Nation-states and savvy criminal hackers don’t pull uninformed, spur-of-the-moment smash-and-grab jobs on data networks. They reconnoiter and position themselves to slowly implement precise surgical maneuvers to exfiltrate your information treasures. Most of these attackers are capable of ensuring you remain unaware of their movements until it is to their benefit for you to know.
High-profile attacks that leveraged extended dwell time inside the networks of large retail chains such as Target are examples of how hackers farm or manage victim organizations in this manner.
Hackers farm their targets by maintaining a veiled presence in sensitive places in and around government and enterprise networks, revealing their position in a calculated way at an optimal time to achieve some strategic goal, says Danny Rogers, CEO at Terbium Labs.
Even then, hackers maintain as much concealment as they can in order to preserve future hidden access and achieve maximal impact in their longer term goals, Rogers explains. “If they’re doing that job well, how would we ever know they were there?"
With dwell time inside networks extending from months to years, we often don’t know they are there.
Nation-states and advanced criminals and hackers have been effectively farming their targets for some time now, explains Todd Inskeep, Advisory Board Member, RSA Conference. The earliest examples were enabled by Trojan horses and backdoors that they left in a system to return for easy access time and again; it’s almost hacking 101, says Inskeep.
The farming is more sophisticated now with advanced Command and Control (C&C) servers that they use to make system changes remotely, multiple backdoors in multiple systems, bogus accounts they create to sell or reuse, and sensors they leave behind to identify and harvest specific data, says Inskeep.
Command and control servers work by receiving communications from malware-infected systems that call out to the internet via outbound network traffic. This works because most network security is geared to defend against what is coming in, not what is going out. Hackers can spread large numbers of Trojans into different kinds of systems because they can pair these backdoors with many different kinds and pieces of legitimate software from OS and application updates to games. Once hackers have administrative control of a system that can create login credentials, they can create as many as they like. Unless security locates and shuts them all down, the attackers will still have some approved access.
Sensors in this context are not the physical devices that might come to mind. “‘Sensors’ could be code embedded in documents that phone home if they are disturbed, routines similar to cron jobs that run in the background looking for specific activities, or anything that indicates back to the attacker that something has changed,” says Inskeep.
These are the activities of Advanced Persistent Threats (APT) that hang around, watching and waiting for the right time and opportunity; many actors like these will continue to treat their portfolio of assets and well-groomed targets like a crop that only becomes more valuable the longer that they nurture it, says Inskeep.
Examples, evidence, outcomes
Nation-states are playing a long game, says Inskeep, using information from their farming tactics in a strategic manner to nudge events along in their favor. “For example, though we can trace early reports of the now famous DNC hacks back to at least June of this year, we really only received the information much later than that when it could create an impact during the convention,” says Inskeep.
This release of information changed the story of the first couple of days of the Democratic National Convention and changed the DNC’s leadership during a crucial time in the election cycle, Inskeep insists.
As nations and the world become increasingly dependent on the internet as a utility and on its related structures, this type of farming will be the new normal and much more commonplace, posits Inskeep.
Governments and the enterprise should assume that state-level and some other hackers are already in their networks and systems in some stealthy manner. Rather than fully preventing attacks, organizations must manage the risks. “This is in contrast to the old information technology security mindset, which centered on deploying a standard set of defensive technologies and assuming that you are OK until a proverbial fire breaks out,” says Rogers.
Plan and prepare with the understanding that data will always be at risk of theft or sabotage. “In addition to deploying a standard set of defenses, implement plans and technologies that assume that those defenses will fail at some point. Examples include proactive monitoring outside your own network, good breach remediation, incident response planning, and good data breach insurance,” says Rogers.
There are security companies that monitor the dark web for your data to let you know it is circulating on the seedy backstreets of the information highway. Companies such as Massive, MarkMonitor, and Terbium Labs offer these kinds of monitoring services.
In breach remediation, respond immediately, communicate fully, investigate forensically, find all traces and vulnerabilities, and clean, patch, secure, and replace (reimage) whatever you must while following a response plan you have tested with current, valid tabletop exercises.
Though governments and enterprises with a lot to lose will find it difficult to do, all organizations need to establish an individualized, tailored cybersecurity policy, says Inskeep. According to Inskeep, this requires organizations to first answer questions about when to call in the government for help; what levels and agencies of the government to involve; what kinds of help to expect in what kinds of scenarios; how much you can spend on managing the risks, especially those of nation-state attacks as well as of onslaughts from other threat actors. “You have to determine where your boundaries will be and then build the relationships, processes, and capabilities to maintain those,” says Inskeep.
While a few Fortune 100 companies have bigger budgets than some countries, says Inskeep, their allegiance to shareholders and Wall Street will ultimately limit their investment in cyber defenses; besides, companies shouldn’t have to defend themselves from nation-states without some government help.
It takes a community spanning enterprises, industry groups, security companies, governments, and law enforcement, sharing information and uniting in the cause to defend organizations and countries effectively. This is the kind of response we need to mount against these odds.