There are few solid pieces of empirical evidence on what works in security. The Australian Defense Signals Directorate (DSD) Strategies to Mitigate Targeted Cyber Intrusions is one of those. We at Stratigos Security think a lot of what they do. So does just about everybody else who has come into contact with the documentation.
This post examines some of the assumptions, implications, and a conceptual framework to better understand the document. Let’s start with some of the stated background and assumptions.
- Investigation based – That the mitigations are a result of analysis of investigations carried out by the DSD, primarily in the government sector.
- Adversary focused – That the mitigations are meant to counter adversarial attack.
- Targeted attacks – That the adversaries are motivated to target the victim organization, specifically.
- High value information – That the adversaries’ objective is to steal intellectual property, national defense secrets, or other highly sensitive documents.
- Exhaustive application of mitigations – That mitigations will be applied to 100% of systems, not just a subset.
There are 35 total mitigations listed, almost all of which are specific technical controls. At Stratigos Security we tend to like to bundle technical controls into a higher level framework. This is more digestible for our clients, and allows for a better understanding of why these mitigations work. That’s the key to long-term success in design, implementation, operation, and maintenance of a security program.
Stratigos has aligned most of these mitigations into a few core objectives. In doing so, we seek to harmonize them so each builds on the others. The set works together much better than the sum of each of the individual ones. Our objectives are as follows, as well as examples of mitigations from the DSD document.
- Execute only trusted code – Authorized software packages, components, and functions are defined and enforced.
  - User application configuration hardening
  - Restrict administrative privilege
  - Workstation and server configuration management
- Ensure code is trustworthy – Software is free from known defects.
  - Patch applications
  - Patch Operating System vulnerabilities
- Ensure trusted input – Information and commands are legitimate, meaningful, and non-malicious.
  - Host and network firewall
  - Email and web content filtering
  - Education and awareness
- Manage access – Access proceeds only through known mechanisms, which validate authorization and identity.
  - Multi-factor authentication
  - Enforce a strong passphrase policy
- Contain failure – Security failures in one system or network segment do not affect other systems or segments.
  - Network segregation and segmentation
  - Host and network IPS
  - Operating System generic exploit mitigation
- Eliminate anomalies – Causes of unknown and unexpected events are identified and eliminated, as appropriate.
  - Logging of successful and failed system events
  - Logging of successful and failed network events
  - Capture network traffic
Astute readers will notice that there is a large gap between the objectives and the underlying mitigations. The mitigations are tools, or supporting technologies, that help achieve the objectives, but they do not ensure the objectives will be achieved. This underscores one of the major mistakes most organizations make when they go to implement such a set of mitigations. It’s worth going back to the background and assumptions and identifying some of their consequences. Of course this is far from an exhaustive list.
- Limited applicability – These mitigations come from investigations of Australian government organizations. Other organizations may have different experiences.
- Accidents are excluded – Security risks which result not from adversarial attack, but from accidents are not included. (One of the most common is data breach caused by theft or loss of a mobile device, laptop, or backup tape.)
- Mobile devices are specifically excluded – The mitigations apply to workstations and servers, but not to mobile devices.
- Governance, process, personnel are poorly covered – The mitigations do not include non-technical approaches, which can significantly affect security, risk, and cost.
- Alternate risk mitigation – Risk mitigations available to corporate entities – such as insurance – are not available.
- Cost considerations – Corporations typically require some measure of value justification, associating costs and risks to profitability, rather than to national security or human life.
- Impacts – Impacts should be analyzed in the context of the specific solution in the proposed environment.
- Implementation quality – Poor implementation of the mitigations would result in reduced effectiveness.
- Implementation completeness – Implementing mitigations to fewer than 100% of systems would change effectiveness and cost estimates.
Knowledge of the underlying assumptions, their consequences, and unstated assumptions is key to implementing them appropriately. You can only fill in the missing pieces when you recognize they exist, and where. Some of these missing pieces can help you greatly reduce cost, not just add more to the shopping list.
But we’re diverging from the point here. These six objectives are not the only ones that can be derived from the Australian DSD’s guidance. They have worked for our clients and they allow a fairly complete mapping to the 35 mitigations. This superset also naturally aligns to strategic initiatives to develop processes to take full advantage of these tools. Maybe we’ll add more on that in a future post.
Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.
Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.
In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.
Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to solving systemic issues. We should be raising questions and bringing to light topics such as:
- Opportunism and fear mongering by politicians and our own industry.
- Vandalism portrayed as terrorism.
- The inadequacy of traditional investigative methods in cybercrime.
- Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.
- Pre-determined attribution in hacking and geopolitics.
- A geopolitical reaction to issues stemming from poor corporate oversight.
- The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).
- The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.
There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.
UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that’s exactly the point. Why do we build technology if not to solve societal and human scale issues? If we are creating technology to its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.
When I hear someone say “you can never be too secure,” I assume they don’t understand the implications of that statement. Perfect security can be seen as the absence of risk. This sounds like a tradeoff most people will want. But that’s not always the case. In fact, in most businesses that’s the opposite of what you really want.
Risk is at the heart of the capitalist system. Without risk there is no room for profit except through exploitation or collusion. So businesses must take risks. If there were no risk, competitors could easily enter the market and disrupt the industry.
So risk is necessary; risk is good. There is value in risk just as there is in security. Understanding and undertaking smart risks allows you to balance concerns with ambitions. Balance gives health; imbalance can lead to total collapse.
Over the weekend, Beau Woods presented to OWASP Korea on the OWASP Mobile Security Project. The presentation focused on the OWASP Top 10 Mobile Risks, elaborating on the published list as well as outlining application boundaries and considerations based on differences between mobile and traditional devices, platforms and applications.
We have published the OWASP Top 10 Mobile Risks slides under a Creative Commons Attribution license, see details below.
Update March 22, 2013 18:00 (UTC+9): New information from the Korean Communications Commission (KCC) said that the earlier report connecting attacks to a Chinese IP address was wrong. Instead the IP address was used by an employee of Nonghyup bank. Reports claim that Shinhan and Jeju banks are fully operational, Nonghyup is partially recovered and the broadcasters are only about 10% recovered. Also it appears that 20% of Nonghyup ATMs are still offline after the attack. There’s an interesting first-hand account of the events from an MBC employee.
On March 20, 2013, several banking and media sites in South Korea came under attack. The attacks knocked critical systems offline at banks and media outlets. Initial suspicion pointed the finger at North Korean government, but it now appears that a hacking group may be behind the attacks. Reports are still coming in and some details may change as better understanding is gained. We will update the situation as it evolves.
At approximately 2:20PM in Seoul, computers at three media outlets – KBS, MBC, YTN – and two banks – Shinhan and Nonghyup – froze or rebooted. The banks’ ATM networks were affected, and companies using them for processing credit cards reverted to cash-only transactions. At the media outlets the computer problems did not prevent television broadcasts, but many employees were unable to use their computers. An estimated 32,000 computers were infected with destructive malicious software.
Many of these computers – maybe all of them – will not come back online without lots of work. The malicious software is reported to make all the data inaccessible, either by deleting it directly or by destroying the Master Boot Record (MBR) – the table of contents, so to speak. South Korean officials and people within the affected companies are largely calling these events a “network paralysis” rather than a cyberattack or a Distributed Denial of Service (DDOS).
There has been a suggestion that the attack may be related to suspicious files discovered last week that appear to target KBS and MBC. SBS, another Korean broadcaster, may have also been targeted but is not reported to have suffered damage yet. Some of the malware may have the ability to damage Unix systems as well as Windows.
The South Korean government has raised cyber alert status in the country. The South Korean Army has changed their INFOCON (Information Operations Condition) from 4 to 3, indicating higher threat of attack. The normal status is 5. The Korean Computer Emergency Response Team (KrCERT) changed their status from 2 to 3, reflecting a “substantial” risk of attack.
A subsidiary of the technology maker, LG, called U Plus provides Internet service to all of the affected organizations. It is not known whether this link is related to the attack or whether it is coincidental. Initial reports said that U Plus claimed their systems were hacked – some stories quoting an unnamed spokesperson for the company and some attributing the information to social media posts claiming to be from an employee. CNBC quotes a U Plus spokesperson named Lee Jung-hwan as saying that no attacks were detected on their network. It may be that an attack on U Plus happened but was unrelated to the attacks against the media and banking companies.
There were likely several ways that the malicious software spread. Security systems detected and blocked the malware as it came through email. Analysis of the malicious code itself reveals a mechanism for spreading the malware within the affected companies through a Software Management Server used to distribute updates to computers. It is likely that multiple methods of propagation were used.
Initially most reports suggested that North Korea may be behind the attack. Yesterday Pyongyang derided the joint military actions of the US and South Korea, and recent rhetoric from the North has been very aggressive. Last week North Korea suffered Internet outages, the cause of which is still not publicly known. But they claimed to be victims of a US and South Korean cyberattack. The South Korean government earlier claimed that the malicious code had been traced back to a location in China. However they have retracted the claim, saying that the data they had was misleading and the system was related to Nonghyup bank.
However, evidence is starting to emerge pointing to a hacking group called Whois Team. A website was posted by the group claiming to have stolen all the information and deleted it from the computers. At the moment no official reports from the US or Korean governments have identified the group they think is responsible for the attack. However Seoul has said no Korean government computers have been affected.
