Who Are These Masked Attackers?

We talked about our lack of visibility into the attack horizon and the fact that we can’t predict future attacks in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war. This post addresses our continuing failure to identify the exploitation of legitimacy or even the source or nature of our attackers.

Today, the average financial institution incurs an annualized cyber-attack expense of $13 million. The most prevalent types of cyberattacks are viruses and worms, malware, botnets, web-based attacks and phishing schemes. We believe that the primary actors targeting the financial services industry are often hackers connected to crime syndicates in former Soviet Bloc countries, but this is pure speculation.

The problem as always is we don’t actually know.

As cybercrime is emerging as the dominant financial news headline, banks have become especially vulnerable to scandal. 80% of banking CEOs consider cyber-attacks to be the biggest threats to their companies’ growth prospects. For an industry with a business model developed on the mantra of “trust,” safeguarding client account data should be a matter of life and death. But, if you just dropped in from Mars, you would have trouble believing that.

In what was at the time identified as the highest-volume cyber-attack in history, unidentified hackers launched a sweeping DDoS assault that crashed the websites of Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC. In these denial-of-service attacks, hackers took remote control of thousands of zombie desktops, which they then used to send massive amounts of traffic to unsuspecting websites. Since that worked so well, we saw a follow-on flood of DDoS attacks on Dyn in October, which expanded on the banking model and took down hundreds of websites, effectively bringing the Internet down for several hours across the US. Estimates suggest that tens of millions of users were offline for most of one day.

The bank attack was 20 times the volume of data that had previously been seen, and twice the previous record for a denial-of-service attack, with the follow-on attack having at least 5 orders of magnitude the impact. We believe the point of each attack was disruption, and if that were the case, the attackers made their point quite convincingly. But we will never know their real intent, or whether these attacks were part of a larger scheme, because we don’t know who they are.

The Islamist terrorist group Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the financial sector attack, but most of the forensic investigators expressed doubts based on the group’s assumed inability to coordinate such a sophisticated series of attacks, and many US Senators are of course blaming Iran. If there were a comedy film making fun of Kim Jong Un involved, I assume we would be blaming the North Koreans. Both of these attacks underscore the problem we have with attribution.

Back in 2010, the NASDAQ was hit with a cyber-bomb that was planted by a suspected group of Russian hackers based on an FBI tracing of encrypted messages to a Russian IP address. Analysts from the NSA also found distinct similarities between the malicious software implanted in the NASDAQ and a program written by Russia’s Federal Security Service (FSB), the successor to the KGB.

But again, we have no concrete evidence of this, any more than we have concrete evidence that the Russians hacked the DNC, Hillary’s email servers or election sub-nets in Bloomington, Indiana.

In October 2014, JPMorgan Chase disclosed that cyber thieves had stolen account data for 76 million individuals and 7 million small businesses (in spite of the $250 million Chase spends every year on cybersecurity). Suspicion initially fell on Russian hackers believed to be working for the Kremlin. But, by mid-October, Federal investigators dismissed any connections to the Russian government.

In February of 2015, a cybercrime scheme concocted by a group of hackers stole over $1 billion from banks in China, Europe, England, Japan, the United States and 25 other countries.

The attackers, now referred to as the ‘Carbanak Gang’, were a multinational group thought to be made up of individuals from Europe, Russia, Ukraine and China. The syndicate infected more than 100 financial institutions around the world, and it is believed but not proven that this same family of malware was used to hack into U.S. Democratic National Committee systems and is the same strain that has also been found infecting an Android app used by artillery units defending eastern Ukraine after Russia invaded Crimea in 2014. But again, no one knows.

Are you getting the sense of a global chaos yet?

The malware, called X-Agent, is also apparently a variant used in a hack of the World Anti-Doping Agency which appeared to support Russian government disinformation campaigns. The forensic analysts identified this group as [probably] Fancy Bear. This strain is also known as APT28, Pawn Storm, Sednit and Sofacy and is guesstimated to originate with a related Russian group known as Cozy Bear - aka CozyDuke or APT 29.

The DNC intrusion has been allegedly attributed by all U.S. intelligence agencies to senior Russian officials, yet not one of these 17 agencies has offered any forensic evidence of the attack.

Attribution has been the Achilles’ heel of our cyber defense program for years. We don’t know who the actual perpetrators are [as there are so many ways bad guys can obfuscate their trails and/or misdirect sourcing efforts toward false flags], or what their ultimate objectives may be [was the SONY hack about retribution for a stupid movie insult, or a devious way to oust an unpopular executive through an email outing?], or how on earth they got to be so darned sophisticated so fast.

