In a previous post, we focused on organizations’ characteristics, such as sector, geography, risk and impact, when discussing the pillars of building a threat identification program. Now, we move deeper into the concept and expand upon the threat identification process through example scenarios, helping translate the conceptual framework into daily practice.
It’s Always About Business Risk
Too often, our cybersecurity story is “pay no attention to the man behind the curtain.” We provide updates on new projects and significant attacks; we talk about blocking an attack in isolation and not in terms of business risk; and our success seems almost magical. The narrative can, thereby, remain limited and doesn’t communicate how our efforts are enabling the business. Our predictive work is hidden and our success is difficult to quantify or evangelize.
Coming into that overall picture, breach and attack simulation (BAS) platforms have been able to provide data on stopping attacks on time. It has changed our thinking and capabilities. By running thousands of potential attacks against a real, but non-production environment, we can generate data that validates which controls block an attack and which do not. We can also show the step-by-step success and missed opportunities in blocking a cyberattack, such as a phishing campaign, for example. This new ability to visualize and quantify was the missing link in communicating the value of predictive and preventative security work.
With this in mind, let’s look at putting threat intelligence to work and making it predictive, preventive and proactive (our three Ps).
Sector Example: Ransomware in Health Care Organizations
Ransomware has seen a disturbing increase over the past two years. As of September 2020, one in four attacks remediated by IBM Security X-Force Incident Response was the result of ransomware. Alongside the rise in attacks, ransom demands are also increasing exponentially. In some engagements, IBM Security X-Force has seen ransom demands of more than $40 million. One gang that deploys ransomware is suspected to have amassed over $150 million in 2020 alone.
Ransomware begins with cybercriminal gangs infiltrating an organization with a simpler piece of malware or a loader. Then, the actors install Trojans or other backdoor software on critical systems and lock the rightful owners out. These types of attacks, facilitated by malware strains, such as Ryuk, DopplePaymer and others, have caused billions of dollars in damages to victimized organizations. Those behind the attacks often combine ransomware with spear phishing, data theft and extortion techniques to target specific sectors where downtime is a major detriment to operations and victims are more likely to pay.
As reported in the 2020 IBM X-Force Threat Intelligence Index, there was a dramatic increase in ransomware attacks that began in the last quarter of 2019. Many of the targets were health care organizations. Hospitals and health care systems have many critical medical instruments and systems based upon the commonly targeted Windows operating system. Because of the risks and challenges of updating these systems, hospitals can have significant delays in deploying critical patches, which in turn leaves security gaps that cybercriminals prey on and leverage in their attacks.
The 2020 COVID-19 pandemic has put even more pressure on hospitals and medical research institutes. Ransomware gangs understood that this added pressure translated into heightened urgency to resolve an attack, making hospitals more likely to pay a ransom. For example, in July 2020 a large hospital and medical school paid a seven-figure ransom within days of an attack to unlock the computers and data of COVID-19 researchers. In October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint cybersecurity advisory ‘Ransomware Activity Targeting the Healthcare and Public Health Sector’ based on a fresh wave of ransomware attacks against the U.S. healthcare system.
Applying the threat identification process (Figure 1) to potential attacks, we first survey the threat landscape and see what threats are likely to target the health care sector. For threats that pose a critical risk, we designate attack exercises to show what might happen. This exercise uses known techniques, tactics and procedures of typical actors and illuminates attack trajectories from ingress to horizontal traversal to payload delivery and execution.
The results highlight proactive efforts for vulnerability mitigation, such as unpatched systems, a predominance of BYOD devices and recent attack trends on entities in the sector. To summarize, we construct a threat graph (Figure 2) that makes it simple to drill down to any specific threat category related to the sector. We design the graph to show which threats pose the greatest concern so analysts and security operations teams can prioritize those.
Figure 1: Threat Identification Procession
Figure 2: Threat Graph
Once we determine attack scenarios to simulate, we run the exercise and review those that had success against the environment.
Today’s organizational cybersecurity programs use defense-in-depth doctrines that layer and multiply controls to prevent actors from achieving their objectives. Insights on each layer validate the value they provide for the business.
Equally important is how attackers can succeed, as many sophisticated attacks today have multiple tactics to deliver their payloads. We use data from simulations to recommend adjustments and identify what preventative steps can block successful attacks. By doing this, we shift from reactive to proactive security. It is the constant probing and testing with BAS that yields a mindset of continuously improving security posture.
In the longer run, this process provides specific metrics about attacks that failed and succeeded in the first pass and how we have improved that ratio with our analysis. This is one method of demonstrating the business value of a strong threat identification program teamed with BAS.
Geography Example: COVID-19-Related Attacks
When the COVID-19 pandemic spread, fear of the pandemic ran much higher for several weeks in Asia before concern heightened in the rest of the world. It was then that we identified emerging cyber threats that sought to take advantage of this trend. Campaigns included ransomware, malware and phishing attacks, often with social engineering lures exploiting fears or purporting to provide news through fake websites. With the evolution of COVID-19 information, we collected data from various sources (news outlets, security analysis, phishing campaigns, etc.) and tracked the attacks as they developed.
In our threat identification process, we prioritized the new COVID-19 attack types for operations in the Asia-Pacific region because of the higher likelihood of exposure there at a given time. This prioritization covered all economic sectors, as the targeting of the campaigns was broad.
