Microsoft Vulnerability – Never Scramble To Patch Again

On March 2nd, 2021 Microsoft informed the world of a vulnerability in Microsoft Exchange. This vulnerability is active in the wild and has already been exploited by malicious actors from China and beyond. This well documented attack found by the security researchers at Volexity in Reston VA, exploits four different vulnerabilities in Exchange to gain access to emails without authentication.

Fact is, software teams are always under pressure to continuously release new features at breakneck pace. This is driven by the urgent need to keep up with market demands and competitive pressures.

This means that the vulnerability posture of all software continuously deviates with every update and upgrade. Software that at some point was free from vulnerabilities, may be riddled with them after updates. Even if the update includes security patches, the patches themselves along with new features may introduce new vulnerabilities.

So how can you defend against these popup vulnerabilities?

The traditional recommendations have been to implement “defense in depth”  — the layering of multiple security products. However, not only is this model expensive, it also does not address the challenges new exploits introduce. In most cases, it creates complexity that further weakens security.  This is especially true for hybrid infrastructure, where many different tools have to be implemented across offices, clouds, SaaS, data centers and remote users.

So “defense in depth” is not a viable security approach moving forward. It costs a lot of money and burns a lot of resources to actually make security worse. There is more information here: 5 Reasons Security Products Make You Less Secure.

Lots of attention and budget is going to the hip new security model “Detection and Response” (xDR). But what does xDR really buy you? It tells you when something bad has happened and  that you should do something about it — patch all systems, find the compromise and inform customers.

If there was ever a whack-a-mole approach to security, it is xDR. This is often referred to as the “you’re screwed” approach to security. Not particularly proactive, resource efficient or preventative, is it?

The key to prevention is reduction of the attack surface. Today, many applications have to be exposed to the Internet at-large so users can access applications before being authenticated. This is called “Access before Auth”.

Acreto however, uses a very different approach where there is a transparent authentication before users can gain any access to applications. This is called “Auth before Access”.  This approach completely shields the application from exposure to the Internet at-large.

The Acreto approach altogether eliminates the threats and exposures from Internet connected systems. And if authorized users mis-behave, the bad behavior is automatically mitigated.

Limiting access to the attack surface avoids mass exposure. In the case of the Exchange vulnerabilities, it would limit access of the Exchange server to authorized users only, no matter where they are located or what network or networks they operate on.

Reducing your attack surface in this case basically means that the Exchange servers — or any other system, server or application for that matter — will not be exposed on the Internet.

Access is allowed only after authenticating to Acreto and going through a set of controls, as well as ongoing threat and validation checks. This ensures that 1) the user is authorized, 2) the device is authorized, and 3) they never behave maliciously.

This is the default model with Acreto SASE+, where all customer systems benefit from a reduced attack surface — without any special effort, architecture or consideration.

Remote users connect to Acreto, and are transparently authenticated before access to systems,  servers, applications, SaaS, clouds or networks including Exchange or Office365. Acreto protects against Internet or internal attacks, even if the Exchange server or other application is left unpatched.

 

Get more detail on this best practice approach to reduce your exposure to Internet-born, Ransomware or zero-day attacks.  Contact us at info@acreto.io

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Undercutting the IT/OT Collaboration Delusion

Lately, I have seen two common themes whenever IoT security is brought up; 1) complete acceptance that IoTs pose unique security challenges, and 2) how they have an IT/OT collaboration process to address them. Everybody knows what IT is, but as a reminder, OT, or operationalized technologies, are network/Internet-connected technologies whose primary function is not IT related. Think network connected HVAC units, vending machines, elevator control systems, and the like.

I recently attended a Smart Building conference, and one of the stalwart technology companies was making a big deal about the addition of their fourth intelligent building. One of their talking points was how much they have learned from their last three smart building operations. With lessons learned, they continued, this fourth building incorporates an IT and OT collaboration process. This process is intended to ensure that their IoTs do not pose a risk to the organization.

Let’s get real. A people-driven process for cybersecurity has never, ever, ever worked– not even once. Perhaps a few got lucky, but last time I checked, luck is not a reliable component of security.

People-driven processes are what a lot of organizations fall back on when there are no meaningful legitimate security options and an issue is too center-stage to be brushed under the proverbial rug. People-driven processes work for business, not cybersecurity because an inevitable byproduct is exceptions. Managing exceptions in a business model is not only acceptable but a feature that can deliver good results. With cybersecurity, exceptions are a bug and can have a catastrophic impact. Why? Because exceptions add up quickly and require manual intervention. These exceptions can easily overwhelm teams and often wind up unaddressed.

