The Art of Breach Detection
Join my latest session online which is brought to you by TechTarget and BrightTalk . Registration is free and below are the details:
Hackers will never stop their attack attempts, and organizations must be aware they could be breached any second! So, tune into this presentation to discover:
• How to best prepare against those attacks?
• What tools to leverage?
• How can your security team detect even the latest, more sophisticated foes and, most importantly, how can you respond to their attacks?
Date: May 19
For Breach Detection related blog posts click here
The history of data breaches – 1984 till today
Attacks on computers, as we see today, may have evolved in terms of the techniques and sophistication of the attack itself, but one thing that has not changed is the reason for the breaches—data. Data has always been the center of attraction for all the hackers, both past and present.
1984 – The TRW data breach
Looking into the past for data breaches, one cannot miss the incident that was one of the most critical at the time, in 1984, which exposed personal and financial information of about 90 million users. TRW (today known as Experian), at the time, was hosting one of the largest databases of confidential records of about 90 million users and their credit history.
TRW was responsible for providing information on users’ credit history, employment details, banking and loan details, and, most importantly, social security numbers. These were transmitted over a telephone line to their many subscribers, who were mostly banks and department stores in remote locations. The following screenshot shows some online news coverage that this incident received:
Quite interestingly, the access to these databases was not so secured, and the subscribers could log in to the TRW database as needed to query the required information about a user. These details were confidential in nature, and only to be accessed by the bank officials or the department store operators. Even though the data accessed was read-only and no one could change any data, one could still expose it and misuse it, which is exactly what happened.
The password and the manual on how to operate the TRW system and access the database was leaked from a department store in one location, and, once the adversaries got hold of the login and access information, they posted it in bulletin boards, (something equivalent of today’s social media). Now, not only did the attackers have the login information, but also a whole profile of those who were connected and had access to the bulletin board.
Surprisingly, the incident was not detected by TRW officials for many months (it’s not clear how long). The breach was reported to TRW by an external party. As per the investigation reports at the time, it was believed that the database was accessed via the store line, and TRW had no clue about how many times it had been accessed.
Experts said during that time that a proper monitoring and detection could have flagged this activity (note that this is true even in today’s environment). Investigators at that time also suggested that, if TRW had implemented a system to call back the telephone number via which access was requested, and verified before the information was transmitted (today we can compare this with our two-factor authentication), and rotated the user password frequently in conjunction with a few other methods, the attack could have been averted.
The points that we need to focus on in this incident of 1984, and compare with today’s attack scenarios, are that the attack vectors, methods, and the mitigation that could have averted this, are quite unchanged. Firstly, one is that the attacker used some sort of social engineering to get hold of login credentials, which is still a very common method today.
Secondly, they had full and complete information about the TRW systems by getting access to the manual, which might have helped them stay undetected for a very long time. Thirdly, they targeted user data not to damage or tarnish the company. It’s the same as today, attackers get silent access to the systems with various methods, and try to stay undetected as long as possible, and make use of the stolen data.
1990s – Beginning of computer viruses and worms
At the beginning of the last decade of the 20th century, the world witnessed the start of a new challenging problem—computer viruses and worms. This changed the course of computer security in the years to come. In 1989, Robert Morris created a program to measure the size of the internet by counting the number of connected devices. He developed a program that would self-propagate using a vulnerability (we discussed this at the beginning of this chapter). But this incident did not get fixed or barred there, and there was more to come.
The early 90s saw the rise of another virus, which was dubbed the “Michelangelo virus“, designed to attack DOS systems at the time and modify the boot sector of the disk to stay put. This virus infected any media that was attached to it, such as hard disks or floppy disks, during that time. The Michelangelo virus was designed to stay dormant all the time, except for a particular date, 6 March, which is when it would come alive and act. (It was this date because, the researchers believed, it is the birthday of the famous Renaissance artist Michelangelo, but it’s a mere coincidence.)
It was during these years that we saw the rise of antivirus companies too. Viruses and worms gave birth to a whole new industry, which became mainstream business in the computer security industry in the forthcoming years. The last decade of the 20th century continued to witness more viruses and worms, which moved into the new millennium with increased sophistication.
The years 2000-2010
This was the decade which saw the rise of computer attack sophistication and was much more targeted towards its motive and mission.
In early 2000s, the world was devastated with a new form of virus and the way it spread. The virus was dubbed the “ILOVEYOU” virus, which infected millions of computers, and caused the email systems across the world to collapse. The virus started spreading by email attachment with a VBScript code. Anyone who opened that file executed the VBScript.
The VBScript was designed to download another payload, which then created various persistence methods by including entries in a registry, and the malware started itself whenever the system was rebooted. This executable also installed other malware to steal passwords, and, at a later stage, sent all the captured password from the system to the attacker via email.
Another subroutine in the malware that helped it to spread across the world was designed in such a way that, the moment the malware was executed, it captured all the email addresses in the mail client address book and sent a copy of itself as an attachment with the subject like ILOVEYOU from the user’s address. All the unsuspecting users, thinking it came from a known source, did the same mistake and tried to open the attachment, repeating the whole process. In the days that followed, there were many other variants of this similar modus operandi.
This decade also saw the rise of worms, viruses, and attacks by exploitation of software, OS, and other system vulnerabilities. One of the famous was the SQL Slammer worm that eventually became the fastest spreading worm of that time; it was active for many years, causing massive internet disruption. This worm exploited a vulnerability in the Microsoft SQL Server.
