Protecting networks against worms and viruses is a trying task. Protecting against a threat targeted specifically at your network is even tougher. That’s a lesson that several Israeli companies learned earlier this year when they discovered that customized Trojan horse programs had been installed on their system, allowing industrial spies access to their networks.
The head of the Tel Aviv fraud squad told the Haaretz newspaper that the malware was in one case sent via e-mail, and in another was on a disk that purported to be a business proposal. Joe Stewart, senior security researcher for LURHQ, says that’s typical. These attackers “want to target a particular company, and they do it almost universally through social engineering,” Stewart says. “Social engineering works, and it’s very hard to defend against. It’s down to that weak link, which is the person.”
Chuck Orde, senior security consultant with IT advisor Forsythe, knows firsthand how to target a particular company’s network. He’s a penetration tester, meaning he gets paid to try to break network defenses—a task he’s usually able to accomplish.
“The first two or three days of the testing is information gathering,” he says. “We learn the structure and environments, we search newsgroups for administrator names, and try to farm as much information that’s publicly available,” just as an attacker would.
If the social engineering doesn’t work, Orde targets other holes: “Most exploit code I write on a per-customer basis is specifically targeted at that customer.”
It’s tough for companies to defend against targeted attacks like these, Stewart says. But not impossible. Part of the solution is to make sure the company has multiple layers of protection, including firewalls that are configured to block any outbound traffic that’s not explicitly allowed. Such a strategy will help to prevent Trojans that may have gotten into the network from sending files to the hacker through unusual ports.
Stewart says antivirus software is unlikely to be of much use in detecting these types of attacks. He notes that when he looked at the code from one of the Trojans used in the Israel attacks, it had been compiled almost a full year before it was discovered—meaning that for nearly a year there were no signatures that could have detected it. He adds that malware often acts too subtly to be detected by behavior-based antivirus programs.
Once malware is successfully installed on any one computer in a target company’s network, the first thing it will do is try to spread across the network to other computers. A common way for this to happen is to use a brute-force attack on passwords. Hard-to-break passwords might prevent it from spreading from workstation to workstation. Therefore, Stewart says, companies should enforce a strong-password policy, even if it means workers are forced to post their passwords on their monitors.
This may seem to fly in the face of conventional wisdom, “but the thing we’re trying to get across to people is that worms can’t read sticky notes,” he says. “Then you’re only talking about who has physical access to a machine, and realistically, if somebody has physical access to your machine, it doesn’t matter what your password is.”
Stewart also suggests that organizations with sensitive intellectual property (IP) segregate the workstations with that information by putting them on their own network. This dedicated network should then be monitored more stringently than the rest of the network to ensure that this sensitive data isn’t being transferred to a third party.
“You can recover from a mass mailer or a Blaster,” he says, “but losing your company’s IP can be devastating, so you have to weigh the risk. And the risk has become greater in the last six months.”
A briefing from the U.K.’s National Infrastructure Security Co-Ordination Centre on targeted Trojans gives more background on the problem. @ Get it at SM Online.