IT/OT collaboration translated to practical terms means that OT needs to get approval from IT for whatever they need to purchase. This interaction results in one of three responses. “We can secure your IoTs right away!”, “We can secure your IoTs, but there’s a backlog and there will be some delay,” or “No, you can’t use this technology.”

Anything other than the first response will result in the user immediately focusing their attention on bypassing IT. So, the collaboration has now turned into a cat and mouse game where the user tries to circumvent IT, and IT tries to implement restrictive controls to prevent being bypassed.

Have we not learned our lesson from the use of Cloud and SaaS in business? The users beat IT and executive management so overwhelmingly that there was no option other than complete and utter surrender.

The learning lesson is, don’t turn your users against you because you will not win. Any delay in facilitating the requirements of OT will result in scorn from the user community. And to further exacerbate the issue, there are far more IoTs that tend to be unique.

So, what’s the answer? The right answer requires re-imagining how we secure. Our current model for security dates back to medieval times. How is the industry standard of securing networks any different than securing a castle with a moat and drawbridge? The right answer needs innovation — and not just innovative technology, but also a whole new innovative model for cybersecurity. This model must accomplish two major tasks:

The first major task is to Simplify Security:

Today’s security tools demand well over 90% of the security team’s attention. Simply put, eliminating security tools eliminates distractions. Buying and stringing together a bunch of different products to fulfill various security functions creates complexity and is overwhelming to any size organization. In fact, security tools should be so simple to use that even quasi-technology people could operate them with ease.

Moreover, what if you had one security across all those technology silos like offices, data centers, clouds, SaaS, mobile devices, and yes, even the IoTs. This single security non-tool will not be network sensitive. It should not matter which type of network technologies use. Eliminating complexity not only improves security but offers agility and cost savings.

Takeaway #1: Implement a common security platform that delivers uniform and consistent security across all technology silos in the form of a security utility.

The second major task is to achieve User Empowerment:

With security simplified, everyone is empowered to self-serve. This puts the power of security in the hands of users. Now users are contributing positively and in the best interest of the company rather than fighting to bypass the security edicts. User empowerment drives much more collaboration than the IT overlord model that has been dubbed “collaboration.”

Takeaway #2: Empower users to self-serve so they are aligned with the best interest of all rather than fighting IT in their own interest. 

Today, more so than innovative technologies, we need a sound, well-thought-out security model. After hundreds of years in practice, we need to retire the medieval model for cybersecurity– especially in areas that depend on people-driven processes. Aside from simply not working, people-driven cybersecurity actually increases workloads and has inherent gaps in the form of exceptions. How can this possibly contribute to better security? Ultimately, there are no well-known cybersecurity technologies or models that can claim to be simple or sustainable. Perhaps the cybersecurity industry just needs to dream bigger or stop playing it unreasonably safe — or both. I am announcing that Acreto is making a play for both simple and sustainable security that empowers people. The above rules are fundamental to the foundation of Acreto’s platform, which is intended to take on and overcome the challenges of generation IoT.

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Hacking A $Trillion Fund – Why HTTPS is Not Secure

Some years back, a trillion dollar financial fund hired me as an Ethical Hacker to test their security system. They had just spent millions with Cisco to implement a brand new security infrastructure. We started the project and within a day had compromised them 139 different ways. Of the 139 compromises, 138 of them were over HTTPS encrypted connections.

When we reported this to the client, they were miffed. Their director of security asked “How could that be? We just spent millions with Cisco. Their engineers approved the design!” And as soon as he got his bearings, he snapped, “You have to write in your report that there was no data exposed or accessed.”

“No data was taken because we chose not to take any data,” I replied.

Instead, we had successfully planted a flag on their systems. This is a practice used by white hat hackers of installing a file at some deep point on a compromised system to demonstrate privileged access. The ensuing three months involved a ton of back and forth in educating the customer on precisely why we were able to compromise them, and the wording of the final report. However, over that same time they had successfully managed to fix only one of the 139 vulnerabilities — the non-HTTPS exploit.

So, why were we able to compromise them, and how did HTTPS play into this?