Because attacks were rapidly emerging, it was important to run scenarios almost as soon as the publication and discovery of the tactics and techniques took place. Based on the various scenarios, clients predicted potential breaches, changed controls to prevent impact and adopted a proactive, situationally aware stance. The attack exercises generated initial data on successful and unsuccessful attempts and documented improvements in security stance resulting from evolving mitigation steps.
Targets Example: Card Data — Magecart, POS Attacks and Credential Stuffing
Cyber criminals have been aggressively targeting payment card data for well over a decade, stealing it in a variety of ways online and at physical locations, and buying it from other criminals.
One of the most pernicious attack types that aim to steal payment card data in recent memory is Magecart. This is an umbrella term for a family of data skimming attacks that target retailers by injecting malicious code into the ‘cart’ areas customers use to check out with their purchases.
Another way attackers have been targeting payment card data is point-of-sale (POS) skimming, which is an attack that plants a card-copying device on the terminals in physical stores. The skimmer can copy the card’s magnetic stripe. POS terminals have also been the target of malware that is set to scrape sensitive payment data from the servers that process transactions, also known as random access memory (RAM) scraping.
Credential stuffing attempts happen when cybercriminals use mass amounts of known password and login pairs across many sites to take over legitimate user accounts, most often targeting e-commerce retailers, travel and hospitality brands.
Let’s look closer at each attack type.
As online retail has grown, malicious actors have adapted to digital trends, with e-commerce skimming acting as the new POS malware. A Magecart gang compromises the client-side application code and changes it to capture sensitive information from customers, stores it in an obfuscated file, then sends the file back to a command-and-control server elsewhere in the world. Usually, a Magecart attack seeks to capture login and password data as well as financial data, such as credit card numbers and the victim’s contact information. The more complete the record, the more it is worth in the fraud arena. A Magecart attack gets its name from the open-source Magento commerce platform, although now there are Magecart-style attacks against all major commerce platforms, including Salesforce and Shopify. By compromising an underlying platform, attackers deploying malicious code have been able to rob thousands of websites using the same vulnerability.
Because Magecart operates in the background, both customers and e-commerce site operators may not realize a compromise has occurred for months or even years. Magecart is probably the most substantial risk today facing online retailers. The largest General Data Protection Regulation (GDPR) fine to date resulted from poor security practices that failed to protect against and stop a Magecart attack. For retail clients, Magecart is one of the top issues they face. We ranked it heavily in creating attack scenario exercises that can help detect and mitigate the attacks.
Another common form of attack that focuses on payment card data is to compromise in-store POS systems with digital skimming agents. This can happen anywhere — coffee shops, gas stations and retail shops, to name a few. In-store POS targeting is becoming less common, however, as shoppers move their purchasing to online channels.
RAM scraping malware is another issue in physical locations that process payment data. Malware-compromised terminals are harder to manage remotely and provide far less volume nowadays than Magecart attacks on an online checkout page. Nonetheless, by running attack scenarios against all known relevant POS malware variants, we can document how security controls reduce risks and recommend mitigations to prevent POS compromise.
A third common attack against retailers, credential stuffing is an automated attack that uses known and often validated password/username pairs to take over existing customer accounts.
A detrimental user habit to reuse passwords across many accounts helps this type of attack succeed. A single email address can provide substantial value as often the same password corresponds to hundreds of online resources. After fraudsters take over one account, they may use it to make additional purchases, drain loyalty points or execute ‘buy online pick up in-store’ fraud. Credential stuffing focuses on login pages or application programming interfaces (APIs), and in recent years malicious tools are available to reduce detection by running at low volumes on distributed IP address networks or botnets.
As part of our simulation exercise to better protect card data, we weigh the potential impact of each of the three attack types. Then, along with the likelihood of attack attempts, we prioritize in descending order. Finally, we use this list to determine:
- Allocation of our research time;
- Potential geographical areas as launchpads for attacks;
- Most relevant tactics of the actors.
Putting the Three Ps Into Proper Focus
The devil is in the details with threat identification and assessment, but this is where the three Ps come into focus. When we miss an attack, that’s an opportunity to dive into the data and understand what happened by answering the following key questions:
- Was a preventative control missing?
- Did someone override a control?
- Was a control misconfigured?
- Did the attack use social engineering to achieve its objective?
- How can we prioritize security awareness education to counter the tactics?
During this process, we move along the continuum from predictive to preventative to proactive with each iteration. Because of the developing nature of cyber threats, the three Ps process is continuous. For each threat, we need to assess the potential impact based on the latest information and ask questions such as ‘Will a threat actor attack just one device or many?’ and ‘Will it take down a less important part of an enterprise or a more mission-critical part?’ Each time we run the process, we evangelize the results to communicate value.
Threat identification is never over, but it can be more efficient and useful if you effectively deploy the three Ps alongside a means of testing and retesting, such as BAS or running attack scenarios.
Learn more about IBM Security’s Threat Intelligence Services.
Global Threat Intelligence Analyst, IBM Security
Colin Connor is a global threat intelligence strategic analyst with IBM X-Force Threat Intelligence. Colin has 22 years of experience in cyber security and i...