
Threat Intelligence

9/21/2018
10:30 AM
PJ Kirner
Commentary

Data Manipulation: How Security Pros Can Respond to an Emerging Threat

Industry leaders are scrambling to address the issue, which will take new thinking to overcome.

This year, the US government paid out its largest bug bounty yet, during the government-run "Hack the Air Force" program, for a vulnerability in its software. The flaw, had it not been found proactively, would have allowed hackers to run malicious code on its systems and manipulate data. It's the latest example of an emerging threat that has industry leaders scrambling and that requires new thinking from security professionals.

Former national intelligence chief James Clapper warned as early as 2015 that "the next push of the envelope" in cyber warfare was likely to involve data manipulation. Now, financial services companies, healthcare organizations, and other industries in which data integrity is critical to business are running cyber war games to figure out how to prepare for such threats.

Unlike attacks that try to steal data or those that hold it hostage with ransomware, data manipulation attacks can be hard to detect. Hackers can make small changes to information that are easy to miss but can have potentially catastrophic effects down the road.

Two years ago, a hacktivist group with ties to Syria reportedly infiltrated a water utility's control system and changed the levels of chemicals being used to treat water. It's not hard to imagine a similar attack perpetrated against a pharmaceutical company, creating a digital equivalent of the Tylenol scare of the 1970s.

At a time when nation-state hacking is on the rise, data manipulation can also be used to disrupt the economy and undermine confidence in critical national systems. An attack targeting stock market data, for example, could spark chaos for financial markets.

It's hard to gauge how widespread such attacks are, but security professionals should be thinking about measures to guard against this type of incident. To do so, it's helpful to think about the phases that comprise a "typical" breach: penetration, pathway mapping, lateral movement, and destruction or alteration of target data.

One reason that attacks on data integrity are so hard to detect is that attackers don't need to exfiltrate data. That means all the tools and techniques security teams typically rely on to detect files being removed from a network become unhelpful.

The penetration phase, which typically involves compromising a low-value asset within the organization, is extremely hard to prevent for any type of attack. During this phase, attackers weaponize a payload and take advantage of a vulnerability to deliver malware into the target's environment, which includes its data centers, endpoints, clouds, and third-party applications that are authorized to access its systems. Organizations can employ multiple techniques and tools to detect attacks and secure their perimeter and endpoints, such as IDS/IPS, perimeter and web-application firewalls, anti-phishing tools, and more.

In the pathway mapping phase, the malicious payload activates scanning tools to discover the systems in the network that an infected host or device can reach. Organizations can detect malicious scanning and mapping by turning all their hosts (bare metal, VMs, cloud instances, load balancers, and switches) into sensors, so that the entire computing infrastructure acts as a distributed detection platform. Such a platform can also learn normal behavior through a baselining process and raise alerts when connections and traffic flows violate policy or deviate from the baseline. An organization using microsegmentation and anomaly detection techniques will be able to detect and prevent malicious scanning and mapping activity from infected hosts.

Following the pathway mapping phase, lateral movement occurs: attackers move throughout the network to locate the data they want to delete or alter. To secure their environment, organizations should start by building an application dependency map so they can identify high-value assets and their legitimate connections and dependencies, and from that create their microsegmentation strategy. Microsegmentation via well-defined whitelisting policies that limit and control connections across, and access to, systems and applications is an effective enforcement mechanism. Whitelisting should follow the best practice of least privilege not just for user-to-machine traffic, where it is more commonly used, but also for all machine-to-machine traffic, which is growing more critical with the rise of IoT devices. In addition, monitoring and detecting failed connection attempts provides a high-quality signal of malicious actors attempting to move laterally across the network.
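The two phases above (baselining and anomaly detection for the pathway mapping phase, and whitelist-based microsegmentation plus failed-attempt monitoring for lateral movement) can be illustrated in one small detection routine. The following is an added example written for this article, not code from the author or from Illumio; the host names, roles, ports and flow records are constructed sample data, and the "application dependency map" is a hypothetical hand-written allow list of (source role, destination role, port) tuples.

```python
"""
Added example (not from the article or Illumio): evaluate east-west connection
records against a whitelist derived from an application dependency map, learn a
per-host baseline of normal peers, and raise signals for scanning and for
repeated policy denials that indicate lateral movement.
All hosts, ports and flow records below are constructed sample data.
"""
from collections import defaultdict

# Hypothetical application dependency map: the only machine-to-machine
# connections permitted, expressed as (source role, destination role, port).
ROLE_OF = {
    "web-1": "web", "web-2": "web",
    "app-1": "app",
    "db-1": "db",
    "hr-laptop": "user",
}
ALLOWED = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("user", "web", 443),
}

def policy_allows(src, dst, port):
    """Whitelist check: a flow is permitted only if its role pair and port are listed."""
    return (ROLE_OF.get(src), ROLE_OF.get(dst), port) in ALLOWED

def build_baseline(flows):
    """Learn the set of (peer, port) pairs each host normally talks to from known-good flows."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline

def analyze(flows, baseline, scan_threshold=3, denial_threshold=3):
    """
    Return per-host findings:
      denied    - flows the whitelist rejects (microsegmentation would block these)
      new_peers - (peer, port) pairs never seen in the baseline
      alerts    - 'scan' when a host reaches many new peers,
                  'lateral' when a host keeps hitting policy denials
    """
    denied = defaultdict(list)
    new_peers = defaultdict(set)
    for src, dst, port in flows:
        if not policy_allows(src, dst, port):
            denied[src].append((dst, port))
        if (dst, port) not in baseline.get(src, set()):
            new_peers[src].add((dst, port))
    alerts = {}
    for host in set(denied) | set(new_peers):
        tags = []
        if len(new_peers[host]) >= scan_threshold:
            tags.append("scan")
        if len(denied[host]) >= denial_threshold:
            tags.append("lateral")
        if tags:
            alerts[host] = tags
    return {"denied": dict(denied), "new_peers": dict(new_peers), "alerts": alerts}

# Constructed known-good traffic used to baseline normal behaviour.
BASELINE_FLOWS = [
    ("web-1", "app-1", 8080), ("web-2", "app-1", 8080),
    ("app-1", "db-1", 5432), ("hr-laptop", "web-1", 443),
]

# Constructed observation window: the normal traffic plus one infected
# endpoint probing servers it has no legitimate dependency on.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    ("hr-laptop", "app-1", 22),
    ("hr-laptop", "db-1", 5432),
    ("hr-laptop", "db-1", 22),
    ("hr-laptop", "web-2", 445),
]

def run():
    """Analyze the constructed window against the constructed baseline."""
    return analyze(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))

if __name__ == "__main__":
    for host, tags in run()["alerts"].items():
        print(host, tags)
```

The design point is that the allow list and the baseline answer different questions: the allow list says what should never happen regardless of history, while the baseline says what is unusual for this host even when policy is silent. Counting denials per source host turns the enforcement log itself into the lateral-movement signal the paragraph describes.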

Since the attacks are hard to detect, being able to identify when data has been modified is also critical, and various data integrity tools help with this. For example, file integrity monitoring tools have the ability to send alerts and run data integrity checks. Once unauthorized changes are detected, organizations need a way to confidently restore data to a legitimate previous state.
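The file integrity monitoring and restore step described above, as an added example that is not part of the original article: it builds a SHA-256 manifest of a directory tree while the data is known-good, re-hashes later to classify modified, removed and added files, and restores any modified file from a snapshot, verifying the restored copy against the trusted digest. The directory layout, file names and contents are constructed in a temporary directory for the demonstration.

```python
"""
Added example (not from the article): a minimal file integrity check.
Hash a tree, compare with a trusted manifest, report changes, and restore
modified files from a known-good snapshot. All paths and contents are
constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def diff_manifest(trusted, current):
    """Classify the live tree relative to the trusted manifest."""
    modified = sorted(p for p in trusted if p in current and trusted[p] != current[p])
    removed = sorted(p for p in trusted if p not in current)
    added = sorted(p for p in current if p not in trusted)
    return {"modified": modified, "removed": removed, "added": added}

def restore(root, snapshot_root, trusted, paths):
    """Copy files back from the snapshot; report only those that verify against the manifest."""
    restored = []
    for rel in paths:
        src = os.path.join(snapshot_root, rel)
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        if hash_file(dst) == trusted[rel]:
            restored.append(rel)
    return restored

def demo():
    """Constructed scenario: snapshot a tree, tamper with one record, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        snap = os.path.join(tmp, "snapshot")
        os.makedirs(os.path.join(live, "batch"))
        with open(os.path.join(live, "batch", "dosage.csv"), "w") as f:
            f.write("lot,mg\nA1,50\n")
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("ok\n")
        shutil.copytree(live, snap)
        trusted = build_manifest(live)  # taken while the data is known-good

        # A subtle manipulation: one digit changed, file size unchanged,
        # so size or timestamp checks alone would not catch it.
        with open(os.path.join(live, "batch", "dosage.csv"), "w") as f:
            f.write("lot,mg\nA1,60\n")
        with open(os.path.join(live, "dropper.tmp"), "w") as f:
            f.write("x")
        os.remove(os.path.join(live, "readme.txt"))

        findings = diff_manifest(trusted, build_manifest(live))
        restored = restore(live, snap, trusted, findings["modified"])
        still_modified = diff_manifest(trusted, build_manifest(live))["modified"]
        return findings, restored, still_modified

if __name__ == "__main__":
    print(demo())
```

In practice the trusted manifest and the snapshot must live somewhere the compromised host cannot write to, otherwise an attacker who can alter the data can also alter the record of what the data should be; the verification step after restore exists so that a tampered snapshot is noticed rather than silently trusted.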

Motives for data manipulation attacks vary, but short-term profit is rarely the appeal. Campaigns involving data manipulation can take months or years to play out and could be part of a broader cyber sabotage effort. For example, attackers could subtly alter the blueprints of a commercial airliner, which will result in a nonfatal aircraft component failure years in the future. The goal would be to put an airline or an aircraft manufacturer out of business or bring the aviation industry into disrepute. Ultimately, air travel represents one of many pursuits that rely on consumer confidence in the provider in order to be successful, so subtle nefarious changes to data can be ruinous for an entire industry.

Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation-states and terrorist groups are the most likely actors in data manipulation attacks. That's why the military and intelligence services are taking them seriously.

This is still an emerging type of threat, but security professionals should be thinking now about how to respond. New attack types tend to spread quickly once they emerge, and it pays to be prepared before they do.


As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ...