You Don’t Have a Malware Problem

CrowdStrike was founded with the core belief that, “You don’t have a malware problem, you have an adversary problem.” Whether it’s a common banking Trojan or a sophisticated cyber weapon, there is a human element at work, and it is this human element that is the real threat.

It is important to recognize the threat comes from an adversary—human beings—not the malware they produce.

The adversary can be any individual, group or nation-state. Some adversaries are tied directly to the governments of China, Iran, India, North Korea and Russia. These nation-state-based adversaries have their own base cryptonym. For example, “Panda” is the umbrella term for all nation-state activity tied to the Peoples Republic of China. Non-nation-state-based adversaries are categorized by intentions. Activist groups like the Syrian Electronic Army (SEA) are categorized as “Jackal,” a name we have attributed to the group, which allows us to express both intent and motivation to our customers. Criminal groups are tracked under the “Spider” cryptonym. These groups are diverse and difficult to track, but they, too, leave human toolmarks in the binaries and tools they leverage to steal information and criminalize the Internet.

Like all manmade objects, electronic tools used in sophisticated cyber attacks have toolmarks left by their human creators. We watch for these toolmarks; they cannot be abstracted away by a compiler, or obfuscated out of the tools and weapons of the trade. By categorizing the tools, as well as the Tactics, Techniques and Procedures (TTPs) leveraged by these adversaries, CrowdStrike seeks to connect the humans back to the fragments and artifacts of the tools they leave behind in the remains of compromised systems and enterprises.

One example of an adversary is DEADEYE JACKAL, also commonly known as the Syrian Electronic Army. Our intelligence suggests the group formed in May 2011, and the initial activity conducted revolved around Facebook spamming and other disruptive attacks. Since then, it has defaced websites and exfiltrated data to more efficiently target against third-party service providers of victims. It is quite plausible this adversary would use the infrastructure of previously compromised victims as a resource to support ongoing campaigns.

Expected Trends

CrowdStrike expects to see a rise in vulnerability research, as well as exploit development and usage in several key areas through 2014.

• Windows XP End of Life: Microsoft Windows XP will reach end-of-life on April 8, 2014, meaning that Microsoft will no longer release security patches for Windows XP after that date. Vulnerability researchers are likely sitting on backlogs of unreported Windows XP vulnerabilities with plans to publicly release or privately sell the vulnerabilities’ details after this date. As such, we expect to see a rise in XP-targeted exploits and a resulting rise in XP infections in the second and third quarters of 2014.
• Third-Party Targeting: Expect to see adversaries targeting third-party vendors in an attempt to compromise the ultimate target. Vendors often have less-robust security than their larger customers, and their networks offer an avenue through which those customers can be compromised. DEADEYE JACKAL used this tactic several times throughout 2013 when it compromised several third-party vendors offering DNS, social media and content management services to major U.S. media organizations.
• gTLDs: We predict that 2014 will see a great deal of activity around ICANN’s new generic top-level domains (gTLDs). These gTLDs will be used by adversaries to support more effective phishing attacks. CrowdStrike also expects new vulnerabilities to be discovered and exploited in network-facing software with regard to handling gTLD hostnames.
• Increased Use of Encryption: Malware in general will be developed with a greater focus on encrypted network traffic. In 2014, we will see a rise in malware that uses SSL and custom encryption methods in order to communicate with remote servers for beaconing, receiving C2 commands, performing data exfiltration, etc.
• Sandbox-Aware Malware: As more security technologies increase their reliance on sandboxes (a security mechanism that separates running programs) for malware analysis, we expect an increase in sandbox-aware malware. This functionality will cause the malware to appear benign to a sandbox, while performing its malicious functionality on a legitimate target system.
• Use of High-Level Languages: The past several years have seen a downward trend in the popularity of low-level languages such as C++, and an upward trend for high-level languages such as C# and Python. These trends are reflected in malware development, and as such we will see higher rates of high-level languages used to develop malware in 2014.
• More Black Market Exploit Activity: The past couple of years saw a surge in bug bounty programs from companies such as Microsoft, Yahoo! and PayPal, and a corresponding decline in public disclosures of vulnerabilities. This trend will continue in 2014 with an increase in black market activity of newly discovered vulnerabilities and newly developed exploits. As the black market activity increases, so will the demand for custom-made malware.
• Activity in the Physical World: Security organizations and other targets of interest should look out for more adversary interactions in the physical world. The physical world activity will not be the kind resulting in physical harm; rather, it will influence and complement cyber operations.

