“Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers – who appeared to be working in China – penetrated Nortel's computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents,” according to a Wall Street Journal report.
The bitter precedent
In a world where business managers take every precaution to shield workstations, servers and other critical parts of the infrastructure, the weakest link is still the employees. Blended e-mail threats and social networking are only two of the largest channels of compromise, as high-profile attacks against industry giants such as RSA, Lockheed Martin, Nasdaq, Google, Adobe, Juniper and many others have demonstrated.
Large corporations have always been the main point of interest for cyber-criminals, as their intellectual property can be easily sold or traded on underground markets, or can be used for blackmailing the victim corporation. Between 2009 and 2011, quite a number of companies reported that they had fallen victim to APTs, but, while most of these threats are discovered during internal auditing procedures, it took Nortel roughly 10 years to detect – plenty of time for cyber-criminals to complete their mission.
How did it happen?
The attack against Nortel comes as no surprise from the technical standpoint. While most corporate business and IT managers today take the necessary provisions for shielding their network against attacks from the outside, the business manager of the year 2000 had little to no idea about what could happen. Even if they did, they had no means of protection, as security companies were just taking off. In this case, even the simplest threat, such as a blended e-mail attack (the conventional spam message as we know it today) or the classical phishing e-mail, could have worked, laying the groundwork for a simple yet efficient keylogger on the machine of an unwary employee.
The current threat level
Today’s advanced persistent threats are much more sophisticated and the means of planting them on the infrastructure of an organization have increased exponentially. “Lost” USB drives or CD-ROMs labeled as “Exec Incomes 2011” found by employees in the elevator and quickly mounted on the work PC, carefully laid out spear-phishing messages or zero-day exploits against the browser or against a third-party browser plugin are just some of the favorite ways in which cyber-criminals penetrate the organization’s defense mechanisms. If we add vulnerabilities in desktop applications, social media threats and rogue mobile devices able to syphon traffic and reroute it to an attacker, we might get the whole picture.
As usual, the human factor plays a key role in subverting a large network. As Kevin Mitnick, the living legend of cyber-crime, once said, “if you can convince the user that pigs can fly, they’ll rush by the window to see them.” And there are a lot of resources to ensure that a social-engineering attack gets credibility, context and background, the three key ingredients.
While this phenomenon has existed since the invention of language and its success rate is considerably high, a major drawback has so far prevented its large-scale use. To become proficient in all three important aspects of social engineering, a considerable amount of research is required, and in most cases it can only be done by people rather than tools. This approach has proved very inefficient so far, as the resources involved surpass the return on investment by far.
However, with the evolution of social networks, the growing smartphone market share and continuous interest in natural language processing techniques, automating social engineering is not science fiction anymore. All the required information is out there on the web, already organized and indexed. Besides social networks, we also have sites like 123people.com, pipl.com, spokeo.com and so on, that offer information about individuals.
With the appropriate tools and the necessary firepower, an attacker can easily convert information from social media or data from your mobile device into complex targeted attacks, and all this with minimal cost. And as we’ve seen in last year’s hacks, some attacks can be so believable that the victims will even ignore their security solutions and in some cases even disable them.
How to prevent this from happening to you
Advanced persistent threats are multi-faceted attacks that require a wide range of preventive measures. Contact points between the corporate network and the rest of the Internet need special attention, with particular focus on the web gateway, email server and cloud infrastructure. Proactive defense mechanisms should also be set in place on client computers and file servers to detect and block suspicious activity caused by emerging malware, as today’s advanced threats mostly rely on zero-day exploits and polymorphism. Knowing your network is also a bonus: keep activity logs and look for irregular traffic patterns even when the traffic goes to a popular destination, as some bots can syphon your data to Google Groups or even post your passwords on Twitter accounts.
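The last point above, looking for irregular outbound traffic even when its destination is a well-known service, is easy to illustrate on proxy logs. The script below is an added example, not code from the original article or from any vendor: it parses a few constructed web-proxy log lines (the line format, host names and workstation names are all assumptions made up for the example), aggregates upload volume per client and destination, and flags pairs where a client pushes far more data out than it pulls in. The detector deliberately has no domain allowlist, so a large upload to a popular site is reported just like one to an unknown host.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from any real system).
# Assumed format: "<timestamp> <client> <method> <destination host> <bytes_out> <bytes_in>"
SAMPLE_LOG = """\
2011-02-14T09:01:05 ws-042 GET www.example-news.com 512 48210
2011-02-14T09:02:11 ws-042 GET groups.google.com 640 22000
2011-02-14T09:03:40 ws-042 POST groups.google.com 912400 1200
2011-02-14T09:04:02 ws-042 POST groups.google.com 887300 1150
2011-02-14T09:05:19 ws-042 POST groups.google.com 905900 1180
2011-02-14T09:06:33 ws-017 GET twitter.com 720 36000
2011-02-14T09:07:10 ws-017 POST twitter.com 1400 900
2011-02-14T09:08:55 ws-101 POST intranet-crm.corp.local 4800 2100
2011-02-14T09:09:12 ws-101 POST update.cdn-example.net 2000 150000
"""

# Hypothetical list of well-known services; used only to annotate findings,
# never to exempt a destination from inspection.
WELL_KNOWN_HOSTS = {"groups.google.com", "twitter.com", "www.example-news.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+) (\d+)$")


def parse_log(text):
    """Parse proxy log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, out_b, in_b = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "method": method,
            "host": host,
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return records


def find_upload_anomalies(records, min_upload_bytes=1_000_000, min_ratio=10.0):
    """Flag (client, host) pairs whose POST/PUT upload volume is both large in
    absolute terms and far larger than what the client downloaded from that host.
    Normal browsing is download-heavy; sustained upload-heavy sessions to a single
    destination are the shape data exfiltration typically takes."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "uploads": 0})
    for r in records:
        key = (r["client"], r["host"])
        agg[key]["in"] += r["bytes_in"]
        if r["method"] in ("POST", "PUT"):
            agg[key]["out"] += r["bytes_out"]
            agg[key]["uploads"] += 1

    findings = []
    for (client, host), s in agg.items():
        # max(..., 1) avoids division by zero for hosts that returned no body at all
        if s["out"] >= min_upload_bytes and s["out"] >= min_ratio * max(s["in"], 1):
            findings.append({
                "client": client,
                "host": host,
                "bytes_out": s["out"],
                "uploads": s["uploads"],
                # A well-known destination is reported, not suppressed
                "well_known": host in WELL_KNOWN_HOSTS,
            })
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in find_upload_anomalies(parse_log(SAMPLE_LOG)):
        tag = " (well-known destination)" if f["well_known"] else ""
        print(f"{f['client']} uploaded {f['bytes_out']} bytes to {f['host']} "
              f"in {f['uploads']} requests{tag}")
```

On the constructed sample, only ws-042 is reported: about 2.7 MB pushed to groups.google.com against roughly 25 KB received. The thresholds are assumptions chosen for the example and would be tuned per environment; the point is that the destination's reputation plays no part in the decision, which is exactly why a log review catches what a domain allowlist on the gateway would pass.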
Last but not least, educate your employees. Teach them to spot a scam and enforce strong policies regarding the use of social networks or third-party websites.