Advanced cyber threats such as Flame – the powerful cyber weapon discovered in May 2012 with functionality exceeding that of all other known threats – are commonly dismissed by businesses as irrelevant to their cyber defence strategies.
The argument is that Flame and other so-called cyber weapons, such as Stuxnet,
Duqu and Gauss, have nothing to do with businesses that are not in the financial sector, suppliers of critical national infrastructure or under contract to the government or military. However, a growing number of security researchers say no organisation can afford to turn a blind eye to this emerging class of cyber threat.
At the very least, organisations should be examining these threats to get a better idea of what they are up against.
One of the most persuasive reasons for paying attention to these threats is the trend of sophisticated cyber attack tools being made widely available to low-level attackers at relatively low cost, with modern user-interfaces and comprehensive support services.
How To shape information security strategies
Gartner has pointed out for several years that targeted attacks require organisations to evolve their security strategies - Stuxnet and Flame are just highly publicised examples of targeted threats that have been causing financial damage to businesses recently, writes John Pescatore, research vice-president at Gartner. Threats will continue to evolve and enterprise security strategies will continue to need to so as well. Next-generation firewalls, intrusion prevention, web security, whitelisting and other security controls need to replace last-generation solutions.
There will be no last-generation security controls until threats become static. That is about as likely as crime and global conflict becoming static. Just as financial organisations have always had to continue to adapt their anti-fraud strategies, as clever criminals think up new ways to commit crime, organisations will need to adapt their information security processes, architectures and controls to become both more effective and more efficient in dealing with threats.
Today’s cyber weapons in all likelihood will be tomorrow’s standard espionage tools used by a range of cyber criminals to steal commercial intellectual property. IT security teams should not pass on the opportunity of preparing for the onslaught in the meantime. If nothing else, Flame should provide a reason and opportunity for organisations to reassess their current defences and defence strategy, with particular focus on how well-prepared an organisation is to deal with malware designed for industrial espionage.
Take care of the basics and educate the users
Researchers say Flame acts as a general-purpose spying tool, designed for cyber espionage and stealing all types of information from compromised machines.
A key lesson to be learned from Flame is that businesses must prepare for the unpredictable, says Adrian Davis, principal research analyst at the Information Security Forum (ISF). The analysis of Flame has yielded some interesting insights, he says, but none more so than the way it is spread through well-known vulnerabilities. The major vulnerabilities exploited were USB sticks and a known printer vulnerability in Windows (MS10-061). Additionally, there was some clever programming to forge trusted certificates, to help with signing the attack code. For information security professionals this has tactical and strategic implications. The tactical dimension is to focus on the basics.
This includes patching vulnerabilities, keeping signature files and configuration controls current, and raising awareness around the dangers of USB sticks. In this regard, Phil Stewart, director of communications at ISSA UK, says too many organisations overlook the need for a comprehensive solution that will both block access by an authorised USB device, while preventing malicious code from executing, should an approved device become infected.
“Blacklisting code is not the answer: Flame went undetected for two years by all the anti-virus vendors, and the industry needs to think much more in terms of code that can whitelist intelligently, without becoming an administrative chore,” he says.
According to Stewart, organisations should be looking at all devices on the network that support USB capability and ensuring they have a solution that can restrict unauthorised devices and unauthorised code. “Complementing this technology should be regular end-user training provided in the form of acceptable usage policies,” he says.
This is especially important, as social engineering in the form of highly-targeted phishing attacks, known as “spear phishing”, is at the start of 99% of successful data breaches, says Daniel Cohen, head of business development and knowledge delivery at RSA’s Online Threats Managed Services. And the company knows what it is talking about. After RSA was hit by an advanced persistent threat attack that breached data in March 2011 by using social engineering, the company has stepped up internal security awareness training.
There will be no last generation security controls until threats become static
For end-user training there are many organisations that provide phishing simulations to look at ways of correcting employee behaviour, says ISSA’s Stewart. Annual employee performance objectives should include security objectives. While training is important, there is also a technology component to countering spear phishing, but most rely too heavily upon blacklisting, he says, which overlook the fact various domains can be set up overnight and slip under the radar until malicious content is detected.
Design a strategy and response plan to prepare for the unpredictable
After the tactical focus on the basics, the ISF’s Adrian Davis says IT security professionals need a strategic plan to prepare for the unpredictable, ensuring the organisation has the resilience to withstand such attacks. To implement this cyber resilience requires cyber security governance, a clear and comprehensive risk strategy and response plan, and support for cyber security initiatives at the very highest level, says Davis.
“The business must lead this resilience effort, using a collaborative approach, sharing knowledge across business units and functional groups within the organisation,” he says. A key step is to align information risk management with enterprise risk management and with incident management and response.
At the same time, Davis believes no organisation can respond effectively on its own to the threats from cyberspace. This means organisations must work with others to benefit from the knowledge and resources of numerous stakeholders. “This will improve the level of cyber resilience of each organisation through improved awareness and sharing of experiences leading to more effective controls and preparation for attacks,” he says.
“A key step is to work with your suppliers and supply chain to reduce their vulnerabilities, and thereby the possibility of attacks mediated through them and the associated impacts.” Setting up alerts for new threats across vendor platforms is one way organisations can make sure they can be proactive in protecting their computer systems, says James Hanlon, head of the northern region security practice at Symantec.
“By keeping up to date with the latest analysis of new threats, you can make sure you have the latest advice and proactively respond to any challenges,” Hanlon says. The importance of layered protection, encryption and board support The capabilities of Flame, says Hanlon, also highlight the need for a comprehensive endpoint security product that includes additional layers of protection, such as endpoint intrusion prevention, that protects against unpatched vulnerabilities from being exploited; browser protection, for protection against obfuscated web-based attacks; and application control settings, that can prevent applications and browser plug-ins from downloading unauthorised malicious content.
Advanced threats like Flame are another good reason to implement and enforce a security policy which ensures data is encrypted. “This should include a data loss protection solution, which is a system to identify, monitor, and protect data at rest and on the move,” he says. Finally, the ISF’s Davis says information security must position itself as a boardroom issue because the consequences of not addressing the threats posed by attacks such as Flame are too significant to ignore.
But there is much work to be done in this regard, says (ISC)2 member David Harley, with 61% of UK private sector IT professionals polled by BAE Systems Detica saying it would take an attack on their company or a competitor before their board would take the risk of advanced cyber attacks seriously.
Even in the absence of board support, at least IT security professionals can use the insights offered by Flame to shed some light on what to expect and plan accordingly.