Wednesday, August 3, 2011

Sand Boxes for Advanced Persistent Threats

McAfee’s VP of threat research in a recent blog post noted "The targeted compromises--known as 'Advanced Persistent Threats (APTs) … we are focused on are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat."

The actual attack method is familiar. The compromises follow the standard procedure for targeted intrusions: a “spear-phishing” e-mail containing an exploit is sent to an individual with the right level of access at the company. When the exploit is opened on an unpatched system, it triggers a download of the implant malware.

That malware then executes and opens a backdoor communication channel to the command-and-control web server, interpreting the instructions encoded in hidden comments embedded in the web page's code. Live intruders follow quickly, jumping onto the infected machine to escalate privileges and move laterally within the organization. They establish new persistent footholds on additional compromised machines running the implant malware, while singling out the key data they came for and exfiltrating it quickly.

A recent study by the Intrepidus Group, the company behind the PhishMe.com awareness service that lets companies attempt to phish their own employees, based its findings on 32 phishing scenarios tested against a total of 69,000 employees around the world. The findings:
23% of people worldwide are vulnerable to targeted/spear phishing attacks;
Phishing attacks that use an authoritative tone are 40% more successful than those that attempt to lure people with rewards;
On average, 60% of corporate employees found susceptible to targeted spear phishing responded to the phishing e-mails within three hours of receiving them;
People are less cautious when clicking on active links in e-mails than when they are asked for sensitive data.

SUMMARY
Given users' susceptibility to targeted attacks, the only solution is to isolate all traffic originating from unauthorized locations, that is, sources not on a “white” security list, into isolated “sand boxes”.

Sandboxing protects the system by limiting what an application can do, such as accessing files on an internal disk or reaching any other desktop over the network. Restricting an app inside the sand box to only the operations it needs keeps the rest of the system secure in case a downloaded app is corrupt or compromised.
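The two ideas above, routing anything not on the “white” list into a sand box and then restricting the sandboxed app to the operations it needs, can be shown in a small application-level model. The following is an added example, not code from this post or from McAfee or Intrepidus: the allowlist entries, the sandbox directory layout and the mock “implant” are constructed, and it assumes a POSIX host where symlinks can be created. It confines file access to one directory (resolving symlinks and “..” before the containment check), disables writes and network use by default, and records every denied operation so the surveillance the post calls for has something to inspect.

```python
import os
import socket
import tempfile

# Constructed allowlist: the "white" security list of trusted sources.
TRUSTED_ORIGINS = {"mail.example.mil", "intranet.example.mil"}


def needs_sandbox(origin):
    """Any source not on the trusted list is routed into a sandbox."""
    return origin.lower() not in TRUSTED_ORIGINS


class SandboxViolation(PermissionError):
    """Raised when the confined app tries an operation outside its policy."""


class Sandbox:
    """Confines an app to one directory; writes and network are off by default."""

    def __init__(self, root, allow_write=False, allow_network=False):
        self.root = os.path.realpath(root)
        self.allow_write = allow_write
        self.allow_network = allow_network
        self.violations = []  # audit trail of denied operations

    def _confine(self, path):
        # Resolve symlinks and '..' before checking containment, so a
        # planted symlink or a traversal path cannot escape the root.
        candidate = os.path.realpath(os.path.join(self.root, path))
        if os.path.commonpath([self.root, candidate]) != self.root:
            self.violations.append(("path", path))
            raise SandboxViolation("path escapes sandbox: %s" % path)
        return candidate

    def read(self, path):
        with open(self._confine(path)) as fh:
            return fh.read()

    def write(self, path, data):
        if not self.allow_write:
            self.violations.append(("write", path))
            raise SandboxViolation("writes are disabled")
        with open(self._confine(path), "w") as fh:
            fh.write(data)

    def connect(self, host, port):
        if not self.allow_network:
            self.violations.append(("network", "%s:%d" % (host, port)))
            raise SandboxViolation("network access is disabled")
        return socket.create_connection((host, port), timeout=5)


def demo():
    """Run a constructed 'implant' against a sandbox and report each outcome."""
    outside = tempfile.mkdtemp()           # data the app must never reach
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("crown jewels")
    root = tempfile.mkdtemp()              # the app's own sandbox directory
    with open(os.path.join(root, "config.txt"), "w") as fh:
        fh.write("benign config")
    os.symlink(outside, os.path.join(root, "escape"))  # planted escape hatch

    sb = Sandbox(root)
    attempts = {
        "read own config": lambda: sb.read("config.txt"),
        "read via ../": lambda: sb.read(
            os.path.join("..", os.path.basename(outside), "secret.txt")),
        "read via symlink": lambda: sb.read(os.path.join("escape", "secret.txt")),
        "write dropper": lambda: sb.write("dropper.bin", "MZ..."),
        "connect to C2": lambda: sb.connect("c2.example.invalid", 443),
    }
    results = {}
    for name, action in attempts.items():
        try:
            action()
            results[name] = "allowed"
        except SandboxViolation:
            results[name] = "denied"
    return results, sb.violations


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print("%-18s %s" % (name, outcome))
```

Only the read of the app's own configuration succeeds; the traversal path, the symlink escape, the file drop and the outbound connection are all refused and logged. A real desktop sand box enforces the same policy in the operating system (filesystem and network namespaces, or per-process mandatory access control) rather than in the application, but the policy shape is the same: a default-deny root, writes and network granted only when the app actually needs them.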

Since social computing in DoD, which now constitutes a large share of total transactions, is the primary source of targeted spear phishing, DoD should set up its desktops on PaaS-based virtual computers at central servers where all transactions are subject to automated surveillance. As a first priority, DoD should proceed with providing completely isolated “sand boxes” on all desktops, laptops and smart phones.

For comments please e-mail paul@strassmann.com