20

We have seen this attack method grow as part of Advanced Persistent Threats (operation Aurora against Google or the G20 French Finance ministry attacks come to mind) but I have no doubt that even smaller scale attacks may employ this methodology if there is a lot to gain. Our case is: high value individuals within the organization receive malicious messages (e.g. PDFs or other documents with embedded malicious code) crafted specifically to look legitimate to them. Moreover, we are usually talking about less-than-expert users that would have trouble detecting an ill-intended message, let alone analyze one.

I feel it’s a subject that touches upon a number of security areas within an organization and would require a multi-layered approach: User Awareness Training, Detection Techniques, Mitigation measures (DLPs) in place etc.

Thinking that User Awareness and measures against Data Leakages would anyway be part of a comprehensive security program how should an organization address the Targeted Attack detection problem?

Some questions that need to be addressed:

  1. You need to set up these filters and usually this may happen much after the actual attack took place. (There was an earlier question on dealing with APTs, but can this be put to wider use?)

  2. There needs to be detection and analysis capability either in-house or out-sourced. Are there any firms offering such a service?

  3. You need to have email filtering tools able to integrate (automatically) disclosed attack patterns in their scanning process.

  4. What to do with intercepted messages? Trying to catch targeted attacks may result in a large number of false positives, making it hard to delete; sending them in a “quarantine” system would perhaps be more appropriate but then (if you leave it to the user to decide) there is no guarantee that he/she will not, in the end, access the malicious email and get infected anyway…

  5. How about complete system segregation for people that handle critical data: I’m thinking of a "layered" approach i.e. not receiving email themselves, but rather through secretaries or other "safe" go-betweens.

Your thoughts/suggestions/solutions/directions?

George
  • Many thanks to all those who answered so far. I should clarify that I was also interested in the detection part of dealing with Targeted Attacks. Spear phishing, 0-day exploits and "less technical aware" targets together create not only a dangerous mixture but also one difficult to detect. I suppose even at a well protected organization that implements every possible measure, they would like to know (and stop) TAs that try to hit them. – George May 10 '11 at 07:42
  • Some great answers so far but I'm still missing a substantial contribution in the Detection area. I would like to see some more input on detection methods before you have to put the prevention and reaction methods to use. I'm putting a bounty to keep interest high and hope to get some more feedback. – George May 16 '11 at 07:24
  • This is also relevant and demonstrates the urgency of the situation. SC Magazine UK: Chancellor admits that the Treasury faces one email attack every day http://www.scmagazineuk.com/chancellor-admits-that-the-treasury-faces-one-email-attack-every-day/article/202996/?DCMP=EMC-SCUK_Newswire – George May 17 '11 at 12:01
  • Step One: Don't get Targeted. ? – atdre May 11 '11 at 04:24

5 Answers

18

IMHO it is doing the un-sexy things consistently that will provide you the best defences against even targeted attacks and "APTs".

As I wrote when RSA provided details of their advanced attack, good lessons learnt are:

  • Email as a malware distribution mechanism is not dead. Dig out those user awareness presentations and add some training on spear phishing and trusting the junk filter a bit more
  • Internet access is a luxury not a default right. Do not provide it if it is not required for a clear business benefit
  • Consider white-listing websites that need to be accessed based on the user role; being smart, e.g. rules that check that the referring URL is Google, can prevent the backlash and loss of productivity while significantly improving security
  • Re-evaluate the business reason for software like Flash, Adobe reader, Office, browser extensions as part of the gold build for all desktops and laptops. Alternatives exist, users with a specific business reason can request it - cut your attack surface
  • Use IDS to detect and ideally IPS to prevent connections from endpoints to suspicious sites
  • Configure a desktop firewall and host based IDS to block any new outbound connections without approval
  • Monitor alerts from your IDS/IPS - have a team that is trained to react to these alerts with clear and rehearsed procedures
  • Implement two factor authentication for administrator access even to internal systems.
  • Move away from permanent privileged access for critical systems and monitor for logins outside of approved changes and support tickets
  • Move your security controls closer to your most valuable data with tools, people and processes for DLP. Your monitoring strategy needs to consider encrypted files, either analysing a decrypted version or flagging any new encrypted transfers. Encrypting the data in storage to add a further layer of protection even if it is stolen is also a good idea
  • Network segmentation - create secure network zones even within your internal network for your crown jewels, control and monitor access to these
  • Think about thin or zero client endpoints

Above all do a risk assessment, create a threat model and attack trees. Get some smart people in a room, ideally not just security and at least brainstorm:

  • Value - what is your most important information? You only need as much security as you have value to protect
  • Threats - is there anyone that has the incentives and ability to cause you a problem?
  • Weaknesses - what are the weaknesses in your systems, your people and processes that could be exploited? How serious are these?
  • Risk - based on all this what is your actual risk? What is the real exposure?
  • Controls - how does everything you have spent on security so far help you reduce this risk? If you got rid of a control would it significantly increase the risk? Is it worth investing in new technology, people and process?

What you will find may not be the most sexy stuff; it is probably stuff you should have been doing anyway (e.g. patch Apache, aka Sony), but at the end of the day it will probably give you the best cost benefit for defending against even APTs.

Rakkhi
  • +1 for the risk assessment, and +1 for the overall response. – Steve May 09 '11 at 16:26
  • Many thanks for providing such a nearly exhaustive list of measures. It's even better to see them in context by way of the risk analysis. Still, is there any ground to cover in the detection phase? – George May 10 '11 at 07:26
  • Sure, detection has to be in any good strategy; especially with zero-day attacks and staff that already have access, your preventative controls are limited. I however still believe that a well-tuned IDS/IPS and DLP for application-layer monitoring where you know a baseline (i.e. we do not send WinRAR-encrypted files out), with a 24x7 SOC that is well trained and has a good signal-to-noise ratio, provides sufficient detective controls even against an APT. Additions/disagreements welcome. – Rakkhi May 10 '11 at 11:58
  • If you can't remove Flash, Acrobat, Internet access, ... completely (and it's quite likely since some of the most sensitive users are also the most senior and therefore unlikely to take kindly to being told what to do) running the applications in another VM on the local system via a mechanism like RemoteApp would limit the impact of a compromise. Different network access rules could be applied for the browser VM - possibly leaving it out of the domain altogether. There's a good intro to RemoteApp at http://blog.stealthpuppy.com/virtualisation/remoteapp-for-hyper-v-hyper-what/ – Bell May 16 '11 at 15:57
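The DLP point in the answer above (flag any new encrypted transfer, because the baseline is "we do not send encrypted archives out") is the kind of detective control that is cheap to build. The script below is an added example, not code from the answer or from any product it mentions: it classifies an outbound attachment by looking for the encryption bit in zip entry headers, treating RAR/7z as out of policy outright, and falling back to a Shannon-entropy check for blobs with no recognised header. The sample files are constructed in memory; since the standard library cannot write encrypted zips, the encryption flag is patched into a plain zip by hand, and the 7.5 bits/byte threshold is an assumed tuning value.

```python
"""Outbound-attachment check for encrypted or opaque files (DLP baseline).

Added example, not code from the answer above. Assumes the answer's baseline
(encrypted archives never leave the network legitimately) and constructed
sample files; the zip encryption flag is patched in by hand for the demo.
"""
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed tuning value (random data is close to 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_zip_entries(blob: bytes) -> list:
    """Names of zip entries with general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


def classify_attachment(name: str, blob: bytes) -> dict:
    """Verdict for one outbound attachment: alert flag plus human-readable reasons."""
    reasons = []
    if blob.startswith(b"PK\x03\x04"):
        entries = encrypted_zip_entries(blob)
        if entries:
            reasons.append("encrypted zip entries: " + ", ".join(entries))
    elif blob.startswith(b"Rar!\x1a\x07") or blob.startswith(b"7z\xbc\xaf\x27\x1c"):
        # RAR/7z are not parsed here; under the stated baseline they are
        # outside policy whether or not they are encrypted.
        reasons.append("rar/7z archive, outside the outbound baseline")
    elif shannon_entropy(blob) >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({shannon_entropy(blob):.2f} bits/byte), possibly encrypted")
    return {"name": name, "alert": bool(reasons), "reasons": reasons}


def make_zip(files: dict, mark_encrypted: bool = False) -> bytes:
    """Build a constructed zip in memory; optionally set the encryption flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # The flag word sits at +6 in local headers (PK\x03\x04) and at +8 in
        # central-directory headers (PK\x01\x02); zipfile reads the latter.
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + offset)
                struct.pack_into("<H", data, pos + offset, flags | 0x1)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


# Constructed samples: low-entropy text and a deterministic high-entropy blob
TEXT_SAMPLE = b"Quarterly figures attached. Regards, Finance team.\n" * 40
HIGH_ENTROPY_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    samples = [
        ("report.zip", make_zip({"q1.txt": "figures"})),
        ("report-locked.zip", make_zip({"q1.txt": "figures"}, mark_encrypted=True)),
        ("memo.txt", TEXT_SAMPLE),
        ("blob.bin", HIGH_ENTROPY_SAMPLE),
    ]
    for fname, blob in samples:
        print(classify_attachment(fname, blob))
```

The entropy fallback is deliberately last: compressed media and legitimately encrypted TLS payloads will also score high, so in practice it is a trigger for review against the user's baseline rather than an automatic block.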
12

Defending against targeted attacks compels the defenders to boost observation capabilities.

Strengthening defensive gaps is great (e.g. accelerating patch deployment, whitelisting apps end-users can run, providing throw-away virtual machines, enhancing the security hardening of client-side apps), but since all prevention tools are expected to fail in time (faster so when targeted by motivated adversaries) it is essential to expand the monitoring capabilities you have so you can observe all of the pathways an attacker may utilize to gain control, steal information, or whatever. Detection is the key component against talented adversaries.

It may be pretty slick to set up an internal portal whereby end-users could download special virtual machines designed with additional security (what others mentioned here), but particularly with extra monitoring. Say, for example, Marc the CFO needs to perform a few bank transfers and send a highly sensitive email. Marc could double click a link on his desktop to launch an app or VM (even transparently, like Unity mode in VMware) that is preconfigured with a greater level of monitoring. The browser is preconfigured to route traffic through a special internal web proxy set up for people like Marc requiring additional monitoring and detection capabilities. The OS could be hardened, preconfigured with an optimized HIDS setup, full packet captures or netflow could be recorded and stored for a period of time, all ingress/egress file transfers (e.g. PDF viewing after downloading via HTTPS) could be piped through offline malware identification tools. After Marc has completed his tasks, you could run scripts that would summarize his activities and bundle any alerts generated by the suite of security tools you preconfigured.

I think performing temporary heavy monitoring when appropriate gives you a chance to win. The reality of turning on full monitoring on everything all the time is failure to me. Few possess the resources to thoroughly analyze the stream of alerts generated by such heavy monitoring on a full time basis.

Do you think you could keep pace with Joanna Rutkowska’s “Partitioning my digital life into security domains” and maintain each “high value individuals” workstation like hers? You would be awesome then!

Tate Hansen
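The "run scripts that summarize his activities" step in the answer above is where temporary heavy monitoring pays off, because a single session is small enough to review by hand. The following is an added example, not the answer's own tooling: it reads the dedicated proxy's access log for one session, compares every destination against an allowlist kept per user role (the CFO's role is assumed to be "finance"), and pulls out downloads of risky content types and uploads to hosts outside the baseline. It assumes Squid's native access-log layout (timestamp, elapsed, client, result/status, size, method, URL, ident, hierarchy/peer, content-type); the log lines are constructed for the demo, and in that layout the size field is the response size, not the request body.

```python
"""Summarise one monitored session from proxy logs against a per-role baseline.

Added example, not code from the answer. Assumes Squid's native access-log
layout, a defender-maintained role allowlist, and constructed log lines.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Assumed baseline: hosts a finance user is expected to reach from the monitored VM
ROLE_ALLOWLIST = {
    "finance": {"bank.example", "erp.corp.example", "www.google.com"},
}

# Content types whose download from the monitored VM always deserves a look
RISKY_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/octet-stream",
    "application/pdf", "application/zip", "application/x-rar-compressed",
}


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])  # response bytes in Squid's native format
    # CONNECT requests are logged as host:port with no scheme, so fall back to that
    rec["host"] = (urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]).lower()
    return rec


def summarize_session(lines, role: str) -> dict:
    """Bundle the session's deviations from the role baseline into one report."""
    allow = ROLE_ALLOWLIST.get(role, set())
    off_allowlist = Counter()
    downloads, uploads = [], []
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["host"] not in allow:
            off_allowlist[rec["host"]] += 1
        if rec["method"] == "GET" and rec["ctype"] in RISKY_CONTENT_TYPES:
            downloads.append((rec["url"], rec["ctype"], rec["size"]))
        if rec["method"] in ("POST", "PUT") and rec["host"] not in allow:
            uploads.append((rec["url"], rec["size"]))
    return {
        "off_allowlist": dict(off_allowlist),
        "downloads": downloads,
        "uploads_off_allowlist": uploads,
        "malformed": malformed,
        "needs_review": bool(off_allowlist or downloads or uploads),
    }


# Constructed session log: a banking session, a search, then an unexpected CDN
SAMPLE_LOG = """\
1305000001.120    312 10.20.0.7 TCP_MISS/200 5120 GET https://bank.example/login - HIER_DIRECT/203.0.113.10 text/html
1305000002.400     80 10.20.0.7 TCP_MISS/200 2048 POST https://bank.example/transfer - HIER_DIRECT/203.0.113.10 text/html
1305000003.910    150 10.20.0.7 TCP_MISS/200 1024 GET https://www.google.com/search?q=quarterly+report - HIER_DIRECT/203.0.113.20 text/html
1305000004.500    900 10.20.0.7 TCP_MISS/200 734003 GET http://cdn.unknown-host.test/q1_report.pdf - HIER_DIRECT/198.51.100.9 application/pdf
1305000005.300    120 10.20.0.7 TCP_MISS/200 512 POST http://cdn.unknown-host.test/upload - HIER_DIRECT/198.51.100.9 text/plain
this line is not a squid record
"""

if __name__ == "__main__":
    report = summarize_session(SAMPLE_LOG.splitlines(), "finance")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the VM is launched only for a bounded task, the report covers minutes rather than weeks, which is what makes a per-session allowlist workable where an always-on one would drown in exceptions.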
4

The best way to defend against targeted attacks is the same as the best way to defend against all other attacks; balance usability with security and act accordingly.

I find this question hard to answer because if it's actually a targeted attack, the attacker has a goal. They're going to, for most of the attacking process, use the same resources as all of the other attacks that are in the wild. The only real change is that this targeted attack will have a much higher resilience and be much more directed. If they have the skills and they are determined enough, they are getting into your systems (provided that there actually is a connection to make use of).

Most of your questions you seem to answer yourself.

I wish there was a better way, but atm the only real answer is to keep adding layers until your content and the ROI balances out.

Ormis
2

I've read that in some critical government offices, it is now customary to give each employee two computers: one with access to the intranet, with no disk or USB sockets available, and another normal desktop with regular internet access, which is where all the email is read. Normally there is little need to transfer data from one side to the other.

lurscher
2

Sorry to hear about your situation. I have a few suggestions you could consider, but I don't have personal experience dealing with this kind of situation, so you'll have to evaluate them yourself:

  • Give your high-value users a specially configured laptop, pre-configured with automatic update and other protections pre-enabled.

  • Give them a Mac. Right now, many targeted attacks are going to fail if the target user uses a Mac.

  • If they are using Windows, consider replacing their email client. One of the main reasons that targeted email attacks work is because Outlook and other major email clients are designed poorly from a security standpoint. (Clicking on an attachment can infect your entire machine? Nuts. That is not user-friendly.) Perhaps you can give them an email client that runs in a VM, and opens every attachment in an isolated throw-away VM that is discarded after closing the attachment.

  • You might consider looking at Polaris, Sandboxie, and similar systems.

  • Consider looking at tools to ensure that all software on their computer is up-to-date. Secunia PSI is quite nice for personal use; I don't know if there's a corporate equivalent.

  • Consider using "anti-virus in the cloud". Consider setting up your anti-virus on the mail server to periodically scan older emails, so that if an attack does get through and you don't detect it right away, you still might have a chance of detecting it a bit later.

  • If all the high-value users need is email and web access, you might consider giving them a Google Chrome OS Netbook. It has some security advantages. However, they're not going to be able to run Excel or other business tools on it.

  • Consider giving your high-value users a second-factor authentication device, and making their access to other systems require that device.

  • Consider using diversity: using less-popular replacements, to make common attacks more likely to fail. E.g., consider replacing their Adobe PDF reader with a less-well-known one, to defend against malicious PDF files targeted to the Adobe reader. (Buying a Mac is another version of this.)

  • For heaven's sake, if you give them a Windows machine, don't give them IE6! Replace it with a recent version of Chrome, Firefox, or IE9. Eliminate all internal corporate systems that require IE6 or that are IE-specific. If there are any remaining ones that are IE-specific, give your high-value users access to an administrative assistant to deal with those remaining legacy internal corporate systems on their behalf.

D.W.
  • If it is a *targeted* attack, they could just as easily target Macs. No advantage there, other than the generic one of mixing things up in the middle. – AviD May 11 '11 at 12:36
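The question keeps returning to detection, and the answer above ends with the one retrospective control on the page: rescanning older mail once signatures catch up. The script below is an added example, not code from any answer here. It triages a message for the spear-phishing traits the question describes (an executive's display name on an external sender domain, a Reply-To pointing elsewhere, an attachment whose extension is executable or disagrees with its declared MIME type) and keeps a hash index of every attachment seen, so that when a new bad hash arrives the messages that carried it can be found without re-reading the mailstore. The org domains, executive names, risky extensions and both .eml messages are constructed for the demo; the "executable" payload is a few placeholder bytes, not a real program.

```python
"""Spear-phishing triage plus a hash index for retrospective rescans.

Added example, not code from the answers above. ORG_DOMAINS, VIP_NAMES,
RISKY_EXT and both sample messages are constructed assumptions for the demo.
"""
import hashlib
import os
from collections import defaultdict
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

ORG_DOMAINS = {"corp.example"}          # assumed: domains the organisation sends from
VIP_NAMES = {"jane doe"}                # assumed: executives attackers like to impersonate
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}
EXT_FOR_TYPE = {"application/pdf": {".pdf"}, "application/zip": {".zip"}}


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and record the hashes of its attachments."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in VIP_NAMES and from_domain not in ORG_DOMAINS:
        findings.append(f"display name '{name}' matches an executive but sender domain is {from_domain or 'missing'}")
    if msg["Reply-To"]:
        reply_domain = parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    attachments = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = os.path.splitext(fname.lower())[1]
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        attachments.append({"name": fname, "content_type": ctype,
                            "sha256": hashlib.sha256(payload).hexdigest()})
        if ext in RISKY_EXT:
            findings.append(f"attachment {fname} has an executable/script extension")
        if ctype in EXT_FOR_TYPE and ext not in EXT_FOR_TYPE[ctype]:
            findings.append(f"attachment {fname} declared as {ctype} but extension is {ext or 'none'}")
    return {"message_id": str(msg["Message-ID"]), "score": len(findings),
            "findings": findings, "attachments": attachments}


class AttachmentIndex:
    """sha256 -> message IDs, so new indicators can be matched against mail already delivered."""

    def __init__(self):
        self._by_hash = defaultdict(set)

    def add(self, verdict: dict) -> None:
        for att in verdict["attachments"]:
            self._by_hash[att["sha256"]].add(verdict["message_id"])

    def rescan(self, known_bad: set) -> dict:
        """Hashes from known_bad that were seen before, with the messages that carried them."""
        return {h: sorted(ids) for h, ids in self._by_hash.items() if h in known_bad}


def build_sample(from_addr, reply_to, filename, maintype, subtype, payload, msg_id) -> bytes:
    """Construct an .eml byte string for the demo (not a captured message)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "cfo@corp.example"
    msg["Subject"] = "Urgent: invoice approval"
    msg["Message-ID"] = msg_id
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please review the attached invoice today.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


PHISH_EML = build_sample("Jane Doe <jane.doe@mail-ceo-office.test>", "accounts@another-domain.test",
                         "invoice.pdf.exe", "application", "pdf",
                         b"MZ\x90\x00" + b"\x00" * 60, "<phish-1@constructed.example>")
BENIGN_EML = build_sample("Alice Smith <alice.smith@corp.example>", None, "q1.xlsx", "application",
                          "vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                          b"PK\x03\x04" + b"\x00" * 60, "<ok-1@constructed.example>")

if __name__ == "__main__":
    index = AttachmentIndex()
    for raw in (BENIGN_EML, PHISH_EML):
        verdict = triage(raw)
        index.add(verdict)
        print(verdict["message_id"], verdict["score"], verdict["findings"])
    # Later: a hash becomes known-bad; find the already-delivered mail that carried it
    later_indicator = triage(PHISH_EML)["attachments"][0]["sha256"]
    print("retrospective hits:", index.rescan({later_indicator}))
```

The score is a count of independent signals rather than a verdict; the question's point about false positives is exactly why a message with one finding belongs in a review queue while one with several can be quarantined before the recipient sees it.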