Critical Infrastructure Organizations Lagging in Security

Businesses and government agencies are a popular target for attackers looking to steal information and destroy networks, and they are woefully unprepared to deal with the attacks, FortiGuard Labs researchers wrote in a new report analyzing attacks in 2013.

Fortinet researchers pulled data from thousands of FortiGate firewalls and gateways installed in customer networks around the world for their analysis of advanced persistent threats. Researchers also ran simple online searches to find real-world examples of how well (or how poorly) critical infrastructure organizations had secured their Internet-facing systems.

Fortinet's statistics show more than 142 million unsuccessful hacks and intrusion attempts in the first half of 2013. Nearly 3.14 billion users were tricked into visiting malicious sites, and Fortinet blocked 4.45 million phishing emails from reaching customers, according to the report.

In a report outlining the rise of advanced persistent threats, Fortinet researchers said these attacks are the "greatest threats on the horizon internationally." Fortinet defined APTs as sophisticated attacks, usually coming from government agencies, aimed at damaging or stealing data from other governments, companies or individuals.

What makes today's APTs unique and frightening is the sophistication of the malware, the attack vectors the adversaries choose, and the perseverance with which they go after their targets, FortiGuard Labs researchers wrote.

Fortinet's report showed how researchers were able to reach a Canadian infrastructure company's irrigation system over the Internet and take a screenshot of its configuration screen. That screen, served without any authentication, gave the researchers access to the entire industrial control system: they could modify settings, read reports, and add new users.

There is no need, when security is this weak, for attackers to bother looking for vulnerabilities or exploits. "It's clearly not needed: we have full access to the device already," the researchers wrote.

The attackers use a "substantial arsenal of tools" such as social engineering, forged and fake security certificates, zero-days and other exploits, and both customized and off-the-shelf malware.

According to FortiGuard Labs' analysis, the vulnerabilities and tools seen in the attempted attacks included the ZmEu vulnerability scanner (the ZmEu.Vulnerability.Scanner signature), a directory traversal tool, a command-execution tool aimed at Cisco IOS devices, and an exploit targeting the Joomla content management platform.

Other signatures that fired, named here by their FortiGuard IPS signature IDs, included HTTP.Chunk.Overflow, HTTP.Negative.Data.Length, ESVA.CGI.Argument.Injection, and PHP.CGI.Argument.Injection.
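Several of the signatures above describe commodity web attacks that leave recognizable traces in ordinary web server access logs. The script below is an added example, not code from Fortinet or from the report, showing how to triage such logs for three of them: directory traversal (including URL-encoded and double-encoded `../`), php-cgi argument injection (php-cgi treats a query string that contains no `=` as command-line switches, so a request such as `?-s` is the telltale), and the ZmEu scanner, which is assumed here to identify itself with the User-Agent string "ZmEu". The sample log lines are constructed for the example, and the signature names are reused only as labels.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access-log lines in combined log format (not real traffic).
# The Joomla-style request on the last line is ordinary traffic and must not match.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2013:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2013:14:02:12 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 210 "-" "ZmEu"
203.0.113.9 - - [10/Jun/2013:14:02:13 +0000] "GET /index.php?-s HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jun/2013:14:02:14 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 403 0 "-" "curl/7.29"
203.0.113.20 - - [10/Jun/2013:14:02:15 +0000] "GET /index.php?option=com_content&view=article HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matches a '..' path segment: '/../', '\..\', a leading '../' or a trailing '/..'.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def classify(target, ua):
    """Return the list of signature labels matched by one request (empty if clean)."""
    hits = []

    # Decode twice so that both '%2f' and double-encoded '%252e%252e' normalize to '../'.
    decoded = unquote(unquote(target))
    if TRAVERSAL_RE.search(decoded):
        hits.append("Directory.Traversal")

    # php-cgi argument injection: a query string with no '=' is handed to php-cgi as argv,
    # so a query that decodes to something starting with '-' is a switch, not a parameter.
    raw_query = target.split("?", 1)[1] if "?" in target else ""
    if raw_query and "=" not in raw_query and unquote_plus(raw_query).lstrip().startswith("-"):
        hits.append("PHP.CGI.Argument.Injection")

    # Assumption: the ZmEu scanner announces itself in the User-Agent header.
    if "zmeu" in ua.lower():
        hits.append("ZmEu.Vulnerability.Scanner")

    return hits


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Parse every line, classify it, and return only the requests that matched a signature."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["target"], rec["ua"])
        if hits:
            findings.append({"ip": rec["ip"], "target": rec["target"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:<14} {', '.join(f['hits']):<32} {f['target']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a source IP that trips more than one label in a short window is the kind of probe the report describes, and worth correlating with the firewall's own IPS events. Note that the traversal check runs on the decoded request, so a web server that rejects `%2f` before the application sees it will still show a hit here, which is the right outcome for triage even though the request was blocked.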

An APT may begin with a software exploit taking advantage of a zero-day vulnerability or a lesser-known software bug. Combined with social engineering such as spear phishing, the attack becomes "highly combustible," Fortinet wrote. Once attackers breach a system, they can use other methods to move around the infrastructure, stealing or destroying data.

The malware used frequently stays dormant for months or years at a time to remain under the radar.

"It's very possible that a site, such as a major city power grid, is compromised right now and the malware is just waiting for someone to press a button," the report warned.

Only a handful of countries and groups have the capabilities, skills, funding, and infrastructure required to launch an APT, FortiGuard Labs researchers wrote in the report. The short list includes China, Russia, and the United States. Other countries, such as Syria, Iran, and North Korea, may have developed their own cyber-armies and APT groups; "it's safe to say that most of these nations have at the very least researched the option," the report said.

APTs may vary attack methods and may lurk for a long period of time, but they generally follow the same steps to succeed. The attacker first determines the target—who to infiltrate and what to steal or destroy. Once the victim is identified, the attacker will do extensive background research, such as looking through search engines, social network activity, and other sources of public information, to learn about potential human targets.

The attacker typically creates a customized phishing email, crafted with the gathered information to trick the targeted people into opening an attachment or following a link. Once that happens, the attacker is in the network and has planted some kind of malware on the victim's computer.

The next step is to move around the network by exploiting other vulnerabilities and issues and getting access to other systems and data. Data can be stolen, or systems damaged. Even after the initial objective is complete, the attacker can decide to evade detection and remain in the network to maintain surveillance.

Just as the attackers rely on multiple attack methods and techniques to craft a successful campaign, organizations need to implement a layered defense to protect their networks, the report suggested.

Two-factor authentication would make it harder for an attacker to gain unauthorized access with stolen or phished credentials. By restricting administrative rights, setting rules on how USB drives may be used, and limiting access to cloud services, administrators can contain the potential damage.

The layers include training users to recognize attacks, segregating the network, creating Web filtering and IP reputation rules, implementing whitelists and blacklists, defining network access control and application control, deploying cloud-based sandboxes and data leak prevention, installing intrusion prevention/detection systems and endpoint protection software, and proactively patching systems.

While firewalls and intrusion prevention technologies are necessary, they are just the beginning of a comprehensive and effective security posture and organizations need to think about a "holistic strategy" to block APTs at various stages of the attack process, the report said.

Forming security partnerships with other organizations helps ensure the organization has up-to-date threat intelligence and a clear plan of action in the event of an attack.

"No single network security feature will stop an APT," the report concluded.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.