These aren’t the first cyberattacks on South Korean institutions. In 2009 DDOS attacks hit several companies, including the banks affected today. And in 2011 DDOS attacks again hit Seoul. However, these are different in that they are not tying up the Internet resources, but are knocking out computer systems in a way that will keep them offline for a while. Analysis of the malicious software revealed the word HASTATI – the first line of attack in the Roman army. A new variant appears to have been found with the word PRINCIPES embedded, which is the second of three waves in a Roman army.
The information above is all from press reports. But there is doubtless much more to the events than has been reported. Most of this is likely because of the confusion that surrounds the early stages of these kinds of events. We are going to try to do some analysis, but because of language and knowledge barriers in media reporting we may come up with some conclusions that aren’t quite right. We apologize in advance and will try to be conservative with our analysis. Here are our hypotheses.
This was not an APT. Several reports have suggested that this attack was perpetrated by an Advanced Persistent Threat (APT). We suspect that this attack is one that was targeted at the victims specifically, but that the techniques were not all that advanced. Truly advanced attackers typically do not destroy the assets they have taken control of within a week of breaking in. Instead, they try to remain undetected for months or years and take information or affect normal operations for some more strategic advantage.
This was probably not North Korea. Several reports have suggested that this attack was carried out by North Korea. We suspect that this is not the case. The value to North Korea is not in shutting the systems down, but in gaining intelligence from them. And if the attack were their doing, then the “skull” website would either be unrelated or a false flag. That doesn’t seem likely. Instead, we believe that this attack was carried out by a group of amateur hackers. The allusions to Roman army structure, however, may be a sign that this activity is a military action but it seems implausible that North Koreans would use a Roman term, given their level of nationalism. But it is entirely plausible that North Korea enticed the Whois Team to carry out the attack.
There may be a Middle-Eastern and North African connection. The type of malicious software used, called “wipers”, has been seen in other attacks. Two of these attacks highlighted by Kaspersky have a Middle-Eastern connection. The skulls image that the Whois Team used has also been used in other attacks against Middle Eastern targets by French-speaking Muslim groups Xrapt0r and Mauritania Hacking Team (links withheld). It’s too early to say if there is a link, but circumstantially it appears that there is. If there is a connection, it may be that the attackers were hired by others in order to cover their tracks. It is also possible that the link is a false flag, designed to throw investigators off.
The LG U Plus link is significant. We don’t believe it is a coincidence that the same service provider counted all of the victims as customers. There are hundreds of ways that an attacker could use this relationship to infect customers with malware. It may not be related to Internet services, but others such as desktop maintenance or server administration. It’s too early to say. But that link could be a red herring. It’s not clear to us whether LG U Plus provides services for other major Korean banks and media outlets or not. It may, in fact, be that LG U Plus is simply the largest Internet and Computer Services company in Korea and that everybody uses them.
This event will end up costing hundreds of millions of dollars. The way in which these computers were affected means there will likely have to be a lot of work that goes into fixing them. That means lost productivity – the largest cost – as well as time from the IT department and other cleanup costs. And there will doubtless be outside investigations to pay for, government oversight questions to answer and purchases made to prevent this kind of thing from happening again. The companies will undoubtedly lose revenue because of these attacks. And any data that isn’t backed up will be lost or will have to be recreated.
There may be more waves of attack. The second (PRINCIPES) variant found strengthens the case that the attacks will proceed in waves. As of yet it is not known if the second variant was a part of the first wave or whether it will cause an impact later. To complete the Roman military structure a third variant should be expected, using the word TRIARII.
Are sloppy security controls actually beneficial to a company during a breach? This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times.
A retail merchant, Genesco is suing Visa over fines from a security breach. The claim is that Visa improperly imposes penalties that are legally unenforceable and in violation of contracts. Genesco had a security breach, but claims that there’s no positive evidence that any credit card data was breached. Here’s Genesco’s logic, from what I can tell:
- Whenever our server rebooted previously logged card numbers were removed.
- Our server reboots. A lot. So often that no credit card numbers were ever in the log files.
- We don’t have Network Security Monitoring that could say whether the credit card numbers were exfiltrated.
- We can prove that some of the card numbers Visa said were breached couldn’t have been. No details provided.
This is the Schrödinger’s Cat of information security. In the lack of good evidence either way, a breach both has and has not occurred. In the vacuum of that ambiguous information, whether or not the data has been breached is as much a question of philosophy as physics…or Incident Response. So poor security monitoring actually helps companies by giving them options on whether to declare a breach or not. This is an interesting cocktail party discussion topic for your next Infosec meeting and can make for some great conversations.
