by Cameron Camp Security Researcher
We read in the New York Times that Google is rolling out a service that will attempt to alert users when it thinks their accounts might be subject to hacking by a government, hoping the user will take precautions after getting a notice that says “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.” When pressed for details about how Google thinks it will know this, the answers were fairly opaque, perhaps understandably so.
When queried on the subject Google said: “We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis–as well as victim reports–strongly suggest the involvement of states or groups that are state-sponsored,” so while they may not be forthcoming on the exact techniques being used, certainly it’s on their radar and they’re taking steps to notify folks. But better yet, can they stop it altogether?
This is a question being asked by droves of network owners. Industry sentiment among upper-echelon network gurus, when pressed on if they expect to see their networks compromised, seems to be “it’s not if – it’s when.” And when it occurs, increasingly there’s a state-sponsored “footprint” left as evidence.
My colleague Aryeh Goretsky recently opined there’s no such thing as cyber-spying; it’s just spying. And here that’s true as well: While cyber-theft groups set their sights on specific targets for specific reasons which then determine specific techniques, spying also has a set of tools and tactics that more clearly paint its intent, and this can be ascertained by looking at what they’re after and why.
For example, ATM skimmers seek maximum harvests of PIN/credentials per hour, so they install embedded USB and Bluetooth and pick high traffic ATM locations. By noting this, we can tell these scammers are neither hacktivists, nor are they state-sponsored, but rather just after the money. But when a piece of remote control software gets installed deep within a non-commercial organization or a loose collection of activists and doesn’t really seem to do anything – at first – there’s a good chance the motivation is intelligence-gathering for further discovery and eventual exfiltration, in other words state-sponsored-style.
So the better question is how to stop this type of attack, since it acts in a significantly different way, especially when viewed as a chain of events starting at initial discovery and installation, clear up through exfiltration and covering tracks. And when we see the list of search terms used in malware that include things like CIA, FBI, FSB, SVR and so forth, it’s pretty easy to guess what their intent may be.
So what should you do? Here a layered approach to network security design, along with minimum privilege policy is a good start. But your organization should also start to look for rogue access coming from non-standard, sometimes wireless, access nodes. By generating an “RF map” of your facility, you can start to note when new RF “suddenly” pops up, a tell-tale sign that someone left a node that’s trying to “phone home.” Also, start watching exfiltration, especially from data sources that should be staying in their own sandboxed network subnet. Data that tries to traverse multiple subnets trying to get out is a good bet for a trigger event to understand if exfiltration might be happening.
Of course, user training on password complexity and not clicking on suspicious links (and what those look like) are obvious steps, but ones which many organizations simply skim over, often at their own peril.
Another tactic that seems to be gaining traction is installing sinkhole and network decoys, and watching for errant network traffic trying to interact with them. In this way, if a piece of malware thinks it has found a way out of your network, you can capture the activity and narrow down the source of the culprit, without the scammers back at the “mothership” being the wiser. In this way, you can watch over time to see if it receives remote commands, and from where.
As always, one size definitely doesn’t fit all, and your mileage may vary, but having different defense layers and protections in place give state-sponsored scams a lot higher barrier of entry. There is no “perfect defense”, but a series of tough obstacles sure makes it lot tougher for overseas scammers trying to do harm.