Whereas early social engineering efforts convinced someone to provide a password or other information via a convincing phone call or conversation, today’s social engineering efforts are fare more nefarious, as evidenced in great detail within the recently published report: Shadows in the Cloud: Investigating Espionage 2.0.
The report is packed with details on how attackers were able to compromise nearly 1300 computers in 103 countries. Evidence leads the researchers to believe that users were convinced to click a URL or download a document, a presentation or a PDF file by a message from (supposed) friends or acquaintances. In reality, they were the attackers spoofing their friend’s email. Once compromised, the attackers used a variety of web 2.0 applications and tools (Twitter, Yahoo! Mail, Google Groups, and numerous blog sites) as their command and control infrastructure.
Think about that for a moment. Sheer genius really. So how would a security administrator stop these attacks. Short answer, they can’t—not easily anyways. As a security vendor, I would love to say We Can Stop That Traffic, but I would be lying. So would any other vendor. Here’s why I am willing to say this.
- The compromised machines were actual users who had inadvertently downloaded some malware. With the increasing amounts of personal information in the public domain, targeted users face an uphill battle against a group of dedicated criminals. Even the smartest and most vigilant user who thinks thrice before clicking can eventually be convinced to click on something from a friend or acquaintance which can, in the background download the necessary malware to connect to the command and control infrastructure. Sure we can continue to stress user education but this will only go so far.
- In some cases, the attacks took advantage of old vulnerabilities in MS office applications that, I would speculate, could have been avoided through persistent patching.
- The applications (Twitter, Yahoo! Mail, etc) used as the C&C infrastructure are found commonly in every organization, as outlined in our twice yearly reports. So even if an organization had our appliance in their network, any of the C&C traffic will look like Twitter, Yahoo! Mail or blog traffic (assuming it is allowed).
So should we shut the doors and surrender. No.
At a minimum, organizations need to be vigilant (more so than ever) in their continued user education efforts. They need to be persistent in their patching efforts. And they need to be more intelligent in their efforts to monitor and control what types of applications are allowed on the network and what types of files and data are allowed to be transferred. It is in this last area that we can help organizations. By first setting specific policies on the usage of applications – both business and personal. And as part of that policy, control the file transfer functions as well as the files and data that can be transferred.