Defending Against Hacktivist AttacksCarl Herberger of Radware on the New Age of Ideological Threats
Recent DDoS attacks on banks are prime examples of the new age of ideological threats to organizations across all industries. Who are the threat actors, and how can organizations best manage risks?
Carl Herberger, vice president of security solutions at Radware, says hacktivists pose a whole new threat dynamic because they do not necessarily seek to defraud or vandalize an organization or its website. Rather, they seek to make an ideological statement.
"Most modern-day information security programs have not properly measured the risks to their environments, so there are whole new industries that have found themselves not prepared for an attack," Herberger says. "Whereas they did not have much risk for vandalism or opportunistic attacks, or [even] for financially-motivated attacks, today they find themselves victims" of ideological attacks.
In an interview about recent ideological attacks on banks, Herberger discusses:
- The morphing nature of these attacks;
- What we know about the actors;
- Lessons learned about incident response.
As Vice President of Security Solutions at Radware, Herberger is responsible for developing, managing, and increasing the company's security practice. He also serves as the primary corporate spokesperson in the Americas for security-related topics. A frequent guest of Fox Business News, CNN and Bloomberg Broadcast News, along with numerous NYT, WSJ and Washington Post citations, Herberger is considered a foremost expert on the problems and solutions surrounding cyber-attacks.
TOM FIELD: Ideological attacks on banks: What are the new types of attacks that you've been seeing against institutions?
CARL HERBERGER: The attacks on the banks, especially the U.S. commercial banks, have been so heady that they really taught most of the security industry some lessons. In the world of denial-of-service attacks, they have parlayed themselves from what we used to call volume-based attacks - or attacks most people think of when they think of denial-of-service - to very sophisticated, often non-volume-based, attacks. What these perpetrators have been doing is getting around most of the protection sets that we have used and the assumptions of what an attack looks like. They do this through automated tools, which we frequently call bots. They do this through encrypted means. They encrypt their attacks, which really obfuscates most of the attacks to modern day security measures, and they use what they call directed attacks.
Directed attacks use known vulnerabilities to be able to leverage them in a new way. It's sort of taking something old and making it new again. This would be like taking simple malware, a Trojan or maybe a problem that you have with your website and being able to leverage that problem to cause a disruption or outage. There are four basic ways in which they're combining, and they're combining all these attacks at the same time, which has an effect. They're combining what we call multi-vector attacks. They're combining these attacks so that you have to be able to detect all of them at the same time. These attacks have traditionally the volume that we mentioned and the non-volume. The non-volume includes things like directed, things like encrypted, and other attacks that are more focused on bots and automation of the attacks.
Threat Actors' Motivations
FIELD: Let's talk about the actors behind the attacks as well, because my understanding is that the motivations there are shifting.
HERBERGER: This is one of the most interesting pieces of the whole last two years in information security. Having spent a lifetime in information security, I can tell you that, by and large, the motivations haven't changed over the last couple of decades. They were financially motivated, and there are a whole bunch of categories under financial motivation to include competitive motivations, economic espionage motivations and so forth.
But there has been one primary motive we've been working towards, a financial motive, or something that's akin to vandalism, what we call opportunistic motivation. I happen to have a tool, and you happen to have a vulnerability, and you just happen to be in my visibility as I'm perpetrating a tool.
But in the last few years it's been this rise of a brand-new motivation which is being known as an ideological-based attack, or what has become known as hacktivism. This is a notion that I'm attacking you for other than financial motives, for other than vandalistic or opportunistic reasons. I'm attacking you for a purpose, for what you believe or don't believe; for what you say or what you don't say; for what you promote or what you don't promote.
It's an age-old human attack motive that's now still spilled over into techniques and capabilities in the information security or information Internet space. This ideological-based motive has caused a lot of problems in that most modern-day information security programs have not properly measured the risk in their environments. There are whole new industries that have found themselves not prepared for an attack, whereas they didn't have too much risk for vandalism, for opportunistic attacks or financial motive, but today [they] find themselves as perpetrators' victim number one. These are industries like oil and gas. These are industries like government. These are industries where people promote themselves in an ideological way. Think about a non-government organization; these are causal organizations. These companies and organizations have found themselves overnight being attacked.
