Lessons In Ghosts Of Breaches Past

While sophisticated attacks are on the rise, details remain scarce. Here's a look at the lessons your enterprise might learn from the well-analyzed GhostNet incident.

Dark Reading Staff, Dark Reading

June 9, 2011

During the past several months, targeted attacks have taken aim at U.S. technology companies, government contractors, and federal agencies. While details of these attacks can be hard to come by, an analysis of the more public compromises -- such as the recent RSA breach and the older GhostNet exploit -- could offer some tips for today's enterprises.

In a letter released this week, security firm RSA, a subsidiary of enterprise technology giant EMC, confirmed that a targeted e-mail carrying a Trojan horse allowed attackers to steal valuable security data. The data has already been used to breach the systems of a supplier to defense contractor Lockheed Martin in an attack that ultimately failed, the company says.

Details of such attacks are scarce. Yet a look back at one of the first well-analyzed attacks attributed to persistent attackers -- GhostNet -- could hold lessons for companies, experts say.

In 2009, Citizen Lab at the University of Toronto and the SecDev Group, a security firm, released an in-depth analysis of GhostNet, a botnet used for espionage that encompassed nearly 1,300 compromised systems, of which about one-third were considered "high value." Organizations affected by the attack included embassies, international organizations, news media, and nongovernmental organizations, according to the report.

"This is the way that the RSA attack worked and the GhostNet attack worked -- you get a beachhead on the network, and from that beachhead ... the attackers are going to find the key server to get logins and network privileges," says Anup Ghosh, founder and chief scientist of Invincea.

While victims have taken to calling the attacks on their firms "sophisticated," many of the techniques are similar to those that helped establish GhostNet and, for the most part, were run-of-the-mill.

"Ultimately, we don't know who is behind GhostNet," Nart Villeneuve, a researcher and one of the authors of the GhostNet report, said at the time. "What is interesting for us is the fact that it actually existed -- that attackers using these unsophisticated methods were able to do this type of damage to organizations all over the world."

In fact, RSA has already suggested a connection between the techniques used to establish GhostNet and the attack on its own company. In a post describing its own attack, the company stated that the malware came in via an email message to a small group of RSA employees. When the attached Excel spreadsheet was opened, it exploited a vulnerability in Adobe Flash and installed a remote administration tool, wrote Uri Rivner, the head of new technologies at RSA's consumer identity protection group.

"In our case, the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around," Rivner wrote. "Similar techniques were reported in many past APTs, including GhostNet."

Dealing with such attacks requires rearchitecting networks to prevent compromised machines from allowing attackers to spread through the network, Invincea's Ghosh says.

"None of these [companies'] networks are architected in a way that assumes the employees have compromised machines," Ghosh says.

In speaking with customers, Ghosh increasingly hears CSOs discussing the problem in terms of firefighting: creating firebreaks within the network so that they do not always have to worry about putting fires out before they spread. Keeping different business groups separated from one another on the network helps, he says. In addition, applications that have access to the Internet should be run in their own virtual machines to prevent compromise.
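One way to check such firebreaks against observed traffic, as an added example that is not from the article or the people quoted in it. The subnets, segment names, allow rules and flow records below are all constructed assumptions.

```python
import ipaddress

# Constructed segment map: each business group on its own subnet (assumed addressing).
SEGMENTS = {
    "finance":     ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "servers":     ipaddress.ip_network("10.99.0.0/24"),
}

# Firebreak policy (assumed): the only cross-segment flows that are permitted,
# as (source segment, destination segment, destination port).
ALLOWED = {
    ("finance", "servers", 443),
    ("engineering", "servers", 443),
    ("engineering", "servers", 22),
}

def segment_of(addr):
    """Return the name of the segment containing addr, or None if external."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def firebreak_violations(flows):
    """Return internal flows that cross a segment boundary without an allow rule."""
    hits = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None or s == d:
            continue  # external or same-segment traffic is out of scope here
        if (s, d, port) not in ALLOWED:
            hits.append((src, dst, port, f"{s}->{d}"))
    return hits

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.99.0.5", 443),    # finance to app server: allowed
    ("10.10.0.15", "10.20.0.8", 445),    # finance desktop to engineering desktop
    ("10.20.0.8",  "10.99.0.2", 3389),   # engineering desktop to server admin port
    ("10.20.0.8",  "10.20.0.9", 445),    # same segment: not a boundary crossing
    ("10.10.0.15", "203.0.113.7", 443),  # external destination: out of scope
]

if __name__ == "__main__":
    for hit in firebreak_violations(SAMPLE_FLOWS):
        print(hit)
```

Desktop-to-desktop traffic across groups and desktop-to-server traffic on an unlisted port are the two flows reported; same-segment and outbound Internet traffic need separate controls.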

"Everything is reactive right now," Ghosh says. "Once the damage is done, once data is stolen, you cannot undo that damage. What the private sector [and] government sector needs to do is rebuild our strategy and go back to engineering."

To keep compromised machines from accessing sensitive data, companies need to go back to least-privilege concepts and role-based authentication, says Ken Ammon, chief strategy officer, Xceedium, a company that sells technology for doing just that.

"The security boundary stuff is becoming weaker and weaker as a single point of defense," Ammon says. "You have to be able to treat each connection as a specific utility or capability. I would like to strip out every capability of a desktop, except what employees need to do their job."