We have seen story sub-headlines like this one throughout 2016: “The Islamic State’s hacking army doesn’t actually work for ISIS—It’s part of the secret Russian online espionage effort against the West”

Although the loaded term “false flag” has been hijacked by tinfoil-hat wearers and cyber-wackjobs, it’s a perfectly legitimate and widely used espionage method of venerable heritage. Spy agencies have routinely, throughout the years, masqueraded as third parties for operational purposes such as agent recruitment and covert action. The nastier intelligence services will even disguise themselves as active terrorists to further their agenda.

Whether the Russians are or are not responsible for these or other hacks misses the point. The fact that we don’t know who it is or what they want and most importantly how to defend against it is by far the larger issue. Whether the recent use of Android-based malware against the Ukrainian artillery is the work of the Russian military or not, what exactly is anyone going to do about it?

The idea that Vladimir Putin authorized his intelligence agencies to go to cyber war against the West under an ISIS cloak is anything but shocking to anybody informed about longstanding Russian espionage tradecraft. The only innovation here is that it is being conducted in cyberspace. If we knew for sure it was the Russians and had indisputable evidence, do we present it to the UN and demand sanctions? Do we call Vladimir and ask him to stop it please? Do we nuke the whole country and everything around it just in case? Do we set up a closed Internet like China? Of course we don’t.

Targets in recently alleged Russian cyber-attacks include numerous think-tanks, law firms, lobbyists, government agencies, and consultants. There were also almost 4,000 Google accounts targeted in a “spear-phishing” campaign to steal personal and privileged information. It’s clear that this coordinated offensive aimed at the heart of our nation’s capital stole a great deal of inside knowledge about America’s political elite that would be of high value to any foreign intelligence service, not just the Russians.

But again, so what? What was the purpose in the CIA asserting that the attacks on the voting system were of Russian origin and then refusing to offer evidence in support of that claim? When was the last time the CIA ever offered any opinion about anything to anyone?

If you were to take just the small group of data points discussed here and then imagine them multiplied 100-fold, you would have a pretty clear picture of the chaotic cyber-world we live in today. America has neglected counterintelligence for so long that we have allowed foreign intelligence into the heart of our national security services, and in business, our failure to take the threats seriously has rendered us virtually defenseless in the face of seemingly countless forms and styles of attack vectors, from script kiddies to DDoS floods.

When we flail around in this level of confusion about the identity and purpose of the enemy, combined with the absurd imbalance of information between attackers and defenders and a cybersecurity economy that pits a thirteen million dollar defender against a five dollar attacker, meshed with our inability to see beyond the next hill of threats, it is not surprising that we are losing this war.

The way to win? Put 10 guys in a room for 6 months. And I’ll tell you who they should be.

Merry Christmas.


Brian Beyst, MBA

Director of Research and Development, Co-Founder, Cognitive Function Development Institute

8 years

There are two distinct questions that need to be addressed - each of which has a distinctly different purpose. The question as to the identity of the attackers is necessarily forensic - it can only be answered AFTER an attack occurred and has as its focus sorting out who the guilty party is for a specific attack. It should be clear, however, that viewing from a forensic perspective does little to prevent future attacks - at best it applies a measure of justice to past events. The second, and arguably more important question from a security point of view is what are the attributes which describe the most probable attacker relative to a given organization? If the security team can understand the attributes which a potential attacker needs to overcome the currently implemented security controls, then the controls can be modified accordingly. When done properly, the attack will be prevented before the forensic team needs to be involved. Thus, knowing who the attackers are is only important after the breach. Understanding the potential attacker's attributes, on the other hand, is the key to properly prioritizing the organization's cybersecurity initiative. Paying attention to the forensic rear view mirror rather than the potential attackers in my immediate path does little to make my company more secure. That would be like gawking at law enforcement pulling over a reckless driver rather than paying attention to the careless driver changing lanes directly ahead of me.

Reply

Cesar Rodriguez

CTO @ IQ / Co-Founder IQAI.com - Exploring the Boundless Possibilities of AI

8 years

The question is not who are these masked attackers, it's why do they wear a mask; it's pretty useless for a hacker :P

Peter Rus

Innovative enterprise solution/security architect/DORA /CRA /Digital Compliance Strategy/ Ensure successful innovation projects in less time with more value

8 years

"cybersecurity economy that pits a thirteen million dollar defender against a five dollar attacker, meshed with our inability to see beyond the next hill of threats, it is not surprising that we are losing this war." It's a thirteen million dollar screen observatory, reactive technology... and sold to companies that this is the way to tackle threats is intelligence. Well, your intel is as good as it gets, and if you don't know who your attackers are, not all info is shared and APTs keep coming, you can only count your assets and hope they're not gone... otherwise you find out not because you have seen it but because they have published the records on the dark net for sale: Yahoo, Target, Sony. Get away from that reactive stand and become preventive... you might switch the advantage back, since an ounce of prevention is better than a pound of reactive complex firefighting.

More articles by Steve King, CISM, CISSP