FIELD: It's been nearly a year now since we started seeing a real swing toward the ideological attacks on banks. As we're approaching that one year, how do you see the attacks morphing?
HERBERGER: It's different. The attacks have been also different themselves based upon the motive. In a financial-oriented attack, what you're hoping to achieve is to gain some sort of personal financial gain, and often you're trying to do this in a way that obfuscates yourself. What you're attempting to do is steal money and get away with it. In an ideological-based attack, what you're trying to do is exert your will, influence and power on another organization so that they succumb to your will. These attacks almost have an opposite requirement. They have to be, as opposed to obfuscated in a financial attack, loud. You have to be known.
To be honest with you, these attacks also have to be pre-announced, which is a very different attribute for an information security professional today. In other words, in a financial attack they're never pre-announced. Their whole goal is to be obfuscated. In an ideological-based attack, what you're attempting to do is file your grievance ahead of time. What you're attempting to do is, even before you attack, exert your will. Just by the threat of an attack, you can suggest change.
There have been many examples of this. For example, the companies that have supported the [Stop Online Privacy Act] in the U.S. initially started getting attacked, which actually caused many companies before they got attacked to change their stance on the SOPA law. These new attacks are loud and they're pre-announced. Essentially, your grievances are filed ahead of time. There's frequently a notion of, "or else." If you don't do this ,we're going to do something. "Or else" frequently means an information security attack, and those attacks then will last a long time, which is also very different than the other kinds of attacks.
You can today, according to Radware, be assured that if you're under an attack it's going to last 20 days, almost three weeks. That's the average duration [of] when a perpetrator has filed a grievance against you and begins a process of attacking you. If they're not effective or if they're just somewhat effective, they will continue for 20 days and they'll exert seven attack vectors on you. These are all very different. Being able to detect the amount of attacks; being able to deal with the publicity of the attacks; being able to deal with the timing or the persistency of the attacks has changed the game immeasurably.
In the U.S. banking sector, their attack is titled Operation Ababil, and it's an ideological-based attack whereas the perpetrators are suggesting that the root of all evil is commerce, and the top 20 U.S. commercial banks represent fundamentally commerce, and they would like them to be down, no longer operational. These attacks started on Sept 18, 2012, and they continue to this day. That represents the largest industrial-sector attack in the U.S., in fact around the world, and the longest information-security attack that has ever been recorded.
Responding to Sustained Attacks
FIELD: That's great context. Let's talk about incident response now. For better or for worse, how have the banks responded to the sustained attack?
HERBERGER: Incident response really has changed to, first of all, the notion of ideological-based attacks being proactive, filing a grievance ahead of you. In other words, the perpetrators with almost no exception will indicate that you're either specifically or more generically going to be the target of an attack. They'll do this by naming you in their grievance, naming you as part of an industry or naming you as a part of an affiliation. Some specific examples are there has been an attack against Sony and, prior to the attack, there was this operation called Operation Sony, which had its grievance. There have been attacks on oil companies, and before that there was more generically an announcement against the company. Its operation they called Petrol, or Operation Oil Sands. There have been operations that, even if you've been affiliated with the industry, you're potentially a target.
As an information security professional, being able to detect and being able to neutralize these attacks really starts with being able to detect that ... essentially there has been a file of grievance against you. This has been a big change for information security professionals. We're used to only detecting a technical attack, but not being able to detect, or essentially have an intelligence or research function to be able to detect, that they actually have been put on notice that they have aggrieved somebody. You can start your information security defense right then and there. There are now new means and new motives to be able to start neutralizing the attack before it materializes as an attack in your environment. This is also very new. This is a notion that perhaps you could begin to sway the grievance; you can begin to have a dialogue with the people who filed the grievances.
In addition, frequently when there's a group that's going to attack you, [it] comes in two forms. One is a volunteer that's soliciting to attack you, or it seems to be more state-sponsored where it's either state or transnational in that there's a group out there that's self-contained and not soliciting independents to attack you. If you have an attack that's more volunteer-based, you will know the tools that are going to be perpetrated against you. In this situation, you can actually detect the tools ahead of time. If you have proper technology in place, you can see in your environment as soon as these tools materialize. It would be like in the old Star Trek days when you're watching the movie. You would be able to see the Klingon fighters show on your screen before they actually start firing upon you. This proactive neutralizing of these tools before they begin the process of actually attacking you is new too. You can proactively begin to sway opinion of the attackers. You can begin to neutralize tools before they start attacking you. As you start getting attacked, you'll have to have a coordinated set of detection and mitigation technologies that are able to handle both responses quickly and handle the sheer size and scope of the attack.
