The Canadian Govt was hacked! The Globe And Mail reported a few days back:
A cyberattack crashed federal government websites and e-mail for nearly two hours Wednesday – an incident that raises questions about how capable Ottawa’s computer systems are of withstanding a sustained assault on their security.
It is not news that cyber attacks are being used for more than just stealing information. Showing defiance and protesting like what Anonymous and the Syrian Army is doing every now and then is another example. Hacking is also used for intelligence gathering, spying, public humiliation, and much more.
The question is: are attackers getting better at attacking? or we getting worse at defending?
The answer is complicated but attackers are definitely getting better. Not only do they get better in terms of skills and tools. But they are also getting smarter and more sophisticated, the most interesting thing is that they are raising the profiles of the same old attacks.
There are hardly any new attacks nowadays that we never knew they existed before, maybe once in a while a new technique of old attacks. What we are mostly dealing with is same old attacks but given sophistication, complexity, or facelift. There are several things that raises the profile of an attack, from an ordinary attack to something that makes the headlines every where.
Please keep in mind that I am not discussing state sponsored attacks here because I think this is a league of its own and most organizations can’t prevent these kind of attacks.
1. The Target: “Go Big or Go Home” is definitely valid in the hacking world. The primary factor of raising the profile of an attack is the target attackers are after, or the organization the attackers exposed. The IRS attack last month was definitely a big deal. The breach that caused the identity of every single federal employee to be stolen, RSA attack was another high profile because of the target, and in this case it was the seed for the infamous encryption that is used by a lot of Government organizations as a two-factor authentication (SecurID)
2. The timing of the attack: Distributed Denial of Service is a very simple attack. Imagine tens (or hundreds) of thousands of browsers sent and kept sending requests to the exact same set of servers at exactly the same time. What is going to happen? These servers will go down for sure because they can’t handle this kind of traffic. Attackers can do that by controlling Botnets. As a matter of fact, Botnets are available for rent for as little as $200-$300 a day! Every single Federal or Provincial faces a ton of attacks every single day. What made this particular attack against the Canadian Government very visible worldwide is the timing:
A. Bill C51 just passed in the House of Commons
B. The Federal Elections are up and coming in October of this year. Perfect timing for visibility for the Group Anonymous.
3. Combining Attacks: It is not new that attackers combine several hacking techniques in a single attack. It is typical that attackers launch a multistage attack where they first gain a foothold inside the organization probably through an unrestricted zone (marketing, DMZ, etc) and use that to elevate their foothold and gain privileges to other more restricted zones until they get to what they are looking for. It is common too that malware exploit several vulnerabilities or zero-days in a system. The best example is Mickey Mooney’s worm that hit Twitter in 2009 and leveraged a combination of Cross-site Scripting and Cross-site Request Forgery. What we are seeing more these days is the amount of zero-days used, and the speed by which zero-days are used in the wild. It was reported that attackers exploited the Drupal SQL Injection back in November 2014 8 hours after the initial disclosure, 8 hours is not enough for most organizations to take any kind of action or even get in some cases get notified about the attacks.
4. Branding of Attacks: Remember Heartbleed? it was a simple bug where the code did not check the boundaries of the buffer allocated and thid led to attacker gaining access to unencrypted server’s memory, the best explanation is found in this cartoon. Now, why did it make the headlines and why it was such a big deal? It indeed affected half a million website, but I don’t think this was the main reason. Here is my proof; Drupal suffered a massive SQL Injection attack few months after that affected about 12 Millions sites and the impact is grave where attackers could get a shell on the server which in security terms means “Game Over”, attacker wins. So as far as impact and reach the Drupal attack definitely had more impact and reach. Now ask 100 people in different departments of any organization, chances are more people will remember Heartbleed and very few will remember or even recognize the Drupal SQL Injection attack. Why? Heartbleed had a name, and a logo. It has a brand!
5. Branding of Attackers: 10 years ago all the bad guys were labeled either hackers or blackhat. Now that hacking got mainstream, attackers are grouped either they name themselves or they are given a name. There are Hacktivists such as the Anonymous group which mainly protest issues related to free speech, human rights, or freedom of information. Syrian Electronic Army is a group that claims responsibility for defacing or otherwise compromising scores of websites that it contends spread news hostile to the Syrian government or fake news. APT (Advanced Persistent Threat) while not a group, it is a name given to a specific style of hacking used by state sponsored attackers, but it is usually attributed to Chinese attackers.
Now, that attackers are getting better, organizations’ defences must get better too. And there are several things that organizations could go to protect themselves against these kind of attacks:
1. Threat Assessment: the very first step organizations should do is to understand who are their primary adversaries? Who is the most likely to attack your organization, what does this attacker look like, what are their capabilities, what are they looking to do? what kind of tools and skill set do they usually have? Answering these questions will focus your efforts on what should be done and more importantly what should not be done.
2. Defence in Depth: we can’t stress enough on the importance of defence in depth. When you go on a business trip, you check in to your hotel room, how many locks do you secure before you go to sleep? …….. all of them! why? one is not enough? The truth is, there is no perfect security system, but the more good security controls used the harder it is for the attacker to infiltrate your system. The harder it is for the attacker to infiltrate, the less motivated the attacker would be to attack you versus the next target. The harder it is for the attacker the more time it is going to take the attacker if they are really after you, the longer it takes them to exploit your organization, the higher the chance your intrusion detection systems will notify you and you take an action in time.
3. Cyber Security Strategy: security is not only an IT problem. It is a business risk. Without an organization wide strategy that covers everything from Governance, architecture, design, implementation, testing, deployment and testing; security will remain an IT problem, a problem that is much bigger than just IT. Therefore, the defences will always remain short regardless of the budget thrown at it.
4. Continuous Assessment: attackers are pounding your defences on a daily basis to find holes, crack them, see what they can get and what they can do with it. Best organizations do that proactively themselves leaving nothing for attackers to find. Test your own defences, push them to the limit because if you don’t, hackers will.