Advanced threats: the smartest ones are persistent too
Advanced Persistent Threats and Custom Trojans
New risk: customised malware targeting users
While we’ve touched on the growth of APTs and accepted that the risk may be exaggerated by some security solution vendors, the facts remain: advanced threats like APTs have the capacity to launch and sustain stealthy, multi-faceted campaigns that succeed and often go undetected. We noted earlier that Verizon’s 2011 DBIR found that nearly two-thirds of the malware investigated was customised—the highest ratio Verizon had ever seen. ‘The extent of customization found in a piece of malware,’ the report says, ‘can range from a simple repack of existing malware to avoid AV detection to code written from the ground up for a specific attack.’
Custom Trojans are fairly easy to produce too, with exploit kits like Eleonora and Phoenix making it easy to create new variants. Security firm M86 reported that customers of a large UK financial institution had lost £675,000 to criminals using a variant of the familiar Zeus Trojan, yet the bank’s security system and customers’ antivirus systems missed it.
Six months before, another Zeus variant had recruited 75,000 systems in 2,500 organisations – including Merck, Juniper Networks and Paramount Pictures – into the infamous Kneber botnet. Kneber avoided detection for quite a while, giving hackers ample time to access corporate and government systems, online banking sites and social networks.
Spear-phishing is another technique that is effective on its own or as part of an APT-style campaign. Verizon found in its 2011 DBIR that ‘criminals increasingly relied on the personal touch with a whopping 78% of cases involving in-person contact.’ The use of personal information gleaned from social networks or from stolen customer data is a key factor in the success of spear-phishing attacks.
New risk: employees
For years we’ve been told that disgruntled employees seeking revenge or careless employees losing sensitive data are key security risks, and that the greatest risk is from those with the highest levels of access. Verizon’s findings tell a different story: ‘For the second year in a row,’ the 2011 DBIR states, ‘it is regular employees and end-users—not highly trusted ones—who are behind the majority of data compromises. This is a good time to remember that users need not be super users to make off with sensitive and/or valuable data.’
A high profile example is Bradley Manning, the US Private who allegedly leaked 250,000 sensitive Department of Defence documents to WikiLeaks in 2010. Incredibly, despite the massive volume of data involved, the breach wasn’t discovered until the papers were published by WikiLeaks. Manning himself was only identified when he bragged about his exploits online.
On a more mundane level, Dawn Cappelli from Carnegie Mellon University confirmed that two-thirds of insider fraud and theft involved IT sabotage by disgruntled employees, often connected with lay-offs and resignations. The Ponemon Institute found a similar result: nearly 60 per cent of employees who’d lost or left their jobs took confidential information with them, including customer contact lists and other data that could end up in the hands of competitors.
Even so, it’s not whistleblowers or disgruntled employees that top the list of biggest confidential data breaches; it’s careless employees. Some well-known examples include:
In 2010 in the UK, the Financial Services Authority (FSA) fined Zurich UK £2,275,000 for losing 46,000 customer records, including personal identity details, bank account and credit card details.
In 2010 in Australia, the account details of 42,000 customers of a major bank were sent to the wrong clients by outsourcer Salmat.