News

Emerging threats include kinetic attack, offensive forensics: RSA 2013

Brandan Blevins, Assistant Site Editor

SAN FRANCISCO -- "Cyber is one domain to rule them all."

Requires Free Membership to View

OpenEMR, from a security perspective, is a disaster. … We had to harden OpenEMR or it was trivial [to hack it].

Ed Skoudis,
CEO, Counter Hack

CEO of Counter Hack and SANS instructor Ed Skoudis may have been playful with his Lord of the Rings reference during his 2013 RSA Conference presentation, but the attack techniques that he and Johannes Ullrich, chief research officer at the SANS Internet Storm Center, discussed are anything but a joking matter.

During a joint presentation last week, the duo detailed how everything from industrial control systems to SCADA equipment to big financial institutions is vulnerable to society-shaking attacks.

Skoudis, in particular, discussed the effects of kinetic attacks being carried out in cyberspace. He pointed to recent attacks, including Stuxnet, Flame and Shamoon, to show that nation-states and criminal organizations are increasingly looking at hacking via cyberattacks as a way to break physical systems that are vital to the way society functions. Such reported attacks from recent years included everything from a hacked water system in Illinois to millions of dollars in alleged fraud being committed via smart meters.

Skoudis expressed concern that the general public still dismisses the risk that these types of kinetic attacks can have on their daily lives.

Skoudis was also the brainchild behind NetWars CyberCity, a SANS operation meant to serve as a training ground for cyberwarriors. A six-by-eight-foot miniature city, CyberCity features a SCADA-controlled power grid, traffic system, trains, a military base and more, all of which can be hacked and defended in cyberspace similar to a real city. Skoudis joked that the CyberCity coffee shop Wi-Fi network has proved to be an invaluable resource to those launching attacks.

When asked by an audience member whether any significant vulnerabilities were found in the CyberCity hospital, Skoudis offered a stark reminder of the insecure state of the nation's health care infrastructure.

"OpenEMR, from a security perspective, is a disaster," he said of the open source electronic medical records application. "We had to harden OpenEMR or it was trivial [to hack it]."

As part of his discussion on kinetic attacks, Skoudis also warned of a related threat: misattribution. Attackers, whether they are nation-state actors or run-of-the-mill cybercriminals, are increasingly trying to hide their trails by purposefully inserting code that mimics other attackers.

With so much news surrounding Chinese cyberespionage, a Russian hacker, as an example, may decide to drop some Mandarin into the code notes. Or sophisticated malicious hackers may purposefully insert what may be considered rudimentary mistakes into their malcode just so forensics experts won't think to attribute an attack to them.

In terms of enterprise threats, Skoudis discussed what he considers to be the rise of offensive forensics. It used to be that attackers would steal large quantities of data because they didn't know what was valuable. Now, Skoudis said, attackers are able to target the exact data they want through the use of forensics tools, with the added benefit that it reduces the noise in the network so they're less likely to be noticed.

"Offensive forensics is taking forensics techniques, analyzing in-depth file systems and memory and combing through it, looking for the needle in the haystack," he said. "It's forensics, but you're using it to pull something back."

Ullrich focused in on distributed denial-of-service (DDoS) attacks that have targeted large financial institutions over the last 12 months. Attack speeds are now exceeding 40 Gbps, yet attackers only need 2,000 or so servers for these attacks to be effective. If the goal of an attacker is simply to cause financial pain, a DDoS attack is a cost-effective way to accomplish that goal.

"The attack itself is amazingly simple and doesn't require a lot of resources," Ullrich said. In fact, he said a talented attacker with little in the way of resources could likely take down the nation's largest banks.

Ullrich also pointed to the area of encryption and its failure in securing sensitive data. Whenever a big breach incident makes headlines, he said, it seems that hackers find cracking the hashes to be a trivial matter. According to Ullrich, this is because the major hash algorithms in use today, ironically, weren't designed with security as their first priority.

"These hashing algorithms are designed for the wrong purpose; they are designed to be efficient," he said. "The least-efficient algorithm is the one I want to use."

The ultimate point driven home by Skoudis and Ullrich was that defending industrial control systems and financial institutions should be an absolute priority, though the track record of the security industry doesn't provide much comfort for those concerned about these matters.

"We have to do better in securing the critical infrastructure over the next 10 years than we did securing the Internet stuff in the last 10 years," Skoudis said.

View all of our RSA 2013 Conference coverage.