Contrary to the implications in its name, Hypertext Transfer Protocol Secure (HTTPS) does not offer security. It is privacy. That means it purely serves to ensure that 1) the communications destined to the application server is validated against DNS, and 2) the communication is encrypted. Because this encryption was between the client and the server, their gateway security tools were bypassed. The only visibility and enforcement their tools could provide was access control allowing network protocol TCP using network port 443 to communicate to the appropriate server. Because of the encryption, their intrusion detection system (IPS) could not look inside the payload to identify the content’s intention — well or mal intended.

We found multiple systems on their network that were accessible externally via HTTPS and then, we had at them. One advantage for the hacker / disadvantage for the company is that HTTPS-based attacks do not need to be tempered. We could be as aggressive as we wanted to be because their security tools had no sense that any of the communications were malicious. Once we identified vulnerabilities, we exploited them and compromised the first system.

Another limitation in their security was that it was a thin hard shell on the outside with a soft gooey mess inside. Because they used gateway security, once we were in, we had access to cross-contaminate everything. And that is precisely what we did, until we gained access to some pretty critical systems.

So, what did the customer learn from this experience?

Well, he was successful in lawyering the report to not look bad, yet not lie. But what you should learn from their experience is that when HTTPS makes a connection private, it makes it private to everyone — including you and your security tools. This applies to communications you originate and communications destined to you.

Today, every SaaS company is in a mad dash to roll out HTTPS. The term they keep using is that it’s “for your security!” And I get pissed off every time I hear this. It is not for your security, it is to ensure that your communication to their systems remains private.  They continue to tout this even though many of these same SaaS companies have learned from the experience to decrypt before a communication hits their threat management tools. This protects them – but not their users.

For the user of these applications, the HTTPS communications initiated outbound to third-party sites are significantly harder to protect. The result is that any site that uses HTTPS can behave maliciously toward the user, and it is very difficult for the user to identify and mitigate the attack. Yes, perhaps we could learn to trust some companies, but would you trust Google, or worst yet, Facebook? Would you trust some small unknown arbitrary site you may find yourself on?

A monster security hole.

Considering that over 60% of all Internet communications are encrypted, an investment in robust security tools without an effective means of decrypting all the HTTPS connections in and out of your network leaves a monster security hole.

The tunnel-visioned focus on preventing man-in-the-middle attacks has created a much greater security challenge for many organizations.

In another instance, at an IoT event, I asked the CTO of a IoT system integrator who builds large-scale “smart city” platforms, how he secures his technologies. His response: “We use HTTPS.” I waited for the rest, but it never came. This issue is not clearly understood even by technology, even some security, professionals.

As an industry we have done a piss-poor job of building clear and concise awareness that security is not any one of six things, but a harmonious combination of control, threat management, identity and yes, privacy. So the next time someone tells you they use HTTPS for security, nudge them to this article before they commit security suicide.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

The Security of Business vs. Business of Security

The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today’s cybersecurity pig.

It’s like a one hit wonder band who never adapted, playing the same song and putting on the same show over and over, even though their fans, the industry and the zeitgeist as a whole have evolved and transitioned.

We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show – playing their all-time favorites like “On-Device Security” and their mega-hit “Gateway Security”. Gateway security is an especially nuanced piece with broad range. There’s the firewall, intrusion prevention, VPN gateway, the proxy, url and content filters, and the component that binds them – SIEM. And that’s the consolidated version of a lengthier and more complicated original score.

Compute has changed and continues to change dramatically in front of our eyes. Clouds, SaaS, Mobile devices and the big daddy of them all – IoT – are contorting traditional security models and tools in ways never intended – until something breaks. And today, everything is breaking since security as we know it dates back to the medieval ages.

Let’s Get Medieval On Security.

The king builds a castle (the network), puts a moat and draw-bridge around it (gateway security) and posts sentries at the gate with special instructions (security policy).

Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources).

However, commoners have to assume risk and live in a state of constant vulnerability. Clouds and IoT have driven the vast majority of our functions and users to operate “outside the castle”. In fact, the business of the king’s court is now distributed. Commoners live and work remote, never needing to step foot in the castle.

There are even scenarios where some commoners operate and service other kingdoms near and far. When the court subjects are remote and distributed, the king has two options – insist on keeping the castle, moat and drawbridge or adapt. So far the security industry has bitterly resisted adapting. Why — Tradition? Lack of alternatives? It’s what they know? Or a combination of these.

Gateway security still has its uses, however, the gateway security model is long in the tooth and its use-cases diminishing by the week. And on-device security has been an expensive, ineffective and unsustainable failure. How can you package up an entire data center’s worth of security functions in a $5 sensor with the compute resources of a Timex watch.

