In the early 2000s, security was mostly focused on perimeter separation between the trusted corporate internal network and the untrusted everything else. The separation was clear: most corporate applications sat inside the perimeter, users worked from the office, and remote work was rare.
Today, the number of applications a typical enterprise uses has grown dramatically, and those applications are moving from on-premises to the cloud. In addition, a pervasive enterprise culture now lets employees work from anywhere, on almost any device. That makes it very hard to draw the line between trusted and untrusted, and it expands the attack surface available to threat actors.
This introduces new challenges in every discipline and aspect of security, and forces security solutions, processes, and people to evolve beyond the simple firewall model of LAN | WAN | DMZ. Today you need to incorporate micro-segmentation, intrusion detection and prevention (IDP/IPS), network access control (NAC), mobile device management (MDM), and multilayer solutions to support complex environments and deployments as safely as possible.
In the past, security focused mostly on networking layers 1 to 4, physical to transport. Today's security is far more challenging, spanning all layers and threat vectors. Threat actors are also considerably more sophisticated and organized, and now deliver well-crafted, targeted attacks. As security defenders, like any other defenders, we need to be at least as sophisticated as the attackers in order to identify threats and protect the enterprise.
The biggest challenge for security teams is identifying threats. Let me illustrate this with an example:
What would you think/do when you saw a man walking by your car? What would you think/do if that same man returned again after five minutes?
There are two possible outcomes:
- nothing happened, meaning the activity was legitimate
- five minutes later, the man was breaking into your car
The dilemma we face daily as defenders is: at what point does an indicator turn from legitimate to malicious? Unlike most other areas of technology, which are governed by rules, protocols, policies, and procedures, threat identification is often the opposite: no rules, no protocols. Threat actors constantly try to disguise their activity or work around controls, in most cases with the goal of extracting the highest possible monetary value. That is not the only motive, though; some threat actors pursue other outcomes, such as political leverage, promoting an activist agenda, or even cyberwar between nations.
Detecting unusual patterns and signs, especially in sophisticated phishing campaigns, is more challenging than ever before. Attackers try to harvest victims' credentials (16Shop, Chalbhai) or financial and other personally identifiable information (PII) that can be used in subsequent malicious activity. For example, the Emotet malware campaign, which recently re-emerged after lying dormant over the summer, is based on a banking Trojan but has evolved into a generic information stealer delivered by spam or phishing emails. Usually a malicious macro is embedded in a Microsoft Word document, attached directly or linked from a PDF. After the victim opens the document and enables macros, the macro drops Emotet. The malware achieves persistence by injecting code into the machine's running processes and adding registry keys. Once this is done, Emotet contacts its command and control (C2) servers for further instructions. Based on those instructions, Emotet may drop additional Trojans or transmit sensitive data collected from the victim's machine.
Pykspa is a worm that spreads through Skype instant messages. Once installed on a computer, Pykspa spreads to other systems while harvesting the machine's personal information, which it reports to the attacker's C2 server; it locates that server with a domain generation algorithm (DGA). Pykspa has multiple variants that use evasion techniques to block system updates and detection by security software, and that modify the hosts file to block access to security websites. Others, like Defray ransomware, are known to target healthcare users in the U.S. and Europe, sending emails with an embedded executable that triggers the malware download and execution.
This year alone, the FBI reported growth of over 300% in ransomware attacks.
Here are some of the 2019 attacks in the U.S.:
- September 2019: Back-to-school month saw a large number of K-12 schools hit by ransomware
- August 2019: In Texas, a coordinated attack on 23 cities caused an estimated loss of around $12 million
- June 2019: Lake City, Florida, agreed to pay a ransom estimated at around $500K
- June 2019: Riviera Beach, Florida, disclosed a ransomware attack and a payment of $600K
- May 2019: Baltimore was hit with a RobbinHood ransomware attack, with damage estimated at $18 million
- April 2019: Cleveland Hopkins International Airport suffered a ransomware attack with costs of around $17 million
- April 2019: Augusta, Maine, was targeted in a ransomware attack that froze the city's entire network and forced the city center to close; the attacker demanded $100K, but the city did not pay and instead committed to invest $500K
- April 2019: Hackers stole roughly $500K from the city of Tallahassee, Florida
- March 2019: A ransomware attack cost Albany, New York, around $400K
- March 2019: Jackson County, Georgia, officials paid cybercriminals $400K after a Ryuk ransomware attack shut down the county's computer systems
These are only a few examples of the technical and monetary damage caused by the enormous number of threat actors and attacks happening every second around the world. We, as defenders, need to identify these threats and protect our customers from them.
Now you may ask: how can you look at the threat landscape without becoming paranoid and blocking everything? As with any answer to a complex problem, we need to start with "it's hard, but ..." So, it's hard, but it is easier to understand when dissected into smaller parts:
- Perform continuous monitoring and activity auditing
- Analyze monitored traffic
- Identify anomalies or unexpected activity
- Correlate it to known or suspected threats
- Isolate and mitigate
- Recover and remediate
Each of these parts has its own subsections and points that organizations today need to address themselves or find someone who can address for them. That is where Akamai ETP (Enterprise Threat Protector) comes into play, analyzing the large volume of daily data available globally to Akamai, one of the biggest CDN and DNS cloud solution providers. ETP can identify problems like DNS exfiltration in near real time, using proprietary machine learning algorithms to detect anomalies. Diligent, highly skilled teams monitor traffic to distinguish between legitimate DNS tunneling, used day to day by security vendors and the advertising industry, and malicious (or even red team) activity.
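As an added illustration of the kind of DNS exfiltration signal described above (example code written for this page, not Akamai ETP's algorithm), the Python below profiles a constructed DNS query log per registered domain and flags domains whose subdomain stream looks like encoded payload: nearly every query carries a new, long, high-entropy label. The log records, the `evil-tunnel.test` and `cdn-assets.test` names, the thresholds, and the assumption that the registered domain is the last two labels are all made up for the example.

```python
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character of text; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, suffix_labels: int = 2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Assumption: the registered domain is the last two labels. A real
    deployment would use the Public Suffix List so 'x.co.uk' is handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= suffix_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def profile_domains(queries):
    """Per-registered-domain features from (client, qtype, qname) records."""
    raw = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _client, qtype, qname in queries:
        sub, dom = split_qname(qname)
        st = raw[dom]
        payload = sub.replace(".", "")  # the part an exfil tool controls
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(payload)
        st["ent"] += shannon_entropy(payload)
        if qtype.upper() in ("TXT", "NULL"):  # record types tunnels favour
            st["txt"] += 1
    profiles = {}
    for dom, st in raw.items():
        n = st["n"]
        profiles[dom] = {
            "queries": n,
            "distinct_ratio": len(st["subs"]) / n,
            "mean_len": st["len"] / n,
            "mean_entropy": st["ent"] / n,
            "txt_ratio": st["txt"] / n,
        }
    return profiles


def flag_tunnels(queries, min_queries=5, min_distinct=0.8, min_len=30,
                 min_entropy=3.5, allowlist=()):
    """Registered domains whose subdomain stream looks like encoded payload.

    Thresholds are illustrative; tune them on your own traffic. The allowlist
    is where tunnelling confirmed as legitimate (vendors, ad tech) goes.
    """
    flagged = []
    for dom, p in profile_domains(queries).items():
        if dom in allowlist or p["queries"] < min_queries:
            continue
        if (p["distinct_ratio"] >= min_distinct and p["mean_len"] >= min_len
                and p["mean_entropy"] >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)


def _payload_chunk(i: int) -> str:
    """Deterministic stand-in for one base32-encoded exfil chunk (52 chars)."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample log, not real ETP data: normal browsing, a CDN with many
# short hostnames, and one host streaming encoded data through TXT queries.
SAMPLE_QUERIES = (
    [("10.0.0.5", "A", "www.example.com")] * 6
    + [("10.0.0.5", "A", "mail.example.com"), ("10.0.0.9", "A", "api.example.com")]
    + [("10.0.0.9", "A", f"img{i}.cdn-assets.test") for i in range(8)]
    + [("10.0.0.7", "TXT",
        f"{_payload_chunk(i)[:26]}.{_payload_chunk(i)[26:]}.t{i}.evil-tunnel.test")
       for i in range(12)]
)

if __name__ == "__main__":
    for dom, p in sorted(profile_domains(SAMPLE_QUERIES).items()):
        print(f"{dom:18} n={p['queries']:2} distinct={p['distinct_ratio']:.2f} "
              f"len={p['mean_len']:5.1f} entropy={p['mean_entropy']:.2f} "
              f"txt={p['txt_ratio']:.2f}")
    print("flagged:", flag_tunnels(SAMPLE_QUERIES))
```

The CDN case shows why subdomain uniqueness alone is not enough: every hostname is new, but the labels are short and low-entropy, so only `evil-tunnel.test` is flagged. Tunnelling that analysts have confirmed as legitimate belongs in the `allowlist`, which is the manual curation the passage describes.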
Identifying botnet activity that uses DGA techniques, or complex phishing campaigns, cannot happen without some false positive detections. Threat actors work hard, at massive scale, to reach their goals and bypass defenders, trapping victims by improving and combining multiple methods, such as:
- Compromising legitimate sites
- Exploiting known vulnerabilities over servers and applications such as Apache and WordPress
- Registering domains that look very similar to the legitimate one (typosquatting), like the examples below:
- Identifying the source of activity, such as known security vendors or federal government networks, and avoiding it
- Incorporating analysis evasion techniques into the code, like not running inside VMs or not responding when the C2 domain resolves to an RFC 1918 address (private address space used inside corporate networks, and commonly inside analysis sandboxes)
- Obfuscating code to make analysis harder (see the before and after decoding examples below)
- Using methods like DGA or fast flux to disguise C2 communications
- Using Tor or other proxy services for anonymity and evasion
- Relying on human nature to trust and to automatically respond, click, or do what the attacker asks, if the request arrives in the right way and/or at the right moment
- Abusing benign domains and services that provide legitimate social networking as C2 channels for their malicious activity
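The typosquatting and homoglyph tricks in the list above can be screened for mechanically. The following is an added example written for this page (not Akamai code) that folds common homoglyph substitutions back to the letters they imitate, computes edit distance against brand names taken from this page, and reports names that embed a brand. The `.test` lookalike domains and the `BRANDS` map are constructed, and the two-label registered-domain split is an assumption.

```python
# Brands named on this page and their genuine registered domains (constructed map).
BRANDS = {
    "microsoft": {"microsoft.com"},
    "linkedin": {"linkedin.com"},
    "wellsfargo": {"wellsfargo.com"},
    "schwab": {"schwab.com"},
    "chase": {"chase.com"},
}

# Characters and digraphs attackers swap in because they render alike.
# Caveat: "rn" -> "m" and "vv" -> "w" also rewrite ordinary words (modern,
# savvy), so a homoglyph hit is a signal to review, not proof.
_DIGRAPHS = (("rn", "m"), ("vv", "w"))
_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions back to the characters they imitate."""
    label = label.lower()
    for pair, repl in _DIGRAPHS:
        label = label.replace(pair, repl)
    return label.translate(_CHARS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(fqdn: str, brands: dict):
    """Findings for one FQDN as (brand, reason) pairs; empty means nothing suspicious.

    Assumption: the registered domain is the last two labels (no Public Suffix List).
    """
    labels = fqdn.rstrip(".").lower().split(".")
    registered = ".".join(labels[-2:])
    name = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize(name)
    findings = []
    for brand, legit in brands.items():
        if registered in legit:
            continue  # the brand's own domain
        max_dist = 1 if len(brand) <= 6 else 2  # short brands need a tighter bound
        if norm == brand:
            findings.append((brand, "homoglyph" if name != brand else "lookalike-tld"))
        elif brand in norm.split("-"):
            findings.append((brand, "brand-embedded"))
        else:
            d = levenshtein(norm, brand)
            if 0 < d <= max_dist:
                findings.append((brand, f"edit-distance-{d}"))
    return findings


def scan_domains(fqdns, brands):
    """Map each suspicious FQDN to its findings; clean domains are omitted."""
    results = {}
    for fqdn in fqdns:
        findings = check_domain(fqdn, brands)
        if findings:
            results[fqdn] = findings
    return results


# Constructed sample of observed domains (reserved .test TLD, not real registrations).
SAMPLE_DOMAINS = [
    "www.schwab.com",                 # genuine brand domain
    "wellsfarg0.test",                # digit zero for the letter o
    "rnicrosoft.test",                # "rn" imitating "m"
    "linkedn.test",                   # dropped letter
    "microsoft-account-verify.test",  # brand embedded in a longer name
    "chase.test",                     # right name, wrong TLD
    "news.test",                      # unrelated
]

if __name__ == "__main__":
    for fqdn, findings in scan_domains(SAMPLE_DOMAINS, BRANDS).items():
        print(fqdn, findings)
```

Edit distance alone gives many hits on short brand names, which is why the bound tightens for brands of six characters or fewer; in practice this feeds a review queue (new-domain registrations, certificate transparency logs) rather than blocking outright.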
With ETP, Akamai is committed to enabling security by incorporating sophisticated big data analytics and monitoring techniques to generate high-quality detections and intelligence, ensuring minimal disruption and a strong security posture.
We use multiple curation techniques focused on minimizing the false positive ratio while still identifying some of the major attacks of 2019, such as:
Mylobot is a DGA-based botnet used to download and execute other malware, including banking Trojans, miners, and ransomware (Locky and GandCrab among them). It uses sophisticated evasion techniques such as shutting down endpoint security, opening ports in the operating system firewall, and code injection. It also implements anti-debugging capabilities to prevent researchers from identifying and studying the malware.
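Botnets that locate their C2 through a DGA, like Mylobot here and Pykspa above, typically produce a burst of NXDOMAIN answers for random-looking names, because only a few of the candidate domains are registered on any given day. The Python below is an added example for this page (not ETP's detection) that groups NXDOMAIN responses per client into fixed time windows and flags clients whose distinct failed lookups mostly look algorithmically generated. The event records, client addresses, thresholds, and the two-label registered-domain assumption are all constructed for the example.

```python
from collections import defaultdict

VOWELS = set("aeiou")


def lexical_features(name: str):
    """Vowel ratio, longest consonant run and digit ratio of a domain label."""
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = longest = 0
    for c in name:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    digit_ratio = sum(c.isdigit() for c in name) / len(name) if name else 0.0
    return vowel_ratio, longest, digit_ratio


def is_random_looking(name: str) -> bool:
    """Heuristic: a long label with few vowels, a long consonant run or many digits.

    Caveat: real words like 'rhythms' or 'strengths' also trigger this, so keep
    a label allowlist alongside it.
    """
    if len(name) < 8:
        return False
    vowel_ratio, longest_run, digit_ratio = lexical_features(name)
    return vowel_ratio < 0.25 or longest_run >= 5 or digit_ratio > 0.2


def registered_label(qname: str) -> str:
    # Assumption: the last two labels form the registered domain (no Public Suffix List).
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def detect_dga_clients(events, window=60, min_nxdomain=10, min_random_fraction=0.6):
    """Clients with a burst of NXDOMAIN answers for distinct random-looking domains.

    events: (timestamp_seconds, client_ip, qname, rcode). Returns {client: stats}
    for clients exceeding the thresholds inside any fixed-size window.
    """
    buckets = defaultdict(set)  # (client, window index) -> distinct NXDOMAIN names
    for ts, client, qname, rcode in events:
        if rcode.upper() == "NXDOMAIN":
            buckets[(client, ts // window)].add(qname.rstrip(".").lower())
    hits = {}
    for (client, _idx), names in buckets.items():
        if len(names) < min_nxdomain:  # dedup: one bad name retried is not a burst
            continue
        random_count = sum(is_random_looking(registered_label(n)) for n in names)
        fraction = random_count / len(names)
        if fraction >= min_random_fraction:
            hits[client] = {"nxdomain": len(names), "random_fraction": fraction}
    return hits


# Constructed sample events, not real resolver logs. All timestamps fall in one window.
_BASE = 1_700_000_000
_DGA_NAMES = ["xkqvbtlpwdzm", "qzrtkvhjbxlp", "wpvmzkxtqrnd", "hjkqzvbtwmxl",
              "tzpkqvlbrdxm", "vkqwzmtlbpxr", "bqxztkvmlpwd", "mzqvktlxbpwr",
              "lxqkvbzptwdm", "pwkzqtvxlbmr", "dzqkxvtlbwpm", "rqzvkpxwtlbm",
              "a8kqz3vt7lbx"]
_CORP_HOSTS = ["fileserver", "printer", "nas", "intranet", "wiki",
               "git", "mail", "vpn", "hr", "db"]
SAMPLE_EVENTS = (
    # infected host walking its DGA candidate list
    [(_BASE + 2 * i, "10.0.0.21", f"{n}.test", "NXDOMAIN") for i, n in enumerate(_DGA_NAMES)]
    + [(_BASE + 5, "10.0.0.21", "www.example.com", "NOERROR")]
    # ordinary host with one typo
    + [(_BASE, "10.0.0.22", "www.example.com", "NOERROR"),
       (_BASE + 1, "10.0.0.22", "exmaple.com", "NXDOMAIN"),
       (_BASE + 2, "10.0.0.22", "mail.example.com", "NOERROR")]
    # host with a bad DNS search suffix: many NXDOMAINs, but for ordinary names
    + [(_BASE + i, "10.0.0.23", f"{h}.corp.test", "NXDOMAIN") for i, h in enumerate(_CORP_HOSTS)]
)

if __name__ == "__main__":
    for client, stats in detect_dga_clients(SAMPLE_EVENTS).items():
        print(client, stats)
```

The 10.0.0.23 host, a machine with a misconfigured search suffix, produces just as many NXDOMAIN answers as the infected host, but for ordinary-looking names, which is exactly the false-positive case the text warns about. Only 10.0.0.21 is reported.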
Mirai is a botnet that targets Linux-based network devices and infects vulnerable Internet of Things (IoT) devices. Infected devices scan the Internet for other IoT devices and try to log in with common default usernames and passwords. If a login succeeds, the device is turned into a bot that can take part in large-scale distributed denial-of-service (DDoS) attacks. Mirai does not scan private IP addresses (RFC 1918) or ranges owned by some large organizations (e.g., GE and the U.S. Department of Defense).
Dark Caracal is a spyware campaign that has been active since 2012 but was only discovered in 2018. It uses a Trojan that impersonates legitimate mobile applications such as WhatsApp. Dark Caracal mainly targets Android devices, but it is also known to use other malware such as Bandook RAT and CrossRAT to infect Windows, Mac, and Linux systems. According to researchers, the campaign uses spear phishing to target specific individuals such as military personnel, journalists, lawyers, and activists.
Emotet is malware first known for dropping banking Trojans via spam or phishing emails. As described above, a malicious macro in a Microsoft Word document drops Emotet, which gains persistence by injecting code into the machine's running processes and adding registry keys, then contacts its C2 servers for instructions and may drop other Trojans or transmit sensitive data collected from the victim's machine. As of September 2019, it appears to have returned to its previous high activity level, this time leveraging its scale as a botnet, and has re-emerged not only as a banking Trojan downloader but as a generic Trojan downloader.
Phishing kits are often the entry vector for most types of attacks, including ransomware:
- The Chalbhai phishing toolkit is a widely spread phishing campaign abusing a variety of brands around the globe. The primary goal is to obtain victims' email addresses and login credentials, and each phishing campaign can be customized to the criminal's goals. Chalbhai phishing kits have been observed targeting major brands including Charles Schwab, Bank of America, Chase, Wells Fargo, LinkedIn, Comcast, Yahoo, Microsoft, and Adobe.
- The Quiz phishing toolkit is a widely spread phishing campaign abusing commercial brands worldwide, including those in the retail, food and beverage, airline, and entertainment sectors. Each campaign starts with a short quiz that asks the user three questions related to the imitated brand, after which the victim is forwarded to a website requesting their private information. The primary goal is to obtain the victim's email address, home address, and age, but each campaign can be customized to the criminal's goals.
The threat landscape is always evolving and changing. Threat actors are getting more sophisticated and demanding more effort from the enterprise. The biggest advantage of the Akamai cloud is the massive volume of daily worldwide DNS and web activity data, observed and analyzed by sophisticated machine learning algorithms that are created, maintained, and evolved according to observed trends and live activity. In addition, it is a flexible product that each customer can set up easily, quickly, and in a user-friendly way according to their own risk appetite.
The policy wizard offers templated setup as well as custom options for advanced and granular setup.
High-level visibility provides an overview and easy drill-down into raw event activity.
Tools integrate easily into existing incident response infrastructure. Customers can integrate the available reporting and configuration tools into their own SIEM and generate additional visibility, such as the example below, and much more:
ETP is a security enabler for 2020 and beyond, delivered in a methodical, agile way by diligent and caring teams to strengthen customers' security posture.