The Bomber Will Always Get Through
In the tumultuous years before World War II, a British Parliamentary official, Stanley Baldwin, gave an ominous speech regarding the country's war defenses.
Responding to calls for building an “impenetrable” air defense network to defend London from an air raid, Baldwin quipped, “it is well also for the man in the street to realize that there is no power on earth that can protect him from being bombed. Whatever people may tell him, the bomber will always get through.”
We live in an age where complex hacking attacks have become the norm. State-sponsored agents, mercenaries, and other highly sophisticated actors have become the standard adversary for governments and organizations.
The average successful cyberattack has accordingly become much more complex, with malware in the wild employing advanced techniques (encryption, polymorphism, etc.) to defeat modern intrusion detection systems and hide the point of origin of the attack.
But despite this trend toward increasingly complex attacks and attackers (and increasingly complex defenses), low tech attacks such as social engineering and physical security breaches remain powerful weapons in the hands of the modern hacker.
Low tech attacks are generally employed in one of two ways: as a means of physically escalating privilege, or as a means of physically circumventing strong electronic defenses.
The Fin4 campaign, which has been marauding US biotech and medical technology firms for the last year, is a great example of physically escalating privilege. Since late 2013, FireEye has been tracking a group of cybercriminals who have successfully compromised major domestic biotech firms purely through social engineering and spear phishing.
According to FireEye and the New York Times, Fin4 actors begin their attacks by targeting senior executives at a victim's organization. They craft e-mails to their targets, purporting to be financial advisors (such as investment bankers or auditors the company has retained) who need the executive's immediate review of information. The actors further establish credibility by including immaculately forged or stolen sensitive documents that appear to belong to the company.
When the target executive moves to review the e-mail's information, they are prompted to "log in" at a fraudulent company Single Sign On (SSO) webpage. Their SSO credentials are transmitted to the attacker, who uses them to log into the executive's mailbox and the company's infrastructure in order to steal and exfiltrate extremely sensitive data.
Unlike other types of privilege escalation attacks, low tech privilege escalation doesn't require advanced software techniques to defeat resident intrusion detection and prevention systems (IDS and IPS). In the case of the Fin4 campaign, attackers eschewed malware or other technology altogether and (somewhat comically) defeated attempts to prevent compromise by simply deleting the e-mails from the victims' IT organizations that would have advised the executives to take preventative action against phishing attacks.
Low tech attacks are also frequently used to circumvent architectural security measures that otherwise make more high tech attacks impossible.
The Stuxnet attacks on the Iranian nuclear facility at Natanz are a prime example of this. Because the facility had no outside internet access, the attackers used physical access (via a thumb drive) to penetrate the internal network at Natanz, deploy Stuxnet, and sabotage the facility's centrifuges.
This attack vector effectively voided the compartmentalization (air gapping) of the facility from the outside web and its layers of internal security. Air gapping would have successfully stopped over-the-wire attacks or other external attacks launched from the web. But by using a low tech delivery method, the attackers were able to deploy Stuxnet successfully and cause significant damage, despite advanced network and architectural security.
Low tech attacks like the above succeed because they target the most porous part of a defender's infrastructure: an organization's knowledge of security. While sufficiently advanced IDS and IPS may be able to detect and prevent external compromise, low tech attacks rely on uneven or generally lacking security knowledge across an organization in order to avoid being "recognized."
The CSO of a company may have a deep knowledge of security. But as shown by the Fin4 attacks, if an organization's CFO or CEO is unable to recognize a phishing attempt, the company's sensitive strategic or financial information is still very much at risk.
There are a few things we as an industry can do to stop these otherwise "stealth" low tech attacks. The most important action we can take is to continue to educate the users and constituents we defend about common low tech techniques of compromise.
Security has always been a low priority for most non-IT individuals because of its secondary nature as a sort of “insurance” commodity for organizations (something you only need when you’re breached). But the rash of highly publicized cyberattacks that the public has seen over the past two years has helped to highlight the critical role that information security plays in an organization’s success.
Framing the education of common threats and techniques to compromise users in the context of recent major attacks is an excellent way to help add pertinence and immediacy to security education. It’s one thing to tell users that they should not divulge their username and password outside of trusted channels online. It’s another to show them the Fin4 attacks and why behavior such as the above can be catastrophically dangerous.
From a technology point of view, security software must learn to embrace other indicators of compromise (IoCs) in order to recognize unconventional low tech attacks. While many advanced IPS/IDS suites are capable of unpacking binaries and searching for known patterns or signatures of malware, very few such tools look for non-malicious files or patterns that might otherwise indicate an attack.
For example, had the IPS/IDS or firewalls used by victims of the Fin4 attacks been attuned to the hashes of the uninfected documents and attachments used to add credibility to the attackers' e-mails, preventative action could have been taken to analyze and stop the attacks.
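The detection idea above, as an added example that is not part of the original post: keep a watchlist of hashes of the organization's own sensitive documents and flag any inbound message from an external sender that carries an attachment matching one of them. The document bytes, the `example.com` organization domain and the sender addresses are all constructed for the example.

```python
"""Flag inbound mail whose attachments hash to the organization's own sensitive documents."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-ins for internal documents that should never arrive from outside.
# A real deployment would populate this from the document management system.
SENSITIVE_DOCS = {
    "q3_board_deck.pdf": b"%PDF-1.4 constructed placeholder for a board deck\n",
    "merger_term_sheet.docx": b"PK constructed placeholder for a term sheet\n",
}
INTERNAL_DOMAIN = "example.com"  # assumed organization domain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Watchlist keyed by hash so each attachment costs one dictionary lookup.
WATCHLIST = {sha256_hex(data): name for name, data in SENSITIVE_DOCS.items()}


def build_message(sender: str, recipient: str, attachments: list) -> bytes:
    """Construct a sample MIME message with file attachments (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Documents for your immediate review"
    msg.set_content("Please review the attached before our call.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def sender_domain(msg) -> str:
    """Domain of the From header, lower-cased; empty string if the header is missing."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment whose hash is on the watchlist,
    when the message did not originate from the organization's own domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    external = domain != INTERNAL_DOMAIN
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # base64/QP decoded back to file bytes
        if payload is None:
            continue
        digest = sha256_hex(payload)
        matched = WATCHLIST.get(digest)
        if matched and external:
            findings.append({
                "attachment": part.get_filename(),   # name the sender chose
                "matches_internal_doc": matched,     # name on our watchlist
                "sha256": digest,
                "sender_domain": domain,
            })
    return findings
```

The match is on content, so an attacker renaming the lure does not help; the finding records both the delivered filename and the watchlist name so an analyst can see the mismatch. Exact hashes only catch verbatim copies, which is why a production version would also want similarity hashing for lightly edited documents and a separate, lower-severity rule for internal senders.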
We must also confront, just as Stanley Baldwin once said, the reality that some systems will ultimately be breached no matter what our defenses. Enhancing architectural security and access control to compartmentalize the capabilities of users is critical to minimizing the potential damage from a breach, even if a user is successfully subverted via a low tech attack.
Low tech attacks will persist for the long term because they attack the weakest point of defense in a security infrastructure: the user. By focusing our attention on the user and re-evaluating how we defend them programmatically and personally, we can help better brace ourselves against these unconventional attacks in an increasingly unconventional world.