Incident Response Changing
FIELD: How do these tools and this approach change how institutions should practice incident response going forward against these ideological attacks?
HERBERGER: The old paradigms were I would wait for an attack to attack me. I would find that attack, neutralize that attack, and then I would cause retribution for the attacker. The old paradigm was financially motivated attacks, and it really had a focus on the fact that I would wait until there was an attack to happen, and if the attack had any assumption that it would be sophisticated, but there would be a single vector, maybe two vectors, that was used.
There's also an assumption that the attack would not last for that long, so you had the benefit of being able to do tremendous amounts of forensics, a tremendous amount of essentially after-action analysis. Going forward, that changes, and that has changed already, so that you have to think not in terms of the old paradigms but in terms of the new paradigms, that the attacks are going to be large in scope and in scale, and that they're going to be persistent, so you're not going to have the benefit of being able to do forensics with nothing else going on. In fact, they're going to be obfuscated, so you're not going to have an ability to determine exactly who was doing this to you because of the advanced abilities to encrypt and to spoof sources and content.
Another piece that's changing dramatically is there really are not regulations around this today. There are very few countries in the world that actually have regulations against DDoS. DDoS to one is application testing to another. One person might view it as a cyber-attack, and another person might suggest that it was a malfunctioning application. There are not really strong laws and there are not really strong adjudications that have occurred in the past in this area.
[In] most western countries there are some kinds of laws that are being used to bring people to justice. But mostly the rest of the world has absolutely silent laws to this. As we go forward, one of the paradigms in our heads as information security professionals is that we'll be able to actually adjudicate or bring perpetrators to justice. In this situation, it's just not the case. In many cases, the perpetrators may even be state-actors or transnational threats. Let's call them affiliations with groups that are terroristic, mob-like or cartel-like.
The third piece of it is that, even if you have strong laws, or you get to the point where you might be able to have good visibility to who did this, actually bringing those perpetrators to justice ... will be very, very difficult. The whole paradigm of the regulatory nature of things has changed. This leaves the information security professional with the position of having to basically just defend themselves, having to put their own resources to be able to deal with the situation if they can't rely on too many other entities outside of their own resources.
FIELD: As you look ahead to the following months and next year, what lessons would you say we have learned from these ideological attacks and what can we expect to see going forward?
HERBERGER: The ideological-based attacks have taught us, even the biggest companies, that there are assumptions in their risk profile, and their deployed security tools haven't been enough. It's clear that the ideological-based attacks have disrupted some of the world's most handsome security programs and some of the most resourced security programs. They have taught us all lessons of how to properly adjust to this new risk profile.
In addition, as we move forward, there are ominous signs in terms of what we can expect as these attacks materialize themselves in the future. One is we're on the dawn of a massive change in critical infrastructure. Our critical infrastructure is changing in that we're outsourcing most and much of the way in which we get business done. It's no longer an information security professional's technical capabilities to be able to lock down their environment. Their environment will be extended beyond their technical controls.
The second is the mobile and BYOD problem - bring-your-own-device. The mobile device explosion, which will be unmanaged, will also assist these attackers as they will be able to leverage more and more devices to be able to perpetrate attacks. This mobile problem is not just tablets and phones, but in the future will be cars; it will be wearable mobile devices, kind of like the Google glasses and other devices that are being rolled out right now. Also, it could be any IT-enabled device. It can be a refrigerator, treadmill or a washing machine that could be leveraged in an attack going forward, which is pretty ominous.
Then there's another major trend, a transformative and disruptive trend on the networking side of the house. It's what's being called software-defined networking, which is a fancy way of saying virtualizing the control of the network devices. This trend is really gaining a tremendous amount of following. This trend is an open trend. It's a trend to be able to essentially write applications to networking devices in an open way, which is using a protocol called OpenFlow. This open trend on networking devices, although very, very attractive for networking features and traffic features, will be actually a foe to security. It will represent another major vector that could be violated in the future.