Understanding the very real nature of the latest cyberthreats

And this is before we get into the realm of rogue employees and privileged identity management. And it’s against this backdrop that the fundamental principles of governance, risk and compliance (GRC – the bedrock of ISACA) have returned to the fore.

But what are today’s cyberthreats? From detailed analysis of the current threat landscape, it can be seen that the hybridised nature of today’s security threats centres on hacking, serious and organised crime and the recently-arrived issue of hacktivists.

And let’s not overlook the problem of misplaced data. Add to this the dangers hosted by smart malware code such as Stuxnet and Duqu – and the possibility of a cyberwar as outlined by Foreign Secretary William Hague this year – and you have an idea of the challenges facing government.

The risk landscape changed last year largely as a result of hacktivist groups such as Anonymous and its forebears. This is no idle threat – attacks targeted the Royal Navy, the UK government, the NHS and commercial sector organisations and newspapers.

Overactive Imagination?
For many years there has also been some debate as to the reality of any form of cyberwar or cyberconflict – which many observers ascribe to an overactive imagination on the part of the industry’s thought leaders and analysts.

Even taking into account recent high-profile system hacks, there have been no examples of a pure cyberwar casualty. While there has never been a cyberwar, let us not forget that neither has there been a nuclear war, yet such weapons of mass destruction have nevertheless been used.

During 2010/2011 the US and UK governments announced they were focusing more on cyber defences. In doing so, they indicated that this low-cost method of delivering a potentially devastating payload to the heart of the enemy’s systems was now considered a serious threat.

In addition, the UK government also revealed that, at the end of 2010, various servers had been attacked using the notorious Zeus malware. On this same topic Foreign Secretary Hague informed a Munich security conference that the attack was considered to be part of an international effort to infect systems.

Though malware is still on the rise, the notion that today’s malware is ever more imaginative is weakening and, as a result, the anti-malware developers may be a little closer to developing ahead-of-the-game compliance technologies. This should not allow complacency. The Infosecurity Europe show in the spring of 2011 saw the threat of AETs – advanced evasion threats – becoming reality, but very little media attention was given to the more advanced AET variants that the malware bandwagon inevitably went on to evolve.

A real threat
AETs are real. They are not a product of an aggressively-badged application but more of an imaginative mix of old code, new vulnerabilities and skill-based imagination on the part of the developer in attempting to circumvent the security of a trusted perimeter networked device, such as a firewall, Intrusion Detection System (IDS), or Intrusion Prevention System (IPS).

AETs are a natural evolution of the multi-faceted attack vector threats. They may also be defined as an amalgam of various components that may be leveraged by criminal and cybercriminal fraternities, or sponsored international groups and hacktivists seeking to locate and infiltrate selected targets.

AETs can have many guises, including old-to-new cloaked code, insider contacts, integration into websites and the leverage of some other agent-seeking tool in order to embed itself in a micro endpoint, such as a smartphone. The evolution of AETs is a methodology combining imagination and creativity to achieve an objective.

The key question is whether your critical digital assets are protected against such evasion techniques. To qualify and quantify this question, Stonesoft, the company that discovered AETs in the latter half of 2010, conducted research into AET evolution. In addition, Gartner has concluded that AETs are a real, credible and growing threat to the security of company networks and the allied IT resources that protect governments, commerce and information-sharing systems.

Once you consider the potential effects of AETs – and the prospect of being hit by a well-targeted payload from an AET-delivered vector – it is clear that our industry’s move to harnessing the power of cloud and virtualised resources needs to be paralleled by the development of better defences.

Defending government
And it’s not just the commercial sector that needs to better defend its digital data assets – thought also needs to be given as to how the public sector can raise its game on defending government and allied agency computer systems.

This brings us to the new and sexy world of advanced malware code such as Stuxnet and the recently-arrived Duqu darkware – dubbed ‘Son of Stuxnet’ by some sources. With the advent of Stuxnet we have observed the manifestation of smart code that exhibits seek and destroy capabilities capable of locating and impacting specific types of systems and allied apparatus, most notably IT control systems from specific vendors and with specific functions that include nuclear and similar platforms.

A key feature of the multi-vectored Stuxnet malware was the inclusion of its own form of digital passport – a forged X.509 digital certificate – to assure automated monitoring systems and their onlookers that it is a friend, rather than a foe. It is also worth noting that, unlike some common malware variants of the 80s, such as Casino, which really wanted to tell you they were infecting you, this modern-day code is much more subliminal.

Stuxnet is also considered to be the product of some high investment, extensive research, and long term production to craft such a well-designed aggressive application.

The next variant of this genus of smart malware is the underestimated Duqu variant, which entered the public scene in the third quarter of 2011.

Before we look at the way in which Duqu changes the IT security ballgame, let’s look at a few facts about this malcode. These are significant since, prior to being given its moniker, there were widely-reported incidents which occurred with drones operated by the US Air Force being infected with malware.

However, as the strain in question did not directly impact the operational ability of the infected craft, it was tolerated, and allowed to accompany these smart models on their missions. Notwithstanding that the malware in question did not have any designed intent to directly impact or affect the assets, it was obviously there for a reason: the malware in question was all about snooping, and the gathering of information which was passing through the bird concerned. Shortly after the infection of the USAF drones, there was the revelation that there had been some suspected hacking of a number of terrain and agricultural satellites.

The big question, of course, that many experts have been quietly asking themselves is whether these two developments, potential cyber-terrorist or similar hacking incidents, are linked. And if so, what are the implications?

Looking at Duqu, our first observation is that the darkware is all about the invasive placement of the code on to a remote platform with the distinct objective of accessing and stealing information from that system.

The data sought for cyber-heisting includes a list of running processes and drive names being used on the infected machine, as well as access to output devices. The malware also harvests network information and all available input data, including open window names and the enumeration of computers in the domain through NetServerEnum.

As with Stuxnet, Duqu carries a valid signed digital certificate with an expiration date set as 2nd August 2012. It also uses a mixture of HTTP and HTTPS IP sessions to communicate back home – typically to an Indian site at 206.183.111.97.
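The command-and-control behaviour described above gives a defender one concrete thing to look for: outbound HTTP and HTTPS sessions from internal hosts to the address the article cites. The following is an added example, not code from the article or from any vendor it mentions. It assumes a simple space-separated proxy log format (constructed here for illustration) and uses the cited address as a watch-list entry; the internal client addresses and the second destination are constructed sample values.

```python
"""Flag outbound HTTP/HTTPS sessions to a watch-listed command-and-control address.

Added example, not part of the original article. The proxy log format below is an
assumption: one record per line, fields separated by spaces, in the order
timestamp client method scheme destination path status.
"""
import ipaddress
from collections import Counter

# Watch-list of destination addresses. The single entry is the address the
# article cites for Duqu's call-home traffic.
DUQU_C2_WATCHLIST = {"206.183.111.97"}

# Constructed sample proxy log. Client addresses and the 203.0.113.10 destination
# are made up for this example; the final line is deliberately malformed.
SAMPLE_PROXY_LOG = """\
2011-10-14T09:12:01Z 10.20.0.15 GET http 206.183.111.97 /index.php 200
2011-10-14T09:12:09Z 10.20.0.15 POST https 206.183.111.97 /upload 200
2011-10-14T09:13:44Z 10.20.0.22 GET https 203.0.113.10 / 200
2011-10-14T09:15:02Z 10.20.0.15 CONNECT https 206.183.111.97 - 200
bad line that does not parse
"""


def parse_line(line):
    """Parse one proxy log record into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 7:
        return None
    timestamp, client, method, scheme, dest, path, status = parts
    # Only records whose destination is a literal IP address are of interest here;
    # a hostname destination would need a resolver step that this example omits.
    try:
        ipaddress.ip_address(dest)
    except ValueError:
        return None
    return {
        "timestamp": timestamp,
        "client": client,
        "method": method,
        "scheme": scheme.lower(),
        "dest": dest,
        "path": path,
        "status": status,
    }


def find_c2_sessions(log_text, watchlist=DUQU_C2_WATCHLIST):
    """Return every parsed record whose destination is on the watch-list."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is not None and record["dest"] in watchlist:
            hits.append(record)
    return hits


def summarize_by_client(hits):
    """Count HTTP versus HTTPS sessions per internal client among the hits."""
    summary = {}
    for record in hits:
        summary.setdefault(record["client"], Counter())[record["scheme"]] += 1
    return summary


if __name__ == "__main__":
    matches = find_c2_sessions(SAMPLE_PROXY_LOG)
    for client, schemes in summarize_by_client(matches).items():
        print(f"{client}: {dict(schemes)} sessions to watch-listed destinations")
```

Because the article notes that the traffic is a mixture of plain HTTP and HTTPS, the summary keeps the two schemes separate: a host that talks to the watch-listed address over both is a stronger signal than either alone, and the HTTPS CONNECT records are the ones a proxy would otherwise let through without content inspection.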

Inquisitive code

The big question here is, was this an evolution of the program code which infected the USAF drone’s computer systems? Or was it a close variant? Perhaps more importantly, what are the implications of such inquisitive code invading sensitive government systems – and then going on to capture data from those systems?

There should be no doubt whatsoever that the age of cyberconflict is now upon us and has global governments in its focus. It is therefore time to look beyond those rolled-up security policies and procedures, and look to GRC frameworks such as COBIT (http://bit.ly/vtZJw8) to help secure our electronic borders, no matter where they may be hosted.

Further information

twitter.com/ISACANews
www.isaca.org/knowledge-center
