With the new year upon us, the bad guys continue to improve their computer attacks, refining their outdated techniques and introducing new twists. Let's look at some of the trends that will likely dominate the information security threat landscape in 2008:
Increasing effectiveness and complexity of large-scale botnet management
Right now, there are multiple active botnets that each contain more than 1 million infected machines. Medium-scale collections (100,000 to a million infected machines) and small-scale ones (less than 100,000) are even more numerous.
Attackers can use annoying but relatively benign schemes -- like pop-up ads, spam and search bar installations -- to harvest money via such an infrastructure. More insidious attacks include pump-and-dump stock scams, denial-of-service floods, phishing schemes and form-scrapers that gather bank account numbers and passwords from browsers.
With large-scale distribution of a botnet's infected computers, these bad guys are encountering the same infrastructure problems that large enterprises have -- distributed remote management en masse is not easy. However, the attackers are a crafty lot, and they are developing robust peer-to-peer communications and control mechanisms to avoid single points of failure in their botnets.
More event-driven, targeted email containing malware
In early 2007, the Storm Trojan infected hundreds of thousands of machines by simply duping email recipients into opening an attachment that contained the malware. The message's subject line exploited concerns about a deadly storm that had just battered Europe, which is where the malware got its name. The malware's authors continued throughout the rest of the year, modulating their headlines with the latest news stories. As a result, more than 1 million systems became part of the Storm botnet.
Look for more of the same in 2008. Numerous email worms will be spread with bogus -- and sometimes even real -- news stories about the upcoming U.S. primary and general election campaigns, or perhaps other gripping headlines, such as war and unrest in the Middle East.
Information security practitioners should educate users to be extra diligent when reading email and viewing attachments, even from senders they know. When sharing news, users should paste the text of the story into the message body instead of forwarding links or sending attachments. It's also important to redouble efforts for effective email antispam and antimalware deployments, in particular gateway rules that strip or quarantine executable attachments regardless of how they are named.
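The kind of gateway check described above, as an added example that is not code from the original article: it parses raw messages, flags attachments that carry an executable extension or an "MZ" executable header (so a renamed binary is still caught), and separately flags news-bait subject lines. The four sample messages, their subjects, addresses and attachment names are constructed here for illustration, and the bait-word list is an assumed starting point rather than a tuned rule set.

```python
"""Flag Storm-style lures: news-bait subject lines carrying executable attachments.

Added example, not code from the original article. The messages built at the
bottom are constructed for illustration; subjects, addresses and file names are
made up.
"""
import re
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Words the lures in the text lean on; a real deployment would curate this list.
BAIT_WORDS = {"dead", "storm", "flood", "election", "war", "breaking", "video"}


def is_pe(data: bytes) -> bool:
    """True if the bytes begin with the DOS/PE 'MZ' stub, whatever the file is called."""
    return data[:2] == b"MZ"


def attachment_findings(msg: EmailMessage) -> list:
    """Return one finding per reason an attachment should not reach the user."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Use the *last* extension so "story.avi.exe" is caught.
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable extension: {name}")
        # Content check catches a renamed binary ("clip.avi" that is really an .exe).
        if is_pe(payload):
            findings.append(f"PE header in attachment: {name or '<unnamed>'}")
    return findings


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return bait words, findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).lower()
    bait = sorted({w for w in re.findall(r"[a-z]+", subject) if w in BAIT_WORDS})
    findings = attachment_findings(msg)
    if findings:
        verdict = "block"      # executable content: never deliver
    elif bait:
        verdict = "warn"       # bait subject, no executable: deliver with a banner
    else:
        verdict = "ok"
    return {"subject": subject, "bait": bait, "findings": findings, "verdict": verdict}


def build(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a sample message (test data, not a captured lure)."""
    m = EmailMessage()
    m["From"] = "news@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Full story attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60          # constructed MZ stub, not real malware
LURE = build("230 dead as storm batters Europe", "Full Story.exe", FAKE_PE)
RENAMED = build("Election video: see it before it is pulled", "clip.avi", FAKE_PE)
BAIT_ONLY = build("Breaking: flood video", "story.pdf", b"%PDF-1.4\n")
BENIGN = build("Meeting notes for Monday", "notes.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for raw in (LURE, RENAMED, BAIT_ONLY, BENIGN):
        r = scan_message(raw)
        print(f"{r['verdict']:5}  {r['subject']!r}  bait={r['bait']}  {r['findings']}")
```

The two-tier verdict matters in practice: a bait subject alone is a reason to warn the user, but executable content is a reason to block outright, and checking the bytes as well as the name is what stops the "video clip" that is really a dropper.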
Leaked high-profile stories of executives nailed by spear-phishing attacks
Civilian and military organisations have reported a significant number of targeted phishing incidents. The attacks use specially crafted email messages to trick a target organisation's users into visiting a site that looks legitimate but will actually attack any browser that surfs there. Some targeted attacks also include infectious email attachments.
In these so-called "spear-phishing" attacks, the bad guys trick humans into installing a Trojan horse backdoor in the target environment. With malware planted on a victim machine, the attacker has a software sentinel inside the target organisation, which can be used to control that system, take over others and exfiltrate sensitive information.
Some of the attackers look for low-hanging fruit, just any old user who they can trick into providing access inside a particular organisation. Craftier attackers have set their sights on more important targets: corporate officers and higher-up military personnel.
In 2008, we may see some leaked information about targeted, high-profile individuals who fell victim to such attacks. Incident handlers working on the case may inadvertently reveal more information than they should. Leaks could also be intentional, due to vendettas or legal requirements for breach disclosure. Make sure that your internal incident-handling team has a clear set of non-disclosure agreements, along with documented plans and policies for dealing with the press.
Increasing cyber-attack activity attributed to nation-states, not organized crime groups
Spear-phishing has occurred against major U.S. and European enterprises, and many allegations have cited China as one of the attacks' major sources. Chinese officials have countered by saying that similar attacks are waged against their country as well.
In the spring of 2007, a barrage of packet floods hit the highly wired, eastern European country of Estonia, taking down much of its electronic government and banking sites. Some observers claim that the flood was directed by the Russian government for political reasons, but the Russian government denies this and blames Russian nationalists.
This year, look for more suspicions of government involvement in cyberattacks. The continuing packet floods, cyber espionage, and infiltration of military and commercial networks will receive more press scrutiny than ever. We are now in the midst of a shift that will not supplant cybercrime, but augment it, as nation states increasingly use computer attacks to further their interests.
Decrease in disclosure rate of credit card compromise -- not because of fewer breaches
If an enterprise suffers a breach that exposes personally identifiable information (PII) to an attacker, state notification laws may require the organisation to alert citizens whose data was compromised. For a computer attack to be considered a breach, however, the data actually has to be exposed to the attacker, and most of these laws exempt data that was encrypted. With an increasing number of enterprises using desktop and laptop encryption tools, there is a chance that attackers cannot actually read the data they receive from a hacked system or stolen laptop.
But some desktop and laptop encryption tools aren't very good. Microsoft's Encrypting File System (EFS), for example, can leave clear-text remnants behind: when it encrypts an existing file, it writes a temporary plain-text backup copy and then deletes it without wiping, so the original contents remain recoverable from unallocated disk space until they are overwritten (wiping free space, for instance with Windows' cipher /w, closes that gap). Some tools (EFS among them) protect the file encryption keys with nothing more than the user's operating system logon password, instead of a separate, carefully guarded passphrase just for the cryptographic function, or an authentication token or smart card. If attackers can crack a user's operating system password, they can then decrypt that user's files with EFS and similar tools.
If an organisation suffers a breach, management must discern whether there was a reasonable chance that data was exposed. Even if the data is protected only by a weak encryption product, management will likely conclude that the sensitive information wasn't compromised.
In 2008, we may see less disclosure, but not fewer breaches. Such a trend will unfortunately hide the magnitude of real security problems. Enterprise security personnel should make sure that they use strong laptop crypto products. They should also verify and review the disclosure decision-making process with management and legal personnel.
This new year will likely spell busy times for information security professionals, as attackers continue to ramp up their abilities. Keeping up with the bad guys won't be easy, but it is vital that we understand their latest tactics and work diligently to thwart them. Don't get discouraged. Instead, remind yourself about how exciting these times are, and how we are fighting the good fight.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in January 2008