How Cyber-Attacks Are Evolving
James Lyne of Sophos on the Elements of Targeted Exploits
Cybercriminals are developing an increasingly sophisticated black market of tools and services to target organizations, says James Lyne, who details the evolution of advanced cyber-attacks.
Hackers have matured to a staggering point where they can now generate massive volumes of high-quality malware easily, says Lyne, director of technology strategy at Sophos.
Along with that, cybercriminals are approaching their activities with a business-like mindset, streamlining the process of obtaining the malicious code they need and targeting who they want to hit with their exploits, Lyne says.
"We're seeing instances where criminal gangs will hack tons and tons of systems, collect user names, passwords and credentials, and then they'll sell them on a black market to a vertical specialist that focuses on exfiltration," Lyne says in an interview with Information Security Media Group [transcript below].
The specialist will then work to find value out of certain data, such as military or medical information, he says.
This business mentality has also made it easier for insiders and low-level hackers to obtain high-level tools to conduct their attacks, Lyne says.
For instance, the Blackhole exploit pack is a product hackers can purchase on the black market, Lyne says. The exploit pack generates and distributes malware, tracks its efficiency, and manages the user's access to it.
"It even comes with technical support in case you have trouble," he says.
Cybercriminals are also spending more time within systems that they have compromised, Lyne says. "It's not uncommon for the attackers today to gain access to a system and go after collecting user names and passwords for other users in the network."
In an interview, Lyne discusses:
- The new maturity of cyber-attackers;
- Elements of new targeted attacks;
- What's necessary to deter criminals.
Lyne is director of technology strategy at Sophos, where he focuses on upcoming technology and threat trends. He has focused on a wide range of threats and technology issues and has advised some of the world's largest organizations on security strategy. A frequent presenter at technical conferences and instructor at the SANS Institute, Lyne has also worked on spreading the mainstream security message and simplifying complex concepts for the broader public.
Volume of Threats
TOM FIELD: Let's just talk a little bit about the scary numbers. I would like to hear a little bit about the volume of threats that you see on a daily basis.
JAMES LYNE: It's a pretty astonishing figure today. I remember when I used to go into work five or six years ago and you'd see numbers like 6,000 pieces of malware a day and you'd be like, "Oh that's terrible. How will we ever deal with this volume of malicious code?" It's kind of incredible today. I look at the statistics and, on average, we see 250,000 individual, new PC malicious codes every day, just a mind-boggling volume of malware.
It's also really interesting how it's getting distributed, how that kind of breaks people's ideas about malicious code. About 30,000 new websites get hacked every single day. When you actually do the math on the distribution, it's about one every second. And contrary to popular belief, it isn't adult sites, gambling and the like that are distributing it, but 80 percent is legitimate businesses, mostly small businesses, which are getting hacked and distributing malware to their customers.
FIELD: I've got to ask you: What's the technology vulnerability, particularly for the small to mid-size organizations, that's making them accessible?
LYNE: It's a series of different attacks. One of the most popular is referred to as SQL injection. What's interesting is it's a vulnerability that has been very well understood for many, many years and it's actually relatively simple to fix the majority of those hacked websites. But the big problem is people have, I suppose, a lack of understanding of secure coding practices. Often, many universities are not teaching those principles to their students. In fact, in some regards it has gone downhill from years previous. People aren't getting ahead of the curve and implementing stuff securely, [and] getting their websites hacked and making mistakes. It's a simple lack of communication between security experts and the rest of the community that's allowing not clever high-end attacks, but the basics being done badly.
FIELD: We've talked about the volume; let's talk about the types of malicious code you're seeing out there and the quality of it. We have quantity. Is it quality as well?
LYNE: It's an interesting challenge. You start talking about these 250,000 pieces of malware and that's staggering. Clearly, they must be producing in quality, all those people sitting there writing all the malware. Naturally, computers are being used to generate the majority of that malicious code. The cybercriminals have developed an astonishing black market of tools and services to make it easy to generate massive volumes of very high-quality malicious code.
For example, we take one of the market leaders in this area at the moment, the Blackhole exploit pack. It's a Russian criminal gang-produced hacking tool kit that will generate malware, distribute malware, track the efficiency of certain malware, and manage your access to it so that you can hit lots of systems and compromise them en masse. It varies between $700 and $2,000 to purchase a license of it, and it even comes with technical support in case you have trouble setting up your illegal hacking server. The ease of use is making it trivial for even an insider or someone who's less technical to get their hands on, should we say, nation-state-grade attacks.
