When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.
While the full implications from yesterday’s DoJ indictment of five Chinese hackers on charges of cyber crime are yet to be fully seen, these charges have already succeeded in elevating cyber crime from a niche discussion to an important debate in society at large.
Furthermore, just as last year’s APT1 report did, the court documents provide a detailed glimpse at the tactics China is using to steal trade secrets from the world’s largest corporations (not surprisingly, phishing continues to be the favored attack method).
There has been a lot of media attention on this story, so we’ve put together a list of some of the most interesting content we’ve seen so far:
- Pittsburgh Tribune-Review: Cybercrime case names U.S. Steel, Westinghouse, Alcoa as victims
- The Wall Street Journal: Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam
- The Los Angeles Times: Chinese suspects accused of using ‘spearphishing’ to access U.S. firms
- Pittsburgh Business Times: Hackers posed as Surma on email to access U.S. Steel’s computers
- Ars Technica: How China’s army hacked America
- The New York Times: For U.S. Companies That Challenge China, the Risk of Digital Reprisal
- The Wall Street Journal: U.S. Tech Firms Could Feel Backlash in China After Hacking Indictments
- The Washington Post: China denies U.S. cyberspying charges, claims it is the real ‘victim’
The intelligence-led security approach is gaining traction in corporate security circles. However, we’ve noticed that the term threat data is often confused with threat intelligence.
It’s an easy mistake to make, yet very important to distinguish between the two – one represents the “old way of doing things,” while the other brings about a new era in corporate security and brand protection. In this article, we’ll discuss threat intelligence and how it differs from threat data.
The Difference between Threat Intelligence and Threat Data
#1: Threat intelligence is verified. Threat data is just a list.
Modern threat intelligence has been verified, while traditional threat data is a list of random data points, such as IP addresses or URLs. Verified intelligence without false positives produces actionable intelligence that security professionals can rely on to protect their brands from cybercrime.
#2: Threat intelligence is actionable. Threat data is noisy.
Modern threat intelligence gives you enough information for you to take swift and immediate action to stop a threat. Threat intelligence allows you to bring together your network and people with the solution. Rather than “educate” machines with threat data, threat intelligence relies on the analysis and action of your human capital in order to drive success.
Threat data, on the other hand, has a low signal-to-noise ratio. The majority of data found on traditional lists is meaningless, and it takes a large effort to sift through high volumes of data to find something meaningful.
#3: Threat intelligence is reliable. Threat data is full of false positives.
Threat intelligence provides a clear picture of what is really going on because it has been filtered to remove information that is not directly relevant to protecting the brand. True threat intelligence has been analyzed, vetted and tested – binaries clicked, URLs followed, threats detonated in sandbox environments. Traditional threat data contains many false positives, false URLs, dead URLs, dead IP addresses.
If an organization is working with old school threat data, then they’re just importing white lists, gray lists, or black lists. They’re going to be chasing ghosts for a good bit of their career, trying to find out what’s there and what’s not.
Threat data has a bad habit of constantly crying wolf. After a while, you stop believing the kid crying wolf. Then, you stop worrying if there’s a wolf there. If you have actionable intelligence, however, you know where the wolf is every time.
Twitter and the New York Times were hacked this week, which means that they have officially joined the ranks of other major news organizations, including the Financial Times and Washington Post who have been targeted by hackers over the past few months.
So, how’d it happen?
Three things: hacker groups, DNS providers and spear phishing.
The Syrian Electronic Army (SEA) appears to be taking credit for this attack, as their logo was prominently displayed at NYTimes.com when the site was compromised. The SEA, a hacker group, protesting Syrian President Bashar Al-Assad, launched the attack in order to generate high profile awareness of their political agenda.
Why DNS Providers Are Targeted by Cybercriminals
The nature of this attack is consistent with several other cyberattacks that have recently taken place, in that the DNS Provider was targeted in order to carry out the attack. Melbourne IT, the New York Times’ registrar, was the victim of a spear phishing attack that successfully provided members of the SEA with access to the Times’ DNS Manager. DNS providers are among the most targeted businesses by cybercriminals, ranking alongside large financial institutions and major retailers as lucrative targets. There are two primary reasons for this:
- By gaining access to a customer account, DNS records can be changed to whatever the cybercriminal wants them to be.
- Gaining access to the DNS Provider’s employee accounts gives the cybercriminal access to several different domains, creating an opportunity to launch a large-scale attack.
Top Phishing Concerns of DNS Providers
- Spear Phishing is increasing in frequency. A spear phishing attack happens when cybercriminals launch a targeted attack against specific individuals who they feel can give them access to the information, credentials or infrastructure that they need to carry out their attack. In the instance of the New York Times attack this week, a spear phishing attack was launched against employees of a reseller of Melbourne IT.
- Hacktivism is becoming part of the “new normal” when it comes to the cybersecurity landscape. In attacks such as this, the goal is not to obtain customer credentials and access account information to procure funds. Instead, the goal is exposure. As Sun Tzu states, know your enemy.
- Brand Loyalty/Customer Relationships suffer even if just one attack is successful. If a DNS provider fails to protect customer accounts from being accessed by cybercriminals, customer loyalty will be damaged and brand integrity will suffer long-term consequences.
What DNS Providers Can Do
The most important thing that DNS providers can do is focus on email.
When it comes to launching these attacks, cybercriminals almost always launch a phishing attack via email. That’s why email-based threat intelligence is so important. If you are using security intelligence appropriately, you can identify the source of a threat and even stop an attack before it happens.
Additionally, it’s important to take a look at which players in your organization have access to information that could be appealing to cybercriminals. There is another word for these employees: targets. Adjust the security level for these folks to provide additional protection against these kinds of attacks.
Share your thoughts. How can DNS providers protect themselves against phishing?
Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.” Despite its value, many organizations don’t have a way to get timely threat intelligence.
How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.
Corporations fight phishing each and every day. Large and recognizable financial institutions, retail companies, and internet service providers/telecommunication companies are among the most heavily targeted victims of phishing.
While the aftermath of a phishing attack is costly and yields long-term consequences, it’s quite difficult to keep up with cybercriminals. It’s shockingly easy for cybercriminals to create a phishing site targeted at your brand, so easy that the cybercriminal simply needs to unpack and upload a pre-built “phishing kit” in order to create a new phishing website. Just one phishing kit can produce hundreds of phishing URLs.
With just a few clicks of the mouse, the cybercriminal attacks your brand, sending you scrambling to “take down the site.” One-by-one you take down each individual website, costing your brand time, money and reputation. As you take down, he creates. It’s a never-ending battle. In our data, we’ve found that it is often the case that the same attacker is using this method to attack several institutions or companies within the same industry over a period of several months or years.
While the term “big data” is both ambiguous and overused, it defines the new frontier in the fight against phishing. Data sourced from hundreds of phishing sites targeting hundreds of brands is analyzed to identify trends, which allow us to build more effective strategies to fight cybercrime and prevent future phishing attacks.
Below we’ll discuss how to use phishing intelligence to build more effective countermeasures to protect your brand from attackers:
- Isolate a single attacker. Instead of taking down each phishing site one-by-one, what if you could go directly to the source and stop the criminal in his tracks? Analyzing phishing data allows us to gain clues as to how the criminal operates. For example, in a recent analysis of phishing attacks targeting large financial institutions, we found one particular criminal who had created 604 phishing sites with a single phishing kit, 390 of which were hosted on a single IP address. We call this a “clue.” Using this data, we’re able to identify several details about the criminal, often including email addresses and social media profiles. If you could identify an attacker that’s behind multiple attacks against your brand, how would that change the way that you approach phishing in your organization?
- Identify the monetization path. Another important component of building effective countermeasures against cyber attackers is to take a close look at the monetization path. It’s critical to understand the motives behind the attack (is the attacker money-motivated in the first place?) and how he has constructed his scheme to put your money in his pocket. Understanding the process is a key step in building future strategies and barriers to stop cybercriminals in their tracks.
- Build barriers. Using intelligence and patterns that you’ve identified, build barriers to protect your brand against future cyber attacks in order to identify threats early and stop criminals from stealing from your customers.
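The clustering behind the "isolate a single attacker" step above, as an added example that is not from the original post: it groups constructed phishing-site observations by a kit fingerprint and reports how many sites of each kit sit on one IP address. The fingerprint (a hash of the resource paths seen on a site), the record layout, and all hosts and IPs are assumptions made for illustration.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed observations: (host, hosting IP, resource paths seen on the site).
# Hosts use the reserved .example TLD; IPs come from documentation ranges.
OBSERVATIONS = [
    ("login-a.example", "192.0.2.10", ["/index.php", "/css/bank.css", "/post.php"]),
    ("login-b.example", "192.0.2.10", ["/post.php", "/index.php", "/css/bank.css"]),
    ("login-c.example", "192.0.2.10", ["/index.php", "/css/bank.css", "/post.php"]),
    ("login-d.example", "198.51.100.7", ["/index.php", "/css/bank.css", "/post.php"]),
    ("login-a.example", "192.0.2.10", ["/index.php", "/css/bank.css", "/post.php"]),
    ("other-e.example", "203.0.113.5", ["/signin.html", "/js/grab.js"]),
]

def kit_fingerprint(paths):
    """Hash the sorted, de-duplicated resource paths (assumed kit identifier)."""
    canon = "\n".join(sorted(set(paths)))
    return hashlib.sha256(canon.encode()).hexdigest()[:12]

def cluster_by_kit(observations):
    """Group sites by kit fingerprint and count hosting IPs per kit."""
    clusters = defaultdict(lambda: {"sites": set(), "ips": Counter()})
    for host, ip, paths in observations:
        cluster = clusters[kit_fingerprint(paths)]
        if host not in cluster["sites"]:  # count a re-reported site only once
            cluster["sites"].add(host)
            cluster["ips"][ip] += 1
    return clusters

def summarize(observations, min_sites=2):
    """Return kits reused on at least min_sites sites, largest cluster first."""
    rows = []
    for fp, cluster in cluster_by_kit(observations).items():
        if len(cluster["sites"]) < min_sites:
            continue
        top_ip, on_top_ip = cluster["ips"].most_common(1)[0]
        rows.append({"kit": fp, "sites": len(cluster["sites"]),
                     "top_ip": top_ip, "sites_on_top_ip": on_top_ip})
    return sorted(rows, key=lambda r: r["sites"], reverse=True)

if __name__ == "__main__":
    for row in summarize(OBSERVATIONS):
        print(row)
```

A kit cluster whose sites concentrate on one IP is the kind of "clue" the bullet describes: it points takedown and investigation effort at one hosting source instead of at each URL in turn.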
Have you used phishing intelligence to build effective countermeasures against cybercriminals? Share your insight in the comments below.
What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).
On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.
Trend Micro has just published research confirming what we at PhishMe already knew – spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing APT to corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.
Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.
As the barrage of security breaches continues, Citigroup is the latest victim. This eWeek article: http://www.eweek.com/c/a/Security/Citigroup-Credit-Card-Portal-Breach-Compromises-200000-Customers-461930/ discusses the potential impact of this attack. One of the commentators brings up the topic of phishing. Hannigan, the CEO of Q1 Labs, rightly points out that “Security trust means more than just making sure you’re in compliance with regulations.” On the other hand, some of the quotes, like that from Anup Ghosh, co-founder of Invincea, have a blatant technology solution vendor bias. He discounts human intelligence when referring to customers in this quote – “it’s not reasonable to expect them to differentiate spear phishing attacks”. So technology can differentiate these attacks but humans can’t? The claim is baseless.
Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats – .docx, .xlsx, .chm (and the list goes on)? How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (hint: not very long)
What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology does more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea – defending against spear phishing needs a multi-pronged approach – education/training, technology at the mail server, technology at the end point…and even then the bad guys may succeed; but you’ve raised the bar!