By Ian Whiting (CEO, Titania)
About the Author
Ian has been working with leading global organisations and government agencies to help improve computer security for more than a decade. He has previously been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve.
There are a great many security lessons hidden in the plots and sub-plots of Star Wars: data security, hackers-for-hire, user error and so on. However, what better suits the information security industry than the striking moment that saw the Death Star exploding into glittery stardust? A chain of vulnerabilities and risk mismanagement ultimately led to the unthinkable: the destruction of the Empire's superweapon through an exhaust vent vulnerability.
There is a case to be made that network security lies in the detail, especially with the rise of the advanced persistent threat and the growth of cyberespionage worldwide. Criminals operating in the virtual space have long abandoned the generic, scattershot approach in favour of highly targeted attacks, and security measures must come to reflect this shift. Star Wars shows us how the same attention to detail can be applied to your organisation for a more efficient defence of the network.
Advanced persistent threat: operation “Death Star”
The Death Star was an impressive military and political superweapon designed to annihilate entire planets. Yet in spite of its might, the Death Star's defence was surprisingly vulnerable to attack: one small weakness led to a devastating end result. An assessment of its vulnerabilities was long overdue, and it might have been a chance to rewrite Star Wars history.
1. Network reconnaissance
Rebel spies led by Princess Leia manage to get possession of the Death Star's plans, but their ship falls to the Imperial forces. Leia alone cannot analyse the information she retrieved. Instead she finds a way of transmitting the data back to her father's home planet of Alderaan for further investigation, by storing the plans in the memory of R2-D2.
At this stage, Leia is captured by the Empire. For the time being, the Empire is unaware of the purpose of Leia's mission; the princess insists they are there on a diplomatic mission.
Malware with backdoor capabilities can infiltrate a network and remain undetected for years while leaking information. For example, the SEDNIT infectors used in Operation Pawn Storm were mainly backdoors designed to steal system information and send it to remote C&C servers.
Another example is the highly modular Snake (aka Uroburos) operation; analysis indicates that the rootkit had gone undiscovered for at least 3 years, with the ability to hibernate for a number of days, which made it untraceable even to professional eyes.
2. Outsourcing – “Hacking-as-a-Service”
Leia's stolen plans reach the hands of Luke and Obi-Wan Kenobi, who decide they must follow Leia's instructions and reach Alderaan. Luke and Obi-Wan need extra assistance, so they contract the services of mercenary Han Solo, who can transport them on his ship, the Millennium Falcon.
A coordinated cyberattack can involve multiple actors, each taking on a different role along the way. The underground forums of criminal activity are rife with hackers of varying skill and knowledge who offer their services. Off-the-shelf tools are also popular, either on a one-off basis or as a contractual service that includes updating and maintenance work. Silver Spaniel, uncovered in 2014, was a relatively simplistic campaign that did not build any software of its own but instead relied on commodity tools available on hacking forums. The attack required little technical skill, yet it provided scam artists with a prosperous business.
The Millennium Falcon has to re-route in order to reach the rebel base on Yavin 4, as Alderaan was destroyed by Grand Moff Tarkin in a demonstration of the Death Star's capabilities. However, the Millennium Falcon gets captured by the Star's tractor beam and brought into its hangar bay. When escaping, the ship manages to evade the Death Star, but by this point it carries a tracking device which enables Tarkin and Darth Vader to monitor it all the way back to Yavin 4.
Network defence approaches focused on threat identification and security information and event management (SIEM) would at this stage identify a breach and trigger security alerts. An alert system would give the CISO the choice of monitoring the threat further or ignoring it. We see that Tarkin and Vader choose to monitor the Falcon and track it back to base. Yet, without a comprehensive risk management view of the Death Star's vulnerabilities, they dismiss the possibility that the rebels would "dare" to target the core of the Star, and they fail to secure the ports.
4. The attack vector
The Falcon finally reaches its destination and the rebels hand the plans over for analysis. The examination reveals a vulnerability in the exhaust port that connects to the station's main reactor. Once the weakness is identified, an attack mission is set up and Luke joins the assault squadron.
In 2014, The Mask (El Careto) was revealed as one of the "elite" APTs. Its deployment against carefully selected targets included monitoring infrastructure, shutting down operations and avoiding detection by wiping rather than simply deleting log files, among other techniques. Its purpose was cyberespionage, but the attack vector was a combination of social engineering and rare exploits for Java, Chrome, Firefox and other browsers.
Campaigns like The Mask show us that the wide range of tools and the extensive pre-planning work conducted before the attack vector is set up remain the most unpredictable part of the threat. Security and risk managers are often unaware of their own "open ports" and struggle to distinguish between critical and minor threats.
An auditing process with clear flags for threat level is the only way to ensure that malicious actors do not achieve a more efficient assessment of your network than you do.
5. Exploit
After a number of battles, Luke, assisted by the Force and guided by Obi-Wan's spiritual advice, is able to fire proton torpedoes into a small thermal exhaust port along the Death Star's equatorial trench. This leads to the memorable image of the Death Star exploding into space.
The BlackPOS family that ultimately led to the breach inflicted on Target is a good example of the destructive effects that an undetected vulnerability can have on the security of a network and, ultimately, on the reputation of an organisation. It is now known that the BlackPOS campaign operated through 3 different strains of malware, all following a similar behaviour: infiltration, memory scraping and exfiltration.
Target did have a security team in place to monitor its systems around the clock. The hackers managed to avoid detection while setting up their malware, but when they proceeded to the final stage, uploading the exfiltration malware, alerts went off in Target's security department and then... nothing happened. The alarm was triggered early enough, before any data got leaked, yet the security operations centre chose to ignore it at that stage. The reasoning has never been disclosed.
As we see earlier in the film, despite being aware of the thermal exhaust port, the Empire had deliberately not taken steps to secure it. The reasoning can be inferred from their conversations: the port was too insignificant, and too dangerous, for the rebels to target.
There is an important point to make here: regardless of a network's security systems, and even of quarantine or counter-attack measures, there is also a great need for a healthy auditing practice in order to identify your weaknesses before attackers get the chance to exploit them. The final factor that allowed Princess Leia and then Luke Skywalker to succeed in their mission was the Empire's failure to design a correct risk management framework.
The accounts of many breaches provide sobering lessons in how organisations can have wide-ranging "big picture, big budget" defences yet leave vulnerabilities in everyday housekeeping. With the Death Star it was an exhaust vent; with your organisation it might be an out-of-date firewall, or a default password that was not reviewed during your last pen-test. Monitoring the details can make the difference between a secure empire and an embarrassing and very public explosion.
The words of General Dodonna, upon analysing the smuggled plans, could be the words of any hacker assessing the entry points of your network: "Well, the Empire doesn't consider a small one-man fighter to be any threat, or they'd have a tighter defence."