Responding to a Foreign Data Hacker: How to Stop the Bleeding
Bears and dukes sound kind of cute, unless you consider them in light of recent state-sponsored cyberattacks. Learn how these hacks occurred and what your organization can do to protect itself from foreign and domestic hackers.
Fancy Bear. Cozy Bear. The Dukes. The Guardians of Peace. If these sound like the names of data hacker organizations dreamed up by some spy fiction author, think again. While there's no doubt that the events surrounding these names could well be written into a best-selling spy novel, they are not actually the work of fiction.
The first three monikers are alleged to have been foreign government-sponsored data hacker groups responsible for releasing emails regarding political campaigns.
The Guardians of Peace were believed to be behind a damaging, extensive hack of a major motion picture studio in late 2014. As Time reports, many American officials believed this group's attack had been sponsored by North Korea, perhaps in response to the planned release of a controversial movie about North Korean leader Kim Jong Un.
How do such accounts of potential state-sponsored hacks differ from those carried out by independent foreign or domestic agents? More importantly, what lessons can be learned from these incidents to help protect against the next big hack attack?
Foreign or Domestic: Is There Really a Difference?
State-sponsored hackers tend to have deeper, ongoing financial resources to carry out their campaigns. As a result, such campaigns can often infiltrate organizations' vulnerable IT systems for long periods. During that time, various "back doors" may be installed by the hackers in an effort to extend their reach within a network, all while avoiding major detection.
Unfortunately, state-sponsored cybercrime is a form of digital warfare that is not going away. In a 2015 F-Secure speech, Mikko Hypponen, chief research officer of Finland-based F-Secure Corporation, even called it an "online arms race."
Motives aside, the methods used by foreign or domestic actors to infiltrate systems are not so different. The practice of spear phishing played a significant role in recent political hacks. When users responded to messages disguised as official Google emails, they were tricked into revealing their login details.
As IBM reports, a form of wiper malware was used in the case of the motion picture studio. This type of malware is able to copy any data it finds on a network; it can also be used to "wipe" all data from any disk drive it targets.
Copying and holding an organization's data hostage is not a unique concept. After all, ransomware requires a monetary ransom to release the impacted data. But the use of any of these types of destructive malware attacks reveals the need for organizations to focus their security efforts in two areas: containment and protection.
Containment: Slowing the Army at the Gates
In the days before everyone was interconnected, organizations considered it sufficient to maintain hardened firewalls to protect their perimeters. Today, anyone involved in IT security knows that a firewall is no longer good enough. Employee education can go a long way toward preventing users from responding to suspicious-looking emails, but it can't fully prevent any breach from occurring.
In his speech, Hypponen summarizes this reality as follows, "If you have enough workstations and servers, you cannot protect them all at all times. Every single Fortune 500 company has a breach in their network right now."
While organizations can't prevent every potential hack, several actions can help you to contain a breach or "slow" it from spreading and causing further damage. One method: Focus on multiple layers of a network's defenses, especially the application layer, as G. Mark Hardy suggests in a SANS Institute whitepaper. According to Hardy, the application layer (Layer 7) is the subject of most attacks. Therefore, you should make an extra effort to secure the application layer and resolve specific application-level vulnerabilities.
Containment: Part Two
In order to limit the damage of a wiper attack, David McMillen, senior threat researcher at IBM, recommends that you keep critical intellectual property (IP) isolated in hardened networks accessible only via privileged connections. The second part of this recommendation also speaks to a common pathway used by many hackers: the hijacking of administrative privileges.
In a SANS Institute case study, better control of the use of administrative privileges was one of many critical security controls that author Gabriel Sanchez believed could have minimized the impact of the movie studio hack.
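Controlling the use of administrative privileges, as Sanchez recommends, in practice means keeping an allow-list of who may use them and then auditing the logs against it. The script below is an added example written for this article; it is not code from the SANS case study, IBM or anyone quoted here. It parses constructed sudo-style log lines and flags privileged commands that fall outside a hypothetical policy: an account that is not an approved administrator, a service account running something other than its permitted program, use outside a maintenance window, or an interactive root shell. The log format, account names, hostnames and policy values are all assumptions.

```python
"""Audit privileged-command use against an approved-administrator policy.

Added example, not code from the sources cited in the article. The log
format, accounts and policy below are constructed for illustration.
"""
import re
from collections import Counter

# Matches a sudo-style syslog line (format assumed for this example).
SUDO_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{2}) (?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2}) "
    r"(?P<host>\S+) sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Hypothetical policy: who may use privileges, what service accounts may run,
# when routine administrative work is expected, and which programs are shells.
POLICY = {
    "approved_admins": {"alice", "carol"},
    "service_accounts": {"svc-backup": {"/usr/bin/rsync"}},
    "maintenance_window": (8, 18),  # hours, start inclusive, end exclusive
    "interactive_shells": {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh"},
}

# Constructed sample log; hosts, users and commands are made up.
SAMPLE_LOG = """\
Mar 03 09:12:01 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 09:13:00 fileserver sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50122
Mar 03 09:40:17 fileserver sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 03 02:05:44 fileserver sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 03 10:02:09 fileserver sudo: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /srv/data /backup
Mar 03 10:15:33 fileserver sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt update
"""


def parse_sudo_line(line):
    """Return a dict of fields for a sudo line, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    return rec


def audit_record(rec, policy=POLICY):
    """Return the list of policy findings for one parsed sudo record."""
    findings = []
    user = rec["user"]
    parts = rec["cmd"].split()
    program = parts[0] if parts else ""
    if user in policy["service_accounts"]:
        # Service accounts may only run the programs they exist for.
        if program not in policy["service_accounts"][user]:
            findings.append("service_account_misuse")
    elif user not in policy["approved_admins"]:
        findings.append("unapproved_account")
    start, end = policy["maintenance_window"]
    if not start <= rec["hour"] < end:
        findings.append("outside_window")
    if program in policy["interactive_shells"]:
        # A root shell leaves no record of the individual commands run inside it.
        findings.append("interactive_root_shell")
    return findings


def audit_log(text, policy=POLICY):
    """Return one entry per sudo line that produced at least one finding."""
    flagged = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue  # not a sudo event; other daemons are ignored here
        findings = audit_record(rec, policy)
        if findings:
            flagged.append({"user": rec["user"], "cmd": rec["cmd"], "findings": findings})
    return flagged


def summarize(flagged):
    """Count findings by type, for a quick daily report."""
    return Counter(f for entry in flagged for f in entry["findings"])


if __name__ == "__main__":
    hits = audit_log(SAMPLE_LOG)
    for entry in hits:
        print(f"{entry['user']:<12} {', '.join(entry['findings']):<40} {entry['cmd']}")
    print(dict(summarize(hits)))
```

On the sample, the script flags bob (not an approved administrator, and opening a root shell) and alice's 02:05 command outside the maintenance window; the service account running its permitted rsync and carol's daytime package update pass. The point is not the specific rules but that privileged use is compared against a written policy rather than merely logged.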
Pairing Containment With Data Protection and Disaster Recovery
In Sanchez's list of the top 20 critical controls, he also mentions the need for robust data recovery. This includes frequent, automatic data backup and fast system recovery processes that allow you to recover a clean set of the impacted data as well as the associated application software and underlying operating system. The ability to restore your data to prior versions before the hack is also important.
This advice extends to physically securing or encrypting stored backups, especially during network transport or with remote or cloud-based backups. This echoes McMillen, who stresses the importance of using "off site data backups for critical information." In light of the potential damage of wiper malware, McMillen also recommends that organizations "implement an emergency business continuity/disaster recovery plan and test [it] at regularly scheduled intervals."
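The recovery advice above comes down to three properties: backups are taken as versioned snapshots, a stored snapshot can be checked for tampering before anyone relies on it, and a restore is actually exercised rather than assumed. The following Python script is an added example written for this article, not code from IBM, SANS or anyone quoted. It writes each snapshot as an archive plus a manifest of per-file hashes, authenticates the manifest with an HMAC under a key that is assumed to be kept off the backup store, and then demonstrates a restore of a prior version after the source has been destroyed. The directory layout, labels and key are constructed placeholders; it uses only the standard library.

```python
"""Versioned backup snapshots with an integrity manifest and a restore test.

Added example, not code from the sources cited in the article. Assumes a
local directory as the backup target and an HMAC key held outside that
store; both are constructed placeholders here.
"""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path

HASH = "sha256"


def _file_digest(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_tag(manifest: dict, key: bytes) -> str:
    """HMAC over canonical JSON so an edited manifest or archive is detected."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, HASH).hexdigest()


def create_snapshot(source: Path, backup_root: Path, key: bytes, label: str) -> Path:
    """Archive `source` into backup_root/<label>/ and write a signed manifest."""
    snap = backup_root / label
    snap.mkdir(parents=True)
    archive = snap / "data.tar.gz"
    files = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = _file_digest(p)
                tar.add(str(p), arcname=rel)
    manifest = {"label": label, "files": files, "archive": _file_digest(archive)}
    doc = {"manifest": manifest, "tag": _manifest_tag(manifest, key)}
    (snap / "manifest.json").write_text(json.dumps(doc, indent=2))
    return snap


def verify_snapshot(snap: Path, key: bytes) -> bool:
    """True only if the manifest authenticates and the archive hash still matches."""
    doc = json.loads((snap / "manifest.json").read_text())
    manifest, tag = doc["manifest"], doc["tag"]
    if not hmac.compare_digest(tag, _manifest_tag(manifest, key)):
        return False
    return _file_digest(snap / "data.tar.gz") == manifest["archive"]


def restore_snapshot(snap: Path, dest: Path, key: bytes) -> bool:
    """Verify, extract, then re-hash every restored file against the manifest."""
    if not verify_snapshot(snap, key):
        return False
    manifest = json.loads((snap / "manifest.json").read_text())["manifest"]
    dest.mkdir(parents=True, exist_ok=True)
    # Use the safe extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(snap / "data.tar.gz"), "r:gz") as tar:
        tar.extractall(str(dest), **kwargs)
    return all(_file_digest(dest / rel) == digest for rel, digest in manifest["files"].items())


def run_demo() -> dict:
    """Snapshot, simulate destruction and tampering, then restore a prior version."""
    key = b"constructed-demo-key-keep-this-off-the-backup-store"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backups = root / "src", root / "backups"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("quarterly plan v1\n")
        (src / "config.ini").write_text("mode=prod\n")
        v1 = create_snapshot(src, backups, key, "2024-03-01T0200")
        # Simulated wiper: the live data is emptied and deleted, then a later
        # scheduled snapshot faithfully captures the damaged state.
        (src / "docs" / "plan.txt").write_text("")
        (src / "config.ini").unlink()
        v2 = create_snapshot(src, backups, key, "2024-03-02T0200")
        # Simulated tampering with the stored archive of the later snapshot.
        with (v2 / "data.tar.gz").open("ab") as f:
            f.write(b"\0")
        results = {
            "v1_ok": verify_snapshot(v1, key),
            "v2_ok": verify_snapshot(v2, key),
            "wrong_key": verify_snapshot(v1, b"some-other-key"),
        }
        restored = root / "restore"
        results["restore_ok"] = restore_snapshot(v1, restored, key)
        results["plan_text"] = (restored / "docs" / "plan.txt").read_text()
        results["restore_tampered"] = restore_snapshot(v2, root / "restore2", key)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the demo restores the pre-incident version cleanly, rejects the tampered snapshot and rejects verification under the wrong key. The HMAC here detects modification; it does not provide confidentiality, so the encryption of stored backups that the article calls for is a separate layer on top of this manifest.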
Both foreign and domestic hacks remain unpredictable. Are you ready to respond to a data hacker who sets his or her sights on your business?