Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
PJ Kirner
PJ Kirner
Connect Directly
E-Mail vvv

Data Manipulation: How Security Pros Can Respond to an Emerging Threat

Industry leaders are scrambling to address the issue, which will take new thinking to overcome.

This year, the US government paid out its largest bug bounty yet — during the government run "Hack the Air Force" program — for a vulnerability in its software. The flaw, if not proactively found, would have allowed hackers to run malicious code on its systems and manipulate data. It's the latest example of an emerging threat that has industry leaders scrambling and requires new thinking from security professionals.

Former national intelligence chief James Clapper warned as early as 2015 that "the next push of the envelope" in cyber warfare was likely to involve data manipulation. Now, financial services companies, healthcare organizations, and other industries in which data integrity is critical to business are running cyber war games to figure out how to prepare for such threats.

Unlike attacks that try to steal data or those that hold it hostage with ransomware, data manipulation attacks can be hard to detect. Hackers can make small changes to information that are easy to miss but can have potentially catastrophic effects down the road.

Two years ago, a hacktivist group with ties to Syria reportedly infiltrated a water utility's control system and changed the levels of chemicals being used to treat water. It's not hard to imagine a similar attack perpetrated against a pharmaceutical company, creating a digital equivalent of the Tylenol scare of the 1970s.

At a time when nation-state hacking is on the rise, data manipulation can also be used to disrupt the economy and undermine confidence in critical national systems. An attack targeting stock market data, for example, could spark chaos for financial markets.

It's hard to gauge how widespread such attacks are, but security professionals should be thinking about measures to guard against this type of incident. To do so, it's helpful to think about the phases that comprise a "typical" breach: penetration, pathway mapping, lateral movement, and destruction or alteration of target data.

One reason that attacks on data integrity are so hard to detect is that attackers don't need to exfiltrate data. That means all the tools and techniques security teams typically rely on to detect files being removed from a network become unhelpful.

The penetration phase, which typically involves compromising a low-value asset within the organization, is extremely hard to prevent for any type of attack. During this phase, malicious attackers weaponize a payload and take advantage of a vulnerability to deliver malware into the target's environment, which includes its data centers, endpoints, clouds, and third-party applications that are authorized to access its systems. Organizations can employ multiple techniques and tools to detect attacks and secure its perimeter and endpoints, such as IDS/IPS systems, perimeter and web-application firewalls, anti-phishing tools, and more. 

In the pathway mapping phase, the malicious payload activates scanning tools to scan and discover the systems in the network that an infected host or device can access. Organizations can detect malicious scanning and mapping tools by turning all their hosts — bare metal, VMs, cloud, load balancers, and switches — into sensors so that the entire computing infrastructure acts as a distributed detection platform. This distributed detection platform will also have the ability to learn normal behavior through a baselining process, and trigger anomalies when connections and traffic flows are against policy or deviate from the baseline. An organization using microsegmentation and anomaly detection techniques will be able to detect and prevent malicious scanning and mapping activities from infected hosts.  

Following the pathway mapping phase, lateral movement occurs where attackers move throughout networks to locate data they want to delete or alter. To secure its environment, organizations should start by building an application dependency map so it can identify the high-value assets and their legitimate connections and dependencies and create its micro-segmentation strategy. Microsegmentation via well-defined whitelisting policies that limit and control connections across and access to systems and applications is an effective enforcement mechanism. Whitelisting should follow the best practice of least privilege not just for user-to-machine traffic, where it is more commonly used, but also for all machine-to-machine traffic, which is growing more critical with the rise of IoT devices. In addition, monitoring and detection of failed attempts also function as high-quality signals of malicious actors attempting to move laterally across the network. 

Since the attacks are hard to detect, being able to identify when data has been modified is also critical, and various data integrity tools help with this. For example, file integrity monitoring tools have the ability to send alerts and run data integrity checks. Once unauthorized changes are detected, organizations need a way to confidently restore data to a legitimate previous state.

Motives for data manipulation attacks vary, but short-term profit is rarely the appeal. Campaigns involving data manipulation can take months or years to play out and could be part of a broader cyber sabotage effort. For example, attackers could subtly alter the blueprints of a commercial airliner, which will result in a nonfatal aircraft component failure years in the future. The goal would be to put an airline or an aircraft manufacturer out of business or bring the aviation industry into disrepute. Ultimately, air travel represents one of many pursuits that rely on consumer confidence in the provider in order to be successful, so subtle nefarious changes to data can be ruinous for an entire industry.

Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation-states and terrorist groups are the most likely actors in data manipulation attacks. That's why the military and intelligence services are taking them seriously.

This is still an emerging type of threat, but security professionals should be thinking now about how to respond. New attack types can spread, and when new attack types emerge quickly, it pays to be prepared.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS build 20210202 (and later) QT...