By Rick McElroy, Security Strategist and Tom Kellermann, Chief Cybersecurity Officer, both at Carbon Black
Corporations are regularly under siege from multiple threat actors in cyberspace. The underground cyber marketplace that flourishes around the world has allowed criminals and nation states to wage long-term campaigns against corporations and government agencies. These attackers target businesses and consumers from the fog of the Dark Web.
Evidence suggests the Dark Web has become an economy of scale in which cyber-crime syndicates have begun to target the inter-dependencies of our networks, and the adoption of cloud technology has only made these attacks harder to hinder. The cloud has given malicious actors blind spots to hide in and more avenues of attack. As our data moved to the cloud, our security programmes did not keep up.
When one starts to think of the risks facing organisations that leverage the cloud, one must begin to think about those brave fighters whose mission it was to fly into the clouds over enemy territory and deliver strategic bombing campaigns to weaken the enemy during World War II. Organisations that leverage the cloud are delivering services to customers and partners in a low-visibility environment. Furthermore, as the cyber-criminal community burrows into networks, we must appreciate that after the initial theft of data, they tend to hibernate. This hibernation allows for secondary monetisation schemes. Some of these criminal endeavours include reverse business email compromise against your customers and/or selective watering-hole attacks. Cyber criminals realise there is implicit trust in your brand, trust that can and will be exploited. The modus operandi of cybercriminals has been modernised, and we should allow their offence to inform our defence, from who is accessing systems to what threats are hitting cloud endpoints. Even with anti-virus and other basic protections in place, organisations continue to be outpaced by attackers.
To extend the analogy: B-17s were equipped with armour and machine guns, just as your servers may have AV and logging turned on. But much like early World War II, we continue to be outpaced in innovation and weaponry, and we continue to lose the battles. The B-17 was nicknamed the “flying fortress.” However, it proved not to be one.
One of the most complex cybercrime conspiracies of 2017 was carried out by a group named StonePanda (also known as APT10). Over the past year, these hackers have run a sophisticated campaign of attack against Western corporations known as the “Cloud Hopper Campaign.” The BBC reported that firms in the UK, Europe and Japan were targeted by the group, and that by infiltrating supply chains the attackers gained an easy route into many different targets. What began with a spear-phishing attack leveraging fileless malware escalated to hijacking the victim’s website and using their brand to target consumers. It then metastasised into the interconnected networks of their supply chain via cloud hopping. One important feature of this campaign was watering holes.
The watering holes executed remote JavaScript-based reconnaissance to target MSSPs. Once in, the attackers deployed HAYMAKER, a backdoor that can download and execute additional payloads in the form of modules, followed by a secondary infection via an open-source remote-access Trojan (RAT). These criminals were not conducting a burglary; they were executing an invasion.
“During World War II, various methods were employed to protect high level bombers from flak, fighter aircraft and radar detection, including defensive armament, escort fighters, chaff and electronic jamming.”
To help ensure the success of bombing raids, the Army (Air Force) failed fast and iterated through changes. One of the key takeaways was that their bombers would absolutely need fighter escorts in order to mitigate the risk of unseen attackers lurking in the clouds.
“Early models proved to be unsuitable for combat use over Europe and it was the B-17E that was first successfully used by the USAAF. The defence expected from bombers operating in close formation alone did not prove effective and the bombers needed fighter escorts to operate successfully.” The lesson here for cyber defenders is that trying to build a single “fortress” that is impervious to innovation on the attacker side is a recipe for repeated failure. Instead, organisations should deploy the following:
- The use of escort fighter pilots to ensure the safety and success of the missions (protection)
- The employment of the Norden bombsight and radar (visibility)
Next-generation antivirus protection such as Cb Defense gives you prevention against attacks by interrupting attackers’ behaviour, so that the systems supporting the strategic delivery of services for your organisation remain in service. It provides a proactive defensive posture, levelling the battlefield and tipping the advantage back to defenders.
Endpoint detection and response capabilities give visibility into the tactics attackers are using, so that your team can respond and remediate faster. This raises the bar on each attack and forces the attacker to change what they are doing to attack you. It also allows your team to pinpoint root causes and remediate vulnerabilities more quickly. Furthermore, it gives them the ability to find threats proactively and sooner, protecting their strategic objectives.
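To make the “visibility into tactics” point concrete, here is an added example (not Carbon Black code, and not any product’s detection logic) of the kind of behavioural correlation an EDR pipeline performs over endpoint process telemetry. It runs on a constructed set of process, network and file events that mirror the chain described above: a document spawning a script host (the fileless spear-phishing/watering-hole stage), that process fetching something over the network and writing a module to disk, and a child process then executing that module (the backdoor-loads-modules stage). The event field names, the process names, the rule names and the sample telemetry are all assumptions made for this example; the output is the alert plus the full parent-process chain, which is what lets an analyst pinpoint the root cause rather than just the last symptom.

```python
"""Behavioural correlation over endpoint process telemetry (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed process-name groups for the rules below (illustrative, not exhaustive).
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry. The schema (ts/pid/ppid/image/cmdline/kind) is an
# assumption for this example, not any EDR product's real event format.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe", "kind": "start"},
    {"ts": 2, "pid": 200, "ppid": 100, "image": "winword.exe", "cmdline": "winword.exe invoice.docm", "kind": "start"},
    {"ts": 3, "pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe <constructed stage>", "kind": "start"},
    {"ts": 4, "pid": 300, "kind": "netconn", "dest": "203.0.113.5:443"},  # TEST-NET address, constructed
    {"ts": 5, "pid": 300, "kind": "filewrite", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\mod.dll"},
    {"ts": 6, "pid": 400, "ppid": 300, "image": "rundll32.exe",
     "cmdline": "rundll32 C:\\Users\\a\\AppData\\Local\\Temp\\mod.dll,Run", "kind": "start"},
    # Benign control: an administrator's console spawning a script host should not alert.
    {"ts": 7, "pid": 500, "ppid": 100, "image": "cmd.exe", "kind": "start"},
    {"ts": 8, "pid": 600, "ppid": 500, "image": "powershell.exe", "cmdline": "powershell Get-Process", "kind": "start"},
]


@dataclass
class Alert:
    rule: str
    pid: int
    chain: List[str]  # root-cause chain, oldest ancestor first


class ProcessTree:
    """Tracks parent/child relationships so an alert can be explained by its ancestry."""

    def __init__(self) -> None:
        self.proc: Dict[int, dict] = {}

    def add(self, ev: dict) -> None:
        self.proc[ev["pid"]] = ev

    def chain(self, pid: int) -> List[str]:
        out: List[str] = []
        seen: Set[int] = set()
        while pid in self.proc and pid not in seen:  # 'seen' guards against pid reuse loops
            seen.add(pid)
            p = self.proc[pid]
            out.append(f"{p['image']}({pid})")
            pid = p["ppid"]
        return list(reversed(out))


def correlate(events: List[dict]) -> List[Alert]:
    """Apply two behavioural rules over time-ordered telemetry and return alerts with root-cause chains."""
    tree = ProcessTree()
    alerts: List[Alert] = []
    netconn: Set[int] = set()          # pids that made an outbound connection
    written: Dict[str, int] = {}       # file path -> pid that wrote it
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["kind"]
        if kind == "start":
            tree.add(ev)
            parent = tree.proc.get(ev["ppid"])
            # Rule 1: a script host launched by a document viewer or browser
            # (the fileless spear-phishing / watering-hole pattern).
            if parent and parent["image"] in DOC_APPS | BROWSERS and ev["image"] in SCRIPT_HOSTS:
                alerts.append(Alert("script-host-from-document-or-browser", ev["pid"], tree.chain(ev["pid"])))
            # Rule 2: a new process executes a file that was written by a process
            # which had network activity (a backdoor staging a downloaded module).
            cmd = ev.get("cmdline", "").lower()
            for path, writer in written.items():
                if path.lower() in cmd and writer in netconn:
                    alerts.append(Alert("downloaded-module-executed", ev["pid"], tree.chain(ev["pid"])))
        elif kind == "netconn":
            netconn.add(ev["pid"])
        elif kind == "filewrite":
            written[ev["path"]] = ev["pid"]
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} chain={' -> '.join(a.chain)}")
```

Run against the constructed telemetry, the two malicious stages each produce one alert whose chain leads back through the document that started it, while the administrator’s console session produces none. In a real deployment the rules would be driven by the EDR’s own event schema and tuned against the organisation’s baseline; the structure (time-ordered correlation plus a process tree for root-cause attribution) is the part that carries over.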
It should also be noted that modern cyber operations consist of humans versus humans. The adversaries want to interact with your systems once they get in. They want as much intel as possible to leverage against you and your partners. Whenever the offence pivots, so must defenders. The team that can better Observe, Orient, Decide and Act when under attack will be miles ahead of those that lack basic visibility into what attackers are doing. This is especially true in a cloud environment. By employing both protection and visibility capabilities, and by partnering with a company that securely enables the cloud, organisations can move upstream of the problem and be well positioned to drive change.
So, in conclusion, how do you defend yourself from the cyber attackers looking to invade your cloud? You do it by securing the battlefield. You do it by rapidly providing visibility into what the attackers are doing, and by enabling your teams to find them and remove them.