As Cybercriminals Change Tactics, Threat Intel Evolves

28 January 2014

New tactics in hacktivism, cyber-espionage and APTs have contributed to a rapidly evolving cyber-landscape that has pushed approaches to threat intelligence into new realms, with more holistic strategies.

CISOs and CSOs are now acting as not only technology leaders, but business leaders as well, protecting networks and computer systems along with the long-term business interests that rely on those systems.

Assessing the trends, Verisign has offered an advance peek at several topics that will be discussed in its 2014 iDefense report. For one, after years of researchers talking about it, organizations are beginning to realize that traditional mechanisms to defend an organization are no longer enough.

“Security organizations have matured their cyber-intelligence functions and now take holistic, forward-looking views of the threat environment by combining strategic intelligence (e.g., security disruptors to long-term business objectives) with tactical intelligence (e.g., indicators of compromise) and operational intelligence (e.g., intelligence on actors, tools, tactics, techniques and intent),” the company said in a blog post. “The increasing appreciation for cyber-threat intelligence in 2014 has ramifications for both the consumers of that intelligence, as well as the producers of that intelligence (i.e., security vendors), including effectively sorting through available intelligence data to identify the most salient intel, and validation and implementation of that intelligence, to name a few.”

A few notable trends are guiding these new approaches. Verisign identified hacktivism as a notable, ongoing concern. Organizations are, however, benefiting from the growing region-specificity of hacktivism in Central and South America and in South and South East Asia, and from the solidification of MENA hacktivist groups and their rallying issues. Western European and US-based hacktivists have meanwhile retained the characteristics that analysts have observed since 2011.

“Regionalization has driven an increase in region, group and language-specific hacktivist tools and tool-sets as well,” the firm noted. “Furthermore, it has facilitated the ability of the cybersecurity intelligence community to track hacktivist actors based on geolocation, a task that was far more difficult back when an amorphous ‘Anonymous’ was among the only visible groups in the space.”

Also, an increase in the use of hacktivist-style attacks and operations in the context of state-directed, geopolitically oriented activity occurred in 2013. From a macro-level perspective, Verisign said the trend is really a token of nation-states’ cyber capabilities expanding to now comprise a fully developed set of tactics, techniques and procedures (TTPs).

As a result, the volume of public reports associated with advanced persistent threat (APT) activity increased dramatically. And, iDefense observed changes in tactics and improved operational security demonstrated by attackers.

For instance, Verisign noted an uptick in the use of off-the-shelf remote administration tools (RATs) like PoisonIvy to carry out cyber-espionage. These actors have traditionally created their own malware and tools to establish a foothold within a network and exfiltrate sensitive data; because such custom tools circulate in extremely low numbers, they are difficult for anti-virus vendors to detect. But criminals can carry out their efforts more cost-effectively using standard kits, which also leave behind fewer breadcrumbs from which to track them.

“The motivation for this change may be to evade attribution, as the tools are widely available, but the advantage comes with increased likelihood of detection by antivirus tools,” Verisign noted.

Meanwhile, the exploit kit frontier is evolving as well. In October 2013, the author of the Blackhole exploit toolkit was arrested in Russia. Multiple exploit kits have risen in popularity since that time and some actors have fallen back on simpler distribution methods, including simply attaching malware to e-mails and relying on excellent social engineering.

“Blackhole was the most widely-used exploit toolkit and with its author out of the picture, criminals looking to distribute malware needed to find a new tool,” said Verisign. “In 2014, we may see the rise of a new ‘king’ of exploit kits, but for now nothing has truly replaced Blackhole.”

At the same time, more opportunities for those exploit kits are about to come to the fore. Microsoft is ending support for Windows XP in 2014, and iDefense expects an increase in exploits that will make the many computers worldwide still running XP easy targets for any and all new cyber-attacks. However, exploitation of Java vulnerabilities will get more difficult as Oracle works on Java security updates and browser vendors lock down Java in the browser, it noted.

One big crime vector going forward is expected to be attacks against PoS and ATM systems – a prediction that comes against a backdrop of high-profile retail attacks against Target and others.

“While these systems may seem secure, they often run on top of commodity operating systems and are susceptible to malware attacks,” the firm explained. “Criminal forums have been buzzing with actors looking for malware and tools to target these systems, while malware like the Ploutus Trojan has displayed increasingly sophisticated mechanisms for stealing from ATMs.”

All of that criminal activity needs to be supported from a currency perspective, of course; but in May 2013 the electronic currency of choice for many cybercriminals, Liberty Reserve, was taken off the market by the US government.

“While multiple alternative currencies are common in underground markets, Bitcoin has gained significant traction despite its wildly fluctuating exchange rate,” said Verisign.

But, the crime-friendly heyday for Bitcoin may be coming to a close. “Simultaneously, the crypto-currency has started gaining acceptance as a currency for legitimate activities, with startups like BitPay and Coinbase making it easier for businesses to accept Bitcoins for goods and services,” Verisign noted. “These developments will likely lead to a regulatory challenge for governments looking to prevent abuse.”


Comments

Mark Kedgley, New Net Technologies, says:

13 February 2014
Finally it seems organisations are beginning to realise that traditional mechanisms to defend are not sufficient against cybercriminals with constantly changing threat tactics. However, in this evolving threat landscape many organisations are not utilising the best protection to prevent cyber-attacks.

The 2014 iDefense report highlights that there are now a variety of threats that organisations must consider in order to fully safeguard the organisation, including hacktivism, remote administration tools (RATs) and Advanced Persistent Threats (APTs).

Organisations need to safeguard their data and their IP against organisations with phenomenal reach and expertise, as well as a willingness to play the waiting game. The threat is stealthy and targeted. It is time for all organisations to prepare for perimeter breaches as though they are inevitable, and focus instead on ensuring the protection of the internal data.

The breach at Target is the latest high-profile reminder that the rise in cybercrime is relentless and can be catastrophically effective.

In order to fully safeguard against APTs, protecting the perimeter and relying on users to detect breaches will be nowhere near enough. System hardening measures – the elimination of commonly exploited vulnerabilities – have never been more important. Even then, the assumption must be that a breach may yet occur, and the contingency detection provided by File Integrity Monitoring (FIM) is essential.

FIM is proven to radically reduce the risk of security breaches; it raises an alert related to any change in underlying, core file systems – whether that has been achieved by an inside man or an unwittingly phished employee introducing malware, or some other zero day threat blasting unrecognised past the AV defences. Flagging up changes in this way ensures there is no chance of an APT gaining hold; no risk of the stealth attack that gets in and out leaving no trace – there is a trace and the business is immediately notified.

The detection offered by FIM has never been more critical. For those organisations using FIM, it is time to determine whether the current deployment is a friend or foe. For those who are yet to embrace FIM, stop assuming it is too complex and expensive: times have changed. Not only is FIM approachable and attainable, but it has also never been more important.

Mark Kedgley, CTO, New Net Technologies
