330 Core Software Security
Cyber espionage is highly strategic in nature; key targets include critical infrastructures, industrial attacks, manufacturing, research and development, pharmaceuticals, finance, and government. Government targets may also include the defense industrial base (DIB), which includes defense contractors, research organizations, and political and other high-ranking individuals.
Examples of espionage attacks are Aurora (GhostNet), Shady RAT,
Titan Rain, and Night Dragon. Note that some of these attacks can be
counted both as espionage and as cyber warfare. They may have multiple
utilities depending on how they are deployed. It might be helpful to think
of cyber espionage as one part of cyber warfare.
Operation Aurora and GhostNet. The 2012 USCC Annual Report on China contains the following statement:
China’s cyber capabilities provide Beijing with an increasingly potent tool to achieve national objectives. In a strategic framework that leans heavily on cyber espionage, a diverse set of Chinese hackers use pilfered information to advance political, economic, and security objectives. China’s pursuit of intellectual property and trade secrets means that much of this espionage targets private enterprises. [8]
The information security community has been aware of cyber espionage activities for some time now. However, the extent and impact of such activities surprised many of us. In 2009, researchers at Information Warfare Monitor gave the name “GhostNet” to large-scale cyber espionage operations conducted by the Chinese government. These operations, associated with advanced persistent threats (APTs), raised awareness of APT attacks in the security community and among the general public. GhostNet enabled infiltration of high-value political, economic, and media targets spread across 90+ countries around the world. Though its command and control centers were based in China, there was plausible deniability for the Chinese government, as there was no way to associate it with actual operations. Note that successful cyber espionage operations will have this trademark, allowing governments to disassociate themselves from the actual groups carrying out these attacks. [9]
Pulling It All Together: Using the SDL to Prevent Real-World Threats 331
The attackers would “social engineer” targets to open a document or a link infected with malware. After that, malware would be installed on the target’s system (without raising any red flags for most users). Once this happened, malware would provide almost unrestricted access to the attackers. Code was obfuscated, and multiple Trojans were used to avoid detection by many popular antivirus/antimalware software.
Operation Aurora was a cyber attack conducted from China. Attacks began in 2009 and continued until the end of the year. The targets for these attacks were multinational companies including Google, Adobe, and Rackspace. Some companies chose to disclose publicly that they had been the targets of attacks, while others remained under suspicion but never came out publicly. According to McAfee, the primary goal of the attack was to get access to (and modify) the source code of these multinational companies. One should note that many of these companies have development offices in Asia (including China). Thus, protecting their bread and butter—source code—is of paramount importance to them, though it was not considered “severe” enough by some companies before this attack. This trend is changing, but not fast enough. If anything, it has resulted in chaos, especially in China, and suspicion of employees working in offshore offices. This complicates any SDL activities a security group would like to implement in a global enterprise. [10]
Operation Shady RAT. Dimitri Alperovitch of McAfee reported Operation Shady RAT in 2011. Like Operation Aurora, Operation Shady RAT consists of ongoing cyber attacks and has targeted 70+ countries as well as the United Nations and the International Olympic Committee. RAT is an acronym for Remote Access Tool, and though it is not confirmed who is behind these operations, suspicions point to China in this case as well—especially due to the targeting of Olympic organizations around the time of the Beijing Olympics in 2008. [11] Among other targets were Associated Press offices, the U.S. Energy Department, and U.S. defense companies. In this case, as in GhostNet, attackers would “social engineer” users of selected organizations into opening documents, spreadsheets, and other innocent-looking files that actually contained malware. Once the end user complied, malware would be installed and would try to connect to its remote server (hard-coded into the malware) and provide attackers with a remote shell. [12]
Night Dragon. In 2011, McAfee reported that well-organized and targeted cyber attacks were taking place on key international oil and energy companies. These attacks seem to have started in 2009 (though, as for many attacks in this class, there is no sure way of knowing this definitively). Based on investigations by McAfee, fingers point again to China (or China-based hackers). Targeted companies were spread across many different countries, including the United States, Greece, and Taiwan. Information that was stolen included specifics on companies and their operations, bidding data, as well as financial information on projects. Attackers exploited vulnerabilities in Windows operating systems, applications (including SQL injection), and Active Directory infrastructure. Remote Access Tools (RATs) were used to harvest and steal sensitive information. First, the companies’ external-facing infrastructure (e.g., Web servers) was compromised through SQL injection attacks. This allowed attackers to execute remote commands to target and compromise internal desktops and servers within the enterprise. Additional information was harvested (e.g., passwords), allowing attackers to access sensitive information inside the infrastructure. Attackers were able to establish direct connections from infected systems to the Internet and exfiltrated sensitive information, including from senior executives’ systems. [13,14]
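The first link in the Night Dragon chain, SQL injection against external-facing Web servers, is exactly the class of coding defect that the SDL's secure coding and code review practices are meant to remove before a product ships. The following Python example is added here for illustration and is not code from the book or from any of the companies named above. It builds an in-memory SQLite table with constructed sample rows (the user names, roles, and hash strings are placeholders) and contrasts a login lookup that concatenates user input into the SQL text with the parameterized form, adding an allowlist check as a second layer a Web tier could apply before the query reaches the database.

```python
import re
import sqlite3

# Constructed sample data: a minimal user table such as an external-facing
# Web application might consult during login. The hash values are placeholders.
SAMPLE_USERS = [
    ("alice", "placeholder-hash-a", "admin"),
    ("bob", "placeholder-hash-b", "user"),
]


def make_db():
    """Create an in-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Builds the SQL text by string concatenation (the defect).

    Whatever the caller supplies becomes part of the statement, so a quote
    character in the input changes the structure of the query rather than
    being treated as data.
    """
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_parameterized(conn, username):
    """Same lookup with a bound parameter (the fix).

    The statement structure is fixed before any input is seen; the driver
    passes the username purely as a value.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical allowlist for this example: letters, digits, and a few
# punctuation characters, 1 to 32 characters long.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """True if the value matches the allowlist above; False otherwise."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_user_hardened(conn, username):
    """Defence in depth: validate the input, then use the parameterized query."""
    if not is_valid_username(username):
        raise ValueError("username failed input validation")
    return lookup_user_parameterized(conn, username)


# The textbook tautology probe, constructed here only to show the difference
# in behaviour between the two query styles.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal input:", lookup_user_vulnerable(db, "alice"))
    print("concatenated, probe input: ", lookup_user_vulnerable(db, PROBE))
    print("parameterized, probe input:", lookup_user_parameterized(db, PROBE))
    print("probe passes allowlist?    ", is_valid_username(PROBE))
```

Run as written, the concatenated query returns every row for the probe input because the quote character closes the string literal and the remainder becomes part of the WHERE clause; the parameterized query returns nothing, since the whole probe is compared as a literal username; and the allowlist rejects the probe before any query is issued. In a code review under the SDL, the presence of string concatenation in SQL construction is the finding; parameterization is the required fix, and validation is the additional control, not a substitute for it.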
Titan Rain. APT class attacks were launched against infrastructure in the United States and its allies by hackers believed to be working on behalf of the Chinese government. Attackers were able to get access to many sensitive systems of defense contractors and federal agencies. The purpose of these attacks was to obtain sensitive information, thus putting Titan Rain into the espionage category rather than warfare, although it could be easily used for cyber warfare as well. [15–18]
10.1.1.2 Organized Crime
Along with the evolution of the Internet, cyber crime has evolved from the domain of individuals and small groups to traditional organized crime syndicates and criminally minded technology professionals working together and pooling their resources and expertise. This has been largely due to the speed, convenience, and anonymity that modern technologies offer to those wanting to commit a diverse range of criminal activities. Consequently, just as brick-and-mortar companies moved their enterprises to the World Wide Web seeking new opportunities for profits, criminal enterprises are doing the same thing. The global nature of the Internet has allowed criminals to commit almost any illegal activity anywhere in the world, making it essential for all countries to adapt their domestic offline controls to cover crimes carried out in cyberspace. These activities include attacks against computer data and systems, identity theft, the distribution of child sexual abuse images, Internet auction fraud, money laundering, the penetration of online financial services, online banking theft, illicit access to intellectual property, online extortion, as well as the deployment of viruses, botnets, and various email scams such as phishing. Organized crime groups typically have a home base in a nation that provides safe haven, from which they conduct their transnational operations. In effect, this provides an added degree of protection against law enforcement and allows them to operate with minimal risk. The inherently transnational nature of the Internet fits perfectly into this model of activity and the effort to maximize profits within an acceptable degree of risk. In the virtual world there are no borders, a characteristic that makes it very attractive for criminal activity; yet when it comes to policing this virtual world, borders and national jurisdictions loom large— making large-scale investigation slow and tedious at best, and impossible at worst. [19–21] Some of the more noteworthy groups are the European crime rings, state-sponsored criminal groups and proxies, U.S. domestic crime groups, and Mexican cartels.
As payoff from cyber crime grows, it is no surprise that organized crime groups seek a share in it. Cyber crime allows organized syndicates to finance their other illicit activities in addition to providing hefty profits. Criminal syndicates are involved in everything from theft to extortion, piracy, and enabling online crime in the first place. They are providing a new meaning to the “as-a-service” term. In addition to exploiting cyber infrastructure for monetary gains, they are enabling cyber attacks by providing vulnerabilities, creating tools, and offering resources to people who will pay for them. These services include selling vulnerabilities (proactively looking for them in new software products and infrastructure), creating and selling exploits for existing vulnerabilities, spam services, infrastructure (botnets, hosting), as well as malware. [22]
10.1.1.3 Socio-Political Attacks
Socio-political attacks are often intended to elevate awareness of a topic
but can also be a component or a means to an end with regard to political
action groups, civil disobedience, or part of a larger campaign, and they
may be an indicator and warning of bigger things to come.
Evidence is growing that more cyber attacks are associated with social, political, economic, and cultural (SPEC) conflicts. It is also now known that cyber attackers’ level of socio-technological sophistication, their backgrounds, and their motivations are essential components to predicting, preventing, and tracing cyber attacks. Thus, SPEC factors have the potential to be early predictors for outbreaks of anomalous activities, hostile attacks, and other security breaches in cyberspace. [23]
Some well-known examples of socio-political attacks have been the
result of efforts by Anonymous, WikiLeaks, and Edward Snowden (also
an example of an insider threat), and attacks by radical Muslim groups or
jihadists (e.g., Al Qaeda).
Anonymous. Anonymous is a group of activists that over the last few years has become well known for its attacks on government and corporate infrastructure. It has a decentralized command structure and can be thought of more as a social movement. This movement has targeted everyone from religious institutions (Church of Scientology) to corporations (Visa, MasterCard, PayPal, Sony) and government institutions (the United States, Israel, Tunisia). Some of the most famous attacks launched by Anonymous are Project Chanology and Operation: Payback Is a Bitch. After a video of Tom Cruise was posted on a blog, the Church of Scientology responded with a cease-and-desist letter for copyright violation. Participants in the project organized a raid against the church, including distributed denial-of-service (DDoS) attacks. In 2010, they targeted the RIAA and MPAA, bringing down their websites. [24] This action was a protest to protect their rights to share information with one another—one of their important principles, in their opinion.
WikiLeaks published classified diplomatic cables in November 2010. Under pressure from the U.S. government, Amazon.com removed WikiLeaks from its servers, and PayPal, Visa, and MasterCard stopped providing financial services for WikiLeaks. This resulted in attacks against PayPal, Visa, and MasterCard, disrupting their websites and services. [25–27]
Anonymous also launched a number of activities in support of the “Arab Spring” movement and has targeted websites hosting child pornography. After San Francisco’s Bay Area Rapid Transit (BART) blocked cell service to prevent a planned protest, Anonymous targeted the BART website and shut it down. [28]