Malware for sale! Botnets for hire!
It appears anything goes these days in the increasingly monetized world of cybercrime.
"Simplistic" viruses that affected just one or two machines are no longer the problem; attackers now threaten the entire enterprise network. The most capable evasion techniques in today's malware come from adversaries known as advanced persistent threats (APTs), whose tooling is far more complex and, therefore, harder to detect and eradicate. Even with traditional anti-malware controls in place, the risk remains, especially during targeted attacks.
Recently, I worked on a project that involved an APT attack on a highly visible organization that is key to the well-being of the U.S. The compromise had been detected a couple of years earlier and was assumed to have been cleaned up. Instead, we found tens of thousands of Windows-based computers being controlled by command-and-control servers with IP addresses originating in a not-so-friendly country. It was ugly -- very ugly. The attack took dozens of internal IT staffers offline for months, not to mention the time and cost associated with our team of external incident-response experts and forensics investigators.
Modern malware from APTs is deployed and spread through Windows (and other) systems using a process similar to that in Figure 1.
All of these steps can take place over a very short time, so organizations can go from a network of vulnerable Windows systems -- including missing patches, dated malware protection and eager users raring to click any old Web link -- to a wholly owned subsidiary of Hackers-R-Us in a single day.
Attackers evade further detection and takedowns by using "disposable" command-and-control servers that simply fail over to other systems when needed. Resilience is just as much a part of these malware networks as it is in the most critical business environments.
The APT project revealed just how critical team communications can be -- especially during and after an infection is discovered. If enterprises don't have the proper buy-in and oversight at the top, reasonable communication among all the teams involved and a well-documented incident-response plan, the organization will continually struggle to clean up the problem. That's exactly what happened in this situation.
If IT administrators and the security and forensics teams don't truly understand how this modern malware behaves, that gap gets in the way of daily tasks and hinders detection, eradication and recovery.
Perhaps it's time to step back and think about this whole APT thing. Start by reevaluating the organization's existing security architecture. Are layered defenses being used to their full potential? Is Web application security in place throughout the environment, or are the applications facilitating attacks? Would endpoint controls or stronger network segmentation help?
Regardless of the cause of these attacks, one thing is for sure -- the detect and react mode of operation just isn't cutting it. And since there are no simple answers to this new threat, it's up to enterprise admins to keep things in check as much as possible.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta-based Principle Logic LLC. With over 22 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.
This was first published in June 2011