Cyber Attacks Target Human Frailty

March 25, 2013

In testimony before the United States Senate Armed Services Committee, Subcommittee on Emerging Threats and Capabilities, cyber security experts from Mandiant told the Senators that intruders often use deceptive emails to compromise systems.  Kevin Mandia said,

They’re leveraging human weaknesses and human vulnerability and trust to break into these organizations.

Mandia told the senators that it is difficult to defend against deception.

It is easy to deceive people.  This is an example of a deceptive spearphishing email.

What looked like a routine FedEx email was, in fact, a cyber attack that compromised the New York Times.

Your personnel will receive deceptive emails.  Your security hangs in the balance each time an employee decides whether to click a link or open an attachment.  Telling employees to avoid suspicious emails is good advice, but the attackers know that advice too; that is why they use social engineering to craft emails that do not look suspicious.  IT must intervene in the email processing decision.  That is the role of SP Guard.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff at the moment the person is deciding whether to click or pass.  In the SP Guard environment, staff can, for example, easily distinguish a trusted HR email from a spoofed HR email.

You can contact us at 408-727-6342, ext. 3 or use our online form.


The Importance of Being Current

March 22, 2013

The widely reported attacks on banks in South Korea provide a strong lesson in the importance of using up-to-date software.

Whois Team message

As the Los Angeles Times reports, the attack was not technically sophisticated.  Nevertheless, as the New York Times reports, the attack was extremely effective in causing havoc in South Korea.

Avast! has determined that this attack exploited out-of-date versions of Internet Explorer.  Had the users been running a current, correctly configured browser (the screenshot below shows Internet Explorer with Data Execution Prevention turned on), the browser would have blocked the attack instead of being compromised by it.  Patch level and exploit mitigations such as DEP are separate controls, and an audit of the browser estate needs to check both.

Internet Explorer with DEP enabled


Director of National Intelligence warns US Senate — Cyber Is First On His List

March 13, 2013

Yesterday, March 12, James R. Clapper, the Director of National Intelligence, provided the United States Senate with the annual US INTELLIGENCE COMMUNITY WORLDWIDE THREAT ASSESSMENT.   The first threat in the report is Cyber. While we think it is important to read the entire discussion of Cyber, we think this excerpt provides a good summary of the situation:

Foreign intelligence and security services have penetrated numerous computer networks of US Government, business, academic, and private sector entities. Most detected activity has targeted unclassified networks connected to the Internet, but foreign cyber actors are also targeting classified networks. Importantly, much of the nation’s critical proprietary data are on sensitive but unclassified networks; the same is true for most of our closest allies.

  • We assess that highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive US national security and economic data. This is almost certainly allowing our adversaries to close the technological gap between our respective militaries, slowly neutralizing one of our key advantages in the international arena.
  • It is very difficult to quantify the value of proprietary technologies and sensitive business information and, therefore, the impact of economic cyber espionage activities. However, we assess that economic cyber espionage will probably allow the actors who take this information to reap unfair gains in some industries.

It is now abundantly clear that one of the most important paths to compromising systems is social engineering that deceives personnel into compromising their own systems.  Mandiant recently issued a comprehensive report detailing how APT attacks use spearphishing emails to infiltrate systems.  This chart, derived from data reported by Trend Micro, shows the prevalence of spearphishing in APT campaigns:

trend pie chart

Your personnel will receive malicious emails.  Your security hangs in the balance each time an employee decides whether to click a link or open an attachment.  Telling employees to avoid suspicious emails is good advice, but the attackers know that advice too; that is why they use social engineering to craft emails that do not look suspicious.  IT must intervene in the email processing decision.  That is the role of SP Guard.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff at the moment the person is deciding whether to click or pass.  In the SP Guard environment, staff can, for example, easily distinguish a trusted HR email from a spoofed HR email.



Longline Phishing

March 8, 2013

proofpoint has just released a whitepaper describing the latest innovation in APT cyberattacks — longline phishing.

proofpoint describes the latest innovations that attackers are using to ply their craft.  In order to evade cyber defenses, the APT cyberattacker has three objectives:

  1. Maintain low volume attacks to evade detection.
  2. Customize the attack to optimize victim response.
  3. Deliver unique malware to evade malware defenses.

In order to accomplish these three objectives, historically the attackers had to devote significant effort to each attack.  That effort imposed a cost/volume trade-off on the attackers.  Describing longline phishing, proofpoint observes:

… today’s advanced phishing tactics may have overcome the cost/volume trade-off. Borrowing tactics from cloud computing and database marketing, attackers are now engaging in industrial-scale phishing attacks that leverage sophisticated customization and delivery techniques.

proofpoint concludes that in longline phishing, the attackers accomplish all three attack objectives — on an industrial scale.

  1. Low Volume.  A single targeted enterprise sees only a handful of messages, but many companies are targeted at the same time.  Tens of thousands of messages can thus be sprinkled across many organizations without any one of them seeing enough to notice.
  2. Customization.  The attack emails rotate spoofed sending addresses, embedded URLs and message text to optimize the deception, so that sender and URL blocklists have nothing stable to match.
  3. Unique Malware.  The payloads exploit unpatched vulnerabilities and use polymorphic malware, so each sample looks new to signature-based defenses.

proofpoint reviews why conventional defenses are ineffective against this pattern and concludes that firms must use big data techniques, correlating what individual organizations see too little of on their own, to apply additional security measures to suspicious emails.
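The following is an added example, written for this page rather than taken from proofpoint's whitepaper or this post, of the cross-organization correlation that conclusion calls for. It takes a constructed day of inbound mail at three organizations, strips each message's per-target customization (rotating sender, landing-page host, greeting and invoice number) down to a template fingerprint, and shows that no single organization sees more than two copies of the template while the pooled view sees six copies from six senders and six hosts. The message set, the organization names and the alert threshold of five are assumptions made for the illustration.

```python
import hashlib
import re
from collections import defaultdict
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample traffic, not real mail: one day of inbound messages at
# three organizations.  The campaign sends each organization only two
# messages, each with a different sender, landing-page host, greeting and
# invoice number; each organization also receives one unrelated internal mail.
SAMPLE_MESSAGES = [
    # (receiving organization, From header, Subject, body)
    ("acme.example", "FedEx Billing <billing@fedex-notice.example>", "FedEx invoice 4481 for Acme",
     "Dear Alice,\n\nYour Acme invoice 4481 is ready. View it at "
     "http://fedex-notice.example/inv/4481 within 24 hours.\n\nFedEx Billing"),
    ("acme.example", "FedEx Billing <invoice@fedex-delivery.example>", "FedEx invoice 4482 for Acme",
     "Dear Bob,\n\nYour Acme invoice 4482 is ready. View it at "
     "http://fedex-delivery.example/inv/4482 within 24 hours.\n\nFedEx Billing"),
    ("acme.example", "Acme HR <hr@acme.example>", "Open enrollment closes Friday",
     "Hi all,\n\nMake your benefit elections at https://benefits.acme.example/enroll\n\nAcme HR"),
    ("globex.example", "FedEx Billing <billing@fedex-tracking.example>", "FedEx invoice 4483 for Globex",
     "Dear Carol,\n\nYour Globex invoice 4483 is ready. View it at "
     "http://fedex-tracking.example/inv/4483 within 24 hours.\n\nFedEx Billing"),
    ("globex.example", "FedEx Billing <notice@fedex-parcel.example>", "FedEx invoice 4484 for Globex",
     "Dear Dan,\n\nYour Globex invoice 4484 is ready. View it at "
     "http://fedex-parcel.example/inv/4484 within 24 hours.\n\nFedEx Billing"),
    ("globex.example", "Globex IT <it@globex.example>", "Maintenance window Saturday",
     "The VPN concentrator will be offline Saturday 02:00-04:00 for patching.\n\nGlobex IT"),
    ("initech.example", "FedEx Billing <billing@fedex-shipping.example>", "FedEx invoice 4485 for Initech",
     "Dear Erin,\n\nYour Initech invoice 4485 is ready. View it at "
     "http://fedex-shipping.example/inv/4485 within 24 hours.\n\nFedEx Billing"),
    ("initech.example", "FedEx Billing <account@fedex-express.example>", "FedEx invoice 4486 for Initech",
     "Dear Frank,\n\nYour Initech invoice 4486 is ready. View it at "
     "http://fedex-express.example/inv/4486 within 24 hours.\n\nFedEx Billing"),
    ("initech.example", "Payroll <payroll@initech.example>", "Pay stubs posted",
     "March pay stubs are available at https://pay.initech.example/stubs\n\nPayroll"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(text, receiving_org):
    """Strip the per-target customization so rotated variants of one template
    collapse to the same string: URLs, greeting names, the target's own name
    and all numbers are replaced with placeholders."""
    org_label = receiving_org.split(".")[0].lower()
    t = text.lower()
    t = URL_RE.sub("<url>", t)
    t = re.sub(r"\bdear [a-z]+,", "dear <name>,", t)
    t = re.sub(r"\b" + re.escape(org_label) + r"\b", "<org>", t)
    t = re.sub(r"\d+", "<num>", t)
    return re.sub(r"\s+", " ", t).strip()


def fingerprint(subject, body, receiving_org):
    """Short hash of the normalized template; equal across the campaign's variants."""
    normalized = normalize(subject + "\n" + body, receiving_org)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()[:16]


def cluster_campaigns(messages):
    """Group messages by template fingerprint, recording how many organizations,
    sender addresses and URL hosts each template was seen with."""
    clusters = {}
    for org, from_header, subject, body in messages:
        key = fingerprint(subject, body, org)
        c = clusters.setdefault(key, {"count": 0, "orgs": set(), "senders": set(),
                                      "url_hosts": set()})
        c["count"] += 1
        c["orgs"].add(org)
        c["senders"].add(parseaddr(from_header)[1].lower())
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                c["url_hosts"].add(host)
    return clusters


def per_org_max_cluster(messages):
    """Largest template cluster any single organization can see on its own."""
    by_org = defaultdict(list)
    for message in messages:
        by_org[message[0]].append(message)
    return max(c["count"] for msgs in by_org.values()
               for c in cluster_campaigns(msgs).values())


def campaign_alerts(messages, threshold=5):
    """Templates whose pooled count reaches the threshold: the view a shared
    service has and a single organization does not."""
    return [(key, c) for key, c in cluster_campaigns(messages).items()
            if c["count"] >= threshold]


if __name__ == "__main__":
    print("largest cluster visible to one organization:", per_org_max_cluster(SAMPLE_MESSAGES))
    for key, c in campaign_alerts(SAMPLE_MESSAGES):
        print(f"campaign {key}: {c['count']} messages across {len(c['orgs'])} organizations, "
              f"{len(c['senders'])} senders, {len(c['url_hosts'])} URL hosts")
```

The normalization is deliberately crude (greeting, target name, URLs and numbers); a production system would use a near-duplicate hash over message structure rather than exact string equality. The structural point is unchanged: the low-volume objective only defeats per-organization counting, and the rotated senders and hosts that defeat blocklists become the evidence of a campaign once the counts are pooled.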

At Iconix we agree with proofpoint.  The attackers are clever, and cyber defense requires that organizations implement many layers of security.  A key layer in that security is the email recipient: the human.  Your personnel will receive malicious emails.  Your security hangs in the balance each time an employee decides whether to click a link or open an attachment.  Telling employees to avoid suspicious emails is good advice, but the attackers know that advice too; that is why they use social engineering to craft emails that do not look suspicious.  IT must intervene in the email processing decision.  That is the role of SP Guard.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff at the moment the person is deciding whether to click or pass.  In the SP Guard environment, staff can easily distinguish a trusted HR email from a spoofed HR email.



RSA 2013

March 1, 2013

We just attended the RSA Conference 2013 in San Francisco.  The conference presented a vast array of products and technologies to defend systems.

We think the most important security information did not come from the RSA Conference — it came from Mandiant.

mandiant 100 percent

Mandiant’s groundbreaking report APT1 – Exposing One of China’s Cyberespionage Units provides a case study of the process we have termed Chasing What’s Already Gone – the cycle of:

  1. spearphishing attack
  2. unique exploit installation
  3. surreptitious command & control
  4. discovery
  5. remediation
  6. repeat

How did the bad guys respond to the Mandiant report?  They used the report itself as spearphishing bait to deliver exploits!

A small number of well-crafted emails will be delivered.  These emails will be specifically written to deceive the recipient into taking an action (most often opening an attachment).  They exploit the three factors that drive email interactions:

  • relevance
  • urgency clues
  • recipient habits

As Mandiant makes clear, email weapons are cleverly crafted so that they are NOT suspicious.  The integrity of your systems depends upon the decisions of staff in the face of clever and persistent deception.  Telling employees not to open suspicious attachments, while sound advice, is unhelpful against deceptive emails that are not suspicious.  All spearphishing emails are deceptive, but not all deceptive emails are suspicious; avoiding suspicion is the spearphisher's job.

Employees’ email decisions can compromise security.  IT needs to help employees make better email processing decisions.  That is where SP Guard comes into play.  Using SP Guard, IT can determine a list of trusted senders and provide this information to staff.  In the SP Guard environment, staff can easily distinguish a trusted HR email from a spoofed HR email.
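As an added illustration of the trusted-sender check that the SP Guard pitch in this and the earlier posts describes: the Python below is not SP Guard's code, whose mechanism the posts do not detail, and the sender list, role names and domains it uses are constructed for the example. It classifies one message's From header as TRUSTED (exact address on IT's list), SPOOF_SUSPECT (the display name claims a trusted role, the domain imitates a trusted one, or a trusted From is paired with an off-domain Reply-To) or UNKNOWN, and returns a reason that could be shown to the user at the moment of the click-or-pass decision.

```python
import re
from email.utils import parseaddr

# Constructed trusted-sender list of the kind IT would maintain: the addresses,
# role names and domain are hypothetical, not any real organization's.
TRUSTED_SENDERS = {
    "hr@corp.example": "HR",
    "payroll@corp.example": "Payroll",
    "helpdesk@corp.example": "IT Helpdesk",
}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_SENDERS}
# Words a display name must contain to be claiming one of the trusted roles.
TRUSTED_ROLE_WORDS = {role: set(re.findall(r"[a-z0-9]+", role.lower()))
                      for role in TRUSTED_SENDERS.values()}


def levenshtein(a, b):
    """Edit distance, used to catch near-miss domains such as c0rp.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, trusted_domains=TRUSTED_DOMAINS, max_distance=2):
    """True when the domain imitates a trusted one: a few characters off, or the
    trusted name embedded in the first label (corp-helpdesk.example)."""
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return False  # the real domain or a genuine subdomain of it
        if levenshtein(domain, trusted) <= max_distance:
            return True
        if trusted.split(".")[0] in domain.split(".")[0].split("-"):
            return True
    return False


def classify_sender(from_header, reply_to_header=None):
    """Return (verdict, reason) for one message.

    TRUSTED       - exact address on IT's list, and any Reply-To stays on a trusted domain
    SPOOF_SUSPECT - display name claims a trusted role, domain imitates a trusted one,
                    or a trusted From is paired with an off-domain Reply-To
    UNKNOWN       - not on the list and makes no such claim
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if addr in TRUSTED_SENDERS:
        if reply_to_header:
            reply_addr = parseaddr(reply_to_header)[1].lower()
            if reply_addr.rsplit("@", 1)[-1] not in TRUSTED_DOMAINS:
                return "SPOOF_SUSPECT", f"trusted From but Reply-To goes off-domain: {reply_addr}"
        return "TRUSTED", f"matches trusted sender '{TRUSTED_SENDERS[addr]}'"
    reasons = []
    display_words = set(re.findall(r"[a-z0-9]+", display.lower()))
    for role, words in TRUSTED_ROLE_WORDS.items():
        if words <= display_words:
            reasons.append(f"display name claims trusted role '{role}' but {addr} is not on the list")
            break
    if is_lookalike_domain(domain):
        reasons.append(f"domain {domain} imitates a trusted domain")
    if reasons:
        return "SPOOF_SUSPECT", "; ".join(reasons)
    return "UNKNOWN", f"{addr} is not on the trusted list"


if __name__ == "__main__":
    # Constructed headers, not captured mail.
    for hdr in ["HR <hr@corp.example>", "HR <hr@c0rp.example>",
                "Corp HR Team <hr.corp.example@freemail.example>",
                "IT Helpdesk <support@corp-helpdesk.example>",
                "Chris Lee <chris@vendor.example>"]:
        print(f"{hdr!r:55} -> {classify_sender(hdr)}")
```

One caveat a deployment must not skip: the From header itself is trivially forged, so an exact-match TRUSTED verdict is only as good as the authentication the mail gateway performed (SPF, DKIM and DMARC alignment) before the message reached the user. Without that step in front of it, the check only tells the user what the attacker chose to claim.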
