The Great Train Robbery of 1963 in Buckinghamshire, U.K., was orchestrated by a gang of 15 robbers that devised and executed a well-laid-out plan over the course of several months. Fast-forward 56 years and we’re still seeing gangs of modern-day robbers orchestrating elaborate plans – only in 2019, these plans leverage the power of technology and computing to carry out remote reconnaissance and data theft, all without the criminal having to leave home.
It’s been difficult to pin down the exact cost of intellectual property (IP) theft over the years, but recent estimates have placed the loss in excess of $225 billion and as high as $600 billion per year. The loss of a company’s IP, commonly the backbone of an organization, can be a business’ death knell, or failing that, a severe hurdle.
After getting into a system, insiders and nation-state attackers alike have a plethora of ways to pull off a heist and exfiltrate sensitive IP, be it source code, schematics or technical design files.
Supply Chain Woes
One of the more commonly exploited vectors used by attackers today is poorly secured third-party supply-chain vendors. Adversaries often take aim at organizations that have unfettered access to a multitude of customers, to get a foothold inside their primary target.
What better way than to steal the keys from one kingdom to access a universe of kingdoms?
To make matters worse, in most scenarios, visibility into these environments as a customer is essentially zero, meaning that at any point an attacker could gain unauthorized access without your knowledge. From there, they just blend right in.
A case I worked on recently involved an IT administration company and an attacker moving laterally through a third-party firewall. After they were in, the attackers leveraged the Windows Sysinternals utility PsExec to authenticate across the environment, using an account with Domain Administrator privileges stolen from the supply-chain vendor.
After identifying the data they were after, the attackers leveraged a file-compression utility, WinRAR, to compress and password-protect the IP; from there, they funneled the information back through the third-party firewall to exfiltrate. This allowed the attackers to avoid installing any malware or using any exfiltration protocols on the target network. The behavior was detectable after baselining the environment for lateral movement over the previous 60–90 days to identify anomalies. Doing so made the behavior stand out immediately.
Gaining a view of your environment’s normal day-to-day activity is crucial when it comes to sniffing out data-theft techniques like this.
Beware the ‘Inside Accomplice’
Another attack vector I’ve observed does involve some physical presence, but the majority of the attack is conducted remotely. These attacks, which can take place at data centers and small site locations, involve employees of IT telecommunication companies assisting adversaries in gaining access to their targets.
Consider the following real-world scenario: Scheduled routine maintenance on the company’s IT equipment takes place, but while on site, the technician performs some additional configuration one of the routers – which opens a backdoor for the attacker to stroll right in. The technique is no different than having an inside accomplice working at a bank, providing the access for carrying out a robbery.
In one actual case of this, the adversaries, once in, installed a well-known remote access Trojan, 9002 RAT, with an extensive list of exfiltration capabilities tying back to the attackers’ command-and-control infrastructure. Stored on each of the endpoints at this particular site was an application that synced trade-secret data to a local database. The backdoor was able to locate this data and tunnel it out over an encrypted protocol.
Detecting this type of behavior can be nearly impossible, but having a degree of visibility into endpoint and employee activity could have helped. Logging remote authentication attempts, alerting on unsigned binary executions and keeping a watchful eye on telecommunication techs surely could have helped this organization mitigate this scenario.
Insiders are always a concern given the level of access they have and their knowledge of where sensitive data is stored, but catching those criminals can be complicated when the insider feigns ignorance.
Consider this other scenario: An insider feeds intelligence to attackers and “accidentally” clicks on phishing links. I’ve seen employees of companies assist nation-state adversaries by simply opening the door for them: I worked on a case where an employee intentionally infected his computer, allowed the adversary to use his machine as a backdoor, then played the victim.
In that incident, the data the adversary was targeting had been stored in a compressed ZIP file on a network share. With logs, we were able to determine that six months prior, that same employee had compressed and stored the data.
Because of a lack of visibility on the organization’s servers, the data was successfully exfiltrated after the adversaries dropped a file with China Chopper code, a webshell capable of exfiltrating information back to a remote command-and-control server.
If your organization receives 300 phishing emails and 10 people click on the link, what happens to those 10 people? Sure, you can enforce some additional security-awareness training, but do you ever ask the question: “Was it intentional?”
Not everyone who clicks on a phishing attachment should be investigated, but it is good to be aware who’s clicking.
Organizations running externally facing web servers should always be on the lookout for suspicious files with odd timestamps on them. Some webshell variants are so small in size that searching by date modified, for files of approximately 73 bytes, could yield a good indicator that something may be afoot.
To stop IP theft – and this is one of the big lessons here – organizations need to make an effort to attain visibility across all of the devices in their network, especially servers.
In about 75 percent of the cases I’ve worked on, exfiltration attempts occur from a server because their required uptime makes them more accessible targets for data theft. Conversely, computers that are shut down at the end of every day aren’t reliable targets.
A majority of the gang members in that Great Train Robbery of 1963 ended up with convictions and in prison after attempting to hide out at a farm. Today’s robberies often end with no conviction, so it’s imperative we protect our assets as best we can and respond immediately to prevent any exfiltration of sensitive information.
(Tim Bandos is vice president of cybersecurity at Digital Guardian.)