Organizational security, on average, lags behind emerging approaches that attackers use. This is because attackers tend to operate with agility and do not need to convince a CIO and CFO of the merits of one approach versus another. In short, the economics make it far cheaper for an attacker to attack than for an organization to defend against these attacks.
One of the newer approaches is the APT, or advanced persistent threat. An APT is no different from any standard attack, with one exception: it is not opportunistic. The attacker incorporates hunter/killer tactics, studying the prey, taking note of its defenses, and biding time until the atmosphere and opportunity are right. Quite often the byproduct of such an attack is not a tell-tale outage with a ‘gotcha’ defacement, but something far more valuable: a backdoor.
Today it is well accepted that firewalls are no longer security tools but noise management devices. Intrusion prevention systems (IPS) and threat management tools offer protection against known vulnerabilities and some behavior-based threats. However, how does an organization keep seemingly trivial information from leaking? That same information offers considerable insight to an attacker, especially one using non-opportunistic, APT-driven techniques.
Quite often organizations leak significant data through trusted sources that are not vetted by organizational management in any way. The biggest culprits are search engines in general, and Google in particular.
Any hacker knows that Google is their best friend for information gathering. A hacker can use Google for seemingly benign tasks, such as searching for annual reports, that may reveal a new technology agreement and thereby identify the platform the attacker would need to compromise. They can read an online forum post that traces back to problems a particular organization is facing, and perhaps even to a vulnerability in a specific technology that organization runs.
Let’s understand how Google operates. The best way to describe Google is as an information sucking machine: raw data goes in one end, is processed, and is delivered to anyone who knows how to look for it. Google's information intake consists of three activities:
- Identification: identifying unique objects such as individuals (age, sex, name, interests), organizations (industry, employees), the relationships between them, and much, much more.
- Profiling: building a profile of each object and its relationships to others.
- Tracking: feeding Google a constant stream of fresh information, including search queries, emails, phone calls, geo-location, and even the content of your documents.
Google then analyzes this data and presents it either in the form of directly referenceable data or indirect data, such as browsing behavior.
How does Google accomplish this? By offering useful services such as Google Search, Calendar, Docs, Voice, Analytics, Gmail, Chrome, Safe Browsing, DNS, the Googlebot spider, Bookmarks, Wallet, Google+ – you get the idea. The commonality among these services is that they are all free. This is how Google feeds its incredible appetite for data: it offers useful services that, by virtue of their use, provide valuable data to Google, which then leverages that data to target the very same people and organizations.
The data can include standard information such as operating system, browser type, screen and server data, as well as public and private IP addresses. But it can also include precise geographic location; phone data, including phone numbers, content of voicemails and possibly content of phone calls; tracking the content of emails, contacts, documents and schedules; lists of every site visited and every link browsed (accessed via Google or not); personal and professional interests; shopping patterns and products of interest; and personal and professional relationship tracking.
All of this is collectively called feeding the Search Engine Monster. It is Google's objective to ID, profile and track all individuals, regardless of their platform, for all usage (outbound traffic) and access (inbound traffic).
So why does Google have this level of insight?
Because individuals and organizations choose to trust it. By trusting search engines in general, and Google in particular, they allow significant information to leak that, in tidbits, may not be substantive. Taken as a whole, however, this information gives Google an insider's view of an organization. Every site visited, link selected, email sent, or voicemail left can contribute to a malicious person's insight and so enlarge the attack surface – one that would have been far harder to chart, and would have required significantly more effort, without a Google profile of you and your organization.
How is this possible? There is an entire sector devoted to gaming Google to achieve desired results: the search engine optimization (SEO) industry. Black hat SEOs go beyond page ranking and placement to collect data on targets and highlight vulnerabilities. Smart black hat SEOs may even be able to target users by behavior. This can be leveraged to achieve specific attack objectives, such as steering victims toward links that deliver malware or backdoor dropper applications.
How can you control the Search Engine Monster? You can start with three straightforward steps:
- Visibility: understand the various ways information leaks from the organization. This can be done as an assessment that details search engine resource utilization on organizational systems, including mobile devices.
- Remediation: identify the services in use according to the visibility report, determine which can be blocked outright, and find alternative services that will not contribute to the Search Engine Monster.
- Mitigation: identify the handful of services considered imperative for the organization, then anonymize and obfuscate their traffic so as to render it useless to Google for the purposes of identification, profiling and tracking.
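The visibility and remediation steps above start with an inventory of which Google services the organization's clients actually reach. The script below is an added example, not code from the original article or from Bat Blue Networks: it classifies web-proxy log lines by Google service, tallies requests and clients per service, extracts the search terms that leave in the clear, and splits the result into services to block and services to carry on to the mitigation step. The log format, the domain-to-service map, the sample log lines and the list of "imperative" services are all constructed here for illustration; a real deployment would feed it the organization's own proxy or DNS logs and a maintained inventory of Google domains.

```python
"""Visibility pass over proxy logs: which Google services do our clients reach?

Added example, not from the original article. Everything below (log format,
domain map, sample lines, policy choices) is constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hypothetical hostname/suffix -> service map. Real Google domain inventories
# are far larger; this covers only the services the constructed sample touches.
GOOGLE_SERVICES = {
    "www.google.com": "Search",
    "google.com": "Search",
    "mail.google.com": "Gmail",
    "docs.google.com": "Docs",
    "calendar.google.com": "Calendar",
    "google-analytics.com": "Analytics",
    "safebrowsing.googleapis.com": "Safe Browsing",
    "googleapis.com": "Google API",
}

# Constructed proxy log: "<epoch> <client_ip> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
1325376000.123 10.1.4.22 GET http://www.google.com/search?q=acme+corp+annual+report 200 5120
1325376001.456 10.1.4.22 GET https://mail.google.com/mail/u/0/ 200 88231
1325376002.789 10.1.4.37 POST https://docs.google.com/document/d/abc123/edit 200 2048
1325376003.101 10.1.4.37 GET http://www.google-analytics.com/__utm.gif?utmac=UA-000000-1 200 35
1325376004.202 10.1.4.51 GET https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch 200 1400
1325376005.303 10.1.4.51 GET https://www.example.org/index.html 200 9000
1325376006.404 10.1.4.22 GET http://calendar.google.com/calendar/u/0/r 200 3010
"""


def classify_host(host):
    """Return the Google service a hostname belongs to, or None.

    Walks from the full hostname down to shorter suffixes, so the most
    specific entry wins: mail.google.com -> Gmail, not the generic google.com.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in GOOGLE_SERVICES:
            return GOOGLE_SERVICES[candidate]
    return None


def parse_line(line):
    """Split one constructed proxy line into (client_ip, host, url); None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    client_ip, url = parts[1], parts[3]
    host = urlsplit(url).hostname
    if not host:
        return None
    return client_ip, host, url


def inventory(log_text):
    """Visibility report: per Google service, request count and the clients that used it."""
    report = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, host, _ = parsed
        service = classify_host(host)
        if service is None:
            continue                      # non-Google traffic is out of scope here
        report[service]["requests"] += 1
        report[service]["clients"].add(client_ip)
    return {s: {"requests": v["requests"], "clients": sorted(v["clients"])}
            for s, v in report.items()}


def leaked_search_terms(log_text):
    """Query strings sent to Google Search: the 'tidbits' that leave in the clear."""
    terms = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and classify_host(parsed[1]) == "Search":
            terms.extend(parse_qs(urlsplit(parsed[2]).query).get("q", []))
    return terms


def remediation_plan(report, imperative):
    """Remediation step: everything seen that is not imperative is a block candidate;
    imperative services go on to the mitigation (anonymize/obfuscate) step."""
    block = sorted(s for s in report if s not in imperative)
    mitigate = sorted(s for s in report if s in imperative)
    return {"block": block, "mitigate": mitigate}


if __name__ == "__main__":
    rep = inventory(SAMPLE_LOG)
    for service, data in sorted(rep.items()):
        print(f"{service:14} requests={data['requests']} clients={','.join(data['clients'])}")
    print("leaked search terms:", leaked_search_terms(SAMPLE_LOG))
    # Hypothetical policy: only Search is deemed imperative for this organization.
    print(remediation_plan(rep, imperative={"Search"}))
```

The suffix walk in `classify_host` is what makes the map maintainable: adding one entry for a parent domain catches every subdomain under it, while a more specific entry still takes precedence. The same inventory can be driven from DNS resolver logs instead of proxy logs, which also catches clients that bypass the proxy, at the cost of losing the URL and therefore the search terms.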
As technology evolves and attacks grow more sophisticated through direct targeting, legacy security models become not just ineffective but a waste of resources. Resources allocated to security philosophies that are in line with the emerging challenges will generate the best results.
In my experience, some people consider a purpose-made security policy for search engines an advanced function they lack the resources, tools or even the inclination to tackle. This is precisely what makes search engine-based attacks so effective. Perhaps the question organizations need to ask is: how do we adapt? To maintain operational relevance, organizations must adapt their security measures to emerging challenges and forgo ineffective legacy approaches, so that they can continue operating effectively within their resource constraints.
Babak Pasdar, president and CEO of Bat Blue Networks, is a 24-year veteran of the technology industry and is recognized industry-wide as an emerging technology evangelist. He has a proven track record in both identifying early-stage technologies that address emerging client requirements and building successful technology organizations, including Cybernex and IGX Global. Bat Blue is his third successful startup. Pasdar has advised the US Congress on warrantless wiretapping as an expert witness to the Senate Judiciary Committee and the House Sub-Committee on Energy and Commerce.