Cyber Shakedowns by Matt Robertson

Over the last month, some fairly high-profile cyber shakedowns have occurred, such as: Domino’s Pizza, recurring incidents with CryptoLocker, and notably the attack on Code Spaces on June 17. The recent outbreak of this type of criminal activity is unfortunate, and what happened with Code Spaces is quite alarming. 

 

For those unfamiliar with the event at Code Spaces, on Tuesday, June 17, 2014, they began to experience an orchestrated DDoS attack, which is a fairly normal occurrence apparently. They were then contacted by an anonymous criminal who appeared to have access to their Amazon EC2 control panel and was demanding a large fee to stop the DDoS attack. When attempts were made to change their passwords and revoke the criminal’s access to their EC2 control panel, the criminal began deleting critical operational data elements. By the time Code Spaces staff had regained access, the resulting loss of data had resulted in Code Spaces’ inability to continue to operate. 

The events at Code Spaces reminded me of the movie Dirty Harry where a criminal sniper attempted to extort money from the city of San Francisco in exchange for not shooting its citizens. Code Spaces suffered the virtual equivalent of this – a criminal broke into their building, perched himself on top of their most valuable assets and demanded that they pay him to leave. Unfortunately, when Code Spaces attempted to thwart the criminal, he or she set fire to the building so to speak (or exploded a bomb, whichever you prefer). Continuing the analogy, the DDoS attack was the equivalent of the criminal staging some public demonstration outside the building during this action, making it difficult to coordinate a response to his (or her) activities. One could also liken this type of activity to protection racketeering.

 At this moment I can only speculate about how the criminal managed to gain access to Code Spaces’ Amazon EC2 control panel, but one thing is evident – this was a very targeted attack, geared towards criminal extortion of monies from Code Spaces.  Perhaps this was an attack that took months of planning, including the slow infiltration of Code Spaces – spear phishing employees, gaining remote access, recovering passwords and using legitimate credentials to access EC2. Or perhaps this was an attack of convenience – the criminal had been building a botnet and infected a Code Spaces employee inadvertently (i.e. Code Spaces was not initially targeted). Then perhaps through the day-to-day activities of the bot, the criminal recovered the username and password for Code Spaces’ EC2 account, and at this moment chose to leverage the data in performing what I am referring to as a Cyber Shakedown.  

 It is unfortunate that the resulting outcome of this shakedown is that Code Spaces will be unable to operate. What we have witnessed here is a direct, targeted cyber attack that has completely destroyed a previously functional company. A once operational business and employer will cease to operate, people have lost their livelihood, and their customers will suffer from lost services and perhaps may also be unable to recover. 

 Without complete details it’s hard to say whether this set of unfortunate events could have been prevented. For example:

  • When did the initial infiltration occur?
  • Could it have been discovered?
  • Was there a way to detect this attack earlier, reducing the mean time to know (MTTK) and preventing it from being discovered at zero hour?

 Earlier I likened this event to the sniper in Dirty Harry. However, there is one primary differentiation: visibility and identification of the precursors to an attack are available to an organization before it is too late and the attack is in its final hours. Organizations must be ready and take steps to protect themselves against these types of targeted attacks to avoid suffering irreparable harm like victims such as Code Spaces. 

 In the cyber world, there is much more onus on the organization to protect itself. It is necessary to start thinking beyond the traditional security perimeter and start monitoring what happens on the network interior to reduce that mean time to know before it is too late (see the below figure). Reducing the MTTK requires active monitoring of the network and computing infrastructure and the detection of anomalies and suspicious activity to identify the precursors of an attack before the attacker is able to begin his/her shakedown.

 

 Developing an early warning system really starts with visibility – visibility into all host-to-host communication in order to understand who and what is on your network. That visibility into who and what is on your network is critical for being able to take an indicator of compromise (IoC) and attribute it to a network-connected device – a process referred to as threat attribution. 

 As a security visibility and intelligence tool, the Lancope StealthWatch System is specifically designed to not only detect suspicious and anomalous activity, but to also accelerate the threat attribution process and reduce the MTTK between the time the initial infiltration occurs and when the shakedown begins.

 For more information about using the StealthWatch System to mitigate CryptoLocker, go to: http://www.lancope.com/blog/mitigating-cryptolocker/

 For more information about using the StealthWatch System to process IoCs, go to:  http://www.lancope.com/blog/processing-iocs-in-the-stealthwatch-system/