By Derek Manky, Global Security Strategist, Fortinet
Long-standing government fears of an attack that would cripple critical infrastructure were realized last December, when an advanced persistent threat (APT) campaign against the Ukrainian government became the first cyber intrusion to bring down a nation's power grid. Using the BlackEnergy malware, the attackers remotely opened breakers to cut power to 225,000 users and flooded the utility's customer-service lines with calls so that genuine customers could not get through.
While high-profile cyber attacks against corporations have grabbed headlines in recent years, the past year has also seen a significant number of government agencies targeted by hacktivists.
In 2015 alone, the US, Dutch, Irish and Turkish governments all fell prey to DDoS attacks intended to create havoc and disrupt operations. In January, protestors in Thailand, upset about a court verdict, launched an attack against 300 government websites. In the same month, hackers affiliated with Anonymous initiated similar attacks against the Saudi Arabian and Nigerian governments.
Web application and DDoS breaches exploiting vulnerabilities in the public sector have become more frequent and more damaging. Global risk consultancy Control Risks, in its annual Riskmap Report for 2016, reported that about one third (36 per cent) of cyber attacks now target the government sector.
DDoS attacks are becoming the weapon of choice for blackmailers and digital terrorists. They come in different forms: some are intended to crash a system, while others flood it with requests for resources (bandwidth, processor time, disk space and so on). Increasingly, application-layer (layer 7) attacks are being used, with far more sophisticated mechanisms, to disable a government's network and services. Rather than simply flooding a network with traffic or sessions, these attacks avoid traditional network-level detection and target specific applications and services, slowly exhausting resources at the application level.
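The distinction above (a volumetric flood versus a layer-7 attack that ties up server resources with few requests) is what a defender's log monitoring has to capture. The following is an added example, not code from the article or from Fortinet: it parses a constructed web-server log and separates the two patterns by request count versus total server time held per client. The log format and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed log format: "client_ip path status seconds_to_serve" (one request per line).
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<secs>[\d.]+)$")

# Constructed sample covering one minute of traffic (not real data).
SAMPLE_LOG = "\n".join(
    ["198.51.100.5 /index.html 200 0.04"] * 3          # ordinary visitor
    + ["203.0.113.9 /report.pdf 200 0.02"] * 150       # volumetric flood: many fast requests
    + ["203.0.113.44 /search?q=%2A 200 25.0"] * 8      # layer 7: few requests, each holds a worker
    + ["garbage line that does not parse"]             # malformed line, must be skipped
)


def parse_log(text):
    """Return (ip, path, status, seconds) tuples; malformed lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ip"], m["path"], int(m["status"]), float(m["secs"])))
    return records


def classify_clients(records, flood_rpm=100, worker_secs=60.0):
    """Label each client 'flood', 'slow-exhaustion' or 'normal'.

    flood:           more than flood_rpm requests in the window (a network
                     counter would see this too).
    slow-exhaustion: modest request count, but the client kept server workers
                     busy for more than worker_secs in total, which is the
                     layer-7 pattern that per-request rate limits miss.
    """
    count, held = defaultdict(int), defaultdict(float)
    for ip, _path, _status, secs in records:
        count[ip] += 1
        held[ip] += secs
    labels = {}
    for ip in count:
        if count[ip] > flood_rpm:
            labels[ip] = "flood"
        elif held[ip] > worker_secs:
            labels[ip] = "slow-exhaustion"
        else:
            labels[ip] = "normal"
    return labels


def detect(text, flood_rpm=100, worker_secs=60.0):
    """Convenience wrapper: raw log text in, {client_ip: label} out."""
    return classify_clients(parse_log(text), flood_rpm, worker_secs)
```

In production the same two counters would be kept per sliding window and per endpoint, since a layer-7 attacker typically picks the most expensive handler.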
The scale of attacks has also risen. A decade ago, 50 Gbps attacks were seen once or twice a year. Today, such attacks can happen almost every week. In December 2015, the BBC experienced a 602 Gbps DDoS attack, the largest ever recorded[3]. Research analysts Quadrant Knowledge Solutions estimate that the global DDoS mitigation market will grow significantly in the next 5 years, with a CAGR of 27.6%, and exceed US$2 billion by 2020.
APTs can come in the form of malware used to compromise computer systems, as in the case of the Ukrainian power grid attack. An APT campaign also involves a delivery mechanism (e.g. phishing) and a data exfiltration stage. Attackers craft targeted spear-phishing emails with seemingly harmless attachments, or use a zero-day exploit, which abuses a previously unknown software vulnerability to execute unintended code or gain control of a target computer. Once the threat is inside the organisation, data can be exfiltrated with little difficulty: passwords, files, databases, email accounts and other vital data can all be retrieved. Even after the data theft is complete, an attacker may remain present on the target's network and continue to observe its data assets.
In Asia, APT attacks are accelerating as regional tensions and territorial disputes between China, India and Southeast Asian countries continue to increase. A threat group known as APT 30 has in past years used modular malware to acquire sensitive data from its targets, including classified government networks.
Some of these attacks consisted of emails written in the recipient's native language, carrying documents that appeared legitimate but contained malware. The attackers also built worm-like components that copy themselves onto removable media such as USB thumb drives and external hard disks. Once those devices are connected to other systems, the infection spreads[5].
How to protect against DDoS and APT risks?
A comprehensive and multi-layered approach is one of the best ways to bolster defenses against escalating cyber threats.
An effective defense is usually founded on a cohesive and extensible protection framework. Such a framework is critical because it incorporates current security capabilities and emerging technologies, together with a learning mechanism that turns newly detected threats into actionable security intelligence.
Other measures include assessing the network environment and devising a response plan. It is important to secure potential bottlenecks, monitor the network, and ensure that defenders look beyond large volumetric attacks when planning countermeasures.
Instead of aiming for the complete removal of all DDoS traffic, the strategy should attempt to maintain services, especially critical services, with minimum disruption. The full plan should include backup and recovery efforts, additional surveillance, and ways to restore service as quickly and efficiently as possible.
A multi-layer strategy for DDoS protection also involves dedicated on-premise solutions designed to detect and mitigate threats from every angle of the network.
To mitigate APT risks, governments need to put in place key security controls that stop potentially malicious applications and malware and prevent sensitive information from leaving the network. One way to do this is to implement basic network segmentation, which helps to prevent an APT from propagating inside the network.
IT administrators must also remember that not every employee needs access to every resource, particularly those that contain sensitive data. By limiting access wherever possible, the organisation can mitigate many attacks. Implementing two-factor authentication for remote users, and for users who require access to sensitive information, also makes it difficult for an attacker to take advantage of lost or stolen credentials.
A strong partnership with a security provider is also essential. The partner can supply up-to-date information and threat intelligence to IT staff, and help define an escalation path for when an incident is detected. Government agencies should also proactively partner with cyber security organizations and solution providers to share threat information, so that collectively the industry gains a more comprehensive view of the global threat landscape and can respond better to attacks.
Lastly, however comprehensive the assessment and plan, it is crucial to educate government employees about cyber threats. Employees with access to sensitive information must be specifically trained in how to handle that data. For example, granting USB drive access to employees only on an as-needed, justified basis is a good way to protect a network.
Be they APTs, worm outbreaks, DDoS, botnets, or inbound and outbound attacks, today's attacks are becoming more sophisticated and intrusive. Governments need to carefully consider their security posture, be proactive, and adopt a multi-layered approach to minimise the risks they face.