For businesses and governments, Stuxnet has acted as somewhat of a wake-up call, illustrating the fact that cyber warfare capabilities are being actively pursued, developed and deployed, says Rik Ferguson, Trend Micro's solutions architect.
He will speak at the upcoming ITWeb Security Summit held between 10 and 12 May at the Sandton Convention Centre.
Stuxnet is the name given to a piece of malicious code, which was targeted at specific industrial installations with the aim of physically sabotaging installed equipment.
Ferguson says Stuxnet is not the work of a criminal gang, but more likely a nation state activity with specific objectives to sabotage organisations. He adds that Stuxnet represents the first time that malicious code had crossed over from the confines of espionage and information theft for profit to sabotage.
This will have far-reaching physical consequences with the potential to affect populations or nation states, he reckons.
He urges adequate defences be investigated.
“Whoever was responsible for writing the code needed access to highly-specialised hardware and in-depth technical knowledge of some very niche technologies in order to write and test their creation. There is no obvious criminal motive in terms of making money on this attack.”
Zero-day exploits
Ferguson indicates there is enough money to be made through more traditional cyber criminal pursuits such as information theft, ransomware, scareware and their derivatives.
He says Stuxnet offered criminals a couple of important helpers. Malicious Web pages were created, designed to appear on the first page of results when people search for information about Stuxnet.
“This is a very common tactic; where criminals use newsworthy events or online trends to spread their malicious code, and Stuxnet represented 'just another opportunity'.”
In addition, Stuxnet also used four zero-day vulnerabilities to infect the target system. A zero-day attack is a computer threat that tries to exploit application vulnerabilities that are unknown to the software developer. It uses a security hole to carry out an attack.
“As soon as the code became public knowledge, these vulnerabilities were picked up and reused by criminals in order to spread their own more traditional malware.
“Stuxnet also used stolen digital certificates to sign the malicious code, in order to sneak it past code-signing enforcement on the target systems. This technique has also already been adopted by cyber criminals to mask their malware.”
Smart tactics
Ferguson claims examples of targeted attacks include Titan Rain, Gh0stnet, Aurora and the recent Night Dragon attacks.
“As nation states and international corporations become aware of the capabilities out there in this field, we predict an ongoing rise in the frequency and volume of these attacks, mostly for the purposes of information theft and espionage, industrial or otherwise.”
Ferguson points out; if an attacker is skilled and determined enough, chances are they will be able to penetrate most corporate defences through a combination of sophisticated toolkits and effective social engineering.
He advises enterprises to increase the frequency and effectiveness of their internal information security training, including examples of social engineering attacks.
Enterprises should be building layered defences that look for threats at the exposure, vulnerability, content and behaviour layers, he says.
In addition, Ferguson suggests enterprises should monitor network traffic to look for anomalous behaviour.
“Even in the event that all proactive security protection has failed, enterprises need to be alert to the fact that a machine is behaving in an unexpected manner and be able to quickly quarantine that device without harming any potential forensic evidence that may be available.”
Share