This year, the US government paid out its largest bug bounty yet — during the government run "Hack the Air Force" program — for a vulnerability in its software. The flaw, if not proactively found, would have allowed hackers to run malicious code on its systems and manipulate data. It's the latest example of an emerging threat that has industry leaders scrambling and requires new thinking from security professionals.
Former national intelligence chief James Clapper warned as early as 2015 that "the next push of the envelope" in cyber warfare was likely to involve data manipulation. Now, financial services companies, healthcare organizations, and other industries in which data integrity is critical to business are running cyber war games to figure out how to prepare for such threats.
Unlike attacks that try to steal data or those that hold it hostage with ransomware, data manipulation attacks can be hard to detect. Hackers can make small changes to information that are easy to miss but can have potentially catastrophic effects down the road.
Two years ago, a hacktivist group with ties to Syria reportedly infiltrated a water utility's control system and changed the levels of chemicals being used to treat water. It's not hard to imagine a similar attack perpetrated against a pharmaceutical company, creating a digital equivalent of the Tylenol scare of the 1970s.
At a time when nation-state hacking is on the rise, data manipulation can also be used to disrupt the economy and undermine confidence in critical national systems. An attack targeting stock market data, for example, could spark chaos for financial markets.
It's hard to gauge how widespread such attacks are, but security professionals should be thinking about measures to guard against this type of incident. To do so, it's helpful to think about the phases that comprise a "typical" breach: penetration, pathway mapping, lateral movement, and destruction or alteration of target data.
One reason that attacks on data integrity are so hard to detect is that attackers don't need to exfiltrate data. That means all the tools and techniques security teams typically rely on to detect files being removed from a network become unhelpful.
The penetration phase, which typically involves compromising a low-value asset within the organization, is extremely hard to prevent for any type of attack. During this phase, malicious attackers weaponize a payload and take advantage of a vulnerability to deliver malware into the target's environment, which includes its data centers, endpoints, clouds, and third-party applications that are authorized to access its systems. Organizations can employ multiple techniques and tools to detect attacks and secure its perimeter and endpoints, such as IDS/IPS systems, perimeter and web-application firewalls, anti-phishing tools, and more.
In the pathway mapping phase, the malicious payload activates scanning tools to scan and discover the systems in the network that an infected host or device can access. Organizations can detect malicious scanning and mapping tools by turning all their hosts — bare metal, VMs, cloud, load balancers, and switches — into sensors so that the entire computing infrastructure acts as a distributed detection platform. This distributed detection platform will also have the ability to learn normal behavior through a baselining process, and trigger anomalies when connections and traffic flows are against policy or deviate from the baseline. An organization using microsegmentation and anomaly detection techniques will be able to detect and prevent malicious scanning and mapping activities from infected hosts.
Following the pathway mapping phase, lateral movement occurs where attackers move throughout networks to locate data they want to delete or alter. To secure its environment, organizations should start by building an application dependency map so it can identify the high-value assets and their legitimate connections and dependencies and create its micro-segmentation strategy. Microsegmentation via well-defined whitelisting policies that limit and control connections across and access to systems and applications is an effective enforcement mechanism. Whitelisting should follow the best practice of least privilege not just for user-to-machine traffic, where it is more commonly used, but also for all machine-to-machine traffic, which is growing more critical with the rise of IoT devices. In addition, monitoring and detection of failed attempts also function as high-quality signals of malicious actors attempting to move laterally across the network.
Since the attacks are hard to detect, being able to identify when data has been modified is also critical, and various data integrity tools help with this. For example, file integrity monitoring tools have the ability to send alerts and run data integrity checks. Once unauthorized changes are detected, organizations need a way to confidently restore data to a legitimate previous state.
Motives for data manipulation attacks vary, but short-term profit is rarely the appeal. Campaigns involving data manipulation can take months or years to play out and could be part of a broader cyber sabotage effort. For example, attackers could subtly alter the blueprints of a commercial airliner, which will result in a nonfatal aircraft component failure years in the future. The goal would be to put an airline or an aircraft manufacturer out of business or bring the aviation industry into disrepute. Ultimately, air travel represents one of many pursuits that rely on consumer confidence in the provider in order to be successful, so subtle nefarious changes to data can be ruinous for an entire industry.
Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation-states and terrorist groups are the most likely actors in data manipulation attacks. That's why the military and intelligence services are taking them seriously.
This is still an emerging type of threat, but security professionals should be thinking now about how to respond. New attack types can spread, and when new attack types emerge quickly, it pays to be prepared.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.