Cybercrime Community's Business Skills
FIELD: In the past we have been blown away by the technical skills of the cybercrime community, if you will. My sense is that we're being blown away now by the business skills.
LYNE: Right. It's kind of staggering. I've seen amazing innovation in technology over the past four or five years and I continue to be surprised every few months when someone comes up with something clever. But the very active theme, particularly over the last 18 months, very much recently, is the commercial [model]. For example, we're seeing referral models where cybercriminals will take these tool kits, set up a company, and they will pay other cybercriminals a fee for each computer they compromise. We're seeing instances where criminal gangs will hack tons and tons of systems, collect user names, passwords and credentials, and then they'll sell them on a black market to a vertical specialist that focuses on exfiltration, or making value from certain kinds of data, maybe military, medical, or the like. [It's] pretty scary, potentially if you get into the terrorist segment there as a point of concern, although so far much of this is more commercial.
I mentioned already technical support and documentation. Some of these guys are even running cloud services, and, if I may say so, generally doing a more effective job than most businesses and governments are with the same piece. It's a hugely professionally organized black market today and that breathes more innovation of the technical sort as well.
FIELD: Offline here you were telling me about some of the conversations you've been privy to watch among the criminals arguing over techniques. Can you share some of that?
LYNE: It's great. We sometimes get to sit in these forums, pretend to be part of the criminal community, and see technical discussions or debates on how to attack a certain system. I remember this one particular discussion. It was translated from Russian, where it was these two criminals arguing over what time of day they should access the system they had acquired access to. One of them was saying, "Let's go in [during] the middle of the day. There's going to be lots of network traffic. It's going to be hard to spot us because they'll be all these users doing all this stuff, refreshing and accessing the Internet." The other guy is saying, "No, it's a terrible idea. The system administrators and the network guys will be there. Why don't we wait until it's past midnight and it's much less likely the help desk is going to pick this up?" They kind of went through an active debate on which was the better attack strategy. If I recall correctly, they opted to attack in the early hours in the end, as opposed to assuming that the incident responders would be either dreary or just not present.
FIELD: I was going to suggest they probably would have opted to do both.
LYNE: Yeah, fork attack, try both by multiple accesses. There's another interesting trend in more targeted attacks of late. The mainstream cybercriminal hits systems, steals credit card data and banking information as quickly as possible, and just continues and doesn't really care. A targeted attacker gets access and takes their time spreading around the system. We're seeing the length of time over which systems are held in a compromise state extending massively. It's not uncommon for the attackers today to gain access to a system and to go after collecting user names and passwords for other users in the network. This represents a really interesting challenge for us in security, because the past 26-27 years of our industry has primarily been focused on spotting the bad code. Whereas now, we may have to spot a user logging in - a legitimate user with legitimate credentials that's actually a cybercriminal coming to do bad stuff. The security policy and the granularity of monitoring for that is wildly different from the more black-and-white, good-and-bad world that we were conventionally used to.
Collapse of Threat Actors
FIELD: Typically, when we talk about the actors, we're talking about nation-states; we're talking about hacktivists; we're talking about cybercriminals; we're talking about insiders even. The point you made earlier is a collapsing of the actors, if you will. Could you explain that?
LYNE: It's interesting to map all these different actors out and it's still pertinent to assess the potential interest of each of those groups and what they may go after. Some will be more relevant to other businesses, less to others. But from an attack-technique perspective, we're seeing a massive crunch in the techniques they use. I theorize that's occurring primarily because of this hacking-as-a-service industry, the ready distribution of tools that make it trivial to launch high-quality attacks. Why roll your own stuff if there's a utility there that does the job well? If you're an insider with lower knowledge or a script kiddie - as we historically like to call them - you get your hands on one of these tools and you've got the same technology as a hardened cybercriminal. If you're a nation-state, these tools give you plausible deniability. You look like mainstream cybercriminal gangs.
We're seeing a huge focus on the use of these tools and very, very similar techniques, which does represent an opportunity for us because at least we can potentially deal with multiple groups' attacks through a very similar set of security mitigations. I wouldn't stop analyzing who your potential attackers are, but I would be wary of classifying an insider or a script kiddie or a hacktivist that you irritated as potentially a low-tech attacker. The tools are too good.
