Posted by Art Dahnert on December 5, 2016
As this year draws to a close, we can look back on 2016 and see what challenges the security industry has had to overcome. Jumping on this bandwagon a bit early, I hope to draw attention to some of the more difficult challenges our industry will face in the coming year. In order to do that, I’ll point out the most newsworthy breaches of 2016.
The attack on Dyn, Inc.’s DNS service made the news this year because of the sheer number of resources brought to bear against a single target. It was the largest DDoS attack to date. A DDoS (Distributed Denial of Service) attack uses many individual computers to request files or services from a single server, on such a scale that it overwhelms the victim’s ability to respond and effectively knocks it offline. What makes this one so impressive is that it reached traffic levels exceeding anything measured before, in this case more than 1.2 terabits per second. The size of the attack took a large number of Dyn’s clients offline for a period of time, including Twitter, Spotify, and GitHub. The novel aspect was that the botnet behind it was composed of IoT (Internet of Things) devices.
In November, the San Francisco Municipal Transit Authority (SFMTA) was penetrated by an attacker who infected over 900 computers with ransomware. Ransomware is malware that encrypts various files on a computer. It then requires a decryption key to unlock them. This key is usually only provided after the victim has transferred the ransom using Bitcoin. As a result of the breach, the public was able to ride for free until the mess was resolved. Additionally, the ransom wasn’t paid because backups were available. The entry point of this attack was an Oracle server vulnerable to the year-old “unserialize exploit.”
Interestingly, one of the biggest security incidents in 2016 didn’t actually happen in 2016—it happened a couple of years ago. The Yahoo breach, exposing 500 million email accounts, is the largest ever. The actual vulnerability that resulted in the breach hasn’t been disclosed as of yet. Keep in mind, a data breach of this size is unprecedented, which is probably why Yahoo is reluctant to release the details.
Early this summer there was an attack on the DNC (Democratic National Committee). The number of stolen emails isn’t close to the millions of accounts exposed in the Yahoo breach. However, the nature of this attack is what makes it a very important breach to include. The attack was carried out by Russian hackers in an attempt to influence the 2016 presidential election. This is cyber espionage at its highest level.
What do these attacks have in common? Nothing really groundbreaking or earth-shattering. The techniques that attackers used have been around for a long time. What has changed is the scale and the aggressive nature of the attacks.
The number of email accounts stolen from a single company, Yahoo, is more than were stolen in any single previous year. In the past, DDoS attacks could knock a website off the Internet for a short amount of time. But to take down a huge swath of well-known, well-resourced companies for half a day? That had never been done before.
Attackers have been automating the search for older, unpatched vulnerabilities for years. Given the sheer size of the Internet, coupled with the ease of deploying ready-made exploit kits, it’s easier than ever to monetize an attack campaign. The attack on SFMTA demonstrates that fully automated AppSec weapon systems are on the horizon. Whether such a system is used for monetary gain or for some other nefarious goal, it’s now not only easily imaginable—it’s possible.
As we can see from the biggest breaches of 2016, software is under attack from multiple angles. Security professionals have been pointing out these problems for years. For example, hardcoded passwords should never occur. Ever. They will be abused. This was part of the problem with the IoT botnet that took down Dyn’s service. The Mirai botnet software used hardcoded passwords to access thousands of IoT devices.
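As an added example (not code from the original post), the following routine shows the defender’s side of the Mirai lesson: it scans SSH auth-log lines and distinguishes a default-credential spray, meaning many distinct sources each probing factory account names, from an ordinary single-host brute force. The log lines and the `DEFAULT_ACCOUNTS` list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in OpenSSH syslog format (not taken from the original post).
SAMPLE_LOG = """\
Nov 20 03:14:01 gw sshd[811]: Failed password for root from 203.0.113.5 port 51022 ssh2
Nov 20 03:14:02 gw sshd[812]: Failed password for admin from 203.0.113.77 port 51890 ssh2
Nov 20 03:14:02 gw sshd[813]: Failed password for root from 198.51.100.9 port 40211 ssh2
Nov 20 03:14:03 gw sshd[814]: Failed password for admin from 192.0.2.44 port 33021 ssh2
Nov 20 03:14:04 gw sshd[815]: Failed password for support from 203.0.113.200 port 60001 ssh2
Nov 20 03:14:05 gw sshd[816]: Accepted publickey for deploy from 10.0.0.12 port 50122 ssh2
Nov 20 03:14:06 gw sshd[817]: Failed password for root from 198.51.100.120 port 43210 ssh2
Nov 20 03:14:07 gw sshd[818]: Failed password for alice from 10.0.0.33 port 50231 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Account names typically shipped as factory defaults on embedded devices (constructed list;
# a real deployment would substitute its own inventory of vendor default accounts).
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest"}

def parse_failures(log_text):
    """Return (account, source_ip) pairs for every failed-password line."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def detect_default_credential_spray(log_text, min_sources=3):
    """Flag a botnet-style default-credential spray.

    The signal is not one host failing repeatedly (plain brute force) but many
    distinct sources each trying a factory default account name.
    """
    sources_by_account = defaultdict(set)
    for account, src in parse_failures(log_text):
        if account in DEFAULT_ACCOUNTS:
            sources_by_account[account].add(src)
    all_sources = set().union(*sources_by_account.values()) if sources_by_account else set()
    return {
        "accounts": sorted(sources_by_account),
        "distinct_sources": len(all_sources),
        "alert": len(all_sources) >= min_sources,
    }
```

On the sample above the routine reports six distinct sources probing `admin`, `root` and `support` and raises the alert, while the lone failure for `alice` is ignored.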
It’s also extremely important to keep software up to date. The unserialize exploit used against the SFMTA was over a year old, and Oracle had already patched it. Penetration testing and software library audits may have helped identify this problem before its exploitation. Software cannot be deployed and then forgotten. It must be maintained and kept up to date with the latest patches and security fixes.
The Yahoo breach illustrates that when a breach does occur, the company needs to properly disclose what has happened. There should be proper policies regarding the handling of the incident, as well as how it’s reported to the media and regulatory bodies. After all, it isn’t possible to stuff the genie back in the bottle. The stolen data will show up on some dark Web market for sale. It will then most certainly be reported to the media. By that time, the opportunity to get out in front of the situation is lost.
In the case of the DNC hack, there are some sophisticated adversaries using advanced techniques to commit espionage against the government. By understanding the types of attacks that are happening in the wild, it is possible to apply them to your environment via Red Teaming exercises.
A Red Team engagement is like a pen test for your network and physical security. It includes social engineering tasks (e.g., phishing) with a specific goal or target in mind. These are the same approaches used by nation-state actors to gain access to corporate and government networks. As such, performing them on your company’s resources gives you an understanding of potential weaknesses in your defenses.
These aren’t the only breaches that occurred in 2016, but they are very representative of what will go on in 2017. We’ll see more breaches, and we’ll see them on a larger scale—either with more accounts or larger data sizes. Not only will email accounts be stolen and monetized, but the very documents on corporate networks will be held for ransom and for larger payouts. Hacking for political secrets will also happen more frequently as we move into a new government. Attackers are becoming more experienced and bolder because of it.
Take the time to learn how the breaches of the past year can be applied to your specific environment. This will help you gain an edge in securing the data you manage in the next year.