Reverse Deception: Organized Cyber Threat Counter-Exploitation (19 page)

This family of threat had been on the rise in 2010 and occurred well into 2011. The most compelling concept about this type of APT is that it was mostly an opportunistic-based threat that empowered uncounted cyber criminals to operate for years until it was shut down.

The following are some of the observables of this threat.

New Generation of Botnets and Operators

Over the past decade, one of the most persistent and advanced threats that has evolved is known as the
botnet
. Botnets are criminally distributed networks ranging in size from a few hundred bot victims to more than 16 million hosts infected globally.

The underlying issue of botnets is their operators, who are operating in thousands of groups around the world using millions of victim systems around the world. Botnets have the ability to generate large amounts of illegal revenue for the developers, primary botnet controllers (masters), and the masters’ secondary/subordinate operators.

Fifteen years ago, a bot was a simple agent that ran in an Internet Relay Chat (IRC) channel and performed automated tasks for the master or operator of that IRC channel. These bots could perform numerous tasks, ranging from the simple to the complicated, but they weren’t initially widely used for malicious purposes. Once the Internet solidified and became akin to the old Wild West, where researchers and explorers of new technology could create new variants of digital life, it also became a breeding ground for criminals. Those who once needed to walk into a bank or store with a gun could now, without fear of apprehension, make off with even more money.

The simple ability to remotely control hundreds to millions of computers distributed around the world from a central location, control panel, or control point is similar to cloud computing, but its operating goals are significantly different. The earlier inspirations of botnets were for the common computer enthusiast to generate a greater ego among the online counterculture. Today, botnets are still sometimes used for this purpose, but more frequently, they are employed for more nefarious goals. Botnets are created, operated, and maintained by a wide range of cyber criminals and professional cyber criminals.

Botnets can perform almost any task an attacker sitting behind the computer can do (from within the confines of the computer), including simple keystroke logging, taking screenshots, stealing data, and performing even more immoral acts, such as using a victim’s computer to record audio and video via a microphone or webcam. How many of you would like to have your personal or professional life secretly recorded and sold to the highest bidder? For the foreseeable future, botnets are the most widely used vehicle for espionage compared to worms and Trojans.

The following are some of the observables of the botnet threat.

Operation Payback

The Operation Payback series of events is related to the WikiLeaks event in the fourth quarter of 2010. Julian Assange was placed in jail over the disclosure of thousands of sensitive US State Department diplomatic cables (internal messages) between numerous US diplomats abroad and the US State Department. After Assange was incarcerated, hundreds of anonymous individuals and groups protested his mistreatment by performing DDOS attacks against international organizations that bowed to world governments and discontinued supporting his organization. Corporations such as PayPal, Visa, MasterCard, Interpol, and many others were knocked offline or service was interrupted for periods of time ranging from minutes to hours. There were also direct web application attacks and SQL injection attacks to gain access into other desired targets.

We also need to take into consideration the cause and effect of the group behind the operation, known to the world as Anonymous. The cause was mostly due to discontent with the positions of various organizations and the government, and the effect was typically a DDOS-based attack, which would knock the target offline for a period of time desired by the operators.

This method of attack would be considered a PT and not sophisticated based on the tools used. The operators behind these DDOS attacks were not using any advanced tools, but tools that were publicly available, in addition to one tool that had an embedded backdoor. This allowed one of the key orchestrators of Operation Payback to remotely connect to participants unknowingly and use their PC, by running a DDOS tool based on Low-Orbit Ion Cannon (LOIC), and use the tool’s capabilities without the participants’ knowledge. This series of DDOS attacks went on for months; in early 2011, these attacks were still continuing, but not on the same scale as in late 2010.

The overall goal in describing this series of events as a PT is to establish that not only do professional and state-sponsored hackers cause incidents via PTs or APTs, but so do ordinary individuals with a cause (
hacktivists
). They can even cause disruption or denial of service to international enterprise networks.

Since this group is “Anonymous,” an opt-in group of politically and morally motivated individuals is working as the collective HIVE, as they have coined it (shouts out to CommanderX, BB, SparkyBlaze, p0ke, Anonpanda, Optical, EP_0xE1, and many others for all of their input and guidance in order to properly discuss the International Hacktivist group called “Anonymous”). Throughout 2011, this hacktivist group targeted numerous organizations that have spoken out against them or organizations they support or believe in. Several of this group’s actions, albeit illegal, were meant to support groups who would have otherwise not had the help they needed. One example is the DDOS attacks against world governments who were unfairly treating their citizens (such as during the 2011 Middle East and North African uprisings and revolts).

The following are some of the observables of Operation Payback.

Conclusion

Numerous methods and techniques are being developed every day to infiltrate networks and exfiltrate sensitive information. According to the Department of Homeland Security and the Internet Crime Complaint Center (IC3), the following numbers of cyber crimes were reported each year by the public and private sectors.

This is why implementing active countermeasures against specific persistent and advanced threats is imperative. Your threats will have the upper hand and the capability to move faster, easier, and slicker than your security team unless you use the proper tools and have the right knowledge of your network to defend against them. One of the wisest men in history once said:

Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack
.

—Sun Tzu,
The Art of War

To us, this means that you are the owner of your enterprise (literally). You control the very wires that threats and adversaries use to move about your network. You, as a defender, have the home field advantage, so why not use it? By law, as the owner of an enterprise or critical network, your responsibility is to implement security techniques that will disrupt, deny, degrade, destroy, and deceive threats and adversaries into revealing more of themselves. For this purpose, you need to understand that this generation of cyber warfare is capable and being actively used. There are government, corporate, and criminal groups with the resources to identify vulnerabilities in proprietary software you use in order to develop exploits against it.

This brings us to other threats to our SCADA systems across the world. Nuclear, electrical, water, sewage, traffic light, and many other systems use operating systems that are running on IP-based networks for remote administration and central management of many locations. This might scare you a little, but in my travels, we’ve been able to learn that there are PLC systems still running on a Windows 98 platform—yes, you read it right: Windows 98 and Windows 2000 versions of Microsoft running critical infrastructure around the United States… Your local power plant could possibly be running Windows 95 for some reactor and you don’t know it, yet our prices continue to increase (a rant for another book). The issues behind still running these very antiquated versions of Windows is that they are no longer supported, have open vulnerabilities that were never fixed, and are much more unstable and insecure than newer versions of the Microsoft operating system. The primary reason these old operating system platforms are still in use is due to the complexity of PLC and HMI systems stuck running huge turbines or cooling systems. If the cost of performing this outweighs the cost of security, some systems are just the way they are (you know who you are).

Throughout this book, you will read about deception and disinformation as a tool. Remember what the adversary knows and what you want them to know can be the same thing or it may not be. The choice is yours. We offer the words of an Irish philosopher:

All that is necessary for evil to triumph is for good men to do nothing
.

—Edmund Burke

As you continue reading through this book, you will see many examples of persistent and advanced threats. Each one varies in depth, scope, and objectives, but overall can be countered by learning how to interact with adversaries and threats in real time and being able to affect their perception of your network and current state. It all relies on what lengths you, as a security professional, are allowed to go and what is appropriate for that threat.