
Threat Intelligence

9/21/2018 10:30 AM
PJ Kirner
Commentary

Data Manipulation: How Security Pros Can Respond to an Emerging Threat

Industry leaders are scrambling to address the issue, which will take new thinking to overcome.

This year, the US government paid out its largest bug bounty yet — during the government-run "Hack the Air Force" program — for a vulnerability in its software. The flaw, had it not been proactively found, would have allowed hackers to run malicious code on its systems and manipulate data. It's the latest example of an emerging threat that has industry leaders scrambling and requires new thinking from security professionals.

Former national intelligence chief James Clapper warned as early as 2015 that "the next push of the envelope" in cyber warfare was likely to involve data manipulation. Now, financial services companies, healthcare organizations, and other industries in which data integrity is critical to business are running cyber war games to figure out how to prepare for such threats.

Unlike attacks that try to steal data or those that hold it hostage with ransomware, data manipulation attacks can be hard to detect. Hackers can make small changes to information that are easy to miss but can have potentially catastrophic effects down the road.

Two years ago, a hacktivist group with ties to Syria reportedly infiltrated a water utility's control system and changed the levels of chemicals being used to treat water. It's not hard to imagine a similar attack perpetrated against a pharmaceutical company, creating a digital equivalent of the Tylenol scare of the 1970s.

At a time when nation-state hacking is on the rise, data manipulation can also be used to disrupt the economy and undermine confidence in critical national systems. An attack targeting stock market data, for example, could spark chaos for financial markets.

It's hard to gauge how widespread such attacks are, but security professionals should be thinking about measures to guard against this type of incident. To do so, it's helpful to think about the phases that comprise a "typical" breach: penetration, pathway mapping, lateral movement, and destruction or alteration of target data.

One reason that attacks on data integrity are so hard to detect is that attackers don't need to exfiltrate data. That means all the tools and techniques security teams typically rely on to detect files being removed from a network become unhelpful.

The penetration phase, which typically involves compromising a low-value asset within the organization, is extremely hard to prevent for any type of attack. During this phase, attackers weaponize a payload and take advantage of a vulnerability to deliver malware into the target's environment, which includes its data centers, endpoints, clouds, and third-party applications that are authorized to access its systems. Organizations can employ multiple techniques and tools, such as IDS/IPS, perimeter and web-application firewalls, and anti-phishing tools, to detect attacks and secure their perimeter and endpoints.

In the pathway mapping phase, the malicious payload activates scanning tools to discover the systems in the network that an infected host or device can access. Organizations can detect malicious scanning and mapping tools by turning all their hosts — bare metal, VMs, cloud, load balancers, and switches — into sensors so that the entire computing infrastructure acts as a distributed detection platform. This distributed detection platform can also learn normal behavior through a baselining process and flag anomalies when connections and traffic flows violate policy or deviate from the baseline. An organization using microsegmentation and anomaly detection techniques will be able to detect and prevent malicious scanning and mapping activity from infected hosts.

Following the pathway mapping phase, lateral movement occurs: attackers move throughout networks to locate the data they want to delete or alter. To secure their environment, organizations should start by building an application dependency map so they can identify high-value assets and their legitimate connections and dependencies, and then derive a microsegmentation strategy from it. Microsegmentation via well-defined whitelisting policies that limit and control connections across, and access to, systems and applications is an effective enforcement mechanism. Whitelisting should follow the best practice of least privilege not just for user-to-machine traffic, where it is more commonly used, but also for all machine-to-machine traffic, which is growing more critical with the rise of IoT devices. In addition, monitoring and detection of failed connection attempts function as high-quality signals of malicious actors attempting to move laterally across the network.
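The two preceding paragraphs describe hosts-as-sensors baselining and dependency-map-driven whitelisting. The following is an added example (not from the article or from Illumio) that applies both to a constructed flow log: a flow is allowed only if the dependency map lists its (source role, destination role, port) triple, refused attempts are counted per source as a lateral-movement signal, and a host whose fan-out exceeds its role's baseline is flagged as a suspected scanner. Host addresses, roles, ports and baseline numbers are all constructed sample data.

```python
from collections import defaultdict

# Constructed application dependency map: (source role, destination role, port)
# triples the business actually needs. Anything else is denied by default.
ALLOWED = {("web", "app", 8443), ("app", "db", 5432), ("app", "cache", 6379)}

# Constructed host inventory and per-role baseline fan-out (distinct peers seen normally).
ROLES = {"10.0.1.10": "web", "10.0.2.20": "app", "10.0.3.30": "db", "10.0.3.31": "cache"}
BASELINE_FANOUT = {"web": 1, "app": 2, "db": 0, "cache": 0}

def role(host):
    return ROLES.get(host, "unknown")

def is_allowed(src, dst, port):
    """Least-privilege check: the flow is legitimate only if the map lists it."""
    return (role(src), role(dst), port) in ALLOWED

def evaluate_flows(flows, fanout_factor=2):
    """Return (policy_violations, refused_counts, suspected_scanners).

    flows: iterable of (src, dst, port, outcome) with outcome "ok" or "refused".
    A host is a suspected scanner when it contacts more distinct (dst, port)
    pairs than fanout_factor times its role's baseline.
    """
    violations, refused, fanout = [], defaultdict(int), defaultdict(set)
    for src, dst, port, outcome in flows:
        fanout[src].add((dst, port))
        if not is_allowed(src, dst, port):
            violations.append((src, dst, port))
        if outcome == "refused":
            refused[src] += 1
    scanners = sorted(src for src, peers in fanout.items()
                      if len(peers) > fanout_factor * BASELINE_FANOUT.get(role(src), 0))
    return violations, dict(refused), scanners

# Constructed sample flow log: normal tier-to-tier traffic, then the web host
# probing the data tier, which the segmentation policy refuses.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443, "ok"),
    ("10.0.2.20", "10.0.3.30", 5432, "ok"),
    ("10.0.2.20", "10.0.3.31", 6379, "ok"),
    ("10.0.1.10", "10.0.3.30", 5432, "refused"),
    ("10.0.1.10", "10.0.3.30", 22, "refused"),
    ("10.0.1.10", "10.0.3.31", 6379, "refused"),
]

if __name__ == "__main__":
    print(evaluate_flows(SAMPLE_FLOWS))
```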

Since the attacks are hard to detect, being able to identify when data has been modified is also critical, and various data integrity tools help with this. For example, file integrity monitoring tools have the ability to send alerts and run data integrity checks. Once unauthorized changes are detected, organizations need a way to confidently restore data to a legitimate previous state.
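To make the file integrity monitoring and restore step concrete, here is an added example (not from the article) in Python: a SHA-256 baseline of a directory tree, an integrity check that reports modified, added and removed files, and a restore from a known-good snapshot that refuses any snapshot copy whose digest no longer matches the baseline. The directory layout, file names and contents are constructed sample data created in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root, baseline):
    """Compare the tree against the baseline; a silent one-character edit shows up as 'modified'."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def restore(root, snapshot, baseline, report):
    """Copy modified or deleted files back from a snapshot, but only if the snapshot copy still matches the baseline."""
    restored = []
    for rel in report["modified"] + report["removed"]:
        src = Path(snapshot) / rel
        if sha256_of(src) != baseline[rel]:
            raise ValueError(f"snapshot copy of {rel} does not match baseline")
        dst = Path(root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(rel)
    return restored

def demo():
    """Constructed scenario: baseline two files, alter one digit in one of them, detect, restore."""
    work = Path(tempfile.mkdtemp())
    data, snap = work / "data", work / "snapshot"
    data.mkdir()
    (data / "config.ini").write_text("dose_mg=250\n")   # constructed sample content
    (data / "notes.txt").write_text("unchanged\n")
    shutil.copytree(data, snap)                         # known-good copy taken at baseline time
    baseline = build_baseline(data)
    (data / "config.ini").write_text("dose_mg=2500\n")  # the subtle, easy-to-miss tamper
    before = check_integrity(data, baseline)
    restored = restore(data, snap, baseline, before)
    after = check_integrity(data, baseline)
    shutil.rmtree(work)
    return before, restored, after
```

In practice the baseline and snapshot must live somewhere the monitored hosts cannot write to, otherwise an attacker who can alter the data can alter the reference copy as well.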

Motives for data manipulation attacks vary, but short-term profit is rarely the appeal. Campaigns involving data manipulation can take months or years to play out and could be part of a broader cyber sabotage effort. For example, attackers could subtly alter the blueprints of a commercial airliner so that an aircraft component fails, nonfatally, years in the future. The goal would be to put an airline or an aircraft manufacturer out of business or bring the aviation industry into disrepute. Air travel is one of many businesses that depend on consumer confidence in the provider, so subtle, nefarious changes to data can be ruinous for an entire industry.

Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation-states and terrorist groups are the most likely actors in data manipulation attacks. That's why the military and intelligence services are taking them seriously.

This is still an emerging type of threat, but security professionals should be thinking now about how to respond. New attack types can spread quickly, and it pays to be prepared when they emerge.


As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ...