What the cloud started, IoTs have finished. In the past compute was network-centric, now it is distributed all over and even mobile. And we like it. Initially CISOs tried to control users by saying no to cloud and SaaS. Users wouldn’t have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of cloud and SaaS.

Compute and technology has been democratized, however the way we secure is still medieval.

We have offered hackers the overwhelming advantage all the while spending billions and billions on security. Vendors continue to monetize on medieval security tools ill-suited to the new dominant compute model. How does this make sense?

There are a few reasons:

First, it’s what people know and have bought into. There are 30 plus years of approaches and methods, tools and technologies, processes and performance indicators that have been developed around medieval security. It has become muscle memory for many who spent years honing their skills around these approaches.

Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions like billing would be impacted. The result would be chaos! Arguably security is experiencing a mild form of chaos now.

Second, there are a lot of vendor-centric security professionals that know and understand security through the prism of a particular vendor. This is not meant to be derogatory since these professionals are the backbone of the security industry. However many are not security operators, they are security product managers.

In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing – and rely on the product do its security stuff.

Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and have built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it’s time to evolve for job prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor’s business strategy. An arrangement that benefits the vendor and the professional – just not security.

This brings me to the third point: the security of business.

It takes many years for new and emerging approaches or technologies to become mainstream. Large influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don’t have the market megaphone. And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.

Now, let’s talk about the Cyber Hare vs. the Security Turtle.

Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative – to a fault.

Hackers don’t care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often it takes anywhere between three to five years, depending on the organization, to implement new product categories for an emerging threat type. At that point the threat is not so emerging anymore!

Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budget, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring and troubleshooting. Where is the agility?!

Aside from the security functions the product offers, nothing in the process above even comes close to security operations.

What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from having the ability to impact business, to the ability to devastate economies and undermine democracies.

Cyber – The Longest War.

Today, everyone talks about the war in Afghanistan as our longest running conflict. In the near future this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center. I see Russia, China, North Korea, Iran and even some allies wage war against our infrastructure. If not by Name (IP Address), then by reputation (APT).

If we have learned anything from the Afghani and Iraqi conflicts it’s that success does not always require a standing army. Special Operations have radically shifted the methods of war. Not only is this cheaper and faster, but also more effective to achieve many missions around the world. Today the SpecOps model is being employed in the Syrian conflict.

Maybe we should learn from the military and apply seismic shifts to our security approach. Here’s how:

First, let’s eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile compute model is security suicide. Products are always out-of-date and security teams burn valuable resources performing technology refreshes, managing and troubleshooting products rather than operating security.

Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on, than to buy and build out! Make implementation easy and let the development, upgrades, updates and keeping the lights on be someone else’s problem. The time your team is not spending on babysitting products can be put to better use operating security.

Second, fight hackers with (ethical) hackers. Build or train security teams of operators – not product administrators. Make your team critical thinkers who focus on “how to break things” rather than the mundane keeping the lights on tasks. Not all hackers are foul tempered, tattoo laced, twenty-something rock stars with an ego. There are many agreeable, thoughtful and reliable ethical hackers that can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning at the application design, development and roll out phases.

The traditional medieval security model is not failing, it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing a 100 mph. You won’t be able to do it and you WILL get hurt along the way.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.

Secured IoT Just A Delusion Away!

I reached out to an old colleague to get some input on how different organizations are working to achieve secured IoT platforms. To my surprise he did not see it any different from securing anything else. Regardless of the many unique aspects of IoT Security I threw at him, nothing resonated. It was then that I realized that many in the industry just don’t realize the perfect storm that they are being hit with.

My colleague just did not share or buy into the challenges of distributed IoTs, their cloud application dependencies, resource limitations or proprietary hardware and software. He had quick answers for everything. Segmentation via VLAN, Communication — Route Control. Access Control with firewalls. He was convinced the tools, process and procedures he had developed over the past years would work just as effectively for secured IoT as it does for secured enterprise.

For some, unless Cisco has a product to address a problem, the problem does not exist. They have deluded themselves that when it comes down to it, the industry behemoths will provide. But keep in mind that success for the behemoths means squeezing every last bit of profit from their investments in current technologies. So it’s fair to say they are not jumping to be the tip of the spear. They are in the rear, with the gear – literally.

