SANS warns of new areas for cyber attack
SANS Institute raises awareness of new cyber security risks to organisations
SANS Institute has warned of the dangers of emerging areas of cyberattack which are creating new risks to organisations.
The independent cybersecurity training and certification provider highlighted the dangers of five new areas where hackers are looking to exploit new systems and solutions.
At the recent RSA Conference in San Francisco, SANS Institute experts discussed the new threats, including the risk of data leakage from repositories and cloud storage; de-anonymization and correlation of data sets to extract usable information; attackers monetizing compromised systems using cryptocoin miners; flaws in hardware and the risk of assuming hardware is flawless; and attacks that aim to disrupt industrial control systems and utilities instead of seeking profit.
Ed Skoudis, a top hacker exploits expert, SANS Faculty Fellow and lead for the SANS Penetration Testing Curriculum, talked about the data leakage threats facing us from the increased use of repositories and cloud storage: "Software today is built in a very different way than it was 10 or even 5 years ago, with vast online code repositories for collaboration and cloud data storage hosting mission-critical applications. However, attackers are increasingly targeting these kinds of repositories and cloud storage infrastructures, looking for passwords, crypto keys, access tokens, and terabytes of sensitive data."
He continued: "Defenders need to focus on data inventories, appointing a data curator for their organization and educating system architects and developers about how to secure data assets in the cloud. Additionally, the big cloud companies have each launched an AI service to help classify and defend data in their infrastructures. And finally, a variety of free tools are available that can help prevent and detect leakage of secrets through code repositories."
Skoudis went on to talk about the threat of Big Data Analytics and how attackers are using data from several sources to de-anonymise users.
"In the past, we battled attackers who were trying to get access to our machines to steal data for criminal use. Now the battle is shifting from hacking machines to hacking data - gathering data from disparate sources and fusing it together to de-anonymise users, find business weaknesses and opportunities, or otherwise undermine an organisation's mission. We still need to prevent attackers from gaining shell on targets to steal data. However, defenders also need to start analysing risks associated with how their seemingly innocuous data can be combined with data from other sources to introduce business risk, all while carefully considering the privacy implications of their data and its potential to tarnish a brand or invite regulatory scrutiny."
Johannes Ullrich, Dean of Research, SANS Institute and Director of SANS Internet Storm Center discussed the increasing use of cryptocurrency mining software by attackers.
"Last year, we talked about how ransomware was used to sell data back to its owner and crypto-currencies were the tool of choice to pay the ransom. More recently, we have found that attackers are no longer bothering with data. Due to the flood of stolen data offered for sale, the value of most commonly stolen data like credit card numbers of PII has dropped significantly. Attackers are instead installing crypto coin miners. These attacks are more stealthy and less likely to be discovered and attackers can earn tens of thousands of dollars a month from crypto coin miners. Defenders therefore need to learn to detect these coin miners and to identify the vulnerabilities that have been exploited in order to install them," he said.
Ullrich then went on to say that software developers often assume that hardware is flawless and that this is a dangerous assumption: "Hardware is no less complex then software and mistakes have been made in developing hardware just as they are made by software developers. Patching hardware is a lot more difficult and often not possible without replacing entire systems or suffering significant performance penalties. Developers therefore need to learn to create software without relying on hardware to mitigate any security issues. Similar to the way in which software uses encryption on untrusted networks, software needs to authenticate and encrypt data within the system. Some emerging homomorphic encryption algorithms may allow developers to operate on encrypted data without having to decrypt it first."
Finally, Head of R&D, SANS Institute, and top UK cyber threat expert, James Lyne, discussed the growing trend in malware and attacks that aren't profit centred as we have largely seen in the past, but instead are focused on disrupting Industrial Control Systems (ICS) and utilities.
Lyne said: "Day to day the grand majority of malicious code has undeniably been focused on fraud and profit. Yet, with the relentless deployment of technology in our societies, the opportunity for political or even military influence only grows. And rare publicly visible attacks like Triton/TriSYS show the capability and intent of those who seek to compromise some of the highest risk components of industrial environments, i.e. the safety systems which have historically prevented critical security and safety meltdowns.
"ICS systems are relatively immature and easy to exploit in comparison to the mainstream computing world. Many ICS systems lack the mitigations of modern operating systems and applications. The reliance on obscurity or isolation (both increasingly untrue) do not position them well to withstand a heightened focus on them, and we need to address this as an industry. More worrying is that attackers have demonstrated they have the inclination and resources to diversify their attacks, targeting the sensors that are used to provide data to the industrial controllers themselves. The next few years are likely to see some painful lessons being learned as this attack domain grows, since the mitigations are inconsistent and quite embryonic."