Cybersecurity: A Fight on Two Fronts

While talking with a few federal security analysts at the recent GFIRST Conference, I was reminded of just how challenging the job of information security really is at the government level today. Most anyone who follows security knows that state and federal agencies have been repeatedly targeted in the recent rash of network breaches. However, the thing that really stands out to me is that these agencies are in actuality engaged in a battle on at least two fronts – each with unique adversaries who use very different techniques and have very different goals. On the one hand you have decentralized, opportunistic attacks driven by political motivations, such as those of the hacking group Anonymous, and on the other you have very well organized and targeted attacks supported by nation-states and organized crime. Both of these classes of threat are very real, but they take very different approaches to breaching the network. Let's take a look at both of these scenarios in turn.

Anonymous and the many groups similar to them are, at their heart, politically motivated and as such are more than happy to have their battles in public. As a case in point, the recent AntiSec campaign has seemingly deviated away from whistle-blowing activities to simply attempting to embarrass the government by publishing email exchanges, login credentials, internal documents, and personal information of government employees and actively serving personnel. The targets of the attacks have been equally opportunistic, spanning federal, state and local government, all levels of law enforcement, and the U.S. military.

In terms of technique, many of the breaches have been relatively straightforward, relying on SQL injection and targeting known vulnerabilities in exposed websites and resources. The challenge for this type of attack is not the innovation of the attacker per se, but rather the enormity of the attack surface. The next-generation firewall can help shrink that attack surface by enforcing policies based on application and user, which can significantly reduce the exposure.

  • Reduce the Attack Surface – Agencies need to limit the applications and users that have access to databases and other servers. There is no need for an unknown user to be talking to a database server, for example. Simple policies like this can easily reduce the opportunities for an external attacker.
  • Cover the Basics, Universally – The reliance on known vulnerabilities and techniques means that traditional vulnerability audits and intrusion prevention are a must. However, these must be consistently enforced everywhere, even when users travel off-site.
  • Strong Segmentation and User-Based Controls – Limit the scope of an exposure and detect user roles attempting to access restricted information.
  • Control Applications That Can Transfer Data – Once a system is compromised, the attackers may still have the problem of getting the information out of the network. By monitoring and controlling applications that can transfer files, security teams can prevent restricted data from leaving secure zones of the network.
  • Prevent the Use of Tor, Encrypted Tunnels, P2P and Proxies – Heavily used by Anons to both preserve their anonymity and to hide the destination of exfiltrated data.

While keeping up with Anonymous-style attacks could be a full-time job on its own, the government is also engaged with a very different type of adversary. In this case the key operators are nation-states and organized crime, who are far more targeted, organized and stealthy in their approach. These attacks represent even more risk simply due to the strategic nature of the information being targeted.

Targeted attacks typically begin with a spear-phishing campaign focusing on carefully selected and researched individuals. The targeted user is compromised with malware (often by a drive-by-download), and the infected machine can then be used to expand the operation deeper into the network and into more secure areas. These attacks have all the hallmarks of today’s most sophisticated attacks such as customized malware, advanced command and control infrastructures, and heavy reliance on evasion techniques that allow the attack to hide from traditional security solutions. (You can learn more about the lifecycle of these attacks in our recent Threat Review here).

For these attacks, full visibility and control of traffic at the application level is an absolute prerequisite. Targeted attacks excel at circumventing security controls throughout the lifecycle of the attack, and security staff must regain control at each of these steps:

  • Detect and block drive-by-downloads – These attacks deliver malware to a target simply by luring the user to an infected webpage. The attacker's advantage is that the malware is delivered in real time by the very website that compromises the machine.
  • Control applications known to deliver malware – Obviously not all applications are created equal, and hackers have their own list of favorites based on their ability to evade security and transfer important information. Palo Alto Networks makes it easy to target these applications by policy by creating application filters.
  • Control All Traffic on All Ports – Advanced malware is quite prone to hiding command and control traffic over non-standard ports to avoid inspection. As a practical example, the firewall should recognize and prevent malware that is attempting to send IRC traffic over a non-standard port.
  • Detect command and control traffic – This is the life-blood of an advanced attack, enabling the attackers to finely control an ongoing attack.
  • Detect and block the use of unapproved proxies or unapproved encryption – Again, keeping an attack hidden is of paramount importance in targeted attacks, and proprietary encryption, SSL, proxies and reverse proxies are standard tools of the trade.
  • Search for anomalous behavior using the Behavioral Botnet Report – The Botnet Report exposes and correlates a variety of behaviors that indicate the presence of a user who is infected with advanced malware.
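To make the "control all traffic on all ports" point concrete, here is an added example (not code from the original post or from any Palo Alto Networks product) of identifying an application from its payload rather than its port and flagging IRC-style traffic on a non-standard port. The signatures, the policy (IRC blocked outright, port mismatches blocked, unidentified traffic alerted), and the sample flows are all assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Application signatures: (client payload pattern, conventional ports).
# Identification comes from the payload, never from the destination port.
APP_SIGNATURES = {
    "irc": (re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS) ", re.M), {6667, 6697}),
    "http": (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", re.M), {80, 8080}),
}
BLOCKED_APPS = {"irc"}  # hypothetical policy: IRC not permitted from user subnets

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client

def identify_app(payload: bytes) -> str:
    # Return the first matching application name, or "unknown".
    for name, (pattern, _ports) in APP_SIGNATURES.items():
        if pattern.search(payload):
            return name
    return "unknown"

def evaluate_flow(flow: Flow) -> dict:
    # Decide an action from the identified application and the port it uses.
    app = identify_app(flow.payload)
    expected = APP_SIGNATURES[app][1] if app != "unknown" else set()
    port_mismatch = app != "unknown" and flow.dport not in expected
    if app in BLOCKED_APPS or port_mismatch:
        action = "block"   # disallowed app, or a known app evading its usual port
    elif app == "unknown":
        action = "alert"   # unidentified traffic: needs investigation, not trust
    else:
        action = "allow"
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "app": app, "port_mismatch": port_mismatch, "action": action}
# Constructed sample flows (not real captures): IRC-style check-in on 443,
# plain HTTP on 80, HTTP on an unusual port, and opaque bytes on 8080.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 443, b"NICK bot1234\r\nUSER bot 0 * :x\r\nJOIN #c2\r\n"),
    Flow("10.0.0.7", "198.51.100.20", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Flow("10.0.0.8", "198.51.100.21", 8443, b"GET /x HTTP/1.0\r\n\r\n"),
    Flow("10.0.0.9", "198.51.100.22", 8080, b"\x17\x03\x01\x00\x20opaque-bytes"),
]

def scan(flows=SAMPLE_FLOWS) -> list:
    return [evaluate_flow(f) for f in flows]
```

A port-only rule would have allowed the first flow as "HTTPS"; the payload-based check classifies it as IRC and blocks it regardless of port.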

While these are hopefully helpful examples, the common thread across all of them is the need to have full visibility across all types of applications and users. Attackers of all types thrive on their ability to find and exploit our assumptions, whether it's an evasive botnet hiding traffic on a non-standard port, or simply a user who is unprotected by IPS when outside the office. The real key is the need for full, consistent visibility and control of all our traffic.