Post by Nick Palmer and Moshe Ben-Simon
When evaluating modern threat actors, cyber security specialists need to ask: who has the time, money, and motive? Where are they directing their efforts? We can generally categorize attackers into two main groups: nation states and organized crime groups.
In today’s world, nation states view offensive and defensive cyber capabilities as essential weapons, and they have leveraged their capabilities successfully, especially when stealth is required. It is believed that nation-state-sponsored advanced persistent threats are more sophisticated, typically with targets related to the national interest. Take Stuxnet as an example: few in the security community have ever encountered a more sophisticated zero-day campaign, particularly among organized criminal groups.
Modern corporations’ security personnel typically view nation-state cyber attacks with little concern. They consider defending against potential attacks by criminal organizations as a much more effective and necessary use of their resources. Indeed, the success rates of organized crime groups using ransomware and other methods continue to escalate, encouraging further investments in new tools by cyber criminals and escalation of attacks. However, although these types of risk/resource decisions may appear to make sense, as we’ll see, it will likely be a much less effective strategy moving forward.
The reason is that the entire archive of hacking tools of one of the most well-resourced state-funded security organizations in the world—the U.S. Central Intelligence Agency—has recently been published on WikiLeaks. Code-named Vault 7, this massive archive is purported to contain all of the CIA’s hacking tools. Vault 7 contains content from a network of former government hackers and contractors, circulated in an unauthorized manner and, ultimately, shared with WikiLeaks, whose recent initial release of Vault 7 includes more than 7000 documents and 943 attachments.
In the short time it took for WikiLeaks to publish the Vault 7 archive, the security landscape for chief security officers and security practitioners worldwide changed forever. WikiLeaks may well publish content such as Vault 7 with transparency and public advocacy in mind, but the ultimate impact on business and industry is potentially devastating.
The capabilities and sophistication of the contents of Vault 7 are beyond anything we’ve ever seen before. The release of Vault 7 will enable criminal organizations to expand their activities dramatically. To put it in context, the first part of the release, “Year Zero,” is already thought to exceed the size of Edward Snowden’s NSA archive. Vault 7 ultimately exposes more than a thousand hacking systems.
The implications for industry are staggering. Vault 7 includes weaponized exploits against common consumer products, including all major mobile phones, smart TVs, and cars. It is thought to contain tools that can bypass the encryption used in media platforms such as WhatsApp. It also contains new tools that target vulnerabilities in systems such as Windows 7, the single most common desktop operating system used by businesses.
One of the exploits, “Weeping Angel,” is believed to transform a Samsung Smart TV into a covert listening device—even when the device appears to be turned off—sending recorded conversations back to a central server. Imagine corporate executives discussing a new strategy or product while attackers covertly record them using the TV in the meeting room, with the recording then used as intelligence to bid on the stock market or offered for sale to the highest bidder. Another exploit is thought to target in-car control systems, allowing the CIA to perform “virtually undetectable assassinations,” according to WikiLeaks.
Unfortunately, chief information security officers and chief information officers must assume that the threat actors they have faced historically are now as well-equipped as a nation state. Historically, the tools in the Vault 7 archive may not have been used against commercial targets, but that doesn’t mean they won’t be now that they’re available.
Vault 7 capabilities include penetration, infection, remote control, and exfiltration. They include keyloggers, password collectors, webcam capture agents, and data destruction tools, along with means to establish persistence, privilege escalation, anti-virus avoidance, and surveillance. Security experts believe that Vault 7 offers the capability to penetrate networks even without Internet connectivity and that targets previously believed to be secure will need additional controls.
Nation-state threat actors have proved time and again that they can penetrate any system, any network, and any security product. In the short term, while vendors and governments scramble to understand the implications of the new tools, organized crime gets a free ride. Vault 7 provides immediate access to extremely powerful tools and a direct line of sight into the minds of state-sponsored malware authors.
The potential for increased innovation is vast, and not in a good way. The next generation of criminal-authored malware will build on the tools in Vault 7, making it even more difficult to defend against attacks. Criminal syndicates armed with Vault 7 techniques will be able to penetrate networks far more easily than ever before and remain undetected longer, with higher levels of privileges, relentless persistence, and the ability to bypass existing security controls as if they didn’t even exist.
A fundamental change in strategy is required, including the mindset that you will be breached, along with best practices needed to manage the new threats as part of the normal course of business.
Year Zero is a catalyst for a new acceptance within the security community that breaches will occur and that the earliest possible detection of network intruders is the new service level. No matter how quickly and easily attackers can penetrate your network, they still need to move laterally to locate their targets, and they still need to perform reconnaissance.
Deception technology enables detection of early-phase reconnaissance and lateral movement, regardless of attacker tools used. Even if an attacker does have access to CIA-grade tools and techniques, deception technology can still identify them quickly and effectively, minimizing time-to-breach-detection and reducing or eliminating your potential losses when the next attack on your network inevitably occurs.
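The detection principle described in the last two paragraphs, as an added example that is not from the original post or from any vendor product: decoy addresses receive no legitimate traffic, so any connection to one is flagged without inspecting the tool that made it. The decoy addresses, port set, threshold and log records are constructed assumptions.

```python
from collections import defaultdict

# Assumption: these addresses are decoys that no legitimate host has a reason to contact.
DECOYS = {"10.0.5.250", "10.0.5.251", "10.0.7.250"}
AUTH_PORTS = {22, 445, 3389}  # services where a connection implies a login attempt
SCAN_THRESHOLD = 2            # distinct decoys touched before it counts as a sweep

# Constructed sample records: (timestamp, source, destination, destination port)
SAMPLE = [
    ("09:00:01", "10.0.1.15", "10.0.2.10", 443),   # normal traffic to a real server
    ("09:00:07", "10.0.1.23", "10.0.5.250", 80),   # sweep across decoys begins
    ("09:00:07", "10.0.1.23", "10.0.5.251", 80),
    ("09:00:08", "10.0.1.23", "10.0.7.250", 80),
    ("09:02:30", "10.0.1.40", "10.0.7.250", 445),  # single SMB attempt on a decoy
    ("09:03:00", "10.0.1.15", "10.0.2.11", 22),    # admin SSH to a real server
]


def detect(records, decoys=DECOYS):
    """Return {source: alert} for every source that contacted a decoy."""
    touched = defaultdict(set)  # source -> decoys contacted
    ports = defaultdict(set)    # source -> decoy ports contacted
    first_seen = {}             # source -> timestamp of first decoy contact
    for ts, src, dst, port in records:
        if dst not in decoys:
            continue            # traffic to real hosts is never scored here
        touched[src].add(dst)
        ports[src].add(port)
        first_seen.setdefault(src, ts)

    alerts = {}
    for src, hit in touched.items():
        if len(hit) >= SCAN_THRESHOLD:
            kind = "reconnaissance"     # many decoys touched: a network sweep
        elif ports[src] & AUTH_PORTS:
            kind = "lateral-movement"   # login-capable service on one decoy
        else:
            kind = "decoy-touch"        # still anomalous, lower confidence
        alerts[src] = {"kind": kind, "first_seen": first_seen[src],
                       "decoys": sorted(hit)}
    return alerts


if __name__ == "__main__":
    for src, alert in sorted(detect(SAMPLE).items()):
        print(src, alert)
```

The classifier keys only on the destination being a decoy, which is why the result does not depend on which scanner or implant generated the traffic.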