For many, secured IoT is achieved with “proven effective methods” using “proven effective products” to achieve “industry standard” security. But are these methods and products really proven or effective for that matter? And what does industry standard security mean?

For the past 30 years, the industry has been handling security the same way. Identify a singular target silo that needs to be secured and buy a bunch of high-priced disjointed security products, then pay different high-priced security people to set each of them up, and another set of high-priced security administrators to keep them up-and-running. Oh yeah – along the way you keep an eye out on security – when your team gets a chance – and hopefully you have the right products – and the right people – and some means of consolidating the different outputs and piecing them together to have digestible data.

There is a well defined and proper order to this effort: identify, evaluate, select, acquire, implement, integrate, operationalize, monitor, manage, troubleshoot, refresh – Lather – Rinse – Repeat! It’s fair to say that 90% of most organizations’ security resources are focused on keeping their security products functional and not security. And a good portion of the people employed in the security industry are product experts first and foremost.

What has this traditional model gotten us? Between the hacked social media, hacked Internet services, hacked financials, hacked power grid, hacked political parties and hacked elections we are more exposed than ever.  We have compromised records that are in-the-wild numbering in the hundreds of millions. Moreover, the US and EU are both facing their own existential crisis because of it. All of this happened only in the last few years and to organizations that could afford security. What about mid-size and small operators that have limited funding and access to expertise?

It’s time that we as an industry admit that the product-centric security model is not just a failure, it’s a breathtaking failure. And we are only in the early stages of distributed compute era. Imagine the challenges that have to be overcome to have properly secured IoT platforms. Here are some comparisons of what is standard with enterprise security today and the emerging challenges to have secured IoT.

• Intel based multi-purpose standard hardware vs. imagination driven purpose-built proprietary hardware.
• Mac, Linux or Windows vs. Many Operating systems that are as of yet undefined.
• Near unlimited resources and power vs. resource challenged devices with limited access or even finite power resources.
• Localized technologies you can touch vs. highly distributed devices around the city, state, country or the world.
• Technologies that operate in concentric networks vs. those that operate on may different public or private networks.
• Lifespan of 3-5 years for enterprise technologies vs. 8-20 for IoT technologies.
  

Secured IoT is already starting to devastate today’s industry standard enterprise security approaches. We can either delude ourselves into thinking that the product companies will fix the problem or we can take control and define our own success. As Gene Kranz, the venerable flight director of the troubled Apollo 13 mission said: “Work the Problem”.  Let’s take Gene’s advice in this era of distributed, mobile and dependency compute. Let’s work the problem, not the product!

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.

Russian Nation State Hackers & What We’re Not Doing

The effective use of Russian nation state hackers led to a hacked election that has resulted in a hacked America. We’re still licking our wounds and not doing anything about it. In fact, we are arguing if it happened at all!

Cybersecurity strategy incorporates the confluence of technology, business and geopolitics with so many moving parts that to call them complex is an understatement. Strategies must span multiple geographies across a plurality of nations and continents. That is why no one can “go it alone”.  Today we need our friends more than ever – not just for geopolitics, but also for cyber defense. Collaboration is the underpinning of cybersecurity.

As the largest global economy that comprises infrastructure, industry, enterprise and institutions, the US is the most technologically advanced. Many American companies span the globe making them one big glass house while the rest of the cyber world are kids with rocks on a dare. These “kids with rocks” fall into four major categories.

 

Four Major Types of Hackers

First, there are hacktivists, who hack for their cause. The most well known of these being the loosely bound group called Anonymous. The second category is terrorist organizations such as ISIS and Al Qaeda. These organizations recognize cyber warfare as a cornerstone to their mid to long-term strategy and are working feverishly and investing heavily to get them to maturity. The third group is financial hackers. The best way to describe financial hackers is the Mob and Cartels’ online arm. And finally, the most dangerous are state-sponsored hackers.

Even though they operate behind triple or quadruple blind systems, which makes tracking them extremely difficult, they can be identified by their unique hacking techniques or fingerprints.

Nation state hackers are not the moody lone-wolf nocturnal teenagers cranking death metal and surviving on Amp energy drinks. That’s a TV cliche. And hacking is not an organic game of pickup, where individual hackers are swapped indiscriminately. Nation state hackers are carefully curated teams that train, collaborate and solve problems together. Not only do they have to get along and gel over time, but they have to build and test many foundational tools they need to perform the advanced objectives they are charged with. Sometimes this can take years!

