In 2013, the Red October Attack was discovered by Kaspersky which was successful since 2007. It was a malware attack which targeted government officials, Embassies and Diplomatic Agencies, Universities and Research Firms, Commercial Organisations,Nuclear Energy Labs, Oil and Gas Companies, Aerospace Institutions and Military organisations. In this post we will discuss various detection and mitigation techniques which could be used to avoid attacks like Red October.
The government agencies and other high-level organisations/professionals must have a detection and mitigation techniques strategy plan in place. This will help them to reduce the response time and unplanned costs. The systematic strategy plan will also protect the organisation’s reputation in the wake of any cyber-attack. There are various detection and mitigation strategies available, following are the few significant strategies used by NASA which could have prevented ROCRA attack:
Update and Upgrade Software Immediately
All the software must be updated regularly. Whenever any software has vulnerabilities, the hacker exploits it. In response the developers launch a patch to cater for vulnerability. But hackers are fast in studying the patch and creating a new exploit. Therefore, automating the process is imperative to prevent hackers from creating new exploits. The updates must be authentic, usually they are signed and delivered over secured links to maintain the integrity of content. This mitigation strategy is detective and preventive in nature. It is difficult for client to keep upgrading and updating software immediately after a release of known vulnerabilities and their patches. It is time consuming process, but the security and safety outweigh the comfort and thus the client must keep the software always updated.
Defend Privileges and Accounts
To maintain seamless operations, privileges must be assigned based on risk exposure. The organisation must implement Privileged Access Management (PAM) to automate the credential management and fine-grained access control. The procedures to reset the credentials must be created and implemented securely. Hackers usually target administrator credentials to access high-value assets and to move freely with in the network, therefore privileged accounts and services must be controlled and managed properly. This mitigation strategy is detective and preventive in nature. It is not at all a time consuming and difficult process; the client will only need to setup the Privileged Access Management (PAM) once and it also provides safety and security to client’s machine.
Enforce Signed Software Execution Policies
The modern operating systems ensure that only signed software execution policies for scripts, executables, device drivers, and system firmware can run on the system. To avoid attacks like ROCRA, where a module self-installs on target’s system, it is imperative that such modern operating system is used. The OS must maintain the list of trustedcertificates to detect and prevent the installation of illegitimate executables. The client’s system integrity can only be ensured when used in conjunction with a secure boot capability. Moreover, application Whitelisting must be used with signed software execution policies to ensure greater control. This mitigation strategy is preventive and detective. This technique is not time consuming and difficult. It increases the system performance, speed and security by stopping the installation and running of unwanted executables.
Actively Manage Systems and Configurations
The client must take inventory of all the hardware and software regularly and remove the new, unwanted, unneeded or suspicious hardware and software from the network. The client should also manage devices, applications, operating systems, and security configurations regularly. This is a prevention and detection mitigation strategy. This technique is a bit time consuming on regular basis but not difficult at all. To ensure the safety and security, the client will need to spent time and resources while detecting suspicious hardware and software in the network.
Continuously Hunt for Network Intrusions
The administrator responsibility is to proactively detect, contain, and remove any malicious presence within the network. In other words, if client finds a new server or connection which is suspicious, then it must be removed from the network immediately. To find malicious and autonomous behaviour in the network, administrator usually uses Passive detection mechanisms, such as logs, Security Information and Event Management (SIEM) products, Endpoint Detection and Response (EDR) solutions. To prevent any breaches in the security, ethical hacking should be performed to improve the incident response procedures. This mitigation strategy is detective, responsive and responsible for recovery. This method will require the client to spend time regularly to continuously hunt for network intrusion which will ensure the safety of network. This task may be costly as using various detection tools is expensive, but this task is not difficult at all.
Leverage Modern Hardware Security Features
It is imperative that a client uses security features such as hardware virtualisation, Unified Extensible Firmware Interface (UEFI) Secure Boot and Trusted Platform Module (TPM). If a modern OS is used on outdated hardware, then it can reduce ability to protect the system, user credentials and critical data from hackers. Therefore, all the older devices must be refreshed regularly. The modern hardware comes with various features which can increase the integrity of the boot process and provide system attestation. Such hardware can also support features for high-risk application containment. This mitigation strategy is identification and preventive in nature. It is expensive and difficult for client to refresh he older devices regularly but at the same time it is imperative to do so to provide network safety and security.
Segregate Networks Using Application-Aware Defences
All the critical networks and services must be segregated using application-aware network defences to block unnecessary traffic and restrict content. The sophisticated, application-aware defensive mechanisms is imperative for modern network defences because hackers hide malicious actions and remove data over common protocols. This is a detection and protection mitigation strategy. This restriction may impact the entertainment services in the network like in hospitals video services/traffic are prohibited on networks. Moreover, it is not difficult and time consuming as the client will only have to setup the restrictions once and may need to revise them later if necessary.
Transition to Multi-Factor Authentication
All the high-level administrators and professionals must be given elevated privileges and remote access over high value assets. To supplement passwords and PINS, physical token-based authentication systems must be used. To prevent attacks like ROCRA, it is imperative that all the important systems have multi-factor authentication. The ROCRA attack purpose was just to steal data and not interrupt services or operations of clients. Therefore, to stop such attack, increasing the confidentiality will not affect the availability of data at all. The client will be able to access data after going through multi-factor authentication. This mitigation strategy is identification and preventive in nature. This strategy is not difficult and time consuming and will only need a setup to be done once. Although it can be expensive to install and employ software and hardware which can provide multi-factor authentication.
Exercise a System Recovery Plan
Every organisation must have a disaster recovery strategy, which must include a system recovery plan to ensure the restoration of data. In the wake of cyber-attack, the plan must protect critical data, configurations, and logs to provide continuity of operations. All the files should be encrypted, and the back-up must be stored offsite or offline. This back up must provide complete recovery and reorganisation of systems and devices. The recovery plan must be update regularly depending on the changing network environment and equipment. This technique is responsible for identification, response and recovery. The plan and execution of this strategy can be expensive as the client might need to pay for cloud services to back up the encrypted data. The planning is time consuming, but it is necessary to ensure safety of all the critical data.
Following are various incidents and the simple prevention techniques which could have saved a lot of people from ROCRA attack:
IT Officer of any organisation
|1||Email Phishing||The client should never open any email from unknown sender. They should never download attachments from emails which are from untrustworthy sender.||Security officer should teach the client user to not open an email from unknown and untrusted sender.|
|2||Vulnerabilities||The client should not install any software with known vulnerabilities in their system.||IT officer should only install that software which have no vulnerabilities in the client system/company systems.|
|3||Malware Installation||The client should not allow any module installation which looks suspicious.||IT officer should make sure that no module is installed without IT administrator authentication on the system.|
|4||Data Communication with C&C server||The client should keep an eye on traffic being sent or received by the system and should report to IT officer, if any suspicious traffic is spotted.||The IT officer should keep looking for the new server connections and should stop the connection as soon as malicious server is spotted.|
|5||Stealing Information/personal files||The client should keep their important files encrypted on their system.||IT officer should ensure that no one can send/transfer important files or data without client’s proper password authentication.|