David & Goliath – Winning Strategies in Cyber Warfare
Fortunately fashion is not key to helping us win the Cyber-War because sartorial elegance has never been a strong suit of the IT profession, but David and Goliath certainly teaches us some classic lessons. Growing up, many of us learned the famous story of David and Goliath, and even if we weren’t attending Sunday school in our youth, David and Goliath has passed into the English language as the epitome of the struggle between the little guy and the giant.
The story tells how David, using his sling and a pebble he picked up, killed the gigantic warrior-champion, Goliath, who until then had terrorized the kingdom. And during the 20th century, this came to symbolize the little guy beating a powerful opponent. We talk about giant killing acts in sports, when a participant who is considered to have no chance beats a better known opponent.
In the original story, everyone is resigned to the fact that they have no chance against a formidable enemy. And when David shows up and offers to take Goliath on, he’s dismissed as someone who is just trying to get attention. Finally word gets to the king that a volunteer has been found to tackle the giant, but when they meet he is initially dismissive of the little guy. However, he is willing to give it a shot; after all, it’s not every day you find someone who wants to defy the odds.
It’s decided that David needs some protection so they try and dress him up to look like a proper soldier. But it’s all very cumbersome. He can’t move for all the protective gear that he’s wearing, so he takes it off and heads out to battle against the giant with his sling shot and a couple of stones. Lo and behold, one clean shot takes the giant down, he cuts off his head, and giant killing has now been born!
The Giants of Cyber Attacks
Today we live in a world where the “giants” are lined up against us. Cyber Crime, Cyber Sabotage and Cyber Espionage are daily facts of life. Whether we’re talking about botnets, defacing of web sites, spear-phishing or theft of intellectual property, everyone seems to be defenseless against the relentless attacks that are targeting everything from your Facebook page to the SCADA systems controlling nuclear power stations.
Governments talk about the risk of Cyber-Attacks being more deadly than atomic weapons, and company after company is being pillaged for its intellectual property.
The technologies that have traditionally protected us are no longer able to provide any effective defense. Firewalls, Anti-Virus, and whatever other latest and greatest panacea is being touted as the answer to our problems are all proving ineffective.
And yet every user, and every organization, has the means to stop every giant in their tracks, but most are, as the saying goes: ‘so blind as those who will not see. The most deluded people are those who choose to ignore what they already know’.
As David discovered with Goliath, even the most powerful combatant has a chink in their armor!
Stopping Malware and APTs Dead In Their Tracks
Breaches such as those just discovered at Target, the NSA, or wherever, all follow a set pattern. Breaches are not a shot in the dark, but require careful planning and execution.
First, the attacker has to identify the target, essentially looking for the weakness in the defense. Multiple tools are available on the Internet that allow anyone to scan for systems or components that have vulnerabilities. Tools such as Nessus, and web sites such as Shodan provide an easy way for an attacker to identify a weakness.
Once the point of entry is identified, the next step is to gain entry. In other words, looking for access to a system which can then be used as an escalation point. Again, tools such as Metasploit and others make it easy to do this at industrial scale, using brute force attacks.
The book “Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners” by Jason Andress and Steve Winterfeld clearly describes the attack process. The attack is usually focused on a particular system, or set of systems, which an attacker attempts to access, either by using an outright attack or using credentials that have been discovered somewhere in the environment through social engineering, or other means. Once access to a system is achieved, the next step is to escalate the privileges of the account on that system, raising the attacker's level of access far enough to accomplish the attacker's goals. The target for such privilege escalation is often root or administrator level access, giving the attacker relative freedom on the system. Given the needed level of access to the system, the attacker can then remove any information that they wish to, cause damage to the environment in any way that benefits them, and install any measures that they need to in order to ensure future access.
Getting the information out, and covering their tracks, is relatively easy once a beachhead is established, using applications such as Corkscrew and others, and then using Tor or other deep web services to move the information. Additionally, there are plenty of tools available that make it possible to hide stolen data on USB drives, mobile devices, etc.
And of course, as Aramco discovered, once in, the destruction of data, software and even systems is relatively straightforward. Again, the applications are easily available on the net.
Faced with giants that supply zero day exploits, with a guarantee that vulnerabilities will not be detected for several months, and the promise that all leading anti-virus and threat protection technologies have been tested before the release of these exploits, technologies that protect us against these attacks are helpless. It eventually gets very tiresome to be continually told by the security industry after the fact. It’s like my wife always telling me after the speeding camera has flashed that we’ve just passed a traffic camera! For once I’d love her to tell me where the camera is ahead of time. Of course my navigation system tells me where cameras are, or rather tells me where they were when the GPS software was installed, so it’s equally useless!
But all malware and APTs, like the giants, have a chink in their armor. To be able to do their worst, they need privileged access to a system. Ultimately if they can’t install something, they can’t attack. The little pebble of managing privileged accounts, whether used by administrators, services, tasks, whatever, will stop them dead in their tracks. In other words, every organization has the means to protect themselves. If they simply enforce a policy of continuous monitoring and scanning of components such as registries, daemons, tasks, hardware components, services and privileged accounts, and eliminate all vendor default accounts, they can win. Or as in the words of Sun Tzu, “To Know Your Enemy, You Must Become Your Enemy.” Pebble beats sword, password management beats malware! It is just that simple!
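One way to start the privileged-account scan described above, as an added example that is not part of the original article. It assumes Unix-style passwd, shadow and group data; the sample records, the approved baseline and the vendor-default watchlist are all constructed for illustration.

```python
# Added example: every account record below is constructed, not from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc_backup:x:0:0::/var/backup:/bin/sh
admin:x:1001:1001::/home/admin:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
svc_backup:$6$constructed$hash:19000:0:99999:7:::
admin:$6$constructed$hash:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""
GROUP = """\
sudo:x:27:alice,admin
"""
PRIV_GROUPS = {"sudo", "wheel"}                  # groups that grant admin rights
APPROVED_PRIVILEGED = {"root", "alice"}          # hypothetical approved baseline
VENDOR_DEFAULTS = {"admin", "guest", "support"}  # illustrative watchlist only

def audit(passwd, shadow, group):
    """Return sorted (finding, account) pairs for privileged-account problems."""
    locked = {}  # account -> True when the password field starts with '!' or '*'
    for line in shadow.splitlines():
        name, pw = line.split(":")[:2]
        locked[name] = pw.startswith(("!", "*"))
    privileged, findings = set(), []
    for line in passwd.splitlines():
        f = line.split(":")
        name, uid = f[0], int(f[2])
        if uid == 0:  # any UID 0 account has full root rights
            privileged.add(name)
            if name != "root":
                findings.append(("uid0-non-root", name))
        if name in VENDOR_DEFAULTS and not locked.get(name, False):
            findings.append(("vendor-default-enabled", name))
    for line in group.splitlines():
        gname, _, _, members = line.split(":")
        if gname in PRIV_GROUPS:
            privileged.update(m for m in members.split(",") if m)
    for name in sorted(privileged - APPROVED_PRIVILEGED):
        findings.append(("unapproved-privileged", name))
    return sorted(findings)

if __name__ == "__main__":
    for kind, account in audit(PASSWD, SHADOW, GROUP):
        print(f"{kind}: {account}")
```

Run on a schedule against the live account files, the same check turns any new privileged account or re-enabled default account into a finding to investigate.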