June 12, 2015 | Security and Risk | John Worrall
Discussions about the breach and infiltration of Kaspersky’s network continue to reinforce the emergence of dangerous attack patterns that are leaving no one out of attackers’ sights – not even a security company.
As we know, attribution of an attack is a difficult part of deconstructing a breach – we can see the signatures in malware, see what networks the attackers used to support the attack, but ultimately, we’re almost never 100 percent sure of attribution.
Ultimately, the question of “who” is less important than the “how.”
The motivation for the attack on Kaspersky appears to be pure espionage activity. According to sources, the malware used to execute the attack was an updated version of Duqu, which features code directly derived from Stuxnet, and was allegedly used to spy on Iran’s trade relationships and efforts to develop nuclear material.
It’s hard to think about espionage activities without harkening back to the Cold War and the push and pull of global intelligence agencies as they tried to gain information on rivals, enemies and friends.
This form of espionage was characterized by nations developing ‘assets’ within the structures they wanted to infiltrate. Assets were typically people of some influence – or with access to those of influence – within the organization being spied on. Developing assets on the ground is critical to a successful espionage campaign.
The same is true when it comes to cyber espionage campaigns. In this world, the privileged account or credential is the most valuable intelligence asset that attackers can use.
Privileged accounts provide complete, anonymous access to, and control of, all parts of IT infrastructure, industrial control systems and critical business data. They exist throughout every businesses. There isn’t one part of the enterprise that isn’t managed by privileged or administrative accounts.
This is why they’re the ultimate intelligence asset for cyber espionage campaigns. Once attackers turn the privileged account into an asset, they can anonymously surveil a company’s security posture, and explore their systems for valuable data and information — often for months at a time.
With this access, attackers can remain virtually undetected, free to exfiltrate information as part of an espionage campaign like this that could allow access to product plans to enable ‘short cuts’ for future attacks, implanting malware as part of a financially motivated attack, or simply destroying a company’s ability to do business, as was done to Sony Pictures.
Stopping Advanced Attacks – Stop Lateral Movement
The Kaspersky attack is another lesson in just how critical it is for attackers to be able to move laterally across the network into different machines and devices. The fact that the attackers used multiple zero day exploits (expensive currency in the hacker world) to facilitate this movement is a sign of how critical it was to the overall attack.
Exploiting privileged accounts is required for lateral movement – by locking down these accounts, and being able to isolate the attack and prevent the escalation of these powerful credentials, organizations can keep attackers confined to the initial footprint of the breach point.
An attacker may or may not be able to find useful information if they’re confined to one employee’s machine, device or single application. This won’t be true if they’re able to steal, exploit and elevate privileges and move about the network freely, accessing databases and information stores.
This is why CyberArk believes that proactive security starts by assuming the attackers will find a way in, and preventing them from moving around the network once they do.
Stay tuned for Part 2 of this post as we take a deeper look at the Kaspersky attack including exploring the zero day connection – including the Kerberos vulnerability – and provide advice to organizations based on what we’ve learned from this and other recent breaches.