This worm was so agile that it spread over close to 100,000 hosts (maybe even more; the exact count is not available) over the first hour of its infection. It used a buffer overflow bug in the SQL Server and Desktop Engine (MSDE) products. This worm generated random IP addresses and then tried to communicate to those IPs over a destination port UDP/1434 (SQL port).
Once it found the host, it exploited the vulnerable SQL server or the MSDE, and sent a copy of itself to the same host, thereby infecting the host. Once this new host was infected, it repeated the same process. Even though the patch to this bug was made available by Microsoft six months before the attack was launched, most of the systems over the internet were not patched. This indicates how important it is to keep the systems updated with the latest patches.
In November 2008, we witnessed yet another massive attack by another worm, which targeted Windows machines (ranging from Win 2000 to Win 7). This worm eventually impacted 10-15 million servers worldwide in over 190 countries, as a rough estimate. The worm impacted governments, military bases and fleets, corporate and home users, and, in fact, practically everyone in its path. Between November 2008 and April 2009, there were five variants that were found, Conficker A, B, C, D, and E.
This worm not only created a massive infection around the globe, but it also created one of the biggest botnets of the era. Maybe the motive behind the worm was to create a large botnet to do more serious attacks, but nothing was made conclusive regarding the actual motive to generate an attack of this scale. This worm also used many new techniques that had never been used before this time.
This included methods to block disinfection, infections of USB and other removable devices to spread further, along with a few other propagation methods, including files shares, and admins shares. The most innovative was the method to “call home” to the botnet controller via a communication framework based on random domain generation algorithms, later famously known as DGA algorithms, and these became the norm for other malware infections and botnet commands and control infrastructure.
This method allowed the worm to generate hundreds and thousands of random domain names every day by a pre-determined algorithm and seed value (usually the date and time).The same algorithm was used proactively by the attacker to register one, or a few, of the domains from the random list for each day. This domain name was used by the malware on the particular day for command and control activities.
By the end of the decade, the industry was taken by surprise with the discovery of a major espionage activity by using a carefully and meticulously created malware, named Stuxnet. This was specially targeted towards a nuclear plant in Iran, with a single purpose of creating disruption in their nuclear programs. To a major extent, this attempt was successful in damaging the nuclear plan in target. This malware brought up some serious issues and concerns within the security fraternity regarding the safety of operational technologies controlling industrial systems, such as SCADA systems, and other similar ones.
In the days to come, the attack sophistication will not only increase but will also be highly targeted, as we have seen in the case of the Bangladesh bank heist where approximately $81 million was siphoned out of the bank in an extremely well-coordinated and planned activity.
The years 2010-202…
Incident Response in the Age of Cloud
Cybersecurity – Attack and Defense Strategies
How security helps to build trust
With the rise of technologies, most corporations and business houses are moving towards adapting newer and newer technologies to be in the race to keep their businesses ahead of the competition, and enhancing customer experience. With this also comes the potential risk of cybersecurity.
Customers trust corporations and business houses with their data. Making sure that the data is secure is the sole responsibility of the corporations, governments, and businesses. If the data is breached, then the business loses trust from the customer and ultimately loses business and brand value.
It is extremely important for customer-facing businesses to maintain trust and progress towards digitization to ensure smooth business operations. As in today’s scenarios of mobile first approach, and IoT approach, connectivity is paramount to stay in business and give customers a richer experience. The only binding factor is trust. And trust can only be achieved by making sure that the data is secured, avoiding breach situations, and, if there is a breach, then recovering as quickly as possible from a breach situation without causing much impact to customers and their data. In other words: to minimize the impact.
Companies must build security into their products and services from the beginning. This will decrease the risk of compromise or any breach, thereby strengthening the trust factor. As no business today can run alone, they have to partner with third parties. It is the responsibility of both the company and the third party to ensure the safety and security of consumer data and intellectual properties. So, as the enhancement of technologies are important for businesses to become profitable and sustain growth, building a security-first culture is also paramount to maintain consumer trust.
Malware Incident Response
TechTarget’s problem-solving content has risen to the top of enterprise tech buyers’ Google searches. Today it spans more than 10,000 specific topics. Our readers’ content consumption patterns provide the raw material for unique insights into their business needs. And because they find value in what we publish, they give us permission to share the data with our vendor clients.
Through two decades of optimization, we’ve learned how to grow buyer interest and influence purchase decisions. We’ve got fingers on the pulse of over 200 target markets, and since we have first-hand knowledge about tech marketing and sales, we can provide the best available guidance for practitioners around the globe.
TechTarget helps more than 2,500 tech companies achieve sustainable pipeline impact.
Tech vendors partner with TechTarget to better compete in specific tech markets. Our solutions combine the buyer visibility you desire with the execution speed you need—at scale.
- Over 29 million registered technology buyers researching needs and solutions
- Original, independent content continuously nurturing more than 150 technology-specific web communities
- High-impact advertising, demand generation and sales acceleration programs
- Turnkey sales and marketing solutions with global support and advice from offices in Boston, London, Munich, Paris, San Francisco, Singapore and Sydney
We continuously test, learn, teach and improve. We empower each other with our ideas and experience. We work hard and support each other to be our best selves, to make an impact and to grow. We are intellectually curious and listen to each other in a blame-free, ego-free environment where it is OK to be wrong. We challenge ourselves constantly.
Talk with experts
We believe that this experience is enhanced through a dialog between speakers and the audience.
Learn from the best
At BrightTALK, we believe people learn the most when they hear directly from those who know the subject best.
Learn from the best
At BrightTALK, we believe people learn the most when they hear directly from those who know the subject best.
For more free events click here