Humans Just Can’t Cut it Anymore
By Peter Stephenson, PhD, CISSP (lifetime), FAAFS (2015-16)
Let’s face it, folks… when it comes to interdicting and stopping a cyberattack we’re tortoises racing the hare. When the adversary unleashes an automated attack on multiple locations of our organizations, by the time we can respond effectively using current-generation tools the damage has been done. Current generation tools – those that depend upon too much human interaction, are based upon databases of recently discovered threats, and human understanding of all of the latest threat intelligence – are woefully inadequate to the task of cyber protection.
Palo Alto Networks recognized in the “Cyberpedia” article, What is a Zero Trust Architecture? that “The Zero Trust model recognizes that trust is a vulnerability.” That’s fine – and accurate – as far as it goes – but as they say on the late-night infomercials, “wait… there’s more.” The more is that a true zero trust architecture recognizes the tortoise/hare analogy and incorporates next-generation tools in the security blob (no… it’s not a “stack” anymore… it’s an entire architecture in itself).
What do I mean by “next generation”? Put simply, I mean detection, analysis, infrastructure, and interdiction tools based upon some form of artificial intelligence, today usually machine learning. More importantly, why does it matter? What’s in it for you? The answer is simple: complexity.
Today’s networks are complicated. They often – perhaps usually – are software datacenters. That allows – encourages – server and, in some cases, workstation proliferation. They often enable multiple locations globally and equally often are connected to a public cloud such as AWS. Unused devices often are not removed because, unlike hardware devices, they need not be repurposed. They remain on the virtual network, essentially unprotected. This vastly increases the attack surface.
Another issue is internal malicious or accidental behavior. Clicking on an attachment or going to a web link in a Phishing email can literally invite that adversary into the network. If we add such innovations as a blockchain – including blockchain-based DNS, hive nets, and swarm-bots we have a very hostile environment that, in many cases can act on its own. Many of the malicious activities we see are designed to take advantage of legitimate dlls, applets, and servelets performing their malicious tasks is a perfectly acceptable manner that would not be tagged by current generation defenses as unauthorized. By the time humans can discover, understand and interdict, the attack is over. And, likely as not, successful. In other words, they live off the land bringing as little identifiable malware with them into the attack as possible.
Consider this hypothetical… at 3 AM on a Saturday morning leading into a long weekend, the on-duty NOC engineer notices thousands of simultaneous logins and accounts being emptied. These transactions are completed within the boundaries of permitted behavior and they raise no alarms. The sharp-eyed engineer happens to notice what she considers anomalous behavior and unplugs the network from the Internet. The activity continues, but, of course, has no Internet access so it goes nowhere.
She next captures some packets while the futile exfiltrations are continuing in an effort to trace their destination. Are these legitimate withdrawals or is something wrong? Something is wrong because she cannot trace any of the destination IPs. They all seem to go to web servers – that kind of traffic would appear normal to the monitoring tools – but when she attempts to learn about the IPs through the DNS she finds that they appear not to exist.
By pure luck, she intercepts a bank transfer – clearly an error on the part of the attacker – and finds that it goes directly into a bitcoin account on the blockchain. It disappears. The money is gone who knows where?
As this is going on our intrepid NOC engineer receives a text from her counterpart in India. That is followed by a text from her counterpart in the UK. All are reporting the same events. Losses are in the millions of US dollars. The forensic teams go to work but there is no forensic evidence on any machine. What has happened?
First, the attacker likely took advantage of some infrastructure preparation. The core of that is a bullet-proof network. A bullet-proof network usually is a collection of hosts in a fast flux network with front-end web servers, usually compromised. A fast-flux network changes its addressing rapidly so it is likely that you won’t get to an actual working server. The stolen front-end accesses are sold to attackers for use as entry points to the fast-flux which operates its own DNS. As a front-end becomes unavailable the hoster moves the customers to another front end. The attack appears to come from a legitimate host but it actually comes from the fast-flux. The front-end may be a command and control and very often will have a control panel that the operator gives access to his customers (other attackers).
Over a period of time, the attacker has sent out spam campaigns comprised of phishing messages. Those messages return account data for the recipient that allows the attacker to enter the network and harvest account information from multiple accounts. He does this very slowly and quietly. The penetration is by bots and when their task is done they destroy themselves. However, at no time do they violate any security rules that would trigger an alarm. The attacker now has a collection of accounts and credentials. He waits patiently for the right time. Now he brings the botnet into action.
Today, he will use a command and control server to manage his bots but the near future will bring autonomous bots in the form of hive nets and swarm-bots operated using machine learning. They won’t need the operator to function. once he is ready – in this case early morning on a holiday weekend – he will command his bots to perform a “smash and grab”. The bots log in using legitimate credentials, empty their assigned accounts – probably one per bot – send the money to the blockchain and destroy themselves. The trail stops at the blockchain going out and at the bullet-proof network coming in. There is no forensics.
This type of attack today is very difficult to manage, especially with current-generation tools. When the state of practice on the adversary side embraces next-generation tools it will be nearly impossible to manage without next-generation defenses.
What are these next-generation tools and where do we get them? This is not a product review – although there are some both on Cyber Defense Magazine and elsewhere. In CDM I focus exclusively on these tools – so I’m not going to get into specific products. What they are is another question entirely. There are some that are the general purpose for asks such as enterprise monitoring and response, some that are infrastructure especially deception networks, and some that are purpose-built for specific tasks such as enterprise forensics. These tools can enable a next-generation response to complicated attacks thus safely avoiding the removing of the enterprise from the Internet.
The moral of all of this is that our traditional security management techniques are woefully inadequate to today’s tasks. That, however – and I emphasize this – does not mean that our basic tenets of security should be ignored. We certainly will update old rules and policies to meet today’s challenges, but security still is security. And we still have the same basic objective: protect the data. How we do that is an ever-evolving challenge.
About the Author
Dr. Peter Stephenson has reactivated himself to exclusively focus on deep next-generation Infosecurity product analysis for Cyber Defense Magazine after more than 50 years of active consulting and teaching. His research is in cyber-legal practice and cyber threat/intelligence analysis on large-scale computer networks such as the Internet. Dr. Stephenson was technology editor for several years for SC Magazine, for which he wrote for over 25 years. He is enabled in his research by an extensive personal research laboratory as well as a multi-alias presence in the Dark Web.
He has lectured extensively on digital investigation and security and has written, edited or contributed to over 20 books as well as several hundred articles and peer-reviewed papers in major national and international trade, technical and scientific publications. He spent ten years as a professor at Norwich University teaching digital forensics, cyber law and information security. He retired from the university as an Associate Professor in 2015.
Dr. Stephenson obtained his PhD at Oxford Brookes University, Oxford, England where his research was in the structured investigation of digital incidents in complex computing environments. He holds a Master of Arts degree in diplomacy with a concentration in terrorism from Norwich University in Vermont.
Dr. Stephenson is a full member, ex officio board member and CISO of the Vidocq Society (http://www.vidocq.org). He is a member of the Albany, NY chapter of InfraGard. He held – but has retired from – the CCFP, CISM, FICAF and FAAFS designations as well as currently holding the CISSP (ret) designation.