can lead to the public posting of customer and/or employee data, often including financial and personally identifiable information (PII).
Another mode of attack, often mounted alongside those described above, is the hijacking of corporate Twitter accounts. In April, we saw hacktivists gain access to the credentials of a news wire’s corporate Twitter account and send out a fake tweet announcing that the White House had been attacked, resulting in a brief plunge of the US stock market.
Protecting Against DDoS Attacks; Web Application Attacks; Malicious Email or Social Media Attacks; Twitter Account Hijacking and Website Defacement Attacks
If an organization is in a high profile industry, it is important for it to consider the cyber risks it faces, not just from cyber criminals looking for financial gain but from groups looking to sabotage or disrupt the business. In addition to having security experts constantly monitoring what is being said across the Internet about, and by, the organization’s personnel, it is also important to implement key security layers so the organization is not left exposed should it be hit by a surprise attack.
Defenses for DDoS Attacks
- Implement a bogon (bogus IP address) block list at the network boundary to drop bogus IP traffic.
- Separate or compartmentalize critical services, including public and private services and intranet, extranet, and Internet services, and create single-purpose servers for services such as HTTP, FTP, and DNS. Implement a dedicated firewall for each of these services, e.g. a service-specific control such as a web application firewall. Implementing a load balancer is another good tactic.
- Keep contact information for your ISP, Intrusion Detection, Network Administration, and Firewall teams close at hand so that in case of an attack you can quickly and easily contact the parties who need to know about it and who can help mitigate it. Scrambling for this information at the last minute can lead to unneeded downtime.
- Evaluate and implement dedicated DDoS mitigation technologies. Having dedicated hardware for mitigating DDoS and DoS-styled attacks can help keep strain off targeted systems and provide your DDoS response team with much needed time to find and eliminate the attack.
- Run a Denial-of-Service Preparedness Assessment which:
  - Identifies risk exposure
  - Highlights the ability to withstand attacks
  - Ensures a tested response methodology (an Incident Response Plan) is in place
Defenses for SQL Injection and Cross-Site Scripting Web Application Attacks
- Regularly scanning web applications for vulnerabilities that an intruder could use to break into the corporate network is key to defending against web application attacks.
- Quickly patching the discovered holes and following a strict patch management regimen is equally important.
“Although we continue to see cases where hackers are breaking into organizations by entering through their vulnerable web applications,” said Hayes, “the good news is we are seeing an uptick in small and medium businesses asking for our Web Application Scanning Service. I believe they have learned from some of the large and expensive public breaches, which have been a result of web application attacks, that it is cheaper in the long run to employ regular scanning of one’s web applications and fix the vulnerabilities immediately so as to keep one’s assets secure,” continued Hayes.
Defenses for Social Engineering Attacks via Malicious Email, Tweets or Social Media Messages
- Educate employees and partner vendors to be on high alert for cyber criminals trying to social engineer them into clicking on a malicious link in an email, tweet, or Facebook message. The scammers often spoof the “from” address to make the message look like it is coming from a colleague or friend. Never click on a link or attachment without first checking with the sender.
- Employees and partner vendors should be wary of social media messages they receive, especially around breaking news stories, since attackers take advantage of such events. These messages often appear to come from a friend or colleague. Because of character limits, the message will include a shortened URL, which is in reality a malicious link in disguise. Once it is clicked, if the device is vulnerable to the malware, the recipient could be compromised without knowing it until it is too late.
- Organizations with highly valuable informational assets should consider implementing a Malware Protection System, which reviews and scrubs each email for malicious content before it is delivered to the recipient and blocks malicious web content from being delivered to the computer user. These Malware Protection Systems also detect and block other obfuscated attacks before they can compromise their targets.
Defenses for Corporate Twitter Account Hijacking
- Consider dedicating a secure computer to your Twitter activity only. That dedicated computer or virtualized desktop would not be used for any other activities, such as sending and receiving email or browsing the web. Malicious email and web exploits are two of the key malware infection vectors.
- Educate your computer users to NEVER click on links or attachments within emails from untrusted sources, or even from trusted sources, without checking first. Even if the user recognizes the sender, they should confirm that the sender actually sent the specific email or social media message before clicking on any links or attachments.
- Online computer users should avoid using weak or default passwords for any online site, including their Twitter account.
- Corporate Twitter account holders should use two-factor authentication.
- Make sure the anti-virus and other security protections on your users’ computer systems (including for third-party plugins) are current, up to date, and able to protect against the latest exploits. Patch management is key: it is critical that you install updates for your applications and for your computers’ operating systems as soon as they become available.