Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/21/2018
10:30 AM
PJ Kirner
PJ Kirner
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Data Manipulation: How Security Pros Can Respond to an Emerging Threat

Industry leaders are scrambling to address the issue, which will take new thinking to overcome.

This year, the US government paid out its largest bug bounty yet — during the government run "Hack the Air Force" program — for a vulnerability in its software. The flaw, if not proactively found, would have allowed hackers to run malicious code on its systems and manipulate data. It's the latest example of an emerging threat that has industry leaders scrambling and requires new thinking from security professionals.

Former national intelligence chief James Clapper warned as early as 2015 that "the next push of the envelope" in cyber warfare was likely to involve data manipulation. Now, financial services companies, healthcare organizations, and other industries in which data integrity is critical to business are running cyber war games to figure out how to prepare for such threats.

Unlike attacks that try to steal data or those that hold it hostage with ransomware, data manipulation attacks can be hard to detect. Hackers can make small changes to information that are easy to miss but can have potentially catastrophic effects down the road.

Two years ago, a hacktivist group with ties to Syria reportedly infiltrated a water utility's control system and changed the levels of chemicals being used to treat water. It's not hard to imagine a similar attack perpetrated against a pharmaceutical company, creating a digital equivalent of the Tylenol scare of the 1970s.

At a time when nation-state hacking is on the rise, data manipulation can also be used to disrupt the economy and undermine confidence in critical national systems. An attack targeting stock market data, for example, could spark chaos for financial markets.

It's hard to gauge how widespread such attacks are, but security professionals should be thinking about measures to guard against this type of incident. To do so, it's helpful to think about the phases that comprise a "typical" breach: penetration, pathway mapping, lateral movement, and destruction or alteration of target data.

One reason that attacks on data integrity are so hard to detect is that attackers don't need to exfiltrate data. That means all the tools and techniques security teams typically rely on to detect files being removed from a network become unhelpful.

The penetration phase, which typically involves compromising a low-value asset within the organization, is extremely hard to prevent for any type of attack. During this phase, malicious attackers weaponize a payload and take advantage of a vulnerability to deliver malware into the target's environment, which includes its data centers, endpoints, clouds, and third-party applications that are authorized to access its systems. Organizations can employ multiple techniques and tools to detect attacks and secure its perimeter and endpoints, such as IDS/IPS systems, perimeter and web-application firewalls, anti-phishing tools, and more. 

In the pathway mapping phase, the malicious payload activates scanning tools to scan and discover the systems in the network that an infected host or device can access. Organizations can detect malicious scanning and mapping tools by turning all their hosts — bare metal, VMs, cloud, load balancers, and switches — into sensors so that the entire computing infrastructure acts as a distributed detection platform. This distributed detection platform will also have the ability to learn normal behavior through a baselining process, and trigger anomalies when connections and traffic flows are against policy or deviate from the baseline. An organization using microsegmentation and anomaly detection techniques will be able to detect and prevent malicious scanning and mapping activities from infected hosts.  

Following the pathway mapping phase, lateral movement occurs where attackers move throughout networks to locate data they want to delete or alter. To secure its environment, organizations should start by building an application dependency map so it can identify the high-value assets and their legitimate connections and dependencies and create its micro-segmentation strategy. Microsegmentation via well-defined whitelisting policies that limit and control connections across and access to systems and applications is an effective enforcement mechanism. Whitelisting should follow the best practice of least privilege not just for user-to-machine traffic, where it is more commonly used, but also for all machine-to-machine traffic, which is growing more critical with the rise of IoT devices. In addition, monitoring and detection of failed attempts also function as high-quality signals of malicious actors attempting to move laterally across the network. 

Since the attacks are hard to detect, being able to identify when data has been modified is also critical, and various data integrity tools help with this. For example, file integrity monitoring tools have the ability to send alerts and run data integrity checks. Once unauthorized changes are detected, organizations need a way to confidently restore data to a legitimate previous state.

Motives for data manipulation attacks vary, but short-term profit is rarely the appeal. Campaigns involving data manipulation can take months or years to play out and could be part of a broader cyber sabotage effort. For example, attackers could subtly alter the blueprints of a commercial airliner, which will result in a nonfatal aircraft component failure years in the future. The goal would be to put an airline or an aircraft manufacturer out of business or bring the aviation industry into disrepute. Ultimately, air travel represents one of many pursuits that rely on consumer confidence in the provider in order to be successful, so subtle nefarious changes to data can be ruinous for an entire industry.

Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation-states and terrorist groups are the most likely actors in data manipulation attacks. That's why the military and intelligence services are taking them seriously.

This is still an emerging type of threat, but security professionals should be thinking now about how to respond. New attack types can spread, and when new attack types emerge quickly, it pays to be prepared.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17789
PUBLISHED: 2019-09-20
Prospecta Master Data Online (MDO) allows CSRF.
CVE-2019-11280
PUBLISHED: 2019-09-20
Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.18, 2.4.x prior to 2.4.14, 2.5.x prior to 2.5.10, and 2.6.x prior to 2.6.5, contains an invitations microservice which allows users to invite others to their organizations. A remote authenticated user can gain ...
CVE-2019-11326
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product is protected by a login. A guest is allowed to login. Once logged in as a guest, an attacker can browse a URL to read the password of the administrative user. The same pro...
CVE-2019-11327
PUBLISHED: 2019-09-20
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
CVE-2019-14814
PUBLISHED: 2019-09-20
There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.