Companies Must Evolve to Keep Up With Hackers

If you ask a CFO if their company’s current cybersecurity strategy is working, it’s very likely that they do not know. While at first they may think it is, because the company’s bank accounts are untouched, an adversary could be lurking in their network and collecting critical data to later hold for ransom—threatening to destroy it if the money isn’t paid. The truth is that many organizations are lacking effective risk management that ensures the integrity and availability of their most essential data.

Corporate America needs to take the power back and stop hackers before they compromise networks and exfiltrate data for criminal uses, or simply threaten to destroy it for financial gain. To shift the power back in their favor, they must safeguard data, implement an effective risk management program, and invest in risk reduction activities. Organizations need to assess the maturity of their cybersecurity efforts, determine if they have any pre-existing conditions, and focus on risk reduction efforts that truly protect their data, while ensuring the ability to deliver products and services.

The fastest way to check for pre-existing conditions is by doing a compromise assessment to identify any current suspicious activity within their network. From there, they can determine what exactly needs to be done to reduce their organization’s cyber risk and develop a risk management plan that outlines clear steps for protecting their most critical assets.

To develop a cybersecurity risk management plan, executives need to first define the company’s “crown jewels”—the things that if compromised, would cause the most damage or inhibit the ability to deliver products or services that generate revenue. For instance, for a bank, this could be access to funds by their individual or business customers, or banking information that could be used for fraudulent purposes. Once an organization knows what it’s protecting, the executives can then create a security roadmap that ensures the secure delivery of products or services.

The security roadmap should start with a business impact assessment that identifies those crown jewels that are needed for delivery of essential services or producing products. These can include the data itself, technical architecture or systems used by their customers to transact business. Once these have been identified a prioritized risk reduction plan needs to be developed and tracked by the company’s leadership. Every facet of risk should be considered, from legal risk, to the consequences of a data breach, or inability to deliver services resulting from an intrusion or denial-of-service attack.

While security assessments and roadmaps are essential for defining an organization’s adequate cyber defenses, one of the biggest mistakes we see businesses make is being reactive when it comes to their defenses—relying on traditional technologies that only identify known threats and leverage Indicators of Compromise (IoCs). This method does not capture new exploits fast enough, nor versions of malware or other obfuscation techniques that are introduced by sophisticated adversaries. A great example is the sheer speed at which WannaCry ransomware spread to organizations of all sizes across the globe. Adversaries are capitalizing on this reactive security shortcoming by taking advantage of this window of opportunity to comprise data or networks.

Instead, organizations must take a proactive approach that focuses on indicators of attack (IoAs) that identify adversary behavior indicating malicious activity, such as code execution or lateral movement. IoAs can alert businesses to adversary activity before any damage is done. To effectively make use of this data, businesses also need to leverage threat intelligence for deeper insights into these IoAs.

Threat intelligence provides a crucial layer of information on adversary motives, tactics, techniques and procedures. For instance, a bank could look at a threat and see if this particular adversary typically targets the financial services industry, which regions they operate in and the motive behind their attacks.

Going one step further, organizations should leverage technology that enables threat intelligence to be shared rapidly and can protect numerous customers at once. At the end of the day, effective security requires a community effort. Corporate America needs to come together and truly leverage the power of crowdsourced intelligence—to keep from becoming victims of the next big attack.

From a lack of risk management plans, to reliance on reactive security measures, there are a number of areas where companies are falling short of having an adequate cyber defense. By putting the necessary plans in place to secure the integrity of their critical data, taking a proactive approach to cyber threats and working together across industries and businesses, corporate America can collectively build a stronger cyber defense.

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies not only understand the true nature of the risk hackers can pose even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, an already existing group that launches DDoS attacks. As that group is thought to be Serbian, they have little reason to target Canadian entities, and indeed, the bits of Russian used by Fake Tesla Team appears to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.

Prosecutors Reveal ‘Securities Fraud on Cyber Steroids’

The investigation into a huge cyberattack on JP Morgan Chase last year has exposed one of the largest computer hacking and fraud schemes to date. According to U.S. prosecutors, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, all from Israel, hacked a total of 12 companies to expose the personal information of more than 100 million people, netting hundreds of millions of dollars in profit. The men face 23 criminal counts, including wire fraud, computer hacking, illegal internet gambling and money laundering, with alleged crimes targeting 12 companies, including nine financial services companies and media outlets including the Wall Street Journal. Investigators say their massive criminal empire used 75 shell companies that employed hundreds of people, and hacked seven major banks, ran an online casino, laundered money around the world and set up an illegal Bitcoin trading operation.

“It is hacking in support of a diversified criminal conglomerate,” said Preet Bharara, U.S. attorney for the Southern District of New York. “In short, it is hacking as a business model.”

In addition to the hack of JP Morgan, which U.S. Attorney General Loretta Lynch called “the largest theft of customer data from a U.S. financial institution” and exposed the personal information of 83 million customers, the criminals also attacked E*Trade Financial Corp., TD Ameritrade, Scottrade Inc., Fidelity Investments and News Corp’s Dow Jones, which publishes the Wall Street Journal. The breaches date as far back as 2007.

“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said. “This showcases a brave new world of hacking for profit.”

