If you follow the news, you know that Target got hacked to the tune of at least 110 million credit card numbers (and some PINs) lost. But, how did it happen? Hardly anyone is asking or answering that question. You can find plenty of articles that tell you what happened once the attackers go in: Memory scraping on the POS devices and servers, a Russian teenager, famous coders, etc.
My question is different. How did they get in initially? I think as an industry we focus too much effort on what happened after the attackers get it. Do not misunderstand me. We absolutely need to scope the breach, determine what happened, what was stolen, changed, and such.
We need to spend more time, money, and technology on understanding exactly how the compromises are being made. I was just talking with another security professional recently who was telling me what versions of Java that current variants of Zeus was exploiting. Guess what? Zeus doesn’t exploit anything. It does not take computers over. Zeus is just a piece of software that can get installed by anyone with administrative access to the computer. It is what some people call “Stage 2″ malware. In the Cyber Kill Chain, this would be the Install phase.
There is a whole world of what we call “Stage 1″ malware. Some of these software packages are also called “Exploit kits” as it has gotten pretty commercial. Ones that come to mind are Blackhole, Cool, Phoenix, and others. There are custom exploit tools as well. In the Cyber Kill Chain, I’m talking about the Exploit phase.
The problem with what I’m asking is that it is not easy to find out how computers got exploited. There are very few tools on the market that help give you visibility into Stage 1 malware. FireEye and Mandiant (now one company) create tools to help. Most of your anti-virus vendors really focus on Stage 2 malware. In other words, they are looking for the malware that makes the news like Zeus and others.
Typically, Stage 1 malware (the real exploit) is deleted from the box after it’s job is done and the Stage 2 (Zeus, BlackPOS, etc) malware is installed. That’s why it is hard to determine how the computer got “infected”.
If we take the money we would spend on that latest silver bullet security product and double down on visibility and process, we can really cut down on large intrusions like the one at Target and now Neiman Marcus.
Here is a list of action items off the top of my head. I’d like to drill into these in later posts.
- Build visibility into networks and computers
- Design an ecosystem to capture that visibility
- Make it easy to search and narrow down events by time
- Have your users send you anything they feel is suspicious
- Determine what exactly got exploited each both by analyzing the events and user input
- You need people to do this: Analysts
- This is where you get some of your best threat intelligence, by the way
- Measure and track the exploits seen on your network
- Research what vulnerable pieces of software are hit most often on your network
- Uninstall that vulnerable software OR put a lot of rigor around patching those vulnerable applications
- Feed current threat intelligence (not lists of 90000 bad IP addresses) into your detection platform
- Measure time to detect and remediate exploits and work hard to lower that time.
- Look for data leaving your company. Show that to management. Often.
- Demonstrate the tie between the trend of exploits and data leaving the building.
There are companies and vendors that get this and are working hard to solve the problem as stated above. Other companies just want to sell you “signature update” subscriptions on an annual basis and are not really interested in solving the problem wholesale. The companies most interested in selling subscriptions are short sighted because there will always be a better mouse no matter how good we build the mouse traps!
Just remember: Stage 1 malware (aka – The exploit) and kick-butt Incident Response is where the money is. If you cannot get access to the computer, you cannot install your cool botnet or memory scraping software. When the bad guys are successful, they will have time to stage these large hacks (ala Target, TJX, Sony, etc) if the Incident Response team kicks them out quickly.
Until next time…