Introduction
On 9 June 2015, Kaspersky announced to the world that they had been the victim of a cyber attack that targeted their own corporate network. If an organisation like Kaspersky can become the victim of a cyber attack of this magnitude, any organisation can potentially become a victim.
Data is the lifeblood of any organisation, and the loss of critical data could mean the demise of that organisation.
Analysis
Kaspersky, a Moscow-based security company, disclosed details of a cyber attack of which they had been the victim. After its discovery, Kaspersky launched an extensive investigation, gathering the facts and sharing the findings with the world. The attack was dubbed Duqu 2.0 due to its similarity to an attack known as Duqu, which was first spotted in 2011. The use of Duqu and Duqu 2.0 is attributed to nation-state sponsored attacks, in this case seeking intellectual property such as research into advanced persistent threats (APTs).
Cyber Kill Chain
The comprehensive nature of the attack meant it was highly likely to succeed. Lockheed Martin's Cyber Kill Chain breaks down a cyber attack into seven steps. Some attacks use only some of these steps, while others repeat them when attacking multiple systems prior to attacking the intended target. The Duqu 2.0 attack not only followed the kill chain, but elements of it were also repeated to make the attack more covert.
Reconnaissance/Weaponisation/Delivery/Exploitation
It is believed that an employee in one of the APAC offices was the target of a spear-phishing email, with a lure and a redirect to a malicious dropper file that exploited a specific unpatched zero-day vulnerability. The attack was thorough, ensuring that emails and browser history were cleared of all traces of the compromise. Kaspersky confirmed that the machine was fully patched, leading to the assumption that a zero-day vulnerability was exploited.
Installation/Weaponisation/Delivery/Exploitation/Installation
Once on the network, the attacker was able to escalate unprivileged credentials to those of the Windows domain administrator using another zero-day vulnerability. The attacker was then able to explore the network by moving laterally and deciding which machines to compromise. Microsoft Windows Installer packages (MSIs) were used to deploy Duqu 2.0 into the network.
The attack software runs only in memory, which works in the attacker's favour because most modern production servers have high uptimes and are rarely power cycled. Had a machine been power cycled, it would quickly have been re-infected from the other compromised hosts.
Command and Control/Action on Objectives
Once the attacker had found the desired information, the data was exfiltrated out of the network. Kaspersky have reported that only non-critical information was taken as part of the attack.
Prevention
By analysing the sequence of the attack, a number of mitigating controls can be identified that could have prevented Duqu 2.0 and similar attacks. Many of these elements might have been caught in isolation, but preventing the attack as a whole would need a more integrated approach to security. The end goal for the attacker is to steal data.
Spear-phishing
The entry point to the network was the specific targeting of an individual or a small group of people. This highlights the need for user education at every level and in every department of an organisation. In conjunction with education, an email security gateway with sandboxing technology may have prevented Duqu 2.0 from entering the network.
Web Access
An exploit kit would have been introduced to the network to check for unpatched and zero-day vulnerabilities. This was delivered through the web vector, as a malicious link or a compromised site hosting a malicious file. Its presence could have been detected with a web security gateway, ideally with a sandboxing solution to check the behaviour of the file before it reaches the endpoint.
Zero Day vulnerabilities
Patching of operating systems, browsers, third-party software and plug-ins is highly recommended, although this will not prevent zero-day vulnerabilities from being exploited. Removing non-essential software from a computer will help reduce the attack surface, and the use of host-based firewalls and host intrusion prevention systems can also help.
Administrative Credentials
The administrative credentials within the network were compromised, which allowed lateral movement within the network. This is a shortcoming of using static passwords that remain unchanged for a period of time before being cycled: it gives a window of exposure if the password is compromised. A privileged access management solution would cycle the administrative credentials after each use and video record each session. This would give a greater level of security to the credentials and traceability of what each administrative session had executed.
Lateral Movement
Many networks are segmented using VLANs, which offer limited security. Micro-segmentation would provide protection to servers or groups of servers, with security controls to prevent East-West movement within a network. When coupled with a security analytics engine, this would give context to abnormal traffic within the network.
Resident in memory
As Duqu 2.0 resides in memory, there are a number of mitigations that could have countered it. The simple act of rebooting the server would have cleared the application from memory, although this can be difficult to perform routinely on critical production servers.
Application whitelisting (application control) solutions would have stopped the MSI from executing into memory, simply by preventing the unknown application from running.
Data Exfiltration
A gateway data loss prevention solution would have seen the data leaving the network. It is especially important that the solution is able to analyse data being drip-fed out, piecing together many smaller exfiltrations to gain visibility of the overall loss and to give context to the data leaving.
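As an added illustration of the drip-feed aggregation described above (example code written for this page, not from the original article or from Kaspersky's report), the following detector sums small outbound transfers per source host and destination over a sliding time window, so that a series of uploads that each stay under a per-transfer limit is still flagged once their total crosses an aggregate limit. The log lines, host names, addresses and thresholds are all constructed.

```python
"""Detecting drip-fed exfiltration by aggregating many small outbound transfers."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample proxy log lines (not real traffic):
# timestamp  source host  destination  bytes uploaded
SAMPLE_LOG = """\
2015-06-01T09:00:05 ws-apac-17 203.0.113.10 48000
2015-06-01T09:04:11 ws-apac-17 203.0.113.10 51000
2015-06-01T09:09:40 ws-apac-17 203.0.113.10 47500
2015-06-01T09:13:02 ws-apac-17 203.0.113.10 52000
2015-06-01T09:18:30 ws-apac-17 203.0.113.10 49000
2015-06-01T09:20:00 ws-lon-03 198.51.100.7 12000
"""

PER_TRANSFER_LIMIT = 100_000   # a single upload above this is flagged outright
WINDOW = timedelta(minutes=30)  # sliding window over which small uploads are summed
AGGREGATE_LIMIT = 200_000       # total bytes per (source, destination) inside WINDOW


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def detect_drip_exfil(log_text, per_transfer=PER_TRANSFER_LIMIT,
                      window=WINDOW, aggregate=AGGREGATE_LIMIT):
    """Return alerts as (kind, src, dst, total_bytes, transfer_count) tuples."""
    alerts = []
    history = defaultdict(deque)  # (src, dst) -> recent (timestamp, bytes) pairs
    totals = defaultdict(int)     # (src, dst) -> bytes currently inside the window
    for raw in log_text.strip().splitlines():
        ts, src, dst, nbytes = parse_line(raw)
        key = (src, dst)
        if nbytes > per_transfer:
            alerts.append(("large_transfer", src, dst, nbytes, 1))
        q = history[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        # Drop transfers that have fallen outside the sliding window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[key] -= old
        if totals[key] > aggregate and len(q) > 1:
            alerts.append(("drip_exfil", src, dst, totals[key], len(q)))
            q.clear()          # alert once per burst, not on every later upload
            totals[key] = 0
    return alerts
```

Every transfer in the sample stays below the per-transfer limit, so a gateway that inspects uploads one at a time sees nothing; only the windowed total for ws-apac-17 exposes the exfiltration.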
The Future
The Duqu 2.0 attack follows the seven-stage cyber kill chain. Preventing the attack at any one of those steps would ultimately have stopped the data loss. Kaspersky caught the attack before critical data loss had occurred. As attacks such as these are published, it raises the profile of both vendors and attackers. These techniques could still be used against any organisation, with the ultimate goal of stealing data.
To prevent these attacks, security vendors will need to take a more holistic view of security, working with other vendors that specialise in the areas they do not. We see this collaboration in technical partnerships between vendors and in OEM agreements to supply point solutions. Alternatively, security vendors need to take a more comprehensive approach, tackling all the stages of the kill chain with integrated solutions.
The solutions need to become less reactive to the known and more proactive towards the unknown. There needs to be more focus on how security solutions deal with anomalies, where prevention and remediation are far more important than notification. With a security staff shortage and the gap growing year on year, vendors have to supply security intelligence in their solutions. The future for these solutions is not to supply data logs and notifications, but to provide context and proactive remediation through intelligent analytics.
In the short term, ensure that endpoint security solutions are running the latest versions, with the latest updates and the recommended features enabled. There needs to be a focus on running supported operating systems with the latest patches, and on ensuring that third-party software and plug-ins are updated as well. Any web and email security solutions need to be kept updated and their security policies regularly reviewed. The final piece is user education, which should be an ongoing process where the learning is engaging, flexible and relevant.
As these attacks become more mainstream, where vertical and size no longer matter, look to future solutions that are able to tackle all stages of the kill chain, providing intelligence and context, and ultimately preventing the organisation's data from entering the wrong hands.