Protecting Your Data from The Automated Cyber Mafia
(Part III In a Series on Cybercrime. Read Part I, Part II)
In my previous column I presented you with quite a gloomy picture. On the one hand we are not the sole handlers of our data. We happily delegated this responsibility to financial and medical institutions, to our preferred online ticketing agency and to Facebook. But on the other hand, this convenience comes with a high cost. The cyber-mafia is now after that data.
We do not need to, and should not, sit on the sidelines and watch the criminals play with our data. Rather, organizations should enhance their security controls according to the threat landscape. Once they store our sensitive information, they should bolster the controls around their systems. If the safeguards put in place require hackers to invest more time, effort and resources, they will move on to a different target.
Recap – The Hacking Industry
As profits from data theft have grown, the hacking community has evolved. The industry’s main vehicle of operation is botnets: compromised machines (zombies) that, unknown to their physical owners, are controlled by hackers. They sit like leeches on the machines, probing the network and carrying out attacks on behalf of criminal users. The business models used by hackers are similar to those used by any successful organization in any modern industry. The three pillars of this industry are the supply chain, optimization and automation.
Understanding the hacking industry is imperative to protecting data.
Supply Chain. The supply chain within the hacking industry consists of:
• Researchers: These individuals hunt for vulnerabilities in applications, frameworks, and products, and feed their knowledge to malicious organizations for the sake of profit. In particular, they focus on browser vulnerabilities to optimize botnet infections.
• Farmers: The farmers maintain the botnets in cyberspace and seek to increase their numbers. They control their zombies through command-and-control (C&C) infrastructure.
• Dealers: Dealers rent out botnets based on size and length of usage. Renters use these botnets to conduct different types of attacks, such as extracting valuable data, launching DDoS attacks, disseminating spam and executing brute-force password attacks.
• Consumers: These individuals monetize the stolen information. They know how to fake credit cards to steal identities, advertise through spam and commit fraudulent transactions.
Optimization. Hackers optimize their resources in order to gain the most from compromised applications or computers. Their C&C centers are managed to gain the most from their botnets, fortifying their size and strength while taking out all other competition intent on controlling the same machines.
Automation. This is the key aspect of the hacking industry for scaling the attack process. Automation is what turned the hacker community into the hacker enterprise. Countering this building block of the industry should be a defining consideration when applying security controls.
For more detailed information on each topic and examples, I suggest returning to my previous column which introduced the hacking industry.
So how do you deal with this automated, growing industry?
• Explain the enemy to management. One challenge that we face time and again in the field is that scared look on decision-makers’ faces when we talk about security. Sadly, many security teams’ reflex is to begin explaining XSS, SQL Injection, CSRF, Drive-by-Downloads…. You get the point! Decision makers don’t get it. But if you paint a picture that articulates to management who wants the data and how outgunned you are, you’re more likely to get the resources needed.
• Remember that companies of all sizes are at risk. All applications, whether small or large, are attractive targets. Servers and workstations are identified as potential targets. In short, being victimized is not personal. This means that the smaller organizations that used to rely on their small customer base as a “preventive” measure cannot take that approach anymore. Rather, all companies alike must start paying attention to application security, either directly or through their hosting providers.
• Beat automated attacks at their own game. The key factor here is automation. Slowing down an attack is most often the best way to make it ineffective. A one second delay will not be noticed by most users, but this can make the difference for an automated attack – just enough of a difference to have the bot move onto another worthwhile target.
Here are a few examples of how to delay botnet activity:
- Adjusted Blocking – Black-list the IPs known to belong to malicious sources and botnets. This list can be built from past attack campaigns and from the contents of the messages they sent, as well as by collaborating with other organizations to maintain an up-to-date picture of current hacker activity. Remember, with today’s fast pace of hacker activity, these lists must be kept current with real-time malicious sources or they quickly lose their value.
- CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) – This technique attempts to distinguish humans from bots by providing a test that only a human can solve. I’m sure you’ve all encountered traditional CAPTCHAs which come in the form of character recognition. Other methods also exist, such as choosing the correct description of an image, or solving a simple riddle.
- Adaptive Authentication – When automation is suspected during a highly sensitive transaction, users should be alerted that malware may have taken over their browser. The alert could involve requesting the user to supply additional authentication details such as repeating the password or answering previously recorded questions.
- Client-side Computational Challenges – In this technique, the browser, on behalf of the client, is required to solve a computational challenge. Solving the challenge costs the client measurable computation, but the server can verify the solution cheaply. A single human session barely notices the delay; a bot that must pay it for every request it sends does.
- Disinformation – Botnets attempt to follow each link on a website. Feeding the site with many bogus links is therefore an effective countermeasure. A human would not follow these links, but an automated tool will follow them indefinitely.
• Beef up data control defenses. Bad reputations exist for a reason, and companies should take them into consideration. One method is to apply forensics from recent attacks in order to strategically enhance defenses. Essential forensic information includes the anonymous proxies, TOR relays, active bots and compromised servers observed in those attacks. A second method is to incorporate reputation-based controls within the company’s security initiative. Such controls leverage unique and identifiable characteristics from attacks seen by third parties to better filter Web traffic.
Coming Up Next – the New Business Models
Knowing the pillars of the hacking industry and their roles helps us better understand attack campaigns and the business models hackers are developing. Next week I will discuss some of these business models in depth. So stay tuned as I dress these hackers in a suit and tie!