
CYBERSECURITY

COUNTERINTELLIGENCE

RESEARCH, STRATEGY AND TACTICS

WHITE PAPER

Audience: CISOs, CIOs, IT Managers, Risk Managers, Business Systems Owners

Author: Keith Price, Director and Principal Consultant, Black Swan Group

Date: June 2013


Contents

1.0 Executive Summary ............................................ 3
2.0 Why You Will Be Attacked ..................................... 5
3.0 Who The Attackers Are ........................................ 8
    Organised Criminal Groups
    State-Affiliated Groups
    Radical Activists
    Insiders and Employees
4.0 How You Are Vulnerable ....................................... 12
5.0 How You Will be Attacked ..................................... 14
    The Attack Lifecycle
    Malware and Hacking
    External Targeted Attacks
    Phishing
    Web-Based Attacks
    Exploit Kits
    Botnets
    Denial of Service Attacks
6.0 The State of Security Technology Defences .................... 25
7.0 Recommendations .............................................. 28
    Security as a Counterintelligence Function
    Break the Cyber Kill Chain
    The Necessity of a Zoned Security Architecture
    Develop a Security Improvement Roadmap
8.0 Conclusion ................................................... 34
9.0 About the Author ............................................. 35
10.0 About Black Swan Group ...................................... 36
11.0 References .................................................. 37

Contact

Keith Price

Director & Principal Consultant

Black Swan Group Australia Pty Ltd

+61-438-138-535

[email protected]


After the 1984 IRA bombing at the Grand Hotel in Brighton, England, targeting the British cabinet, the IRA issued a statement saying: “We only have to be lucky once. You will have to be lucky always.”

1.0 Executive Summary

In cyberspace, attackers only have to be lucky once to compromise your network, while you must be constantly vigilant, never letting your guard down. Fail just once, and you’re owned: your entire technology infrastructure, including operating systems, applications, user access credentials and, most importantly, your information, is in the attacker’s hands.

Protecting your business assets is challenging. Technology plays a major part, but is not the whole solution. Cyber threats are evolving faster than the technologies we can deploy against them, and no organisation can afford to eliminate all cyber risks; the cost/benefit justifications just aren’t there.

To effectively manage cyber risk, the best response we have today starts with asking the right questions: researching attackers’ motivations, capabilities and methods, identifying our most important assets, understanding where we are vulnerable, and being vigilantly aware of our own unique situation.

Our adversaries are highly sophisticated and deeply resourced. Preventing, detecting and responding to today’s cyberattacks requires organisations to start viewing information security more like a counterintelligence function.

“Counterintelligence” from over 50 recent security reports and online resources

This white paper provides you with the latest cybersecurity counterintelligence as a starting point to explore new defensive measures. If there is one source of counterintelligence you need to read, this is it. This paper incorporates key findings from 25 recently released threat reports, surveys and databases from vendors, consultancies, governments and industry associations, and more than 25 other online references. A comprehensive list of threat reports is provided (see P37) for further reference, and sources are cited in the footnotes throughout.

Recommendations in response to key findings

This paper describes the “cyber kill chain” (see P29), a new model which helps turn counterintelligence into action. Originally a military concept, the kill chain refers to the stages of a cyberattack and the critical intervention points in the chain at which to respond. The model enables us to analyse attacks in a new way and direct resources to where they will have most impact. Break the chain at any one point and you have thwarted that attack.

The kill chain model highlights the need for a zoned security architecture that includes concentric layers of protection. A zoned security architecture (see P31) provides multiple barriers that the attacker must penetrate one at a time, dramatically increasing the difficulty of exploitation and giving businesses more opportunities to detect and stop attacks at various stages.

Bearing in mind that the ultimate objective of information security is business process assurance, security also needs to grow from a collection of disparate technologies and practices into an effective business process. A prioritised, risk-based “security improvement road map” (see P33) addressing people, process, technology and organisational controls helps achieve this objective.

For more information about how to manage cybersecurity threats, contact Black Swan Group for a discussion about how the strategies outlined in this paper may help protect your organisation.


CYBER THREATS IN A BUSINESS CONTEXT

The diagram below illustrates how cyber threats fit in the context of your business. Cyber threats arise through your business’s operating requirements. Threat agents attempt to exploit vulnerabilities and compromise business assets, and countermeasures must be put in place to defend against them. Business asset owners need to be confident that the countermeasures are adequate to protect assets against those threats. This paper provides the latest research and thinking about threat agents, attack methods, vulnerabilities and countermeasures to help business asset owners evaluate risks and protection strategies. It should support your own knowledge about your business’s needs, risks and the value of your assets.

[Figure 1 diagram. Nodes recovered from the figure: Business Needs, Threat Agents, Threats, Vulnerabilities, Countermeasures, Risk, Assets, Business Asset Owners. Edge labels: give rise to, exploit, are reduced by, reduce, (risk) to (assets), impose, are concerned with; a Continuous Improvement Process loops back to Business Needs.]

Figure 1: Business Needs, Threats, Vulnerabilities, and Countermeasures
(Source: Keith Price based on ISO/IEC 15408-1)


2.0 Why You Will Be Attacked

A recent survey released by CERT Australia [1] found that over 1 in 5 organisations experienced a cyber incident in the previous 12 months. It further found that 50% of organisations considered the attacks on them to be targeted. This marks a shift from the earlier view that most attacks are non-targeted or indiscriminate. And while the majority of attacks were reported to come from external sources, the fact that 44% originated from within organisations is a reminder that internally focused cyber security controls and measures are important.

Of the Australian organisations that experienced cyber incidents, 17% suffered loss of confidential or proprietary information, 16% encountered a denial-of-service attack, and 10% financial fraud.

The findings are revealing because they indicate that 17% of the organisations had their information compromised despite having the following people, processes and technologies in place:

- Over 90% of respondents deployed firewalls, anti-spam filters and anti-virus software
- 66% had documented incident management plans
- About 60% of organisations used IT security related standards
- About 65% of organisations had staff with tertiary level IT security qualifications
- Over 50% had staff with vendor IT security certifications

The following graph shows that the average volume of malware infections during this financial year was about 16,500 malware reports each day, representing what the Australian Internet Security Initiative (AISI) [2] calls a "significant level of malware" affecting Australians. These infections were reported daily to about 130 ISPs and other network operators through the AISI network.

[1] Cyber Crime & Security Survey Report, 2012, https://www.cert.gov.au/
[2] http://www.acma.gov.au/Industry/Internet/e-Security/Australian-Internet-Security-Initiative

“There are two types of companies: those that have been hacked and those that will be hacked.” Robert Mueller, FBI Director, speaking at the 2012 RSA Conference.


Figure 2: Daily Count of Australian IP Addresses Identified as Having Malware-infected Devices Behind Them
Source: Australian Communications and Media Authority

By far the largest share of security incidents occurred in the United States; Australia, India and the Netherlands were tied for third at 3%. [IBM]

Figure 3: Security Incidents by Country, 2012

Source: IBM X-Force Trend & Risk Report 2012

The general trend today is a greater overall number of breaches involving different kinds of assets. Information is being stolen and sold online at unprecedented levels, and professionally written malicious code is behind most of this data theft.

Cybercriminals favour payment and personal information that can easily be converted into cash. Spy types prefer trade secrets (eg schematics and formulas), internal organisational data (eg e-mails and reports), and system information. Hacktivists like the titillating aspect of personal information and internal organisational data. Credentials are fun for the whole family. [Verizon]


The following figure indicates the types of data that were compromised or breached in the past 12 months:

Figure 4: Types of Data Compromised

Source: The State Of Data Security And Privacy: 2012 To 2013, Forrester

IBM declared 2011 the “Year of the Security Breach” because it had the highest number of recorded data loss incidents to date. [3] In 2012 there were 1,502 documented incidents, a rise of nearly 40%. [IBM] 2012 data also makes it clear that any business, no matter its size, was a potential target for attackers. In fact, 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees, and 35% of all targeted attacks at companies with fewer than 500 employees. [Sym_Supp]

For Australia this is significant because the vast majority (96%) of Australian businesses are small businesses. [4] Many small businesses assume that they have nothing an attacker or hacktivist would want to steal. But almost every company, regardless of size, has money in the bank, some customer or business partner information and, for some, proprietary information. Certainly the rewards of attacking a large enterprise are greater than those of attacking a smaller company; however, smaller companies often lack the funds and skilled staff to defend themselves, so they make easier targets.

Governments too are targets. The U.S. government’s National Security Agency (NSA) works under the assumption that it has been compromised. Debora Plunkett, who heads the NSA's Information Assurance Directorate, says: “There’s no such thing as ‘secure’ any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in. We have to…assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.” [5]

[3] https://www-950.ibm.com/events/wwe/grp/grp004.nsf/vLookupPDFs/IBM%20X-Force%202012%20Cyber%20Security%20Threat%20Landscape/$file/IBM%20X-Force%202012%20Cyber%20Security%20Threat%20Landscape.pdf
[4] http://www.abs.gov.au/ausstats/[email protected]/Latestproducts/8165.0Media%20Release1Jun%202007%20to%20Jun%202011?opendocument&tabname=Summary&prodno=8165.0&issue=Jun%202007%20to%20Jun%202011&num=&view=
[5] http://www.reuters.com/article/2010/12/16/us-cyber-usa-nsa-idUSTRE6BF6BZ20101216


3.0 Who The Attackers Are

Attackers’ actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. Identifying the actors is critical both to immediate corrective actions and to longer-term defensive strategies. [Verizon]

There are four general attacker groups:

- Organised criminal groups
- State-affiliated groups
- Radical activists
- Insiders

ORGANISED CRIMINAL GROUPS

Criminal gangs in Eastern Europe have historically dominated financially motivated attacks. Their preferred method is to compromise a card processing vendor or transaction clearing centre to get access to the card data. Other methods include fraudulent electronic funds transfers (EFTs) and covert premium-rate SMS messages sent from infected smartphones.

More than half of all external breaches are tied to organised criminal groups. This reflects the high prevalence of illicit activities associated with threat actors of this ilk, such as spamming, scamming, payment fraud, account takeovers and identity theft. For professional criminals the “why” is simple and consistent: money. Most attacks originate either in the U.S. or in Eastern European countries (eg Romania, Bulgaria and the Russian Federation). Payment card data has consistently been the most frequently stolen data type. [Verizon]

STATE-AFFILIATED GROUPS

State-affiliated groups seek data that furthers national interests, such as military or classified information, economy-boosting plans, insider information or trade secrets, and technical resources such as source code. They will generally not target payment systems and information. Phishing, then malware, then hacking, then entrenchment is the staple sequence of espionage campaigns. [Verizon] See page 18 for more about phishing.

96% of espionage cases were attributed to threat actors in China. [Verizon] China also once again remained the source of the largest volume of attack traffic, accounting for 40% of the total, up from a third in the prior quarter. [AKAMAI]

When Mandiant first published details about the Advanced Persistent Threat (APT) in its 2010 M-Trends report, it stated that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.” Now, three years later, Mandiant’s 2013 report states that it has analysed new evidence from hundreds of investigations to conclude that the groups conducting these APT activities are based primarily in China and that the Chinese Government is aware of them. [Mandiant]

Organisations in all industries related to China’s strategic priorities are potential targets of the APT’s comprehensive cyber espionage campaign. The following figure indicates the industries compromised by cyberattacks:

The enemy invariably attacks on two occasions: a. When they're ready. b. When you're not. (Canonical Murphy's Laws of Combat)


Figure 5: Industries Compromised by Cyberattacks

Source: Mandiant APT1 Report, March 2013

RADICAL ACTIVISTS

Another name for radical activists is hacktivists. Hacktivism exploded in 2012 and became the number one cyber outlet of choice for the public expression of controversial opinions, political and economic, as well as a means of protesting ideological conflicts. Today’s hacktivist groups are predominantly unrelated teams (or individual hackers) who attack entities, alleged “culprits”, according to the attackers’ own political, religious, social or economic agendas. [RSA] Anonymous is the largest and most well-known hacktivist group. [6]

The proportion of incidents involving activist groups has been consistent over the past year or so, but the amount of data they stole this year is down substantially from 2011. Much of the activity claimed by hacktivists in 2012 shifted primarily to denial of service (DoS) attacks. [Verizon] See page 23 for more about DoS attacks.

INSIDERS AND EMPLOYEES

Findings from PwC’s global survey of 12,052 senior executives identified current and former employees as the greatest source of risk to their organisations, as indicated in the following figure.

[6] For more information, visit: http://www.informationweek.com/security/attacks/who-is-anonymous-10-key-facts/232600322?pgno=1


Figure 6: Estimated Likely Source of Incidents

Source: Key findings from the PwC Global State of Information Security Survey

A 2012 IBM/Ponemon study of 265 C-level executives reinforced this finding, with 43% of respondents saying that negligent insiders were the single greatest risk to sensitive data. [PONEMON]

Contributing to the risk, in 91% of organisations users were found to be using applications with the potential to bypass security, hide identities, cause data leakage or even introduce a malware infection without their knowledge. [CHECK POINT]

Weak and default passwords continue to be a notable risk. Unbelievably, the most common passwords seen in 2012 were still “Welcome1” and “Password1”. Under Active Directory’s complexity requirements these two passwords are no different from “J*1maw)2”, even though “J*1maw)2” is obviously far harder to guess than the other two. This is because Active Directory checks only whether the password as a whole satisfies the character-class rules, rather than comparing it against dictionary words and slight variations of them as Linux password checkers do. Passwords once thought complex enough to make cracking improbable can now be reversed in hours or days. This requires users and administrators to rethink how they create passwords and how users are educated about password security. A passphrase is also easier to remember and doesn’t need to be written down. Not only do long passphrases make brute force attacks impractical for an attacker, they also defeat rainbow table attacks, because tables covering such lengths would require impractical amounts of disk space. [Trustwave]
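As an added illustration (example code written for this edition, not code from the white paper or from Trustwave), the following Python models the two kinds of check the paragraph contrasts: an Active Directory-style character-class rule, which accepts “Welcome1” and “J*1maw)2” alike, and a simplified cracklib-style dictionary rule, which strips the trailing digit and rejects the dictionary word underneath. It also computes the exhaustive search space for each candidate, which is where a long passphrase wins. The banned-word list, the leet-speak map and the exact class rule are assumptions for illustration, not any product's real implementation.

```python
"""Added example (not from the white paper or the Trustwave report it cites):
models the two kinds of password check the text contrasts, plus a brute-force
search-space estimate. The class rule is modelled on the Active Directory
"password must meet complexity requirements" policy; the dictionary rule is a
simplified stand-in for a cracklib-style check. The banned-word list and the
leet-speak map are constructed assumptions, not any product's real word list."""
import math
import re

BANNED_WORDS = {"welcome", "password", "letmein", "summer", "qwerty"}  # constructed
LEET = str.maketrans("0134$@!", "oleasai")  # common substitutions to undo

CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def ad_complexity_ok(pw: str, min_length: int = 7) -> bool:
    """Class rule: minimum length and characters from at least 3 of 4 classes.
    It judges the password as a whole and never asks whether it is a word,
    so 'Welcome1' and 'J*1maw)2' are equally acceptable to it."""
    classes_hit = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, pw))
    return len(pw) >= min_length and classes_hit >= 3


def dictionary_ok(pw: str) -> bool:
    """Dictionary rule: drop leading/trailing digits and symbols, undo leet
    substitutions, and reject if what remains is a banned word."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    return core not in BANNED_WORDS and core.translate(LEET) not in BANNED_WORDS


def brute_force_bits(pw: str) -> float:
    """Size of the exhaustive search space, in bits, for the classes used.
    This is an upper bound: a passphrase built from dictionary words is far
    cheaper to attack with a word list than this number suggests."""
    sizes = (26, 26, 10, 33)  # symbol class: 32 ASCII punctuation chars plus space
    alphabet = sum(size for pattern, size in zip(CLASS_PATTERNS, sizes)
                   if re.search(pattern, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def evaluate(pw: str) -> dict:
    """Run all three checks; returns a dict so the results can be compared."""
    return {
        "ad_ok": ad_complexity_ok(pw),
        "dict_ok": dictionary_ok(pw),
        "bits": round(brute_force_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ("Welcome1", "P@ssw0rd1", "J*1maw)2",
                      "four fat pelicans swam ashore"):
        print(f"{candidate!r:32} {evaluate(candidate)}")
```

Note that the passphrase fails the class rule while “Welcome1” passes it: a policy that counts character classes and nothing else is measuring the wrong thing. The bit count is an upper bound on brute force only; a passphrase made of common words should be judged against word-list attacks, which is what the dictionary check begins to do.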


In summary, the following table lists threat agents and their preferred methods of attack:

Figure 7: Threat Agents and Exploits

Source: ENISA Threat Landscape Report, January 2013


4.0 How You Are Vulnerable

Well known vulnerabilities [7] are key targets for hackers, who rely on the simple fact that many organisations do not update their software on a regular basis. The bigger the organisation, the harder it is for security administrators to keep all systems fully updated.

In 2012 IBM saw 8,168 publicly disclosed vulnerabilities, an increase of 14% over 2011. [IBM] No IT administrator is going to be able to manually keep constant track of the patch state of all the programs on all the computers in their environment. Vulnerabilities in software will continue to be a major risk factor, increasing the importance of patch management in the critical path to security.

The following figure shows the top 10 vendors by vulnerability disclosures in 2012. Compared with their average numbers over the preceding 10 years, only one of these 10 vendors (Microsoft) managed to decrease the number of vulnerability disclosures in its products in 2012. All other vendors increased their vulnerability numbers in 2012. [NSS_1]

Figure 8: Top 10 vendors by vulnerability disclosures
Source: NSS Labs Vulnerability Threat Trends 2013

Web applications are still at the top of the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end-of-year numbers. Cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of them. Although SQL injection remains a top attack technique, disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak IBM recorded. [IBM]

[7] For more information on vulnerabilities, visit the U.S. National Vulnerability Database at http://nvd.nist.gov/


The following figure shows web applications vulnerabilities by attack technique:

Figure 9: Web Application Vulnerabilities by Attack Technique, 2006 to 2012

Source: IBM X-Force Trend & Risk Report 2012

The complexity of executing a successful attack is an important factor in assessing the risk of a vulnerability. A highly critical vulnerability that can only be exploited under very specific circumstances might require less immediate attention than a less critical vulnerability for which automated exploitation functionality is readily available in crimeware or penetration testing kits. [NSS_1]

The figure below illustrates that the share of low complexity vulnerabilities, the easiest to exploit, repeatedly decreased from a high of over 90% early in the century to 48%, or a total of 2,534, in 2012.

Figure 10: Complexity Required to Successfully Exploit a Vulnerability (lower complexity = greater risk)

Source: NSS Labs Vulnerability Threat Trends 2013

In the same period, medium complexity vulnerabilities increased their share from below 5% to 47%, or 2,431, in 2012. Disclosures of high complexity vulnerabilities have been mostly stable over the last decade at an average share of 4%. This data documents a clear (but slowing) trend towards an increase in attack complexity. Vulnerabilities with high criticality paired with low attack complexity pose a clear and present threat to users of the affected software. A considerable 484, or 9.2%, of the vulnerabilities disclosed in 2012 had a CVSS [8] base score of 9.9 or more paired with a low attack complexity. [NSS_1]

[8] See www.first.org/cvss


5.0 How You Will be Attacked

The Internet connects criminals to a virtually limitless host of potential victims. It is boundaryless, in that cybercriminals can sit at their computers in one country and attack a person or company in another.

Cybercriminals have been successful for six primary reasons:

- The basic protocol of the Internet, TCP/IP, was not designed with security in mind and is inherently insecure
- There are over a billion people who use the Internet, and each one is a potential victim
- The sheer number of machines with unpatched operating systems and applications creates a massive array of potential targets to compromise with the latest malware
- Software programmers have not historically considered security a primary part of their software design, leaving a treasure chest of vulnerabilities for cybercriminals to exploit
- The Internet is an open network of networks with no central police or regulatory authority
- Attackers can cover their tracks by spoofing IP addresses, launching attacks from compromised legitimate servers, and deleting log files

The Internet enables many hacking methods to be highly scalable, automated, targeted and conducive to anonymity. [AKAMAI]

The rise of ecommerce, increased network connectivity with business partners and employees, the complexities of bespoke applications and legacy systems, and the increasing threat from nation-states, cybercriminals and hacktivists make cyber black swan events [9] inevitable.

Hackers’ techniques are constantly changing, using more advanced and sophisticated attack methods and raising the security challenge year after year. Attack trends in 2012 took advantage of well publicised legacy issues such as password security, ineffectual security controls, and legacy devices, protocols and attacks. What is different about today is the “own the environment” nature of attacks.

There are multiple entry points for breaching an organisation’s defences: malicious attachments, browser-based vulnerabilities, removable media, mobile devices, etc. The initial point of entry (commonly called “establishing a beachhead”) is rarely the ultimate target; additional reconnaissance and lateral movement are needed to identify the location of valuable data. Once a beachhead is formed, attackers conduct network scanning to determine what other systems are either on the same network segment or communicating with the compromised host. This information is then used to move laterally, penetrate deeper into the target’s infrastructure and find valuable data. [Trustwave]

[9] In his book The Black Swan, IMF advisor Nassim Taleb describes a ‘black swan event’ as having three attributes: rarity, extreme impact and retrospective predictability.



THE ATTACK LIFECYCLE

Cyberattackers typically operate in a few broadly defined steps, as indicated in the following attack lifecycle:

Figure 11: Attack Lifecycle
Source: E&Y/ISACA Responding to Targeted Cyberattacks Report, 2013

Lifecycle Step: Objective

- Conduct background research: Detailed research on targets to identify avenues of attack.
- Execute initial attack: The initial attack targets one or more specific individuals through some form of social engineering.
- Establish foothold: Establish an initial foothold in the target environment using some version of customised malicious software.
- Enable persistence: Establish persistent command and control over compromised computers in the target environment.
- Conduct enterprise reconnaissance: Find the computers, servers or storage areas holding the information the attackers have been instructed to steal.
- Move laterally to new systems: Understand what new parts of the enterprise the attacker might gain access to from the new systems. Also install command-and-control software on new systems to expand persistent access to the environment.
- Escalate privileges: Escalate from local user to local administrator to higher levels of privilege, so that the attacker is not constrained to any specific part of the environment.
- Gather and encrypt data of interest: Gather captured data into an archive, then compress and encrypt it to hide it from technologies such as deep packet inspection and data loss prevention (DLP) at the enterprise boundary.
- Exfiltrate data from victim systems: Use HTTP, HTTPS, FTP or custom data transfer technologies operating on standard and nonstandard ports.
- Maintain persistent presence: Maintain long-term access to the target environment.

Table 1: Attack Lifecycle Steps and Objectives
Source: E&Y/ISACA Responding to Targeted Cyberattacks Report, 2013
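The reconnaissance, lateral movement and exfiltration steps above (and the beachhead scanning described at the start of this section) leave traces in network flow data. As an added example (written for this edition, not code from the white paper or the E&Y/ISACA report), the following Python runs two detections over constructed flow records: an internal host fanning out to many internal peers, and a large outbound session from inside to outside, flagged further when it uses a port other than HTTP, HTTPS or FTP. The internal address range, the thresholds and the flow records themselves are assumptions.

```python
"""Added example (not from the white paper or the E&Y/ISACA report): two
detections aimed at the later lifecycle steps in Table 1, run over constructed
flow records rather than real logs. The internal address range, thresholds and
the list of 'standard' egress ports are assumptions to be tuned per network."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")           # assumption: the corporate range
STANDARD_EGRESS_PORTS = {21, 80, 443}         # FTP, HTTP, HTTPS as named in Table 1
SCAN_FANOUT = 10                              # distinct internal peers per source
EXFIL_BYTES = 50_000_000                      # bytes out in a single session

# Constructed flow records: (src, dst, dst_port, bytes_out).
# 10.0.5.23 plays the beachhead: it sweeps its /24 on SMB, then pushes a large
# upload to an external host on a non-standard port.
FLOWS = [("10.0.5.23", f"10.0.5.{i}", 445, 1_200) for i in range(1, 21)] + [
    ("10.0.7.8", "10.0.1.5", 445, 40_000),              # ordinary file-share use
    ("10.0.7.8", "10.0.1.6", 80, 8_000),
    ("10.0.5.23", "203.0.113.10", 8443, 120_000_000),   # exfiltration
    ("10.0.7.8", "198.51.100.7", 443, 1_200_000),       # ordinary browsing
    ("10.0.9.9", "198.51.100.20", 443, 90_000_000),     # large but standard port
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def detect_recon(flows) -> dict:
    """Steps 'conduct enterprise reconnaissance' / 'move laterally': an internal
    source touching many distinct internal destinations. Returns {src: fan-out}
    for sources over the threshold."""
    peers = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= SCAN_FANOUT}


def detect_exfil(flows) -> list:
    """Step 'exfiltrate data': large outbound sessions from inside to outside.
    Non-standard ports are flagged separately; encrypted archives over 443 look
    like normal web traffic, so volume, not port, is the primary signal."""
    hits = []
    for src, dst, port, bytes_out in flows:
        if is_internal(src) and not is_internal(dst) and bytes_out >= EXFIL_BYTES:
            hits.append({"src": src, "dst": dst, "port": port, "bytes": bytes_out,
                         "nonstandard_port": port not in STANDARD_EGRESS_PORTS})
    return hits


def correlate(flows) -> list:
    """Hosts seen in both stages: a scanning host that later uploads a large
    volume externally matches the lifecycle end to end and goes to the top."""
    scanners = set(detect_recon(flows))
    uploaders = {h["src"] for h in detect_exfil(flows)}
    return sorted(scanners & uploaders)


if __name__ == "__main__":
    print("recon:", detect_recon(FLOWS))
    for hit in detect_exfil(FLOWS):
        print("exfil:", hit)
    print("both stages:", correlate(FLOWS))
```

The 90 MB upload over 443 in the sample is deliberately left as a plain volume hit: the lifecycle's "compress and encrypt" step means exfiltration on a standard port looks like ordinary TLS, so volume and the pairing with earlier scanning are stronger signals than port choice.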


MALWARE AND HACKING

Malware and hacking still rank as the most common attack methods, but they scaled back rather significantly among 2012 breaches. Direct installation of malware by an attacker who has already gained access to a system is again the most common malware vector. [Verizon]

Attackers use various techniques referred to as attack vectors. The following figure lists some of these attack vectors according to the percentage of organisations that suffered from them. Memory corruption, buffer overflow and denial of service are the most common attack vectors found in Check Point’s research. [Check Point]

Figure 12: Top Attack Vectors

Source: Check Point Security Report 2013

75% of the malware files reported to Sophos are only ever seen in one organisation. This level of polymorphism is unprecedented. What’s more, attackers have begun to develop and use far more sophisticated approaches to polymorphism to hide their attacks from security vendors and IT organisations. [Sophos]

In 2012 more than 80% of the threats Sophos saw were redirects, mostly from legitimate sites that had been hacked. This is a powerful warning to keep your site secure and your server scripts and applications up to date. [Sophos]

Client-side attacks, both targeted and en masse, are also on the rise. These are perpetrated through both web-based systems and email, the two vectors that are most used but in many cases least protected. [Trustwave]


The vast majority of attacks are opportunistic. Opportunistic attacks are those where the victim isn’t specifically chosen as a target; they were identified and attacked because they exhibited a weakness the attacker knew how to exploit. Notably, more breaches result from simpler opportunistic attacks than from the targeted operations of money-hungry organised criminal groups. [Verizon]

EXTERNAL TARGETED ATTACKS

While the majority of cyberattacks are opportunistic, targeted attacks can be the most dangerous. A targeted attack occurs when attackers pursue a specific organisation over a long time span. Often the objective is either data exfiltration or gaining persistent access to and control of the target system. These attacks can take a long time (in some cases years) to detect and are hard to prevent.

Targeted attacks are commonly used for hacktivism and industrial espionage, to gain access to confidential information on a compromised computer system or network. They are rare but potentially the most difficult attacks to defend against. Targeted attacks combine social engineering and malware to target individuals in specific companies with the objective of stealing confidential information such as trade secrets or customer data. They often use custom-written malware and sometimes exploit zero-day vulnerabilities, which makes them harder to detect and potentially more infectious.

Targeted attacks use a variety of vectors as their main delivery mechanism, such as malware delivered in an email, or drive-by downloads from an infected website the intended recipient is known to frequent, a technique known as a "watering hole" attack. [Sym]

Over the past year, we've seen a significant rise in the volume of external attacks, as indicated in the following figure:

Figure 13: Change in the Risk Environment during 2012

Source: Ernst & Young’s 2012 Global Information Security Survey

In 2009, 41% of respondents noticed an increase in external attacks. By 2011, that number had leapt to 72%. In 2012, the number of respondents indicating an increase in external threats rose again, to 77%. [E&Y]

In terms of cyber security incidents, more than half of Australian organisations surveyed considered attacks on their organisation to be targeted. This indicates a shift (in an Australian context) from the previous view that most attacks are non-targeted or indiscriminate. And while the majority of attacks were reported to come from external sources, the fact that 44% originated from within organisations serves as a reminder that internally-focused cyber security controls and measures are also important. [CERT_AU]

PHISHING

Phishing refers to hoax e-mail messages that look like they are from your bank, another financial institution or a business, and that ask you to visit a fraudulent website that looks like the bank's, institution's or business's own in order to "confirm" account information including usernames and passwords. [10]

From 2010 to 2012, email scam/phishing volume nearly quadrupled, reaching more than 83% of 2008 levels in spring 2012. [IBM] In February 2012, the number of unique phishing sites recorded by the APWG reached an all-time high of 56,859, which indicates this criminal activity is not decreasing. While the overall number of targeted institutions has dropped, phishers continue to go after larger or more popular targets. [APWG]

Phishing attacks often come as emails carrying an infected PDF, Word or Excel document sent to a targeted individual known within an organisation. This is called "spear phishing", or "whaling" when it is directed specifically at senior executives and other high profile targets.

Phishers use various social engineering techniques to lure their victims into clicking on an infected attachment or a link to a malicious website, or into providing information such as passwords or personal details. When opened, the PDF, Word or Excel document triggers an exploit, sometimes for a previously unknown (zero-day) vulnerability, to compromise the machine. The attacker can then use this foothold to get deeper into the network and complete the breach. [Verizon]

A successful phishing campaign requires a series of "and" statements for every step in the campaign, and with each added step the probability of a system compromise goes down. For example, a user needs to take action AND there needs to be a vulnerability on the system AND software has to be quietly installed AND there has to be a communication path back to the attacker, and, and, and: this is why we have the term "defence in depth". [Verizon]

There are four general approaches to targeted attacks through phishing emails: [Trustwave]

Social engineering: common email themes are conferences, internal communications, employee reviews, surveys, meeting invitations and security updates.

Context: the email makes sense to an employee of that organisation.

Homework: attackers do their research, collect employee email addresses, and change the "From" field so the message appears to come from someone known to the organisation.

Attachments/links: there is typically a malicious attachment (.doc, .xls, .pdf) that contains exploit code. Executable file attachments and links are also used.
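One check that follows from the "Homework" and "Attachments/links" points above, as an added example that is not from the white paper or from Trustwave: parse a message's headers and flag a display name that imitates an internal address, a From domain outside the organisation, a Reply-To or Return-Path routed elsewhere, and attachment types used as exploit carriers. The sample message, the organisation domain example-corp.com and the extension list are constructed assumptions.

```python
"""Flag spear-phishing indicators in a raw e-mail (constructed example)."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                      # assumed: the defended organisation
RISKY_EXTENSIONS = (".doc", ".xls", ".pdf", ".exe", ".scr", ".js")  # assumed list

# Constructed sample, not taken from any real campaign. The display name imitates
# an internal HR address, but the real sender and Reply-To are a free webmail
# domain, the Return-Path is a third relay, and the lure carries a .doc attachment.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay-example.net>
From: "hr@example-corp.com" <hr.team@freemail-example.net>
Reply-To: hr-survey@freemail-example.net
To: alice@example-corp.com
Subject: Annual employee review - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached review form before Friday.
--b1
Content-Type: application/msword; name="review_form.doc"
Content-Disposition: attachment; filename="review_form.doc"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1--
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, addr = parseaddr(str(address))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return human-readable indicators found in the message; empty list if none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Display-name spoofing: the name the user sees contains an address whose
    #    domain differs from the real From address.
    name_domains = re.findall(r"@([\w.-]+)", display_name)
    if any(d.lower() != from_domain for d in name_domains):
        findings.append(f"display name claims {name_domains[0]} but address is {from_domain}")

    # 2. External sender posing as internal: org identity in the name, sent from outside.
    if from_domain and from_domain != org_domain and org_domain in display_name.lower():
        findings.append(f"From domain {from_domain} is outside {org_domain}")

    # 3. Replies or bounces routed to a different domain than the apparent sender.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and domain_of(value) and domain_of(value) != from_domain:
            findings.append(f"{header} domain {domain_of(value)} differs from From domain {from_domain}")

    # 4. Attachment types commonly used as exploit carriers.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment with risky type: {name}")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks is proof on its own (Return-Path legitimately differs for mailing lists, and internal staff do send PDFs), which is why the function returns the full list rather than a verdict: a mail gateway rule would score the combination, and a message that trips three of the four deserves quarantine and a look from the security team.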

[10] http://www.protectfinancialid.org.au/default.aspx?ArticleID=16#phishing



As indicated in the following diagram, in 2012 the most frequently targeted job role for phishing was in R&D, which accounted for 27% of attacks (9% in 2011). The second most notable increase was against sales representatives, probably because their contact details are more widely available in the public domain, with 24% of attacks in 2012 versus 12% in 2011. In 2011, C-level executives were the most targeted, with 25%, but this number fell to 17% in 2012. [Sym]

Figure 14: Targeted Attack Recipients by Role, 2012

Source: Symantec Internet Security Threat Report, Volume 18, 2013

Executives and managers make sweet targets for criminals looking to gain access to sensitive information via spear phishing campaigns. Not only do they have a higher public profile than the average end user, they're also likely to have greater access to proprietary information. Plus, we all know how much they love .ppt and .pdf attachments. [Verizon]

WEB-BASED ATTACKS

Web browsers are the most used programs to access the Internet from desktops, laptops, tablets and mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware and adware. In addition, web browsers are exposed to a greater amount of potentially untrusted or hostile content than most other applications and are particularly targeted by multi-exploit attack kits. [Sym_Supp]

The following figure shows web browser usage over the past 12 years, with Google's Chrome skyrocketing to the top spot:


Figure 15: Web Browser Usage

Source: NSS Labs Vulnerability Threat Trends 2013

Overall web browser vulnerabilities declined slightly in 2012. While the total number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of critical and high severity web browser vulnerabilities increased by 59% for the year. [IBM] The following figure shows the growing number of critical and high web browser vulnerabilities over the years:

Figure 16: Web Browser Vulnerabilities, Critical and High 2005 to 2012

Source: IBM X-Force Trend & Risk Report 2012

Expanding functionality beyond the browser itself, a web client is much more: it's a full-blown platform, with infrastructure, utilities and extensibility via plug-ins. This extensibility is where most of the vulnerability lies, as exploit kits increasingly target browser plug-ins rather than the browser. For years, malware authors have been obfuscating their code to avoid AV signature detection, and this process is now automated (polymorphic JavaScript obfuscators are common in exploit kits, for example). With the shift from HTML/JavaScript-centric browser attacks to browser plug-in attacks, it was only a matter of time before malware authors adopted the same techniques there. This means malicious Java and ActionScript (the programming language used in Flash) now also use automated obfuscation tools to avoid AV signature detection. [Trustwave]

Ever-expanding sophistication of malware and the increasing number of vulnerabilities make the web the most formidable malware delivery mechanism we've seen to date, outpacing even the most prolific worm or virus in its ability to reach and infect a mass audience silently and effectively. [Cisco]

Web malware encounters occur everywhere people visit on the Internet, including the most legitimate of websites that they visit frequently, even for business purposes. Business and industry sites are one of the top three categories visited when a malware encounter occurred. Malicious scripts and iframes comprised 83% of encounters in 2012, relatively consistent with previous years. These attacks often take the form of malicious code on "trusted" web pages that users may visit every day, meaning an attacker is able to compromise users without even raising their suspicion. [Cisco]

The number of web-based attacks increased by almost a third in 2012. [Sym] These attacks silently infect enterprise and consumer users when they visit a compromised website. Drive-by download attacks against web browsers have become the top web threat. [ENISA] A drive-by exploit refers to the injection of malicious code into the HTML of websites that exploits vulnerabilities in users' web browsers. These attacks target software residing on Internet users' computers (web browser, browser plug-ins and operating system) and infect them automatically when they visit a drive-by download website, without any user interaction.

Typically, attackers infiltrate a legitimate website to install their attack toolkits and malware payloads, unbeknown to the site owner or the potential victims. The malware payload dropped by web-attack toolkits is often server-side polymorphic or dynamically generated, leaving enterprises that rely on signature-based antivirus protection unable to protect themselves against these silent attacks. A hidden piece of JavaScript or a few lines of code linking to another website can install malware that is very difficult to detect. [Sym]
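To make the Trustwave point about obfuscated exploit-kit JavaScript and the Symantec point about hidden code injected into legitimate pages concrete, here is an added scanner, not code from the white paper or from either vendor, that flags invisible iframes and inline scripts showing decode-and-run calls or dense percent/hex escaping in a page's HTML. The sample page, the hostnames in it and the 5% escape-density threshold are constructed assumptions; it is a triage heuristic for a web crawl or proxy log review, not a replacement for a web gateway.

```python
"""Flag drive-by injection indicators in HTML (constructed example)."""
import re

# Constructed sample page: a legitimate-looking page with two injected pieces,
# a zero-size hidden iframe to a redirector and an obfuscated inline script.
# The hostnames and the script are made up; this is not real exploit-kit code.
SAMPLE_HTML = """<html><head><title>Quarterly results</title>
<script src="/js/site.js"></script></head>
<body><h1>Results</h1><p>Revenue grew 4% this quarter.</p>
<iframe src="http://redirector.example.net/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>var q="%3C%73%63%72%69%70%74%3E";eval(unescape(q)+String.fromCharCode(32,32));</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}")

# Calls an obfuscated landing page uses to rebuild and run its real payload.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode(")
ESCAPE_DENSITY = 0.05  # assumed heuristic: share of the script made of %xx / \xNN escapes


def hidden_iframes(html: str) -> list[str]:
    """Return src values of iframes sized or styled so the user cannot see them."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v.lower() for k, v in ATTR_RE.findall(tag)}
        style = attrs.get("style", "").replace(" ", "")
        invisible = (
            attrs.get("width") in ("0", "1")
            or attrs.get("height") in ("0", "1")
            or "visibility:hidden" in style
            or "display:none" in style
        )
        if invisible:
            hits.append(attrs.get("src", ""))
    return hits


def obfuscated_scripts(html: str) -> list[str]:
    """Return inline script bodies that use decode-and-run calls or dense escaping."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        lowered = body.lower()
        escapes = len(ESCAPE_RE.findall(lowered))
        density = escapes / len(body) if body else 0.0
        if any(m in lowered for m in OBFUSCATION_MARKERS) or density > ESCAPE_DENSITY:
            hits.append(body.strip())
    return hits


def scan(html: str) -> dict:
    """Combine both checks into one report for a page."""
    return {"hidden_iframes": hidden_iframes(html), "obfuscated_scripts": obfuscated_scripts(html)}


if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

The external `<script src="/js/site.js">` is deliberately not flagged: the heuristic only inspects inline bodies, so a site's own bundled scripts produce no noise, while the injected block trips both the marker and the density check. Running this over a fresh crawl of your own web properties is a cheap way to act on the Sophos warning above about hacked legitimate sites serving redirects.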

Analysing more than 5 million malicious URLs passing through the Trustwave Secure Web Gateway, Trustwave found that the popular exploits targeted products such as Internet Explorer (IE), Adobe Acrobat Reader, Adobe Flash Player, Oracle Java and Microsoft Office. Of all client-side attacks observed, 61% targeted Adobe Reader users via malicious PDFs. [Trustwave]

As we saw earlier in Figure 8, Oracle was the vendor with the most vulnerability disclosures in 2012. In early 2013, Oracle rushed out a security update repairing a Java zero-day vulnerability that was being actively exploited by attackers. Soon after, Oracle released a Java security update to repair 50 vulnerabilities, 49 of which are remotely exploitable by attackers through the browser. This prompted US-CERT to recommend disabling Java in web browsers. [11]

Web applications are also attacked directly through injection and request-forgery flaws such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF) and remote file inclusion (RFI). The goal of these attacks is to extract data, steal credentials or take control of the targeted web server. A significant increase in reported XSS attack cases has been observed in recent years. Moreover, XSS attacks work on any browsing technology, including mobile web browsers. The most critical vulnerability for traditional and Web 2.0 applications is XSS. [ENISA]
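As an added illustration of the SQL injection case (not from the white paper or from ENISA), the following builds an in-memory SQLite table of constructed accounts and shows a login query assembled by string formatting next to the same query with bound parameters. The tautology and UNION payloads are the classic textbook forms; the table and column names are assumptions.

```python
"""SQL injection: a string-built query beside its parameterised fix (constructed)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample accounts (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user"), ("carol", "h3", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Vulnerable: input is pasted into the SQL text, so quotes in it become syntax."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Fixed: bound parameters travel as data and are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


def demo() -> dict:
    """Run both versions against the same payloads and return what each leaks."""
    conn = make_db()
    tautology = "' OR '1'='1"          # turns the WHERE clause always-true: logs in as everyone
    union = "' UNION SELECT username, password_hash FROM users --"  # pulls the credential table
    return {
        "vulnerable": login_vulnerable(conn, "x", tautology),   # every account
        "exfiltrated": login_vulnerable(conn, "x", union),      # usernames with password hashes
        "fixed": login_fixed(conn, "x", tautology),             # no rows: payload is just a string
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable function returns all three accounts for the tautology and the full credential table for the UNION payload, which is exactly the "extract data, steal credentials" outcome described above; the parameterised version returns nothing because `' OR '1'='1` is compared literally against the password_hash column. Parameter binding is the fix, not input filtering: a filter has to anticipate every encoding of the quote, whereas binding removes the parsing step that makes the quote dangerous.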

Naturally, the majority of web-based attacks exploit the most common vulnerabilities. These attacks are successful primarily because enterprise, government and consumer systems are not up to date with the latest patches for their many IT products.

[11] http://www.us-cert.gov/ncas/alerts/TA13-032A

EXPLOIT KITS

An exploit kit is a purpose-built, ready-to-use software package that automates attack activity. Exploit kits first appeared in 2006 and continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. A sophisticated underground economy provides both the malware that enables hackers to commit their cybercrimes and the ecommerce facilities to sell the financial data and intellectual property they steal. Financially motivated developers keep creating new and better versions, supplying the marketplace with exploit kits. The Blackhole exploit kit remains the most popular. Blackhole exploits vulnerable browser plug-ins such as Java, Adobe Reader and Adobe Flash Player. [ENISA]

A close inspection of Blackhole reveals just how sophisticated malware authors have become. Blackhole is now the world's most popular and notorious malware exploit kit. It combines remarkable technical dexterity with a Software-as-a-Service rental model that could have come straight from a Harvard Business School MBA case study. And, barring an unlikely takedown by law enforcement, security vendors and IT organisations are likely to be battling it for years to come. [Sophos]

Over the past 12 months we observed significant investment by cybercriminals in toolkits like the Blackhole exploit kit. They've built in features such as scriptable web services, APIs, malware quality assurance platforms, anti-forensics, slick reporting interfaces and self-protection mechanisms. In the coming year, you should expect to see continued maturation of these kits, replete with premium features that make access to high quality malicious code even simpler and more comprehensive. [Sophos]

By far, remote access remained the most widely used method of infiltration in 2012. Custom remote access tools are more closely related to common Trojans and malware kits. The skill required to develop completely custom remote access tools limits this technology to the higher tiers of attackers. Although the complexity and behaviour of these tools introduce additional challenges in antivirus evasion, their limited distribution appears highly effective in preventing detection. Remote access can range from full-on remote desktop to simple bot-like command and control (C&C) channels. Poorly configured remote administration is a leading infection vector, and maintaining that access is often vital to exfiltration. [Trustwave]

2012 saw Trojan development increase more than in any previous time period. [RSA] Zeus is the most popular banking Trojan in use, and the most successful Zeus offshoot so far also surfaced in 2012. Citadel, a banking Trojan that was introduced to the underground early in the year, has evolved into the most sophisticated Trojan business model the world of commercial malware has ever known. It even has the ability to map corporate networks. [RSA]


BOTNETS

A botnet is a large group of compromised computers under the direct control of an attacker (the bot master). Compromised systems are called bots (short for robots); they communicate with the bot master, who uses them for email spamming, distributing malware and infecting other systems, turning those into bots. Interestingly, the U.S. was home to 1 in 7 (15%) of global bot-infected computers, with an average lifespan of 13 days. [Sym]

It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet. In 2011, the TDL botnet infected more than 4.5 million computers and was infecting approximately 100,000 unique addresses per day. [12] Check Point found that 63% of organisations are infected with bots, with most organisations infected by a variety of bots. [Check Point] Ever evolving, the more experienced attackers are using smaller botnets with decentralised command and control infrastructure that are more difficult for law enforcement to track and take down.

DENIAL OF SERVICE ATTACKS

DoS attacks are not new, but in recent years they have been gaining in popularity, in large part because the technical barriers to creating such an attack are small and because it is difficult and time consuming to track an attack back to its true source. [AKAMAI]

When hacktivists use DoS attacks, the attacks are aimed at gaining notoriety and making a political statement, so hacktivists focus on disrupting online services through DoS and distributed denial of service (DDoS) attacks. To achieve this goal, adversaries take control of multiple hosts on one or more networks, without the owners' knowledge, to launch automated requests at online services such as the Domain Name System (DNS), websites and email. [13]

Figure 17: DoS Attacks on Industry

Source: Arbor Worldwide Infrastructure Security Report Volume XIII 2012

The number of DDoS attacks in 2012 grew significantly from 2011. Akamai's customers reported 768 attacks in 2012, a year-over-year increase of more than 200%. This includes lower-layer attacks such as SYN floods, UDP floods and many other common types of volumetric attack, as well as higher-level attacks that target the application layer, such as massive amounts of HTTP GET traffic. [AKAMAI]

[12] http://www.scmagazine.com/botnets-the-backdoor-to-the-enterprise-network/article/242016/
[13] For more information about DoS attacks, visit: http://www.dsd.gov.au/publications/csocprotect/ddos_mitigation.htm

Figure 18: DDoS Attack Types

Source: Arbor Worldwide Infrastructure Security Report Vol. XIII 2012
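Added example (not from the white paper, Akamai or Arbor) of the application-layer case just described: detecting an HTTP GET flood in combined-format access logs by counting each source's requests in a sliding window and checking how concentrated they are on a single URL. The log lines, the addresses (RFC 5737 documentation ranges), the 10-second window and the 100-request threshold are constructed assumptions to be tuned per site.

```python
"""Spot application-layer GET floods in web-server access logs (constructed example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def log_line(ip: str, ts: datetime, path: str) -> str:
    """Render one constructed access-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def constructed_log() -> list[str]:
    """Constructed sample: one normal browser plus two bots hammering /login.

    Addresses come from the documentation ranges; nothing here is real traffic.
    """
    base = datetime(2013, 6, 10, 9, 0, 0, tzinfo=timezone(timedelta(hours=10)))
    # Normal user: one request every 5 seconds to different pages.
    lines = [log_line("203.0.113.7", base + timedelta(seconds=5 * i), f"/news/{i}") for i in range(12)]
    for bot in ("198.51.100.21", "198.51.100.22"):
        # 40 requests per second for 20 seconds, all to the same URL.
        lines += [log_line(bot, base + timedelta(milliseconds=25 * i), "/login") for i in range(800)]
    return lines


def parse(line: str):
    """Return (ip, timestamp, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]


def flood_sources(lines, window_seconds: int = 10, threshold: int = 100) -> dict:
    """Per source above the threshold: peak GET count in any window, its most
    requested path, and the share of its requests that hit that one path.

    Floods show a high rate concentrated on one or two URLs; human browsing
    does not. Window and threshold are assumptions to tune per site.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "GET":
            per_ip[rec[0]].append((rec[1], rec[3]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r[0])
        times = [t for t, _ in reqs]
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            top_path, top_count = Counter(p for _, p in reqs).most_common(1)[0]
            flagged[ip] = {"peak": peak, "top_path": top_path, "top_path_share": top_count / len(reqs)}
    return flagged


if __name__ == "__main__":
    for ip, info in flood_sources(constructed_log()).items():
        print(ip, info)
```

Per-source counting is only a first cut: a distributed flood from a large botnet may keep every individual source under the threshold, so the same window logic should also be run per target path (total GETs to /login across all sources) and compared with the site's normal baseline. Either way, the point of the exercise is to raise an alert on rate, not on any signature, since flood requests are individually well-formed.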

Recent DoS attack traffic volumes are almost impossible for the typical enterprise to defend against. We are now seeing over 10% of DoS attacks exceeding the 60 Gbps threshold. [Prolexic] The largest DDoS attack to date was a massive 300 Gbps using DNS reflection, launched through open DNS resolvers rather than directly from compromised networks. Because the attacker used DNS amplification, the attacker only needed to control a botnet or cluster of servers able to generate 750 Mbps, which is possible with a small botnet. [14]

The DoS attacks associated with Operation Ababil [15] are an example of terrorists expanding their activities and developing new methodologies and tools to make their DoS efforts more effective. Their motivation can be political or religious and their capability varies from low to high. Preferred targets of cyberterrorists are mostly critical infrastructures (e.g. health, energy, telecommunications), as their failure causes severe impact on society and government. [ENISA]

DoS attacks can be a diversion

Cybercriminals too are involved in DDoS attacks; the goal is often to distract the targeted business while the criminals commit fraud, or simply to extort money from their victim. [AKAMAI]

In September 2012, the FBI issued a warning to financial institutions that some DDoS attacks are actually being used as a "distraction". These attacks are launched before or after cybercriminals engage in an unauthorised transaction and are an attempt to avoid discovery of the fraud and prevent attempts to stop it. They may or may not bring the website down, as that's not the main focus of the attack; the real goal is to divert the attention of the company's IT staff towards the DDoS attack. Meanwhile, the hackers attempt to break into the company's network using any number of other methods that may go unnoticed while the DDoS attack continues in the background. [16]

[14] http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/
[15] http://analysisintelligence.com/cyber-defense/deconstructing-the-al-qassam-cyber-fighters-assault-on-us-banks/
[16] http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf


6.0 The State of Security Technology Defences

In security everything fails to the lowest common denominator. We are predictable to cyberattackers in that they know our weaknesses (multiple vulnerabilities, poor configurations, gullible people to target for phishing, etc.). They understand our security defences in that they know we use firewalls, logging, some IPS, some DLP, maybe proxies.

Perimeter controls were extremely effective until about three years ago. Two significant waves have hit already which demonstrate that perimeter defences are inadequate. One is the new wave of advanced, targeted attacks that are multi-vector and are perpetrated by well-funded and well-trained adversaries. Then there is what is called the "ZeusiLeaks Effect" [17]: the pervasive use of high-grade Trojans by thousands of petty criminals, and the fact that they are already operating inside the firewalls of almost every Fortune 500 company.

External attackers are infecting employee PCs, either deliberately or as a side-effect of financial fraud attacks. Following the successful infection of an employee PC, the corporation is left with a huge blind spot. Most perimeter defence technologies are set up to look at and stop threats outside the firewall and are blind to the ones that have already made it inside. [18]

With what we've learned so far in this report about attackers and their methods, it's interesting to note in the figure below that only 48% of companies use intrusion detection tools and 39% use DLP tools. Consolidated event collection through security event correlation tools is used by only 36% of companies.

Figure 19: Information Security Technology Safeguards in Place

Source: Key findings from the PWC Global State of Information Security Survey 2013

This will be problematic for these organisations, because defending against highly skilled, well-funded hackers using sophisticated malware and attack scenarios requires effective people, process and technology defence in depth and diversity of defence tactics. With less than half the companies in the PWC survey using advanced detection tools, they're easy targets for hackers who use low and slow techniques to evade detection.

[17] http://www.cio.com.au/article/396014/mcafee_rsa_entire_fortune_500_compromised/
[18] http://blogs.rsa.com/rivner/it-security-in-the-age-of-apts/


Findings from NSS Labs [19], the world's leading information security research and advisory company, show that technology products alone do not provide adequate protection.

In 2011, NSS Labs tested six enterprise network firewall products (including Check Point, Cisco and Juniper). They found that three of the six firewalls crashed when subjected to stability tests, indicating opportunities for denial of service attacks. [20]

In 2012, NSS Labs tested 15 enterprise network intrusion prevention (IPS) products from ten vendors in the industry's most comprehensive test to date. As indicated in the following graphs, none of the devices tested achieved 100% block protection. [21]

Figure 20: Number of Undetected Exploits by IPS Product (left pane)

Correlation of Undetected Exploits Between Vendors IPS Products (right pane)

Source: NSS Labs Cybercrime Kill Chain vs Defence Effectiveness November 12

Also in 2012, NSS Labs tested 13 popular endpoint security suites. These suites were tested against 144 exploit attack scenarios to measure their effectiveness in protecting Windows computers against exploits that had been publicly available for months (and some for years) prior to the test. The findings indicated that, with a few notable exceptions, endpoint products are not providing adequate protection from exploits. Even more troubling was the finding that keeping endpoint protection software up to date does not yield adequate protection against exploits, as evidenced by coverage gaps for vulnerabilities several years old. [22]

[19] https://www.nsslabs.com/
[20] www.nsslabs.com/reports/network-firewall-group-test-2011
[21] www.nsslabs.com/reports/ips-comparative-analysis-2012
[22] www.nsslabs.com/reports/consumer-avepp-comparative-analysis-exploit-protection


The following figure shows the percentage of undetected exploits out of the 144 tested:

Figure 21: Endpoint Protection Products – Undetected Exploit

Source: NSS Labs Cybercrime Kill Chain vs Defence Effectiveness November 12

The deficiencies noted in NSS Labs' test results mean that, based on market share, about 70% of the world is poorly protected. Most vendors lack adequate protection against exploits, and simple evasions such as switching from HTTP to HTTPS are often effective in bypassing attack detection.

“Simply put, endpoint protection suites do not prevent a dedicated attacker from compromising a target.” [NSS_2]


7.0 Recommendations

Modern malware and cyberattack methods form a new attack doctrine built to circumvent conventional approaches to information security. Unfortunately, today's reality is that advanced attack techniques are so successful and rewarding to attackers that organisations must operate under the assumption that such attacks are inevitable.

Prevention and detection of cyberattacks now requires an evolved situational awareness strategy that facilitates the anticipation, discovery and investigation of anomalous behaviour.

While firewalls, IPSs and antivirus software can catch a lot of malware, every corporation should assume that some malicious code has gotten through and infected systems. That means your CIO, business managers and security team should be operating under the assumption that your organisation is already compromised. [NSS_3]

Given the pervasive nature of cyberattacks, it is not possible to protect everything. Security teams will have to focus on protecting the organisation's most critical information and systems. That changes the definition of successful defence from "keeping attackers out" to "sometimes attackers are going to get in".

Detection is difficult because there is no single event that indicates compromise. Low and slow actions by skilled attackers will not stand out from the thousands of events occurring in an IT infrastructure every day: the proverbial needle in a haystack. Many victims have been compromised for a long time, and the relevant logs have long since rolled over. The majority of breaches take months or more to discover. [Verizon]

SECURITY AS A COUNTERINTELLIGENCE FUNCTION

Situational awareness is being aware of one's surroundings and identifying potential threats and dangerous situations. It is a fundamental building block in collective security and is more of a mindset than a hard skill.

Developing this mindset in light of today's cyberthreat landscape requires us to rethink our position and start viewing information security more like a counterintelligence function. This new thinking should compel us to operationalise defensive measures such as identifying and prioritising information assets and the systems that store and transmit critical information, developing mitigation strategies and tactics, exercising response plans, creating separate networks for mission critical information assets, and developing an end-to-end view of network and system activity to improve situational awareness.

Just as traditional intelligence seeks an understanding of adversaries' capabilities, actions and intent, the same values carry over to the cyber domain. Cyber counterintelligence seeks to understand and characterise things like: what sort of attack actions have occurred and are likely to occur; how these actions can be detected and recognised; how they can be mitigated; who the relevant threat actors are; what they are trying to achieve; what their capabilities are, in the form of the tactics, techniques and procedures they have leveraged over time and are likely to leverage in the future; what sort of vulnerabilities, misconfigurations or weaknesses they are likely to target; etc. [23]

[23] http://www.mitre.org/work/cybersecurity/pdf/stix.pdf

Rethink your cybersecurity situation by taking on an "assume you're breached" mentality.


The cyber counterintelligence approach shares many characteristics of traditional intelligence analysis. The figure below shows the key activities of the classic Observe-Orient-Decide-Act loop. The loop begins with collecting and correlating a broad range of technical and environmental data and then developing and testing hypotheses about adversary capabilities and intentions. Like traditional intelligence analysis, cyber counterintelligence seeks to provide actionable information to friendly forces. [24]

Figure 22: John Boyd’s Observe-Orient-Decide-Act Loop

Source: http://pogoarchives.org/m/dni/john_boyd_compendium/essence_of_winning_losing.pdf

BREAK THE CYBER KILL CHAIN

Cyber counterintelligence analysis strives to better position cyber defences to prevent, or quickly contain, the cyber intrusions that occur. It is aided by the attack lifecycle model built upon the kill chain framework [25]. In military parlance, a kill chain is a phase-based model describing the stages of an attack, which then informs ways to prevent such attacks. Kill chain analysis is a way to analyse intrusions in a new light. In a kill chain model, just one mitigation breaks the chain and thwarts the attacker.

Defenders collect and analyse data and correlate it against the stages of an attack. Defensive engagement of the threat across the whole kill chain is critical. The early stages of the kill chain represent an opportunity to proactively detect and mitigate threats before an adversary establishes a foothold. [26]

For example, to compromise a target system, an attacker follows a defined

methodology as indicated in the figure below. Ideally, the earlier in the kill chain

an attack can be stopped, the better chance you have of stopping the attack.

24 http://www.mitre.org/work/cybersecurity/pdf/protex3.pdf 25 http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf 26 http://www.mitre.org/work/cybersecurity/focus/threat_based_defense.html


Figure 23: Attack Lifecycle

Source: E&Y/ISACA Responding to Targeted Cyberattacks Report, 2013

In a cyberattack, the kill chain defence leverages the fact that a successful attack must complete all stages, from planning and malware introduction to expansion and one or more command and control phases, until the target is identified, manipulated and exfiltrated. The goal of a kill chain defence is to break one or more stages in the attack chain to stop the progress of the attack and force the opponent to start over.

Responding to incidents after the exploit has already occurred is costly, both in its impact and in the level of effort necessary to root out the adversary’s established foothold. To be proactive, cyber defenders need to fundamentally change the nature of the game by stopping the adversary’s advance, preferably before the exploit stage of the attack (that is, moving left of the attack). Moving left of the attack requires defenders to evolve from a defensive strategy based primarily on after-the-fact incident investigation and response to one driven by cyber threat intelligence.27

In figure 23 above, the steps left of Establish foothold represent an opportunity to proactively detect and mitigate threats before the adversary establishes a foothold. To the right of Establish foothold, incident detection and response can be exercised along with assurance of mission-critical assets. To best leverage the opportunity for active defence, it is necessary to perform a retrospective analysis of threat characteristics across the entire kill chain and correlate the results to produce tell-tale indicators.28

It’s important to remember three things about this method: 1) the attacker must make the entire chain work to succeed; 2) you need only kill one link to stop them; and 3) having detection and kill capability at each point in the enemy’s attack chain gives you the highest probability of success in this defence.29

Most detected intrusions will provide a limited set of attributes about a single phase of an intrusion. Analysts must still discover many other attributes for each phase to enumerate the maximum set of options for courses of action. As defenders collect data on adversaries, they will push detection from the latter phases of the kill chain into earlier ones. Detection and prevention at pre-compromise phases also necessitates a response: defenders must collect as much information on the mitigated intrusion as possible, so that they may synthesise what might have happened should future intrusions circumvent the currently effective protections and detections.30

27 http://www.mitre.org/work/cybersecurity/pdf/stix.pdf
28 http://www.mitre.org/work/cybersecurity/pdf/active_defense_strategy.pdf
29 http://www.enterprisecioforum.com/en/blogs/jim-ricotta/cyber-attack-kill-chain-defense
30 http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
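The correlation described in the paragraphs above, as an added Python example that is not part of this paper: each observed attribute of an intrusion is tagged with the kill chain phase it belongs to, and the analysis reports where each intrusion was first seen and first blocked, which indicators recur across intrusions (the tell-tale indicators), which phases the defender has no visibility into at all, and which earlier-phase observations could carry a mitigation "left" of the current block. The observation records, intrusion ids, indicator values and addresses are constructed for illustration; the phase names follow the Lockheed Martin kill chain cited in footnote 25.

```python
"""Kill chain correlation over constructed intrusion observations (added example)."""
from collections import defaultdict

# Kill chain phases in attack order (Lockheed Martin intrusion kill chain).
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(PHASES)}

# Constructed sample data: one record per observed attribute of an intrusion
# attempt, tagged with the phase it was observed in and whether the control
# that observed it also blocked the activity. Addresses are documentation ranges.
SAMPLE_OBSERVATIONS = [
    {"intrusion": "INT-001", "phase": "delivery",
     "indicator": "sender:billing@example-invalid.test", "blocked": False},
    {"intrusion": "INT-001", "phase": "exploitation",
     "indicator": "attachment:HASH-PLACEHOLDER-1", "blocked": False},
    {"intrusion": "INT-001", "phase": "command_and_control",
     "indicator": "c2:198.51.100.23", "blocked": True},
    {"intrusion": "INT-002", "phase": "delivery",
     "indicator": "sender:billing@example-invalid.test", "blocked": True},
    {"intrusion": "INT-003", "phase": "reconnaissance",
     "indicator": "scanner:203.0.113.9", "blocked": False},
    {"intrusion": "INT-003", "phase": "delivery",
     "indicator": "sender:hr@example-invalid.test", "blocked": False},
    {"intrusion": "INT-003", "phase": "command_and_control",
     "indicator": "c2:198.51.100.23", "blocked": True},
]


def earliest_detection(observations=SAMPLE_OBSERVATIONS):
    """Earliest kill chain phase in which each intrusion was observed at all."""
    earliest = {}
    for obs in observations:
        current = earliest.get(obs["intrusion"])
        if current is None or PHASE_INDEX[obs["phase"]] < PHASE_INDEX[current]:
            earliest[obs["intrusion"]] = obs["phase"]
    return earliest


def earliest_block(observations=SAMPLE_OBSERVATIONS):
    """Earliest phase in which each intrusion was blocked (None if never blocked)."""
    blocked = {}
    for obs in observations:
        blocked.setdefault(obs["intrusion"], None)
        if not obs["blocked"]:
            continue
        current = blocked[obs["intrusion"]]
        if current is None or PHASE_INDEX[obs["phase"]] < PHASE_INDEX[current]:
            blocked[obs["intrusion"]] = obs["phase"]
    return blocked


def shared_indicators(observations=SAMPLE_OBSERVATIONS):
    """Indicators seen in more than one intrusion: the tell-tale signs of a campaign."""
    seen = defaultdict(set)
    for obs in observations:
        seen[obs["indicator"]].add(obs["intrusion"])
    return {ind: sorted(ids) for ind, ids in seen.items() if len(ids) > 1}


def coverage_gaps(observations=SAMPLE_OBSERVATIONS):
    """Phases with no observation at all, i.e. where detection has no visibility."""
    observed = {obs["phase"] for obs in observations}
    return [phase for phase in PHASES if phase not in observed]


def earlier_mitigation_candidates(observations=SAMPLE_OBSERVATIONS):
    """Unblocked observations that precede the phase where each intrusion was stopped.

    These are the places where a mitigation could be moved 'left': the activity was
    visible but not acted on. If an intrusion was never blocked, every unblocked
    observation is a candidate.
    """
    blocks = earliest_block(observations)
    candidates = {intrusion: [] for intrusion in blocks}
    for obs in observations:
        if obs["blocked"]:
            continue
        block_phase = blocks[obs["intrusion"]]
        if block_phase is None or PHASE_INDEX[obs["phase"]] < PHASE_INDEX[block_phase]:
            candidates[obs["intrusion"]].append((obs["phase"], obs["indicator"]))
    for items in candidates.values():
        items.sort(key=lambda item: PHASE_INDEX[item[0]])
    return candidates


if __name__ == "__main__":
    print("first seen:   ", earliest_detection())
    print("first blocked:", earliest_block())
    print("shared:       ", shared_indicators())
    print("no visibility:", coverage_gaps())
    print("move left:    ", earlier_mitigation_candidates())
```

Run on the constructed data, the report shows two intrusions stopped only at command and control although their delivery-phase sender was already visible, and that the same sender was blocked outright in a later attempt once it had been turned into an indicator; the coverage list shows which phases currently produce no data at all and so cannot yet host a detection.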

“If the enemy attacks first you can lead him around. In strategy, you have effectively won when you forestall the enemy.” Miyamoto Musashi


Kill chain analysis makes it more effective for organisations to implement appropriate defensive controls at each stage of the attack lifecycle. Clearly, as this author has been advocating for years, the best way to protect yourself is to build a defence-in-depth strategy with multiple layers of security through a well-constructed zoned security architecture.

THE NECESSITY OF A ZONED SECURITY ARCHITECTURE

Current attack scenarios should be shifting your security environment away from the fortress model of security strategies that are perimeter based with disparate security controls operating independently. To combat today’s cyberthreats, your security architecture must be based on strategies like least privilege, defence in depth, diversity of defence, choke point, systems segmentation and dedicated functionality. The security architecture must include concentric layers of protection that provide multiple, diverse and complex protection barriers that an attacker (or automated malware) must penetrate one at a time. This dramatically increases the difficulty of exploitation and the time it takes, giving businesses an increased opportunity to detect and respond to attack activity.

A formal security architecture framework is a foundational model and methodology for developing a tactical security architecture. It provides the fundamental technology components and interconnecting structure required to support the security requirements of the business. The security architecture framework provides for the organisation and placement of the primary functions of service presentation, business logic and secure data storage, and of the internal and external users of information processed through these primary functions. Using this structure of functions, the security architecture overlays the existing IT architectural structure for business solutions development while facilitating the logical grouping of users and devices of similar trust levels and the information assets that require varying protection and controls.

Enterprise networks are composed of users, devices, and systems with varying security requirements with regard to confidentiality, integrity, availability, authenticity, and non-repudiation. Because the risks facing users, devices, and systems are different, it is logical to separate higher risk entities from lower risk entities and group like entities requiring common protection strategies. Like entities can then be grouped into zones.

A zone is a collection of users, devices and systems with a similar level of trust, or those requiring similar protection and controls, logically bound together.


A simple security architecture zone model is shown in the following diagram:

Figure 24: Simple Security Architecture Zone Model

Source: Burton Group, Reference Architecture Decision Point - Zones

Zoning can be viewed as an organising vehicle to reduce architecture complexity, facilitate cross-functional understanding between security, IT infrastructure, applications development, and outsource partner teams, and ultimately provide an inherently more secure infrastructure.

Zones are demarcated by perimeters. Perimeter topologies vary in complexity based on the risk profile of a particular zone. Perimeters are designed specifically to implement physical and logical separation and isolation mechanisms to control the communications flow into and out of a zone. The basic mechanism to mediate perimeters is the firewall. The firewall serves as a policy enforcement point regarding access control and network traffic. A full risk assessment would determine the required boundary controls in addition to the firewall, such as application proxies, intrusion prevention systems, strong authentication, and other security controls.

The real benefit of introducing a security architecture zone model results from the gradations of protection against the volume, variety, and velocity of information security threats facing the typical organisation. Zone modelling employs concentric layers of protection to dramatically increase the difficulty of exploitation. Concentric layers of protection provide multiple and diverse protection barriers that an attacker must penetrate one at a time. A properly constructed zoned security architecture presents formidable challenges to the attacker and is your best chance of protection, through the complexity of the defences, the time required for the attacker to penetrate multiple layers, and the increased opportunity to detect attack activity.
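To make the zone and perimeter concepts above concrete, here is an added Python example, not from this paper and not the Burton Group model in Figure 24: four concentric zones of rising trust, a default-deny perimeter rule base, a flow check that refuses any flow that would skip a zone (so a path to the data zone must cross every perimeter in turn), and an audit that flags a fortress-style rule letting the Internet reach the data zone directly. Zone names, ports and rules are constructed assumptions.

```python
"""Zone and perimeter flow check for a concentric security architecture (added example)."""

# Constructed zone model: trust increases from the Internet inward. The names
# are illustrative assumptions, not the Burton Group zones of Figure 24.
TRUST = {"internet": 0, "presentation": 1, "application": 2, "data": 3}

# Hardened perimeter rule base (constructed). Each rule is one decision the
# perimeter firewall enforces as policy enforcement point; anything not listed
# is denied.
RULES = [
    {"src": "internet", "dst": "presentation", "proto": "tcp", "port": 443},
    {"src": "presentation", "dst": "application", "proto": "tcp", "port": 8443},
    {"src": "application", "dst": "data", "proto": "tcp", "port": 5432},
]

# Fortress-style rule base (constructed): the same rules plus a direct hole from
# the Internet to the database, the kind of rule a zone audit should flag.
WEAK_RULES = RULES + [
    {"src": "internet", "dst": "data", "proto": "tcp", "port": 5432},
]


def perimeters_crossed(src, dst):
    """Number of perimeters between two zones in the concentric model."""
    return abs(TRUST[src] - TRUST[dst])


def attack_path(src, dst):
    """Ordered list of perimeters an intruder must defeat to get from src to dst."""
    ordered = sorted(TRUST, key=TRUST.get)
    start, end = ordered.index(src), ordered.index(dst)
    step = 1 if end > start else -1
    return [(ordered[i], ordered[i + step]) for i in range(start, end, step)]


def evaluate_flow(src, dst, proto, port, rules=RULES):
    """Decide whether a flow from the src zone to the dst zone is permitted.

    Returns (decision, reason). A flow that would skip a zone is refused before
    the rule base is consulted, so the rule base cannot be used to bypass the
    concentric layering even when it contains a bad rule.
    """
    if src not in TRUST or dst not in TRUST:
        return ("deny", "unknown zone")
    if src == dst:
        return ("allow", "intra-zone traffic is not mediated by a perimeter")
    hops = perimeters_crossed(src, dst)
    if hops > 1:
        return ("deny", f"flow would cross {hops} perimeters at once; zone skipping is not permitted")
    for rule in rules:
        if (rule["src"], rule["dst"], rule["proto"], rule["port"]) == (src, dst, proto, port):
            return ("allow", f"matched rule {src}->{dst} {proto}/{port}")
    return ("deny", "no rule permits this flow (default deny)")


def audit_rules(rules):
    """Rules that violate the concentric model by spanning more than one perimeter."""
    return [rule for rule in rules if perimeters_crossed(rule["src"], rule["dst"]) > 1]


if __name__ == "__main__":
    for flow in [("internet", "presentation", "tcp", 443),
                 ("internet", "data", "tcp", 5432),
                 ("presentation", "application", "tcp", 22)]:
        print(flow, "->", evaluate_flow(*flow))
    print("layers Internet -> data:", attack_path("internet", "data"))
    print("weak rules flagged:", audit_rules(WEAK_RULES))
```

Two design points are worth noticing. The zone-skipping check sits in front of the rule lookup, so even the weak rule base cannot open the Internet-to-data path; and the audit function reports that such a rule exists so it can be removed rather than silently neutralised. The attack path for Internet to data lists three perimeters, which is the "penetrate one at a time" property the section describes.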

DEVELOP A SECURITY IMPROVEMENT ROADMAP

One of the best defence strategies against cyberattack is to assess the effectiveness of your internal people, process, technology and organisational controls to understand your current state of security. Once you have determined where gaps exist, you can develop a prioritised risk improvement roadmap to get to your desired future state of information security.

“In all forms of strategy, it is necessary to maintain the combat stance in everyday life and to make your everyday stance your combat stance.” Miyamoto Musashi

The following example depicts a high level prioritised, risk based improvement roadmap:

Figure 25: Example of a Prioritised, Risk-based Improvement Roadmap

(Source: Keith Price)

The example improvement roadmap above shows the implementation plan, including the sequence of implementation for the recommended technologies and service capabilities. The roadmap shows four distinct streams which run in parallel:

Quick wins & expanded capabilities
Business alignment
Integrated solutions
Optimised capabilities & visibility

The quick wins and expanded capabilities stream expedites initiatives already under way, expands the full functionality of technologies already deployed, or kicks off initiatives that can be enabled quickly.

The business alignment stream facilitates development of a governance, risk, and compliance management system to implement the recommended technologies and service capabilities. It starts with executive briefings to cultivate support for the program and includes an expanded security awareness program for all levels of staff. Asset management and network security architecture align protection efforts.

The integrated solutions stream introduces new technologies necessary to prevent or detect a sophisticated attack.

The optimised capabilities and visibility stream is designed to enhance the configuration and vulnerability management programs as well as operational services around incident management and penetration testing.


8.0 Conclusion

Cybercrime hurts everyone. Not just because of the damage it causes businesses, governments, and consumers, but because it undermines confidence in ecommerce and the Internet. In a world where practically everything depends on connection to the Internet, protection is crucial.

Yet no organisation can afford to eliminate all cyber risks - the cost/benefit justifications just aren’t there. The trade-off between risk exposure and risk management is becoming increasingly complex, and there's no silver bullet for managing cyber risk. Each organisation needs to establish its own risk tolerance threshold. Some cyber risks will be accepted because the exposure is so small or the cost too great to eliminate them; others must be mitigated because the potential of a cyber black swan event is too great.

As this paper has demonstrated, the best response we have today starts with asking the right questions, understanding attackers’ motives, capabilities, and methods, and knowing where we’re vulnerable, so we have a better chance of protecting ourselves. To effectively deal with cybercrime, security defence must evolve into a counterintelligence function that provides us with the requisite knowledge to prevent, detect and respond to cyberattacks.

Understanding the cyber kill chain, and how a zoned security architecture based on concentric layers of protection can help break the chain of an attack, provides a new approach to security defence. Together with a road map for protection improvements, these strategies will help you get to your desired future state of information security while achieving your business goals.

For further cybersecurity counterintelligence reports, see the list of references on page 37.

For more information about how to manage cybersecurity threats, contact Black Swan Group for a discussion about how the strategies outlined in this paper may help protect your organisation.


9.0 About the Author

KEITH PRICE

DIRECTOR AND PRINCIPAL CONSULTANT, BLACK SWAN GROUP

[email protected] +61 438 138 535

Keith specialises in information security and IT risk governance, strategy, architecture and assurance. During a 30-year career, he’s been at the cutting edge of technology - avionics, land mobile radio, telecoms & PABX, Novell networking, the emergence of the Internet, Internet banking, large scale B2B, B2C and B2E ecommerce systems, and pioneering technologies for network security. More recently, as co-founder of the Black Swan Group security consulting practice, he’s developed a comprehensive set of security and IT governance, architecture, and assurance methodologies based on international experience, extensive research, and recognised standards of practice.

His approach to IT and security is based on a deep technical understanding of enterprise architecture, solutions development, IT infrastructure, and e-commerce technologies for B2B, B2C and B2E gateways and converged voice, data and video networks.

He’s been a leader in the IT security industry, having served in director positions for the Australian Information Security Association (2010-2012) and the ISACA Sydney Chapter (2007-2009).

Educated in the U.S., he has BBus and MSc degrees. His certifications include CISSP, CISM, & CGEIT.


10.0 About Black Swan Group

Founded in 2010, Black Swan Group has rapidly established itself as a respected provider of information security and IT risk management services. Our clients include a number of Australia’s largest corporate, financial, and government organisations.

Black Swan Group’s exceptionally strong security skills underpin our information technology, IT operations, risk management and assurance services.

We provide a comprehensive range of information security services to identify and evaluate IT security risks and design and implement solutions which mitigate exposures. We support the full project lifecycle - from strategy, architecture, assessment and assurance through to deployment, operational integration, and lifecycle management. Our services encompass:

Secure Integration Assurance
Consulting
Architecture and Design
Solutions Integration
Operational Integration

Our core values are integrity, commitment to clients and value delivery. We provide straight talk and frank advice, unclouded by product sales.

Black Swan Group can work with you to develop effective frameworks and methodologies for information and technology governance, policy, strategy, risk management, and assurance.

Having been involved in numerous integration projects around the globe, we understand technology alone is not the answer. People, process and technology are essential ingredients for secure and streamlined operations, and we have a deep understanding of the issues surrounding all three.

We “sweat the small stuff” with meticulous attention to detail to ensure a solution is both comprehensive and sound. As this paper indicates, one of our key strengths is our ability to conceptualise extremely complex issues and distil them into streamlined strategies for protection that work in practice.

With decades of experience around the globe in a wide range of information technology and risk management functions, we know what works and what doesn’t.

Black Swan Group
Phone: 1300 558 451
Email: [email protected]
Website: www.blackswangroup.com.au


11.0 References

Major threat and security reports consulted and quoted in this report are listed below. Direct quotes in this paper from these sources are referenced by source name. Other sources consulted are referenced in footnotes throughout the paper.

1. AKAMAI: State of the Internet Report, Q4 2012
2. ANTI: Anti Phishing Working Group, Phishing Activity Trends Report Q1 2012
3. Arbor: Worldwide Infrastructure Security Report Volume XIII 2012
4. CERT_AU: Cyber Crime & Security Survey Report 2012, CERT Australia and Centre for Internet Safety, University of Canberra
5. Check Point: Security Report 2013
6. Cisco: Annual Security Report 2013
7. Deloitte: Technology, Media, and Telecommunications (TMT) Global Security Study 2013
8. ENISA: Threat Landscape Report, January 2013
9. E&Y: Ernst & Young’s Global Information Security Survey 2012
10. ISACA: E&Y/ISACA, Responding to Targeted Cyberattacks Report 2013
11. Forrester: The State of Data Security and Privacy: 2012 To 2013
12. IBM: X-Force Trend & Risk Report 2012
13. ISO/IEC 15408-1: Information technology, Security techniques, Evaluation criteria for IT security, Part 1 Introduction and general model
14. Mandiant: APT1 Exposing One of China’s Cyber Espionage Units, March 2013
15. Norton: Cybercrime Report 2012
16. NSS_1: NSS Labs Vulnerability Threat Trends 2013
17. NSS_2: NSS Labs Cybercrime Kill Chain vs Defence Effectiveness, November 2012
18. NSS_3: NSS Labs Modelling Exploit Evasions in Layered Security, December 2012
19. O-ESA: Open Enterprise Security Architecture, The Open Group
20. Ponemon: IBM and Ponemon, The Source of Greatest Risk to Sensitive Data, February 2012
21. Prolexic: Quarterly Global DDoS Attack Report, Q1 2013
22. PWC: Key findings from the PWC Global State of Information Security Survey 2013
23. RSA: The Current State of Cybercrime 2013
24. SBIC: Information Security Shake-up, Disruptive Innovations to Test Security’s Mettle in 2013
25. Secunia: Vulnerability Review 2013
26. Sophos: Security Threat Report 2013
27. Symantec: Internet Security Threat Report, Vol 18 2013
28. Sym_Supp: Symantec Internet Security Threat Report Supplementary Data Vol 18, 2013
29. Trustwave: Global Security Report 2013
30. Verizon: Data Breach Investigations Report 2013