 

Hacking Fingerprints

Cyber-threat intelligence organizations that monitor and track Advanced Persistent Threats – APTs – use their threat fingerprints to build a profile on each team over time. The collection of fingerprints defines each team, otherwise called an APT. The profile fingerprints for the Russians, Chinese, North Koreans and Iranians all vary.

Each APT, or different hacking group, is assigned a unique number for identification. For example, APT37 is North Korea, APT34 is Iran, and the American election hacks are associated with APT28 and APT29 – which are obviously Russian nation state hackers. In fact, APT28, otherwise known as “Fancy Bear”, is a completely different team than APT29, “Cozy Bear”, both of which work for the Russian Government.  As an example, here is a sample of the fingerprint for Fancy Bear (APT28) that has been tracked since 2007, and the reasons for American intelligence agencies’ confidence in Russia as source for the election hacks:

APT28	Source: FireEye
Target Sectors:	The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms
Type:	Cyber Espionage
Overview:	APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government.
Associated Malware:	CHOPSTICK, SOURFACE
Attack Vectors:	Tools commonly used by APT28 include the SOURFACE downloader, its second-stage backdoor EVILTOSS and a modular family of implants dubbed CHOPSTICK. APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller. It has also made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort.
Operations:	Operation RussianDoll:  Adobe & Windows Zero-Day Exploits Likely Leveraged by Russian APT28 in Highly-Targeted Attack
Detailed Report:	https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

 

There are other means for determining the source of attacks.  Aside from fingerprinting, intelligence agencies do track the sale of zero-day exploits purchased on the markets. Zero-days are exploits for previously unknown vulnerabilities.

 

Exploits on the Market

There are numerous commercial and underground organizations whose business is finding, exploiting and weaponizing vulnerabilities.  Once the exploit is developed, it’s put up for bid – and governments are the most affluent bidders. Commercial organizations offer them for sale on the public market to sanctioned agencies, while underground groups sell their exploits on the black market to the highest bidder indiscriminately. In the case of juicy exploits, the buyer may pay significant sums for the privilege of exclusivity. The buyer wants the advantage of a weapon that nobody else has. All governments use a variety of proprietary techniques, technologies and informants to track the exploit inventory of both rival and ally countries.

Ultimately the recourse to cyber attacks is a blunt instrument in the form of counter-attack. Counter attacks may be counter hacks, economic sanctions, embargoes, or a combination.  However, countering the attacks on commercial and critical infrastructure is often reserved for the largest organizations and limited to the largest and most egregious attacks. American election compromises is such an example.

At this particular point in time, America has opted for a “go it alone” approach to global relationships. Collaboration on cyber issues is not exempt from this. As the occupant of “The Big Glass House” in a world of rock-throwing kids, especially Russian nation state hackers, America needs its friends more than ever.

 

Hacked America Not Minding The Store

Collaboration between government and commercial threat intelligence is key to a successful cyber strategy.

The nation’s top intelligence officer, Director of National Intelligence Dan Coats, indicated on Friday, July 13 that the “persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks.” (nytimes.com) “The system was blinking red,” Coats said. “Here we are nearly two decades later and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack. Every day, foreign actors – the worst offenders being Russia, China, Iran, and North Korea – are penetrating our digital infrastructure and conducting a range of cyber-intrusions and attacks against targets in the United States.”

Recently, Congress has zeroed out nearly $400 million from the fund used to protect the integrity of our election and has blocked subsequent efforts to fund it across partisan lines. In April 2018, the White House Cybersecurity coordinator was relieved from his role less than six months from the November elections. As of the end of July no replacement has been named. Moreover, tough sanctions passed by congress in July 2017 are yet to be implemented as of July 2018. It may be too late for anyone to take the helm and implement meaningful protections at such a late stage.

Collaborating to stop these attacks requires leadership, funding, a competent team, communications and sharing. At this point in time we have the competent team members in the form of our intelligence agencies that are raring to be let loose. However there is no leadership, no mandate and no funding. We also find ourselves in a strange situation with sparse dialog with our allies due to newly formed political trust issues. The patient is not in trouble because a first- year med student is the surgeon. Rather, the patient has been abandoned by the surgeon with little time to live while the operating room is dark because nobody paid the utility bill.

Next in this series we will look at an example of Russia’s nation-state hacking teams and their construct in our blog: Putin’s Eleven: Nation State Hacker Teams Uncovered.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.