Targeting Around Major Events in 2014

Targeted intrusion operators like to leverage major events in their operations. This is most often done through spear phishing emails that use a particular event as a theme in order to grab the interest of a target. There are a number of significant global events in 2014 that malicious actors could leverage in their operations, including the Winter Olympics in Russia and the World Cup in Brazil. The G20 Summit being held in Australia, and the many elections being held this year will also offer opportunities for phishing.

Organizations should also be aware of targeting around major holidays, as they also present opportunities to target individuals throughout target organizations. Furthermore, major events that occur throughout the year are often closely followed by malicious activity. Significant natural disasters, violence or economic events could be used in targeted campaigns, as could major business events like mergers or IPOs.

Cyber Spillover from Regional Conflict

Private Entities Acting on Behalf of Nation-States

We are seeing more indications of nation-states using actors for hire, which is another trend to follow in 2014. VICEROY TIGER is an adversary that appears to fall into this category, and that was very active over the past year. Public reporting suggests this actor is actually an India-based security firm known as Appin Security Group that may have been contracted by the Indian government. Investigation into VICEROY TIGER’s operations shows that it targeted numerous entities across the globe that would be of strategic interest to India’s government, including heavy targeting of Pakistani military and political entities.

Criminal Activity Becomes More Targeted

In the latter part of 2013, several major retailers were compromised in high-profile attacks. These attacks appear to have taken a page from the targeted attacker playbook. In these attacks, the adversary moved laterally across the enterprise and leveraged specialized tools for scraping the process space memory on Point of Sales (POS) devices. The POS devices are where the actual credit and debit cards of customers are swiped. As this swipe occurs, the magnetic track on the card is read into memory and encoded to be transmitted to the payment processing systems.

The adversaries behind these attacks understood that the POS devices were effective collection points for the track data, and they specifically targeted these devices in order to collect a substantial amount of credit card account information. The fallout from these attacks has been well publicized, and as a result it is likely that other criminal adversaries will develop tactics to leverage lateral movement and memory scraping techniques in the immediate future.

The Best Defense

Dozens of countries have electronic espionage programs in place, looking to steal information from competitors. There could be hundreds of billions in intellectual property at risk. By just focusing on eliminating malware from your system, you leave in place the humans—and the organizations—that are looking to steal data. If you got home and the door to your house had been kicked in, would you just call a locksmith to fix it? It’s more likely you would call the police and try to find out who kicked it in, and why. Perhaps more importantly, you would want to know if the adversary was still there in your home, looking to harm you.

In the case of cyber threats, we recommend several strategies to defend your company from attacks.

1. Accept that cyber attacks are among the most significant risks your organization faces.
2. If the company’s leadership doesn’t think this is important, than staff won’t think it is important, either. The leaders set the pace for the rest of the pack.
3. The response to this is within the whole organization. Don’t make just one person accountable for cyber security. You must have a very candid conversation with everyone. It is through employee e-mails that many attacks have been launched.
4. Make it clear that your company’s reputation is at risk, and security is essential for the health of the organization.
5. Compliance and continued accountability is critical. Everyone needs to be involved and engaged.
6. Better intelligence leading to understanding of the adversaries and their tactics will allow you be more strategic and resilient. Detecting the adversary and responding quickly will allow you to mitigate the damaging consequences from these attacks.

Conclusion

Last year was a very busy one for the adversaries and network defenders who are responsible forfending off the multitude of attacks. Advanced adversaries targeted a number of critical sectors for espionage; at least one actor, SILENT CHOLIMMA, actively engaged in a destructive attack, and criminal and activist groups were able to impact billions of dollars of commerce.

In 2014, the fight will be driven lower down the stack in terms of hardware security threats, and up the stack through high-level programming language malware at the same time. The threat actors are proliferating, and the ability to conduct these attacks is being made easier through regionalized malware packages and builder tools.

Intelligence-driven security is the mantra this year as organizations look to impart threat intelligence into security operations to focus on what really matters. Knowing the adversaries and being prepared for them through a comprehensive strategy for defense, deterrence and detection is your best defense.

Shawn Henry is the president of Crowdstrike Services (www.crowdstrike.com) and CSO and a retired executive assistant director of the FBI specializing in cybersecurity. Reach him at Shawn@crowdstrike.com.