Wednesday, December 31, 2014

Let's try this again! My 2015 predictions!


2015 Predictions Paper
Jeff Stutzman, Co-Founder, Red Sky Alliance and Wapack Labs
December 31, 2014


I started writing these prediction papers in 2011. My earlier papers are all available on this blog. Surprisingly enough, even with some being a total stretch, many came true. This year is a little different. Where I'd looked at technical exploitation in previous years, my fear is that this year technical exploitation will take a backseat to "we're already in, and this is what we want". So watch out for objectives on target. This, in my opinion, is going to be the big message for 2015.

2015 will bring massive change. 

Ransomware will become highly targeted, significantly more efficient and far more damaging

In October, Wapack Labs responded to a call for help from a local company that had fallen victim to ransomware. While Wapack Labs doesn’t normally undertake incident response, the request came from a friend and we felt compelled to assist. In this case, the CEO paid the ransom (about $800 in Bitcoin) to retrieve the files that had been encrypted on his personal computer. The corporate drives, however, were a different story: the company’s IT staff were forced to restore the entire company from a backup taken 24 hours earlier. Our analysis resulted in sink-holing the command and control channels, revealing nearly 1,500 other victims within the first hour!
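The victim count above comes from watching who checks in to the sinkholed command and control host. The following is an added example, not Wapack Labs code, of how that count is produced from a sinkhole's web-server access log: bot check-ins are separated from crawlers and scanners, victims are de-duplicated by source IP, and counts are bucketed by hour from the moment the sinkhole went live. The log lines, the sinkhole start time and the `/gate.php` check-in path are constructed for illustration; real families use different paths.

```python
"""Count ransomware victims checking in to a sinkholed C2 domain.

Added example (not Wapack Labs code). Parses combined-format access-log
lines from a hypothetical sinkhole host and counts distinct victim IPs
per hour since the sinkhole was activated.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines from a hypothetical sinkhole web server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2014:14:01:07 +0000] "GET /gate.php?id=A1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Oct/2014:14:03:19 +0000] "GET /gate.php?id=A1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.17 - - [12/Oct/2014:14:10:44 +0000] "GET /gate.php?id=B7 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Oct/2014:14:55:00 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.4 - - [12/Oct/2014:14:58:31 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot/2.1"
192.0.2.17 - - [12/Oct/2014:15:02:12 +0000] "GET /gate.php?id=B7 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.77 - - [12/Oct/2014:15:30:00 +0000] "GET /gate.php?id=C2 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CHECKIN_PATH = "/gate.php"   # assumed bot check-in path for this example
SINKHOLE_START = datetime(2014, 10, 12, 14, 0, tzinfo=timezone.utc)  # assumed


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def victims_per_hour(log_text, sinkhole_start=SINKHOLE_START):
    """Map hour offset since sinkhole activation -> set of distinct victim IPs.

    Only requests to the bot check-in path count; crawlers, scanners and
    malformed lines are ignored so they do not inflate the victim count.
    """
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHECKIN_PATH):
            continue
        hour = int((rec["time"] - sinkhole_start) // timedelta(hours=1))
        buckets[hour].add(rec["ip"])
    return buckets


def first_hour_victims(log_text, sinkhole_start=SINKHOLE_START):
    """Distinct victims seen in the first hour after the sinkhole went live."""
    return len(victims_per_hour(log_text, sinkhole_start).get(0, set()))


def total_unique_victims(log_text, sinkhole_start=SINKHOLE_START):
    """Distinct victims across the whole log."""
    return len(set().union(*victims_per_hour(log_text, sinkhole_start).values()))


if __name__ == "__main__":
    for hour, ips in sorted(victims_per_hour(SAMPLE_LOG).items()):
        print(f"hour +{hour}: {len(ips)} distinct victims")
```

Two caveats belong with any number produced this way: many infected hosts sit behind one NAT address, so a per-IP count is a lower bound, while DHCP churn over days makes the same host show up as several addresses, so the same count drifts upward over time. Quoting the first-hour figure, as the post does, avoids most of the second problem.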

Ransomware is a type of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator(s) of the malware, for the restriction to be removed.[2] Ransomware often uses scare tactics to coerce the owner of the victim computer into paying to unlock or decrypt the files, or the computer itself, which are held until the ransom is paid. In many cases, users are even walked through the process of paying. It is a non-discriminating attack. Nearly anyone can fall victim. Figure 2 shows the lock screen of a police-themed variant that impersonated the Metropolitan Police (Scotland Yard).[3]



The idea that ransomware has become a big deal should come as no surprise. But combine it with underground currency (which removes the controls imposed by the banking and finance system) and couple it with highly efficient delivery mechanisms (see the next prediction), and ransomware could, and likely will, become a very real and significant threat.


Malware delivery will become highly efficient, utilizing traffic distribution systems to increase the probability of successful intrusions.

Imagine walking into a massive grocery store to buy a carton of milk. You’ve never been to this store before. You can run through every aisle looking for the dairy case, or you can ask a clerk to walk you to it. Now imagine that the clerk knows the exact kind of milk you like and hands it to you before you even ask for directions. Traffic distribution systems (TDS) work the same way in cyber space. They know the configuration of the visiting computers and push specific legitimate content only to the computers that actually want it; in the case of malware delivery, the TDS knows the configuration of specific computer systems and delivers malware only to those that will actually be able to execute the payload. By knowing which computers are likely to have specific vulnerabilities, and delivering malware only to those, the likelihood of a successful exploitation increases dramatically, increasing the attacker’s return on his hacking investment with very little additional effort.

For example, in November 2014 Wapack Labs witnessed and reported on hackers abusing a traffic distribution system called Sutra.

The Sutra TDS is a legitimate product: it captures analytic data about a web server’s visitors and uses it to manage affiliate advertising and maximize referral monetization. Malicious actors have found that the same machinery works just as well for steering visitors to exploit pages.[4]




This works because a web server sees far more than an IP address. Every request carries the visitor’s IP (and so its geography and network owner), a User-Agent header naming the operating system and browser version, a referrer and an accepted language, and a small script on the landing page can add installed plugin versions such as Java and Flash. (A MAC address, by contrast, never reaches a remote web server, and a TDS does not port-scan its visitors.) From these facts the TDS infers which exploits are likely to work and acts as a traffic cop: visitors who look exploitable are redirected to the matching exploit page, while researchers, crawlers and fully patched machines are handed the advertised content and never see the payload.
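To make the traffic-cop logic concrete, here is an added example of TDS-style visitor routing. It is not Sutra’s code or anything from the Wapack Labs report; the rule shapes, the IP range that is never served a payload, the Java version threshold and the destination labels are all constructed for illustration. It generalizes the paragraph slightly by showing the three decisions a real TDS makes for every request: hide the payload from researchers and crawlers, pick an exploit page that matches the visitor’s browser or plugin, and fall back to benign content when nothing fits.

```python
"""TDS-style victim selection: route a visitor by what the server can see.

Added example, not Sutra's code. Fingerprints come only from data a remote
web server actually receives: the client IP, the User-Agent header, and
plugin versions reported by a client-side probe script (if one ran).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Visitor:
    ip: str
    user_agent: str
    referer: str = ""
    java_version: str = ""     # e.g. "1.7.0_21", reported by a probe script
    flash_version: str = ""


# Constructed range an operator would never serve exploits to (research labs,
# crawlers). Real operators keep large lists of security-vendor and cloud ranges.
DO_NOT_SERVE = [ipaddress.ip_network("203.0.113.0/24")]
BOT_UA = re.compile(r"bot|spider|crawl|curl|wget|python-requests", re.I)
WINDOWS_NT = re.compile(r"Windows NT (\d+\.\d+)")
MSIE = re.compile(r"MSIE (\d+)\.")
JAVA_VERSION = re.compile(r"1\.(\d+)\.0_(\d+)$")   # "1.7.0_21" -> (7, 21)


def fingerprint(v):
    """Reduce a request to the facts a TDS routes on."""
    nt = WINDOWS_NT.search(v.user_agent)
    ie = MSIE.search(v.user_agent)
    java = None
    if v.java_version:
        m = JAVA_VERSION.match(v.java_version)
        if m:
            java = (int(m.group(1)), int(m.group(2)))
    return {
        "windows_nt": float(nt.group(1)) if nt else None,
        "msie": int(ie.group(1)) if ie else None,
        "java": java,
        "bot": bool(BOT_UA.search(v.user_agent)),
        "blocked": any(ipaddress.ip_address(v.ip) in n for n in DO_NOT_SERVE),
    }


def route(v):
    """Return (destination, reason). Destination labels are hypothetical."""
    f = fingerprint(v)
    # 1. Never expose the payload to scanners, crawlers or known research space.
    if f["blocked"] or f["bot"]:
        return ("benign", "researcher or crawler: serve the advertised content")
    # 2. Old Internet Explorer on Windows: send to the browser exploit page.
    if f["windows_nt"] is not None and f["msie"] is not None and f["msie"] <= 8:
        return ("landing/ie-legacy", f"MSIE {f['msie']} on Windows NT {f['windows_nt']}")
    # 3. Old Java plugin (assumed threshold: anything before 7u25): Java exploit page.
    if f["java"] is not None and f["java"] < (7, 25):
        return ("landing/java", f"Java 1.{f['java'][0]} update {f['java'][1]}")
    # 4. Nothing matches: the visitor sees only the legitimate redirect.
    return ("benign", "no matching exploit: serve the advertised content")


if __name__ == "__main__":
    # Constructed visitors covering each branch.
    for v in [
        Visitor("198.51.100.23", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
        Visitor("198.51.100.24", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/38.0",
                java_version="1.7.0_21"),
        Visitor("198.51.100.25", "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                java_version="1.7.0_71"),
        Visitor("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ]:
        print(v.ip, "->", route(v))
```

The defender’s lesson is in branches 1 and 4: the same fingerprints that select victims also hide the payload from anyone who does not look like one. That is why replaying a suspicious redirect from an analyst workstation, a cloud sandbox or a vendor IP range so often returns harmless content; to see what the victim saw, the request has to present the victim’s User-Agent and plugin versions and come from an address the operator has not blacklisted.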

We believe this will only grow in 2015.

OEM trojaning activities will become the norm.

In August 2014, Wapack Labs received malware specimens that were reported as targeting a Russian commercial bank. Analysis of the malware uncovered a wide criminal infrastructure as well as a targeted component designed to attack a specific application used in many financial institutions. While the activity appeared targeted, the associated infrastructure had also been linked to a number of generic cybercrime activities. The interesting thing was that all of the malware, once triggered remotely, communicated back to the software developer that built and sold the application to the banks. This may mean the OEM wrote the backdoor into the code; it may equally mean the OEM had itself been compromised. We are not clear which was true, but the fact that the command and control channels called home to the developer suggested, at a minimum, some involvement.

We’ve heard of other cases of suspected OEM poisoning, and this one, although unproven, looks to us like a leading indicator. Companies with distribution channels for software, hardware, and services should consider themselves prime targets for OEM poisoning by hackers looking for an early foothold.

Companies will grow tired of being victimized, if they have not already. Top companies (the “one-percenters”) will begin to shoot back. The Sony case is famous.

According to one media report, Sony Pictures is alleged to have conducted a retaliatory DDoS attack against websites holding its leaked information for public download. The unconfirmed strike-back followed two weeks of relentless attacks on Sony networks, punctuated by extortion demands and the theft and release of personal information, emails and other business documents, all supposedly by the hacker collective the "Guardians of Peace".[5] I’ve heard this before; Sony isn’t the only one. Over ten years ago, while I was working onsite at a bank, the CISO talked openly about hiring an offshore company to attack the servers used to spam bank customers and the servers hosting the fake banking sites they linked to.

During our first year with Red Sky Alliance, we visited a non-member defense contractor who’d fallen victim several times to determined adversaries who were believed to be state sponsored, and who were stealing intellectual property being developed by them for the US Department of Defense.  The company spoke openly about having taken the offensive during attacks where sensitive technologies were believed targeted and being stolen. 

So is this real? Absolutely. Is it likely? Absolutely. Widespread? Probably not yet, but it should come as no surprise that cyber activities are popping up in some unlikely locations around the world, possibly those that do not yet have strict cyber laws, and my belief is they will be used for proactive offensive, retaliatory, and active defensive operations.

The continued growth of government-sponsored operations will dramatically alter the cyber landscape.

In 2013 Wapack Labs analysts began tracking the growth in the number of countries building their own ‘Cyber Command’. At the time, we found evidence of six government-sponsored cyber organizations. In February 2014, when we mapped it out, there were 22, and today, not even a year later, there are believed to be over 100 in various stages of maturity.

What does this mean? I use a term that I heard David Awksmith use at a conference in Colorado a few years ago. He used an economics term, disintermediation, to describe removing the middleman (the middleman being the military) in cyber space. Why? Old-school military leaders won’t give up their bullets, but the younger generation of officers believes that cyber is a viable weapon, and that non-kinetic, bloodless options can have effects as good as or better than kinetic weapons on many fronts. We’ve already seen the removal of the military middleman play out in several cases, and even in countries with strong national-level computer emergency response teams, non-governmental victims who are attacked can suffer significant damage.

According to one source, Smart TVs were hacked during the Ukrainian parliamentary election.  Local channels were blocked and ‘aggressor’ (according to our source, Russian) messaging was played instead.   The Ukrainian military was not targeted, rather the population in an attempt to sway voting.

In another case, Privatbank, Ukraine’s largest commercial bank, was hacked repeatedly because the bank’s owner spoke out against Putin and personally funded much of the Ukrainian resistance.

Election tampering, monitoring of telephone systems, use of traffic cameras and security webcams to collect intelligence, and the ability to manipulate just about any controller, media outlet or telephone system over a network connection all offer significant advantages. Cyber activities do not carry the same “Washington Post effect” (generating public outcry and influencing US leadership through media reporting) as physical bombings and the killing of people; they are far less expensive for an adversary to carry out and offer significant plausible deniability, but for the targeted victim(s) they can be devastating.

So yes, future cyber, in my opinion, will remove the middleman and companies will be targeted directly by state sponsored (or at a minimum, state condoned) activities.  This will become the norm.  Need other examples?

The leader of the Syrian Electronic Army is actually President Assad’s cousin. The SEA was created as a result of, and in retribution for, the freezing of the Assad regime’s assets. We’ve seen heavy SEA activity over the last twelve months, and from our perspective, we should expect to see more.

North Korea’s Unit 121 is reported by the FBI to be the actor behind the Sony breaches. Regardless of heavy public speculation on attribution, the activity certainly cost Sony, in both hard and soft dollars, and the fight, if the FBI is correct, was military-on-private corporation, not military-on-military.

China has long been believed to use government-sponsored cyber espionage units to target and exploit intellectual property residing in corporations outside of China. State sponsorship (or, at a minimum, state countenance) of activities against global corporations suggests governments are targeting non-government victims whenever that non-government entity holds something on their collection requirements.

The US Cyber Command nearly doubled its budget heading into 2015.   There should be no doubt that others will follow, if only to protect themselves against future cyber, SIGINT, and espionage activities.


Life in cyber is not all that bad

There are some very strong positives.

First, the intelligence space is maturing nicely. Not only are CISOs becoming aware of the need for intelligence (even though risk models called for it years ago!), the idea that effort and spend can be prioritized by having great intelligence is taking hold. In fact, not only is it maturing, verticals are forming!

Second, nearly every company that I wander into today either has a CISO or understands the need. That’s not to say they’ll all run out and hire one, but the awareness is there. I see this as a positive. The ISO 27001 business is booming. ISO isn’t going to stop determined adversaries, but it marks progress. Again, I see this as a strong positive.




[1] Henrybasset.blogspot.com
[2] http://en.wikipedia.org/wiki/Ransomware
[3] http://en.wikipedia.org/wiki/Ransomware#mediaviewer/File:Metropolitan_Police_ransomware_scam.jpg
[4] https://www.usenix.org/sites/default/files/conference/protected-files/leet_ferguson_threats_preso.pdf
[5] http://www.theregister.co.uk/2014/12/12/sony_allegedly_targets_file_sharers_following_guardians_of_peace_hack/





Table 1: Stutzman’s 2015 Predictions

Prediction | Type of risk | To whom | Risk | Probability | Impact if successful | Stage of maturation | Leading indicators present? | Overall risk score
--- | --- | --- | --- | --- | --- | --- | --- | ---
Ransomware will become highly targeted and significantly more efficient | Tech exploitation and ransom | All | 5 | 5 | 5 | 3 | Yes | 4.5
Malware delivery will move from broad phishing delivery to content-aware (traffic cop) systems | Tech exploitation | All | 5 | 5 | 3 | 3 | Yes | 4
Previously unpublished activities surrounding OEM-integrated trojaning will become more public | OEM exploitation | All | 4 | 3 | 5 | 3 | Yes | 3.75
Companies will grow tired, and begin shooting back | Policy and legal | Top 1 percenters | 5 | 5 | 1 | 1 | Yes | 3
The continued growth of government-sponsored cyber operations will drastically alter the landscape | GEOPOL | Targeted companies | 4 | 5 | 3 | 2 | Yes | 3.5


Risk scoring is qualitative, on a scale from 1 to 5 with 1 being low and 5 high. The model is simple: the overall risk score is an unweighted average of Risk, Probability, Impact, and Estimated Stage of Maturity. Leading indicators are Yes or No.


