As Cybercriminals Change Tactics, Threat Intel Evolves

Criminals can more cost-effectively carry out their efforts using standard kits, which also leave behind fewer breadcrumbs from which to track them
Criminals can more cost-effectively carry out their efforts using standard kits, which also leave behind fewer breadcrumbs from which to track them

CISOs and CSOs are now acting as not only technology leaders, but business leaders as well, protecting networks and computer systems along with the long-term business interests that rely on those systems.

Assessing the trends, Verisign has offered an advance peek at several topics that will be discussed in its 2014 iDefense report. For one, after years of researchers talking about it, organizations are beginning to realize that traditional mechanisms to defend an organization are no longer enough.

“Security organizations have matured their cyber-intelligence functions and now take holistic, forward-looking views of the threat environment by combining strategic intelligence (e.g., security disruptors to long-term business objectives) with tactical intelligence (e.g., indicators of compromise) and operational intelligence (e.g., intelligence on actors, tools, tactics, techniques and intent),” the company said in a blog post. “The increasing appreciation for cyber-threat intelligence in 2014 has ramifications for both the consumers of that intelligence, as well as the producers of that intelligence (i.e., security vendors), including effectively sorting through available intelligence data to identify the most salient intel, and validation and implementation of that intelligence, to name a few.”

A few notable trends are guiding these new approaches. Verisign identified hacktivism as a notable, ongoing concern. Organizations, however, are benefitting from hacktivist region-specificity in Central and South America, South and South East Asia, and the solidification of MENA hacktivist groups/rally-issues. Western European and the US-based hacktivists have meanwhile maintained the characteristics that analysts have observed since 2011.

“Regionalization has driven an increase in region, group and language-specific hacktivist tools and tool-sets as well,” the firm noted. “Furthermore, it has facilitated the ability of the cybersecurity intelligence community to track hacktivist actors based on geolocation, a task that was far more difficult back when an amorphous ‘Anonymous’ was among the only visible groups in the space.”

Also, an increase in the use of hacktivist-style attacks and operations in the context of state-directed, geopolitically oriented activity occurred in 2013. From a macro-level perspective, Verisign said the trend is really a token of nation-states’ cyber capabilities expanding to now comprise a fully developed set of tactics, techniques and procedures (TTPs).

As a result, the volume of public reports associated with advanced persistent threat (APT) activity increased dramatically. And, iDefense observed changes in tactics and improved operational security demonstrated by attackers.

For instance, Verisign noted an uptick in the use of off-the-shelf remote administration tools (RATs) like PoisonIvy to carry out cyber-espionage. These actors have traditionally created their own malware and tools to establish a foothold within a network and exfiltrate sensitive data. With their extremely low distribution, these tools are difficult for anti-virus vendors to detect. But, criminals can more cost-effectively carry out their efforts using standard kits, which also leave behind fewer breadcrumbs from which to track them.

“The motivation for this change may be to evade attribution, as the tools are widely available, but the advantage comes with increased likelihood of detection by antivirus tools,” Verisign noted.

Meanwhile, the exploit kit frontier is evolving as well. In October 2013, the author of the Blackhole exploit toolkit was arrested in Russia. Multiple exploit kits have risen in popularity since that time and some actors have fallen back on simpler distribution methods, including simply attaching malware to e-mails and relying on excellent social engineering.

“Blackhole was the most widely-used exploit toolkit and with its author out of the picture, criminals looking to distribute malware needed to find a new tool,” said Verisign. “In 2014, we may see the rise of a new ‘king’ of exploit kits, but for now nothing has truly replaced Blackhole.”

At the same time, more opportunities for those exploit kits are about to come to the fore. Microsoft is ending support for Windows XP in 2014, and iDefense expects to see increased exploits that will make the many computers worldwide still running XP easy targets for any and all new cyber-attacks. However, exploitation of Java vulnerabilities will get more difficult as Oracle works on Java security updates and browser vendors lock down Java in the browser, it noted.

One big crime vector going forward is expected to be attacks against PoS and ATM systems – a prediction that comes against a backdrop of high-profile retail attacks against Target and others.

“While these systems may seem secure, they often run on top of commodity operating systems and are susceptible to malware attacks,” the firm explained. “Criminal forums have been buzzing with actors looking for malware and tools to target these systems, while malware like the Ploutus Trojan has displayed increasingly sophisticated mechanisms for stealing from ATMs.”

All of that criminal activity needs to be supported from a currency perspective, of course; but May of 2013 saw the electronic currency-of-choice for many cybercriminals, Liberty Reserve, taken off the market by the US government.

“While multiple alternative currencies are common in underground markets, Bitcoin has gained significant traction despite its wildly fluctuating exchange rate,” said Verisign.

But, the crime-friendly heyday for Bitcoin may be coming to a close. “Simultaneously, the crypto-currency has started gaining acceptance as a currency for legitimate activities, with startups like BitPay and Coinbase making it easier for businesses to accept Bitcoins for goods and services,” Verisign noted. “These developments will likely lead to a regulatory challenge for governments looking to prevent abuse.”

What’s Hot on Infosecurity Magazine?