But the lawsuit probably won’t be decided on the technical security details of the case. The lawsuit seems to be more about how and when Visa can assess fines and penalties. There may be some technical talk during the proceedings, but it’s doubtful that a court would open its judgement up to questioning by letting the decision rest on what is sure to be conflicting testimony by each side’s experts.
Still, this will be interesting to watch as it has a lot to do with implementation of Payment Card Industry security standards. Genesco seems to be saying that they were compliant with the PCI-DSS at the time of the breach. That’s a frequent claim after breaches, but that status is often revoked after the fact by the card brands. And that’s bound to bring out heated discussions around the Infosec community and potentially in the courtroom.
It was recently announced that Korean hackers had breached Korea Telecom (KT) and sold personal information on 8.7 million individuals to telemarketers for nearly $900,000 (1 billion KRW). The two hackers, as well as seven telemarketers, have been arrested and charged with crimes. But soon Korea Telecom may find themselves in court under a new Korean law.
The KT breach may have taken 7 months to execute, though it is not clear whether this indicates how long the attackers had access to KT networks. The breach was said to have been detected by internal security systems in mid-July. In a statement by Korea Telecom, they say that the information has been “returned” and that there should be no further damage; however the Korean Telecom Commission has said that they can’t be 100% certain of that. KT has not said whether the information leaked includes financial information such as credit card numbers or bank accounts, but given the extensive list of items that were leaked it is likely that this information was at least accessible to the attackers. The information the company admits was leaked includes the following.
- Mobile number
- Customer number
- Customer name
- National ID number (also called a Resident Registration Number)
- Mobile device model
- Date of registration
- Date of mobile device model change
- Payment plan
- Total monthly payment
The attackers, as well as buyers of the illegal information have been arrested. Based on early reports it appears that the attackers had help from an insider to bypass security systems and gain information on Korea Telecom’s internal systems. The attackers are reported to have claimed they attacked KT because KT has the highest profits, though it’s not clear whether there was a political motivation as well as financial for the attacks.
Korea has experienced many high profile breaches over the last 5 years. Most Koreans have likely been affected by many of these personal information compromises. All told, the number of records breached exceeds the number of citizens of the country by a wide margin. What’s unclear is whether the actual number and severity of breaches has increased or whether they’ve gotten more attention. But the rate of breaches seems to have increased. Here is a brief list of several high profile breaches since 2008:
- Korean Educational Broadcasting System (EBS) – 4,000,000
- Maple Story (Internet Game) – 13,200,000
- Nate / Cyworld (social networking) – 35,000,000
- Hyundai Capital (financial) – 1,700,000
- Sinseagye (Internet shopping mall) – 3,300,000
- GS Caltex (LG-owned oil company) – 12,500,000
- Auction Korea – 18,600,000
Legal remedies for individuals harmed have been tough to come by. A court case against Auction Korea, for example, was unsuccessful because the judge decided that the plaintiffs had failed to demonstrate causality. That is, they couldn’t show that the defendant had caused the breach, nor could they show that poor security was chiefly responsible for it. Therefore Auction Korea was not deemed liable for the associated damages. At the time it was not possible to sue for negligence under Korean law.
The Korea Telecom breach is the first one since the Personal Information Protection Act (PIPA) came into effect in 2012 in Korea. (Note that this is not related to the US Protect IP Act.) The Korean PIPA law is described as a “comprehensive personal data protection law,” which restricts collection of personal information and specifies handling precautions must be in place to prevent breaches. And in a reversal of the provision that has prevented successful legal actions, PIPA allows the plaintiffs to sue for negligence. This tactic puts the burden of proof on the company that suffered the breach to demonstrate that their measures were compliant with PIPA.
If a case is brought against Korea Telecom under PIPA, the result will set a precedent in the Korean legal system. But that case may not be hard to prove. A Korean lawyer is quoted as saying “As the results of the investigation haven’t been announced, it is hard to make a provisional conclusion. But the fact that the criminals who leaked KT personal information prepared their hacking program for 7 months and it was hardly detectable as they leaked small amounts of information. For now, there is still a possibility that KT can claim that they upheld their duty of technical protective action well.”
Privacy rights proponents should carefully weigh the benefits of taking this case to court. On the one hand, they should seek justice on the part of the wronged and consequences on the part of the breached. On the other, if they fail to make a strong case the precedent set may set privacy rights back. Either way, this will be a case to look for if it appears on the docket.
DISCLAIMER: Stratigos Security is not offering a legal opinion, nor has this article been written by a lawyer. Although we did use the services of a Korean translator for much of the research and fact checking, there may still be errors due to the language barrier. We ask that you take our words with a grain of salt and independently verify important facts. That’s just good journalistic practice. We did the best we could, but you shouldn’t believe it just because it’s on the Internet. That’s just plain common sense.