Protecting Your Data from The Automated Cyber Mafia
In my previous column I presented you with quite a gloomy picture. On the one hand we are not the sole handlers of our data. We happily delegated this responsibility to financial and medical institutions, to our preferred online ticketing agency and to Facebook. But on the other hand, this convenience comes with a high cost. The cyber-mafia is now after that data.
We do not need to, and should not, sit on the sidelines and watch the criminals play with our data. Rather, organizations should enhance their security controls according to the threat landscape. Once they store our sensitive information, they should bolster the controls around their systems. If the safeguards put in place require hackers to invest more time, effort and resources, they will move on to a different target.
Recap – The Hacking Industry
As profits from data theft have grown, the hacking community has evolved. The industry’s main vehicle of operation is botnets. These are compromised machines (zombies) that, unknown to their physical owners, are controlled by hackers. They are like leeches on the machines, probing the network to carry out attacks on behalf of criminal users. The business models used by hackers are similar to those used by any successful organization in any modern industry. The three pillars of this industry are: the supply chain, optimization and automation.
Understanding the hacking industry is imperative to protecting data.
Supply Chain. The supply chain within the hacking industry is comprised of:
• Researchers: These individuals hunt for vulnerabilities in applications, frameworks, and products, and feed their knowledge to malicious organizations for the sake of profit. In particular, they focus on browser vulnerabilities to optimize botnet infections.
• Farmers: The farmers maintain the botnets in cyberspace and seek to increase their numbers. They control their zombies through command-and-control (C&C) infrastructure.
• Dealers: Dealers rent out botnets based on size and length of usage. Renters use these botnets to conduct different types of attacks, such as extracting valuable data, launching DDoS attacks, disseminating spam and executing brute-force password attacks.
• Consumers: These individuals monetize the stolen information. They know how to fake credit cards to steal identities, advertise through spam and commit fraudulent transactions.
Optimization. Hackers optimize their resources in order to gain the most from compromised applications or computers. Their C&C centers are managed to gain the most from their botnets, fortifying their size and strength while taking out all other competition intent on controlling the same machines.
Automation. This is the key aspect of the hacking industry for maximizing the attack process. Automation is what made the hacker community into the hacker enterprise. Handling this building-block of the industry should be a defining process when applying security controls.
For more detailed information on each topic and examples, I suggest returning to my previous column which introduced the hacking industry.
So how do you deal with this automated, growing industry?
• Explain the enemy to management. One challenge that we face time and again in the field is that scared look on decision-makers’ faces when we talk about security. Sadly, many security teams’ reflex is to begin explaining XSS, SQL Injection, CSRF, Drive-by-Downloads… You get the point! Decision makers don’t get it. But if you paint a picture that articulates to management who wants the data and how outgunned you are, you’re more likely to get the resources needed.
• Remember that companies of all sizes are at risk. All applications, whether small or large, are attractive targets. Servers and workstations are identified as potential targets. In short, being victimized is not personal. This means that the smaller organizations that used to rely on their small customer base as a “preventive” measure cannot take that approach anymore. Rather, all companies alike must start paying attention to application security, either directly or through their hosting providers.
• Beat automated attacks at their own game. The key factor here is automation. Slowing down an attack is most often the best way to make it ineffective. A one-second delay will not be noticed by most users, but it can make the difference for an automated attack: just enough of a difference to have the bot move on to another worthwhile target.
Here are a few examples of how to delay botnet activity:
• Beef up data control defenses. There is a reason bad reputations exist, and companies should take them into consideration. One method is to apply forensics from recent attacks in order to strategically enhance defenses. Essential forensic information includes anonymous proxies, Tor relays, active bots, and references from compromised servers. A second method is to incorporate reputation-based controls within the company’s security initiative. Such controls leverage unique and identifiable characteristics from attacks seen by third parties to help filter Web traffic.
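The two ideas above, a small delay that humans tolerate but bots do not, and a reputation list of known proxies, Tor relays and bots, can be combined in one request filter. The code below is an added illustration, not part of the column or any product it mentions; the `BAD_REPUTATION` ranges are constructed placeholders (RFC 5737 documentation addresses) standing in for a real indicator feed, and the window, burst and delay values are assumed tuning knobs.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed sample reputation feed. RFC 5737 documentation ranges stand
# in for real indicator lists (anonymous proxies, Tor relays, active bots).
BAD_REPUTATION = {
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder: anonymous proxies
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: Tor relays
}


class ThrottleFilter:
    """Per-source tarpit: flagged requests are served late, not refused."""

    def __init__(self, window=10.0, burst=5, base_delay=1.0, max_delay=8.0):
        self.window = window          # sliding window length in seconds
        self.burst = burst            # requests per window served with no delay
        self.base_delay = base_delay  # first penalty: the column's one second
        self.max_delay = max_delay    # cap, so the tarpit cannot tie up a worker forever
        self.history = defaultdict(deque)  # source -> recent request timestamps

    def is_bad_reputation(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in BAD_REPUTATION)

    def decide(self, src, now=None):
        """Return the delay in seconds to impose before serving this request."""
        now = time.monotonic() if now is None else now
        q = self.history[src]
        q.append(now)
        while q and now - q[0] > self.window:   # forget requests outside the window
            q.popleft()
        delay = self.base_delay if self.is_bad_reputation(src) else 0.0
        excess = len(q) - self.burst
        if excess > 0:
            # every request beyond the burst doubles the wait, up to the cap
            delay = max(delay, min(self.max_delay, self.base_delay * 2 ** (excess - 1)))
        return delay

    def serve(self, src):
        """Apply the computed delay, then let the request proceed."""
        delay = self.decide(src)
        if delay:
            time.sleep(delay)
        return delay
```

A legitimate user who stays under the burst pays nothing; a known-bad source always waits at least the base second, and a scanner hammering one endpoint sees its per-request cost double until the cap, which is what pushes an automated campaign toward an easier target.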
Coming Up Next – the New Business Models
Knowing the pillars of the hacking industry and their roles helps us gain better understanding of attack campaigns and the business models hackers are developing. Next week I will discuss in depth some of these business models. So stay tuned as I dress these hackers with a suit and tie!