Scaling an Attack
First Published: X-Force Monthly Magazine

When I meet with an organization's CSO or Head of Security and we talk about the latest threats or the motivations behind a high-profile security incident, they are often surprised at the scale of some of the targeted attacks now underway.

They are all used to the endless rain of unsolicited and unwanted spam messages which constitute 80-90% of all their email traffic, along with the regular deluge of email- or web-borne viruses and spyware.

Most are also familiar with the constant “door rattling” of script-kiddies and would-be attackers as they run their port scanner or generic vulnerability scanner and cycle through their organization's netblock which, for some organizations, consumes as much as 5-10% of their Internet bandwidth – assuming that they are actually monitoring their Internet interfaces.

The threat they are increasingly worried about is attacks that compromise an internal desktop system and propagate internally. Not so much the classic worm that blindly leaps from one host to another, but custom malware designed to steal customer details or authentication credentials – delivered directly to their employees – and bundled in such a way that it can fool even a paranoid security professional.

These targeted attacks are definitely on the increase for most large organizations – with their success largely governed by the strength of their social engineering message. Consider a spoofed email that appears to come from the sales director of one country, sent to several hundred email addresses in another region, and outlines a proposed organizational change – details of which are contained within an attached organization chart JPEG file. The JPEG, of course, uses the latest buffer overflow vulnerability to install a bot-agent on the workstation or laptop.

The name coined for this class of threat is “Spear Phishing”, and the scale of the attacks surprises many professionals. The attackers themselves are well organized and study their target for some time to maximize their future infiltration. They invest in extensive passive information gathering exercises – carefully trawling websites, newsgroups, instant messenger forums and querying search engines – seeking details about the organization's internal structure, understanding hierarchical management charts, and building a database of employee names and email addresses.

In addition, the Spear Phishers often have access to a talented pool of expert malware developers and will build a custom bot-agent just for the attack – carefully designed not to trigger signature-based anti-virus engines, and tested using websites that allow you to submit files which are then scanned by a dozen different AV solutions (and which tell you which engines identified the virus).

Their favored delivery method is email, and most targeted attacks start with fewer than 200 individual emails. A well-researched attack, with an equally well-crafted social engineering message, will typically have an infection success rate of over 80% (a typical phishing attack is usually successful less than 5% of the time) – thereby initially compromising 150+ internal workstations.

From then on, the nature of the attack is linked to the sophistication of the installed bot-agent. Some of the newer bots tend to operate stealthily – spending their first few days or weeks in a passive mode, sniffing the network and recording host names, user names and passwords – then waking at a later date to use this captured information and infect the next batch of internal hosts. With 150 initial “seed” bots, it would not be unexpected to see the botnet reach 5,000 infected hosts by the end of a week – propagating “legitimately” using sniffed user credentials.

Obviously, with such a pervasive infection, the attacker can do a lot of damage to the targeted organization. But the point I have been trying to drum home to the various CSOs and Heads of Security is the scale of the attack.

While there has been an annual increase in the number of attackers poking away at perimeter defenses looking to compromise valuable server hosts, there has been a much larger increase in targeted attacks and an exponential rise in spear phishing attacks – mainly because they are so successful.

A word of advice for those organizations that have yet to invest in their internal defenses – you’re an easy target and you may have already been “got” by an email supposedly from a colleague in another office.

Copyright 2001-2007 © Gunter Ollmann