Targeted Attacks Make Remote Adversaries Malicious Insiders

“Wow, your tool would be great against malicious insiders!”

This is a common conclusion made by those introduced to the Triumfant solution.  That is because instead of looking for applications or malicious executables, we detect malicious activity through change, whether a threat actor working programmatically creates the change or a malicious insider directly makes the change.

The term “malicious insider” has been gnawing at me since I delivered a short presentation for the Intelligence and National Security Alliance Innovators Showcase last week.  My new slides had several screen shots from the Poison Ivy Remote Administration Tool (RAT) that we use in demos of the Triumfant product.  It was interesting to see the reaction to those screen shots as people grasped in a very graphical way what it meant to “own” a machine.  I realized that perhaps while people have intellectually grasped what a RAT can do, they might not have fully appreciated the term “own” until they actually saw one in action. (More on RAT tools in the previous post)

Today’s attacks are not smash and grab operations – they methodically evade network and endpoint protections to establish a long-term and comprehensive presence on the machine.  These are carefully crafted incursions onto target networks that rely on persistence and stealth.

In short, they turn the outsider into an insider.  This of course is not news to those in infosec, but the people we serve are still wrapping their heads around the idea of these sophisticated targeted attacks.

Once a RAT is in place, the hacker has the same access as if they were looking over the shoulder of the machine’s user.  The user literally guides them through the applications and systems on the network, providing them user IDs and passwords along the way.  This allows the hacker to spread their influence to other places in the network until they are able to access their targets.   Time is on their side, as every statistic says that they will have at least a month and on average six months to identify and exfiltrate the intellectual property or sensitive data they seek.

Attacks rarely start at the machine that holds the targeted information.  Hackers now patiently gain access to the network where they can, and then stealthily move about until they find what they need.  And new Advanced Persistent Threats like Duqu illustrate that hackers are now using sophisticated attacks to gather all manner of information to then plan their payoff attack.  As I said in the previous post, these attacks put the adversary in your boardroom, laboratories, production lines, and CFO’s office.

If six months and virtually unlimited access does not qualify the hacker as an insider, I do not know what does. Recruiting physical insiders is a long and costly process and smacks of too much Mission Impossible.  And even well placed insiders may have trouble moving outside of their areas of responsibility.  Why go through all of that risk and effort when an outsider can easily become an insider?  If the operation is discovered, the outsider simply moves to the next target.

There is another aspect to being an insider: once you are inside, all of the security measures designed to keep you an outsider are now irrelevant.  All of the carefully crafted shields an organization has in place are pointing outward and are not equipped or designed to catch the work of an insider.  Once these shields are evaded they are no threat to the insider.  Statistics from the 2011 Verizon Business Data Breach Investigations Report say that less than 6% of data breaches are discovered by the organization’s IT shop.  That sounds like a pretty wide gap that requires some new thinking to me.

The answer to the original question is yes, Triumfant rocks against malicious insiders.  All types.

I Smell a RAT – Breaking Into Your House to Prove a Point About Breaches

I am going to break into your house.  This is obviously a hypothetical, so there is no need to report me to the local authorities. But stay with me.

As I said, I am going to break into your house.  I can get in one of two ways.  I could use simple psychology to entice you into essentially opening the door and letting me in (social engineering) or I could use some basic information gathered about you to let me know where you are vulnerable and force my way in (hacking).  I say force, but I am a pro and in spite of your protections, if I want in I will get in and the amount of force used will be minimal.

Either way, I will break into your house undetected.

The funny thing is that once I am in, all of the money you have spent on technology to keep me out will be useless.  Not one of those technologies will be able to detect that I have evaded those technologies and am now inside.  Since I am now inside, I could turn them all off, but why bother? They are no longer of consequence to me.  The thought of that makes me chuckle as I take steps to further obfuscate my presence from the inside.

If this scenario unsettles you, I am afraid it gets worse.  Because once I am inside and have had sufficient time to cover my tracks, I am, for all intents and purposes, undetectable.  That gives me full access to your home and I will now live with you for as long as I choose.  What you see, I will see, and eventually I will know where everything in your home is, including your secret stuff.  Access to all of your accounts? Well, I was looking over your shoulder every time you logged into an account, so I have all of your IDs and passwords. When you are not home I will even have time to rummage around the house at will.  Remember that valuable thing you thought you lost? I found it.

After a while, I do not even have to watch, because you decided that all of that stuff about not using the same User ID and password for your accounts was just a bunch of scare tactics.  Anyway, even if you got the slightest bit suspicious and changed anything, I am right there and will actually watch you change your password in real-time.

If I am found, odds say it will not be by you.  You would never find me on your own.  A business partner might notice something odd, or law enforcement may get a lead on my whereabouts, but you only have a one in sixteen chance of finding me.  Even if I am found out, my average stay is about six months.  Not much more to see here anyway.

And good luck getting rid of me.  Did you think I spent all of my time eating bon-bons on the couch watching Dr. Phil? Nope. I created a little thing I like to call persistence.  There are little bits of me inside the house so if you do sweep me out I can sweep right back in.  Like those little ants that come back under your sink.  I have also used your house to control other houses I have also occupied.  After all, yours was not the first.

I write this because when we do demos, we use Poison Ivy, a generally available Remote Administration Tool (RAT) to build a RAT Trojan and take over a machine.  I am surprised to learn that this is often the first time many people see exactly what it means when a hacker owns a system.  That the hacker can see the screen, capture everything that was typed, access every application and file.  People hear about RAT tools, but in my experience, they only have an academic understanding of what it means.  Showing them firsthand gives them a very jarring emotional understanding.  If you would like to see more, we have a short (5 minute) demo video that shows exactly that.

When (not if, kids) I access your system, bypass your defenses, and install a RAT on that machine, I am by definition now a malicious insider, a topic I will expand further on my next post. I am not after Grandma’s jewels, I am after the Crown Jewels.  I am after your intellectual property and your most sensitive data.  I am looking to steal things that can set your company back financially and strategically. I am not on your couch – I am in your boardroom and in your labs and on your production line and I am watching every keystroke your CFO makes.

And I am a malicious insider with staying power.  A recent statistic published in the Trustwave 2012 Global Security Report said that on average a breach lasts 173.5 days before being discovered.  Furthermore, studies show that organizations are not equipped to discover such breaches on their own.  The 2011 Verizon Business Breach Investigation Report states that breaches are discovered by the breached organization only 6% of the time.

I would tell you to wake up and smell the coffee but you are out of coffee and you should pick up a gallon of milk while you are out.  And those new curtains? Please.  I would also tell you to lock the door on the way out, but somehow that would be a bit too ironic.

The Evidence is Overwhelming: Organizations are not Prepared for the Inevitable Breach

84 and 173.5.

These are two significant statistics I picked up from the “Trustwave 2012 Global Security Report”.  I downloaded the report yesterday to review the analysis and the salient numbers from the study.  If you read this blog, you know I quote liberally from the Verizon Business “2011 Data Breach Investigations Report”.  I felt it prudent to see if the Trustwave report aligned with the VBDBIR and my frequent calls to wake up and smell the coffee about breaches.

The short answer is that they do and it does.  84 represents the percentage of breaches that were discovered by someone other than the breached organization.  This aligns with the VBDBIR number of 86%.  I noted that the 84% is actually up from the 2011 Trustwave Report number of 80%.

The numbers on self-detection are of interest to me for two reasons.  One, they scream that organizations are quite ill-equipped to detect a breach and the problem is getting worse.  They dump money in pursuit of the perfect shield, but are essentially unable to know when those shields fail.  And frankly, if I have to convince you that your shields are failing, you may be in the wrong profession.

Second, they underscore that when an organization gets breached, knowledge of the breach is not being contained within the organizational walls.  If a third party finds it, the secret is out.  Organizations cannot ignore the reputational risk that comes from a breach. And there is a coming storm of breach notification legislation that will make the problem even harder to ignore.

The real thunderbolt comes from the 173.5.  Because 173.5 is the average number of days between the initial infiltration and discovery for those attacks discovered by third parties.  173.5 represents the average amount of time that the adversary has free access to the systems and confidential information of the attacked organization.  The report notes that for companies with active discovery initiatives, this number goes down to 43 days.  Better, but no less unacceptable.

I will say it again (and again, and again).  Organizations are going to be breached.  Organizations are not equipped to detect breaches, and once a breach is detected, organizations are not equipped and prepared to respond.  Stop trying to build the perfect shield, step back, and address your exposure to breaches now.  Embrace the fact that you will be breached, and build a rapid detection and response capability.

Need to see something beyond statistics? Just today an article on the Wall Street Journal Online noted that Nortel had been breached without detection for over ten years.  The article discusses SEC breach notification guidelines and the impact on acquiring companies, the potential impact of the breach on Nortel equipment, and implies that the breaches may have contributed to the ultimate decline of the company.

The lesson is simple really.  The Trustwave report and the Nortel story show (again) that while you are busily trying to build that perfect shield, you may already have an adversary working undetected on your systems with relative impunity.

The Emotional Barriers to Embracing the Presumption of Breach Doctrine

Every day, another breach.  For every breach story we read, what would you guess is the number of known breaches that do not get reported? 1? 5? 100?  Then there is the big unknown.  The “you don’t know what you don’t know”.  How many breaches are there that will go undiscovered for yet another day?  I have used the following numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011) many times: 60% of breaches go undiscovered for a month or more and 84% are discovered by someone outside of the organization.

I witness a very interesting response to the inescapable reality of today’s IT security environment every day from a somewhat unique position.  How Triumfant works and what it does requires organizations to make the fundamental recognition that attacks are getting past their shields and therefore they are getting breached.  In the overwhelming face of the available evidence this would seem to be an easy and completely defensible position for any organization to take.  Yet I consistently see a resistance that seems to be rooted in emotion rather than reason.

As Commodus put it in Gladiator: “It vexes me. I’m terribly vexed.”  So much so I have thought long and hard about the emotional side of this problem and have come to what I think are interesting and valid conclusions.

First is the inability to let go of the notion of full protection against attack and embrace the “Presumption of Breach” doctrine.  It is far more comforting to have 100% faith that your shields will protect your systems without fail and without regard to the attack or attacker. Everyone wants to be protected, and is far more comfortable thinking about prevention versus detection.  When you have spent 20+ years building walls and feeling protected (albeit a false comfort) behind those walls, a conversation about breaches rocks that world profoundly.  Another paradox is that the more organizations are in denial, the less likely they are to have detection capability, which means they won’t know they have been breached, which only feeds their denial.

The IT security market feeds on the myth of the 100% shield and continually sells the next layer to organizations with the promise that this time, THIS TIME, we have the answer.

If an organization faces the uncomfortable reality that they have been breached, then there is an emotional backlash: “How could this be?  My IT security team assured me we were protected!  My vendor partner also assured me we were protected! Who is to blame?”  The problem also cuts across personal boundaries to the heart of the reputation and job security of key people in the organization, because assuming that the organization has been breached creates the misconception that someone has to be at fault.

Let’s address these backlash issues directly.

This is not the fault of the CSO/CISO or the IT Security team, nor have these people failed the organization.  They are up against a motivated, organized, and relentless adversary who benefits from the advantage that offense always has on defense.  A motivated, well-funded and patient adversary that wants to target a specific network for a specific organization is really hard to stop.  The roster of recently breached organizations is a who’s who of the most sophisticated and disciplined security practitioners on the planet.  If they were breached, why would your organization be different or exempt?  Doing the prudent thing and putting a solution in place to detect breaches and provide a rapid response is not an admission of failure by IT security.

This is not the fault of the shield software in place.  At least not completely. There is no 100% shield and in spite of vendor claims there is no silver bullet.  If you bought a shield product believing to be 100% effective, then the fault is yours.  Embracing the cold hard fact that every shield can be evaded is the first step toward progress.  This logic also applies to the notion that getting breached does not imply that the person who bought the shields failed.

This is not the fault of IT management.  Pushing through a new tool that detects successful breaches may raise all manner of questions to the executive level and the board who likely received assurances that the necessary shields were in place.  Breaches now bring reputational risk that could negatively affect consumer trust and even business valuation.  Getting breached is a business risk as well as a security risk, and executive management and the board must be educated accordingly.

This is not going to happen to our organization.  Hope is not a strategy.  Neither is denial.  There are two types of organizations: those who know they have been breached and those who don’t yet know.  The Advanced Persistent Threat is not just a problem for the DoD or the NSA.  The recent Duqu attack is yet another wake-up call that organizations can no longer ignore.

Uncomfortable realities are, well, uncomfortable.  But they are reality nonetheless.  Organizations need to embrace the reality of the moment, get past the emotional objections and associated finger pointing, and face the challenges that this new reality brings.  You will get breached.  Attacks will evade or get past your shields.  You must have a tool in place to perform rapid detection and response to those breaches.

Embracing the “Presumption of Breach” Doctrine With Rapid Detection and Response

I came across a term last week in a very good article about the virus attack on the USAF Drone command systems (“Dronegate: the First Casualty is our CyberSecurity Paradigm” by  The term was simply “Presumption of Breach”, and for me it really summarized the doctrine that organizations and government agencies must adopt in the face of today’s IT security environment.  The doctrine is simple: You must assume you have been breached, have tools in place to detect those breaches that evade your shields, and have a plan to respond when such breaches are detected.  I call that Rapid Detection and Response.

The first step in the process – assuming you have been breached – sounds simple, but for many organizations it is the hardest part of adopting the “Presumption of Breach” doctrine.  It is far more comforting to have 100% faith that your shields will protect your systems without fail and without regard to the attack or attacker.  The emotional component of admitting that you cannot fully protect your IT systems is an interesting topic and one that I plan to expand in a later post.

In spite of the emotional resistance to assuming that you have been breached, all evidence points to it being the cold hard truth.  Many believe organizations now fall into two categories: those who know they have been breached and those who don’t.  Even if you have not been breached, every statistic and simple reason says you will be.

Once you give yourself over to the “presumption of breach” you will need a tool to help you quickly identify when you are breached.  Here is where I must make the disclaimer that Triumfant is such a tool, so I will have a bias toward the Triumfant approach and capabilities.  Now that my bias is fully exposed I can also say that I have not yet encountered another tool better equipped for rapid detection and response.

Why a separate tool and not some extension of your shield solutions? First, if your shields could have detected the attack they would have prevented the attack. Put another way, the attack happened because it evaded your defenses, so your defenses are obviously not able to perform the detection.  Second, it is always good to have checks and balances by not relying completely on one tool or vendor.  Think about it – how motivated is a shield vendor to provide you a tool that tells you when those shields did not do their job?

The detection tool must work rapidly and be comprehensive in its discovery and analysis of the attack.  Rapid detection enables the organization to contain the damage caused by a long-term infiltration.  The Verizon Business 2011 Data Breach Investigations Report (published May 2011) noted that 60% of the breaches studied in the report went undiscovered for a month or more.

Comprehensive analysis is necessary to provide the breadth of actionable data needed to respond to the attack.  The recent virus attack on the systems associated with the USAF drone fleet illustrated the problem when attempts to kill the virus were unsuccessful for two weeks or more.  Today’s malware is designed to persist – to survive.  If you just kill the malicious executable, chances are there is a persistence mechanism that will simply resurrect the malware in another place in the machine.  Detection software that does not detect the attack and all of the associated change/damage to the machine will hamper your response and leave the organization at risk.  The same is true for solutions that use pre-written, generic remediations – a one-size-fits-all approach will undoubtedly leave dangerous artifacts.

(Triumfant uses change detection coupled to patented analytics to identify attacks and correlate all of the changes to the victim machine associated with the attack.  This provides a complete picture of the primary and associated collateral damage, and allows Triumfant to build a remediation specific to the attack that repairs all of the damage to the machine.  This includes persistence mechanisms)
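As an added illustration of the change-detection idea described above (example code written for this page, not Triumfant's product or its analytics), the Python below diffs a baseline snapshot of an endpoint against a later one, clusters changes that happened close together in time, flags a cluster in which a new autostart entry points at a newly added file, and builds a remediation that covers every change in the cluster rather than only the executable. All paths, hashes and timestamps are constructed; the snapshot layout and the 60-second correlation window are assumptions.

```python
from dataclasses import dataclass

# Constructed snapshots of one endpoint: "files" maps path -> (content hash,
# last-change time); "autostart" maps a run-key entry -> (target path, time).
# Every hash, path and timestamp here is invented for the example.
BASELINE = {
    "files": {"C:/Users/alice/Documents/report.docx": ("h-report-1", 100)},
    "autostart": {"HKLM/Run/OneDrive": ("C:/Program Files/OneDrive/OneDrive.exe", 100)},
}
LATER = {
    "files": {
        "C:/Users/alice/Documents/report.docx": ("h-report-2", 5000),  # ordinary user edit
        "C:/Users/alice/AppData/Roaming/updater.exe": ("h-new-1", 9000),  # dropped binary
        "C:/Users/alice/AppData/Roaming/svc.dll": ("h-new-2", 9010),  # companion file
    },
    "autostart": {
        "HKLM/Run/OneDrive": ("C:/Program Files/OneDrive/OneDrive.exe", 100),
        "HKCU/Run/Updater": ("C:/Users/alice/AppData/Roaming/updater.exe", 9012),
    },
}

@dataclass(frozen=True)
class Change:
    kind: str    # "files" or "autostart"
    action: str  # "added", "modified" or "removed"
    key: str     # file path or autostart entry name
    time: int

def diff_snapshots(baseline: dict, later: dict) -> list:
    """Every difference between the two snapshots, oldest first."""
    changes = []
    for kind in ("files", "autostart"):
        old, new = baseline[kind], later[kind]
        for key, (value, t) in new.items():
            if key not in old:
                changes.append(Change(kind, "added", key, t))
            elif old[key][0] != value:
                changes.append(Change(kind, "modified", key, t))
        for key, (_, t) in old.items():
            if key not in new:
                changes.append(Change(kind, "removed", key, t))
    return sorted(changes, key=lambda c: c.time)

def correlate(changes: list, window: int = 60) -> list:
    """Cluster changes that occurred within `window` seconds of each other;
    a lone document edit hours earlier lands in its own cluster."""
    clusters = []
    for c in changes:
        if clusters and c.time - clusters[-1][-1].time <= window:
            clusters[-1].append(c)
        else:
            clusters.append([c])
    return clusters

def is_persistence_cluster(cluster: list, later: dict) -> bool:
    """True when a new autostart entry targets a file added in the same cluster."""
    added = {c.key for c in cluster if c.kind == "files" and c.action == "added"}
    return any(c.kind == "autostart" and c.action == "added"
               and later["autostart"][c.key][0] in added for c in cluster)

def remediation(cluster: list) -> list:
    """One step per change in the cluster, so removing the binary alone is never the plan."""
    steps = []
    for c in cluster:
        if c.kind == "autostart" and c.action == "added":
            steps.append(f"delete autostart entry {c.key}")
        elif c.kind == "files" and c.action == "added":
            steps.append(f"quarantine {c.key}")
        elif c.action == "modified":
            steps.append(f"restore {c.key} from baseline")
    return steps
```

Run `remediation(c)` on each cluster from `correlate(diff_snapshots(BASELINE, LATER))`: the unrelated document edit gets its own single-step plan, while the dropped binary, its companion file and the run-key entry are handled together.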

Lastly, you have to have a plan to respond to these breaches.  Your rapid detection and response tool should have the ability to learn about the attack and use that knowledge to look for other infiltrations throughout your network.  You should have processes in place to correlate the attack data to firewall logs and other security data (perhaps via a SIEM tool) to help identify the source of the attack and ways to block it at the shield level.  You also need to establish reporting channels to make the appropriate people aware of the breach in the event that it becomes public or causes an interruption in services to stakeholders or customers.  In other words, do the opposite of how Sony handled their PS3 breaches.

Putting the “Presumption of Breach” doctrine into practice is not an admission of failure or some IT security nihilism.  It is a sound and pragmatic recognition of the environment in which we operate.  It also means that your organization faces the inevitable prepared with a plan to minimize the impact of any attack that gets past your shields.