US Department of Defense war against dynamic cyber threats


John Hilvert | Las Vegas


“Stop responding!” Barry Lyons, Senior Cyber Architect at Northrop Grumman’s Information Systems Sector, heard someone in his operations centre shout.

Lyons’ company was being attacked through “three different attack vectors” at the same time. One appeared to be a sophisticated denial of service attack, but the other two were quietly probing for other vulnerabilities.

Speaking at an early “deep dive” session on US Department of Defense system vulnerabilities at Focus 14 in Las Vegas in late October, Lyons revealed one of his recent war stories.

The attack, as it unfolded, was very clever and well orchestrated, he said.

Then one of his senior analysts at the back of the room stood up and, at the top of his lungs, shouted: “Stop responding! Stop responding! Stop now!”

Why would he do that? Lyons wondered.

As the tension went up another notch, Lyons realised there was a fourth attacker, one that was observing all of the defenders’ TTPs (tactics, techniques and procedures).

“They were watching us. They were noting, how fast and what measures we were using to respond to their attack. Very clever.”

He should have anticipated that: he normally checks for adversary countermeasures, such as the tracking of responses, as well.

The weakest link in the defence was the human link.

Sometimes the complexity of an attack can defeat even that kind of awareness, as the recent Operation Snowman showed.

US Marine Corps Captain Robert Johnston, team leader for Defense’s National Cyber Protection Team, described how the DoD had sought to avert the iconic Operation Snowman attack of 17 February 2014, a US holiday, which reflected the sophisticated timing of the attacks DoD was experiencing.

It was called Snowman as it was timed by an adversary to take advantage of a sudden snowstorm on the east coast near Washington DC.

It was a watering-hole, drive-by attack that exploited an Internet Explorer (versions 9 and 10) zero-day vulnerability via the non-DoD website of the US Veterans of Foreign Wars (VFW) (“No one does more for veterans”).

As well as retirees, active military personnel use the VFW website.

Going by the compilation date of the code, a mere three days before, it was no coincidence that much of the US Capitol had shut down that Thursday amid a severe winter storm.

The wily attackers compromised the VFW website by adding a hidden iframe to the site’s HTML code, which loaded the attacker’s page in the background. When the malicious code, which was encrypted, loaded in the browser, it ran a Flash object that orchestrated the remainder of the exploit.
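The hidden-iframe injection described above is one of the few parts of a watering-hole compromise that a site owner can check for directly in the HTML they serve. The following scanner is an added example written for this article, not code from the article, FireEye or any vendor mentioned here. It uses only the Python standard library and flags any iframe that is made invisible through its size, an inline style or the hidden attribute. The sample page and the domains in it are constructed placeholders, not real indicators.

```python
"""Flag hidden <iframe> elements of the kind used in watering-hole compromises.

Added example (not from the article or any vendor it names). Scans HTML with
the standard library and reports iframes that are hidden by size, inline CSS
or the `hidden` attribute. Sample HTML and domains below are constructed.
"""
from html.parser import HTMLParser
import re


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> whose attributes suggest it is not meant to be seen."""

    # Inline-CSS fragments that hide an element (constructed heuristic list).
    HIDING_CSS = (
        re.compile(r"display\s*:\s*none", re.I),
        re.compile(r"visibility\s*:\s*hidden", re.I),
        re.compile(r"(left|top)\s*:\s*-\d+", re.I),   # positioned off-screen
        re.compile(r"(width|height)\s*:\s*0", re.I),  # zero-sized via CSS
    )

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # 0x0 / 1x1 frames declared through width/height attributes.
        for dim in ("width", "height"):
            val = attrs.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        # CSS-based hiding in an inline style attribute.
        style = attrs.get("style", "")
        for pat in self.HIDING_CSS:
            match = pat.search(style)
            if match:
                reasons.append(f"style:{match.group(0)}")
        # The HTML5 `hidden` boolean attribute.
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append((attrs.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return [(src, reasons), ...] for every iframe that appears to be hidden."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate embed and two injected frames.
SAMPLE_PAGE = """
<html><body>
<h1>No one does more for veterans</h1>
<iframe src="https://video.example.org/embed/1" width="640" height="360"></iframe>
<iframe src="http://attacker.example/stage.html" width="0" height="0"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
<iframe src="http://other.example/x" hidden></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against a copy of the served page (not the source in the CMS, since injections often happen at the web tier), a clean site should produce no output; a hit is a reason to pull the page and compare it against the deployed template.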

Most IT security staff already had their hands full with the roads, and many emergency services were close to gridlock at the time. Clearing the snow from their driveways, rather than a targeted phishing attack, would have been uppermost in their minds. The attack was only noticed a couple of days later by the specialist malware spotters at FireEye.

Even today, no one has been able to explain how the adversary (thought to be of Russian or Chinese origin) could time its malware drop to coincide with the extreme weather conditions.

The attack went on to be used by other, unrelated adversaries for at least another week, as its code was later exposed and Microsoft took about a fortnight to issue a patch.

Johnston observed that the attack incorporated stealth-like aspects. For example, it was designed to cease if it detected Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which protects against certain vulnerabilities.

“If it saw EMET installed, it gave up,” Lyons explained.

Though EMET is a so-called static defence, the avoid-EMET feature signalled the strengthening anti-evasion nature of the next generation of malware facing Defense operations.

Essential though it is, the static anti-virus tracking was less helpful: it could not readily decrypt the payload, and the payload appeared to elude the other perimeter-defence standby, the firewall’s deep packet inspection check for malware, Johnston said.

“Often simple encryption is all it takes to defeat an intruder detection system (IDS),” Lyons told the audience. “At times they have been coded and fragmented or double encrypted or all three. Good luck IDS. You are never going to break that.”

Even if the IDS tried to break even one layer of encryption, the likelihood was that the network would slow to a standstill.

So what does it take?  

The rise in vulnerability due to multiple simultaneous attacks, encryption, fragmentation and anti-evasion techniques has reached a point where attacks routinely avoid or sidestep static and many discrete defences.

The strategy of checklists, scoring based on signatures and keeping up with patches held up well until about 2005, according to Intel Security’s Vice President for Professional Services, Tom Lerach.

“We are on a cusp of a paradigm shift,” Lerach said. “Static defences are still relevant but they do not even begin to cover the problem.”

The attacks are now designed to collect intelligence about Defense’s responses as much as about its “crown jewels”.

Moreover, false positives make it tough to introduce heuristic approaches or amber-light responses on a network.

As well, Intel Security has found from its own research that up to a third of so-called next generation firewalls may have their security features turned off to assure decent network throughput.

The velocity of attacks that DoD confronted during its most recent quarter now approaches 240 new threats every minute, or almost four every second (see stats below).

“You need to take your host-based indicators, your network-based indicators and your external indicators and link them all together in some kind of binary logic, so that the adversary in order to penetrate your network,” CAPT Johnston argues.

Johnston believes a framework developed by Lockheed Martin, known as the Cyber Kill Chain, is essential to deriving the intelligence needed to protect the agency and to “hunt with threat intelligence”.

Some indicators are still helpful. The attacker cannot change its IP address or reallocate its domain name as part of a dynamic domain name system (DNS), and cannot easily repack the malware it has installed on the system.

That intelligence feeds new tools that are coming onto the market, such as network intelligence for anomaly-based detection, open source intelligence (from McAfee, FireEye or CrowdStrike), signals intelligence and threat response data (intelligence from your own incident response).

“As the adversary changes, your threat intelligence that you are garnering is changing with that adversary and you’re tracking his manoeuvre,” Johnston said.

Taking that intelligence and pushing it all the way down to the endpoint, and linking those indicators right across the entire kill chain and the entire defence in depth, is what is called an integrated defensive model.

One example is Intel Security’s Data Exchange Layer (DXL) and Threat Intelligence Exchange (TIE), which the company launched this year. While it enables integration and sourcing with other specialist companies, it will compete with rival products from vendors such as Cisco.

For now, Intel Security has a lead on the others in having a usable solution though.

Equally important in this integration is automating a collaborative approach to network security. For example, an attack on a non-Defense agency may prove to be relevant, and until recently there have been no standards for automating this collaboration.

In the US, the Department of Homeland Security is urging a whole-of-government embrace of machine-readable threat languages such as STIX and TAXII.
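Johnston’s integrated defensive model (host, network and external indicators linked “in some kind of binary logic” across the kill chain) and the STIX/TAXII sharing the DHS is pushing fit together in a small amount of code. The following is an added example written for this article; it is not code from the article, Intel Security, Lockheed Martin or the DoD. It tags each observation with its source and a kill-chain phase, treats an indicator as confirmed only when independent sources agree on it, reports hosts where confirmed indicators span more than one phase, and emits the result as a STIX 2.1 indicator object ready to be published over TAXII. The phase names follow Lockheed Martin’s published kill chain; every observation, host name, hash and address below is a constructed placeholder.

```python
"""Correlate host, network and external indicators across the Cyber Kill Chain
and emit the confirmed set as a STIX 2.1 indicator.

Added example (not the article's, Intel Security's or Lockheed Martin's code).
All observations, hosts, hashes and addresses are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import uuid

# Lockheed Martin's seven kill-chain phases, in order.
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives")

# Indicator kind -> STIX 2.1 cyber-observable path used in patterns.
STIX_PATH = {"ipv4-addr": "ipv4-addr:value",
             "domain-name": "domain-name:value",
             "file-sha256": "file:hashes.'SHA-256'"}


@dataclass(frozen=True)
class Observation:
    source: str          # "host", "network" or "external" (threat feed)
    phase: str           # one of KILL_CHAIN
    kind: str            # one of STIX_PATH
    value: str
    host: Optional[str]  # endpoint that saw it; None for feed-only sightings

    def __post_init__(self):
        if self.phase not in KILL_CHAIN or self.kind not in STIX_PATH:
            raise ValueError(f"bad observation: {self}")


def correlate(observations, min_sources=2):
    """Return {host: {phase: {(kind, value), ...}}} keeping only indicators
    reported by at least `min_sources` distinct sources (the 'binary logic')."""
    sources = defaultdict(set)
    for o in observations:
        sources[(o.kind, o.value)].add(o.source)
    confirmed = {k for k, s in sources.items() if len(s) >= min_sources}
    hits = defaultdict(lambda: defaultdict(set))
    for o in observations:
        if o.host and (o.kind, o.value) in confirmed:
            hits[o.host][o.phase].add((o.kind, o.value))
    return {h: dict(p) for h, p in hits.items()}


def triage(hits, min_phases=2):
    """Hosts whose confirmed indicators span >= `min_phases` phases, phases in chain order."""
    out = {}
    for host, phases in hits.items():
        ordered = [p for p in KILL_CHAIN if p in phases]
        if len(ordered) >= min_phases:
            out[host] = ordered
    return out


def confirmed_indicators(hits, host):
    """Flatten a host's confirmed indicators into one set of (kind, value)."""
    return set().union(*hits[host].values()) if host in hits else set()


def stix_pattern(indicators):
    """Build a STIX 2.1 pattern matching any of the given indicators."""
    return " OR ".join(f"[{STIX_PATH[k]} = '{v}']" for k, v in sorted(indicators))


def stix_indicator(name, indicators, now=None):
    """Minimal STIX 2.1 Indicator SDO carrying the pattern, suitable for TAXII."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": stamp, "modified": stamp,
            "name": name, "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "pattern": stix_pattern(indicators),
            "valid_from": stamp}


# Constructed observations from three independent sources.
OBSERVATIONS = [
    # Watering-hole delivery: proxy logs and an OSINT feed agree on the domain.
    Observation("network", "delivery", "domain-name", "cdn-static.example.net", "ws-42"),
    Observation("external", "delivery", "domain-name", "cdn-static.example.net", None),
    # Dropped file seen by the endpoint agent and known to the feed.
    Observation("host", "installation", "file-sha256", "ab" * 32, "ws-42"),
    Observation("external", "installation", "file-sha256", "ab" * 32, None),
    # Beaconing seen on one endpoint and, independently, at the egress sensor.
    Observation("host", "command-and-control", "ipv4-addr", "203.0.113.7", "ws-42"),
    Observation("network", "command-and-control", "ipv4-addr", "203.0.113.7", "ws-17"),
    # Single-source sightings: not enough to act on.
    Observation("external", "reconnaissance", "domain-name", "scan.example.org", None),
    Observation("network", "delivery", "domain-name", "ads.example.com", "ws-17"),
]

if __name__ == "__main__":
    hits = correlate(OBSERVATIONS)
    for host, phases in triage(hits).items():
        print(host, "->", " > ".join(phases))
        print(stix_indicator(f"{host} confirmed chain", confirmed_indicators(hits, host)))
```

The threshold in `correlate` is the “binary logic”: one source alone, whether a feed entry nobody has seen locally or an uncorroborated proxy hit, never raises an alert, which is the false-positive problem Lerach describes. `triage` then asks the kill-chain question, whether the confirmed indicators on a host tell a story across phases rather than a single event. The STIX object is hand-built from the fields the 2.1 specification requires for an Indicator; a production system would use a STIX library and a TAXII client rather than this stand-in.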

“There are two types of organisations around. One type knows their systems were compromised. The other does not know their systems were compromised,” Intel Security’s Asia Pacific VP Mike Sentonas claims.

Disclosure: John Hilvert attended Focus 14 in Las Vegas as a guest of Intel Security.