Breaking into these financial institutions gave the attackers information to target specific people, and gave them extra insight into the stock market. According to the indictment, they used the customer data to contact individuals and push them to buy stocks in order to manipulate their prices. In addition to the pump-and-dump scheme, sometimes the defendants reportedly engineered mergers with shell companies to create publicly traded stocks that could be manipulated. Bharara called the scheme “securities fraud on cyber steroids.”

Beginning in 2012, in addition to disguising payments and constantly obtaining new bank accounts, the men further tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The defendants are also accused of operating at least 12 illegal internet casinos, even launching cyberattacks against rival gambling businesses to review executives’ email and gain a competitive edge. Shalon hacked competitors’ customer databases and directed denial of service attacks to shut down their businesses.

Several compliance officers may soon feel the heat as well: the investigation found that, in operating the online casinos and illegal pharmaceutical payment processing enterprises, the co-conspirators deceived financial institutions into processing and authorizing payments between the casino companies and others. “They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” the indictment charges.

According to prosecutors, the case illustrates the growing power of criminals and their tools, and makes such crimes particularly difficult to solve. But it may also highlight one key resource to do so: self-reporting to law enforcement. Officials credited JP Morgan’s early cooperation for helping to uncover the network of criminal activity. The firm came forward early on to share information with the government, a move many forensic investigators encourage. This case provides one of the clearest examples of why: hackers frequently use the same schemes to target a swath of companies in a given industry. While many companies worry about the reputational and regulatory risks of disclosing a breach to law enforcement, as hackers grow more sophisticated in their techniques and complex in their operations, it may prove an ever more critical step in the breach response and investigation process.

“Shalon, Aaron, and their co-conspirators allegedly robbed victim companies, often for months at a time, stealing the contact information of tens of millions of customers,” said FBI Assistant Director-in-Charge Diego Rodriguez. “They cloaked themselves in secrecy, but their methods rivaled those of the traditional masked robber. Today’s indictment sheds light on an increasingly complex threat. But just as criminals continue to develop relationships with one another in order to advance their objectives, the law enforcement community has developed a collaborative approach to fighting these types of crimes.”

Miller and Valasek Show the Real-World Impact Hackers Can Have

Charlie Miller and Chris Valasek at Black Hat USA 2015Photo: Black Hat USA 2015

LAS VEGAS—At Black Hat 2015, Charlie Miller and Chris Valasek gave one of the most highly anticipated and best-attended presentations, even far beyond the elite infosecurity experts gathered here this week. The already notable duo of hackers made international headlines two weeks ago when they demonstrated more than a year’s worth of work figuring out how to hack into and remotely control unaltered cars—and used Wired reporter Andy Greenberg as their test driver.

Greenberg’s article and video of the test paint a compelling portrait of just what Miller and Valasek’s hack means in practice. “As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission,” Greenberg wrote. “Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed down to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

From a couch in Miller’s basement 10 miles away, they were able to seize control of the Jeep, and their methods could be applied to any car operating the same technology: Uconnect, an internet-connected computer feature in hundreds of thousands of cars that controls the entertainment and navigation systems, enables phone calls and, with a subscription purchase, offers a Wi-Fi hotspot. The hackers’ exploit can also be used for surveillance, using the Jeep’s GPS to track location to measure speed, and even drops pins on a map at regular intervals to trace its route. And, because of the system’s cellular connection, this can be done on any car from anywhere with access to the same cellular network (Sprint) as long as hackers know the car’s IP address.

In the wake of the Wired article, Sprint has blocked the kind of phone to car traffic and car to car traffic that facilitates remote hacking. What’s more, Fiat Chrysler announced the recall of 1.4 million cars and trucks that could be vulnerable to hacking—more than three times as many as the pair originally estimated may be at risk. Miller and Valasek approached the company with their findings as early as 2014, and said the automaker was responsive to their report. Unauthorized remote access was blocked with a network-level improvement, the company announced shortly after Greenberg’s article went to print. In addition to the recall to update software in the infotainment system, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.

And lest anyone still question the impact hackers can have on a business’s bottom line, as they were only too happy to point out, here’s a look at Chrysler’s stock from a week before to a week after the Wired story:

chrysler stock

Part of their aim was to increase consumer awareness and provoke greater scrutiny of technology they are being told is safe. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller told Wired. “This might be the kind of software bug most likely to kill someone.” Their research has already effected concrete change beyond the cars recalled. Partially spurred by the team’s earlier demonstrations in the arena, Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut introduced legislation on July 21 that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy. The bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements, Bloomberg reported. “Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car,” Markey said in a statement to Wired. “Drivers shouldn’t have to choose between being connected and being protected…We need clear rules of the road that protect cars from hackers and American families from data trackers.”

Miller and Valasek have done a lot more than present a frightening demonstration of just how vulnerable so many cars are, and it involves everyone here at Black Hat. In their presentation, Valasek opened with a blunt public service announcement: Please stop saying anything is “unhackable,” because you are wrong and you are just going to look silly. Proving that took more than a year of meticulous work, much of which could not be easily reproduced and applied any time soon, but they did prove it, and in doing so, they prompted the first formal safety campaign in response to a cybersecurity threat. That may be the biggest impact, he told the audience: “Hackers did something, fiscal change happened and it wasn’t in infosec—it was in the real world.”