Tips for Organizations
FIELD: Let's talk about a couple of things. What can organizations be doing? We know they don't patch. We know that users don't update. We know that there are known vulnerabilities out there. What can they do to better detect and prevent some of these infiltrations?
LYNE: It's going to be difficult to answer all information security problems in a short segment, but [here are] some key pointers. If I look at the majority of incidents that I've been involved with where it has gone wrong, you dropped in to try and sort it out, we look at data from some of the big breach reports. In most instances it isn't a new clever zero-day or super-hacking technique that's involved. It's recycling something old. If you look back to the first Java attack of the recent space - not ever - it focused on a bunch of defense companies. But within three to four hours it was rolled into the Blackhole exploit pack. It was being used everywhere. Thirty, 40, 50 days later people are still getting hit with this vulnerability from which there are numerous mitigations available.
While it's really tempting to focus on the high-end, sexy, one-percent attacks that you may hear about [from] certain publications and the like, actually 99 percent of this stuff is about doing the basics really, really well. Don't forget things like user-awareness training. Look at the APT1 attacks. A huge number of those were caused by essentially simple social engineering: funnypics.exe, "don't click me," which everyone immediately clicks of course. That's how it goes. [It's] user awareness.
From a technical-control standpoint, don't put your eggs too much in one basket. Take it from someone that makes security technology; there's no 100 percent. I like to think of the idea of an attack as a chain. You've got the initial reconnaissance. You've got the scanning and you've got the exploitation. They log onto the box. They start attacking accounts. They start spreading around and they start stealing data, and even phases after that, in the use of the data. You only need to catch them at one stage to tear down that attack, and there has been too much focus in the industry on just those early stages, not the latter sections, and that's reflected in how people deploy their security technologies. Think broader, protect each of the layers, don't limit yourself to just one or two operating systems, think broadly and protect each point, and you have a much better chance of dealing with these kinds of attacks.
Need for International Collaboration
FIELD: Clearly, organizations aren't creating any sort of a deterrent for cybercriminals, but we've got an issue that's greater than that within the global community. There's not a lot of incentive for cybercriminals to shut down. What do we need to do as a community to prosecute, punish and to create a deterrent?
LYNE: It is a huge challenge. Even when we get to the point [where] we actually have enough data to say, "Here are the guys; here's what they've done; [here] are screen-shots of their faces and the like," it can still be incredibly difficult to even get to prosecution. There was a case with a [cyber] gang where, in the end, information was published online because law enforcement simply couldn't get it pushed through.
Despite all these wonderful cyber conventions that we have on an international basis between different countries, the reality is most laws in this area are national and the Internet is really not that national. We also have the challenge of visibility. In the minority of cases we get this interesting information and most we never get to hear about it. Most businesses don't report, and that's because most data breach notification laws focus on stick, not on carrot. In the UK, for example, I know a lot of businesses that would choose to only report in the event they know that they're going to get called out publicly. Otherwise, they may as well keep silent. The reputation damage from a breach far outweighs the losses from an individual attack, and the result of that is death by a thousand cuts, at an economic level in the country and internationally in making cybercrime pay, which is exactly what you said. It's so true. We need to come up with a way to allow reporting that's focused on the objective of identifying cybercriminals and identifying trends, not a punitive system of hitting companies for getting hit by that one percent, even if they did the job effectively.
We need serious reform in the legal landscape. We need to seriously look at the speed of development here versus Internet technologies. We all, as an international community, need to come to the table collectively. We can't do this in small [groups]. We all need to be prepared to be far more hostile in prosecution of known offenders.
In closing on that point, if you think of the Internet, there's a wonderful saying I really like from Margaret Atwood which is this idea of "freedom to and freedom from," and as you fluctuate between either in the scale, you compromise security or privacy. They're not truly at odds, but are the shades of gray at either end of that spectrum.
At the moment, that pin is being moved dynamically by technology providers, countries and all kinds of different parties. Maybe we need to choose a stance specifically that enables us to make life much harder for cybercriminals but without truly compromising the privacy that enables the great innovation that we have on the Internet today. It's clear we're not doing a good job of it. Fixing it may take a little longer.