Hacking 2003: The new agenda

Zone Labs CEO Gregor Freund says hackers are shifting their focus from committing acts of cybervandalism toward carrying out more targeted attacks. Can they be stopped?

Bank robbers rarely choose a target at random when planning a heist. They usually have intimate knowledge of their target, scope it out and plan the attack. We see a similar approach now being used on the Internet.

But the goal for hackers is changing. Five or six years ago, most were mere vandals, attacking vulnerable targets with an experimental, shotgun approach. Malicious hackers concentrated their efforts on destructive viruses and swiftly spreading worms that crawled haphazardly across the Internet, infecting individuals and corporations indiscriminately. The only real payoff these hackers received was a perverse pride--bragging rights and the ability to regale others with the scope of their destruction.

Other hackers were more pure in their motives; they probed defenses to increase their knowledge, publicized vulnerabilities to encourage stronger security, and even fought for social justice using "hacktivism."

While I can't condone any of these behaviors, today we're seeing a far more dangerous hacker attack--the targeted attack. Targeted attacks are carried out by highly skilled hackers motivated by financial gain and armed with the expertise to do serious damage.

They brandish a sophisticated array of tools against very specific targets, shifting the game from haphazard Internet tinkering to pinpointed assaults with the potential for major damage. And this trend is snowballing: Both the number of targeted attacks and the financial ramifications of these attacks are increasing.

Every year the Computer Security Institute and the Federal Bureau of Investigation survey a group of approximately 500 U.S. companies about financial losses due to security breaches. The 2002 data shows an increase in reported financial losses of 21 percent, or $455.8 million. That figure is especially noteworthy when compared to 1997's reported losses of a mere $100 million.

A statistic from Riptech, a provider of security services, illustrates this expanding problem; targeted attacks against its customer base last year reached 40 percent, far above the expected 15 percent.

The bottom line? We are seeing an increase in the number of targeted attacks resulting in escalating financial losses for corporations and serious security compromises for government organizations.

If those statistics don't seem impressive, consider this: Those numbers are based upon reported attacks. Many organizations will not report damages suffered from attacks, or even the fact that they've been attacked.

To clearly grasp the potential effect of targeted attacks, consider the damage done by the Code Red and Nimda worms of 2001, when estimates of corporate losses topped more than $3 billion in lost productivity. But lost productivity is the proverbial tip of the iceberg when it comes to these exploits.

As damaging as Code Red and Nimda were, the harm that they inflicted came mostly from the network traffic slowdowns that they caused--and from the amount of time that it took to "disinfect" computers. Imagine, though, an automated threat that combines the unprecedented infectiousness of Nimda with a malicious "payload" that erased hard drives or searched for likely confidential files.

Such exploits could yield top-secret national intelligence, valuable intellectual property or sensitive customer information. A chief information officer at a major defense contractor recently shared her fears: It's not the next Code Red or Nimda that worries her; it's the thought of someone using the elements of Code Red or Nimda to craft a specific, targeted attack on her enterprise networks that keeps her awake at night.

The problem is that hackers have already moved beyond basic tools like viruses and port scanners to more sophisticated techniques that use such tools more in concert with each other. We've all heard about the type of Trojan horse that can open "back doors" to a network, often remotely. These mechanisms, called RATs for Remote Access Trojans, monitor traffic, intercept passwords and establish secret communication channels for the hacker to use at will in order to pluck sensitive information and deliver it back to "hacker HQ."

A major software manufacturer has already become a victim of this type of attack. The intruders (yes, there were more than one) had three months of unfettered access to the company's "trustworthy" network before the incursion was even noticed. Did they steal source code, or--even worse--did they secretly modify it?

And, of course, there's a new twist. Rather than using a Trojan horse that operates as a separate, standalone application--which may be discovered--hackers now employ "malware" that subverts your other, trusted applications.

They use your copy of Outlook or Internet Explorer to send the hacker your corporate secrets--and even to make sure that the "tag-along" transmissions are encrypted with Secure Sockets Layer!

If your trusted applications are doing the communicating, most security measures let them pass without a second glance. And by using several types of malware that act in concert, these techniques can leave no evidence of the targeted attack, let alone a trail to follow.
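The point above is that a control which asks only "is this a trusted program?" cannot tell an application doing its normal job from the same application being used to carry data out. The following Python snippet is an added illustration, not code from the article or from Zone Labs: it compares that process-only decision with one that also considers where the process is talking to and how much it sends. The log lines, host names, process names and the 10 MB volume threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed outbound-connection records (not real data):
# process,destination_host,port,bytes_out
SAMPLE_LOG = """\
outlook.exe,mail.example-corp.internal,443,12040
outlook.exe,mail.example-corp.internal,443,8800
iexplore.exe,www.example.com,443,3100
iexplore.exe,intranet.example-corp.internal,80,900
outlook.exe,203.0.113.77,443,48210000
iexplore.exe,198.51.100.9,443,125000000
"""

# Binaries the organisation trusts; a process-only rule lets these through unconditionally.
TRUSTED = {"outlook.exe", "iexplore.exe"}


def parse_log(text):
    """Turn the comma-separated records into dictionaries with typed fields."""
    records = []
    for line in text.strip().splitlines():
        proc, host, port, nbytes = line.split(",")
        records.append({"process": proc, "host": host,
                        "port": int(port), "bytes_out": int(nbytes)})
    return records


def process_only_allows(record, trusted):
    """The weak check: a trusted binary passes no matter where it connects."""
    return record["process"] in trusted


def build_baseline(records):
    """Learn, per process, the set of destinations seen during a clean period."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["process"]].add(r["host"])
    return baseline


def baseline_allows(record, baseline, max_bytes):
    """Stronger check: process AND destination must match the baseline,
    and the outbound volume must stay under a sanity threshold."""
    known_hosts = baseline.get(record["process"], set())
    return record["host"] in known_hosts and record["bytes_out"] <= max_bytes


def find_exfil_candidates(records, baseline, max_bytes=10_000_000):
    """Return records a process-only policy would pass but the baseline policy rejects."""
    return [r for r in records
            if process_only_allows(r, TRUSTED)
            and not baseline_allows(r, baseline, max_bytes)]


RECORDS = parse_log(SAMPLE_LOG)
# Assume the first four records come from a known-clean learning window.
BASELINE = build_baseline(RECORDS[:4])

if __name__ == "__main__":
    for r in find_exfil_candidates(RECORDS, BASELINE):
        print(f"suspect: {r['process']} -> {r['host']}:{r['port']} ({r['bytes_out']} bytes)")
```

Every record in the sample uses port 443, so "it is encrypted" tells the defender nothing here; the two flagged connections stand out only because a trusted process is sending tens of megabytes to a destination it has never used. The baseline is deliberately simple (a set of hosts per process); in practice it would need a learning window long enough to cover legitimate variation, otherwise every new mail server or web site becomes an alert.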

Believe it or not, this can happen even with major corporate investments in security technology. In fact, your security technology may not be able to let you know that you've been the victim of a targeted attack due to the high level of customization that is involved in such a breach. You may not find out that you've been attacked until your competitor introduces your secret new product before you do or displays an eerie ability to get in front of your prized customers and prospects before your sales team can do so.

With the escalating sophistication of attack methods and the richness of prizes available to hackers, we are far from safe. Think of cyberattackers as innovative entrepreneurs--we must also innovate to stay one step ahead of their game. Corporations, government, technology vendors--especially the security industry--must take a proactive approach to security and continue to promote innovation and competition. After all, it will cost us dearly if we fall behind the innovation curve of those highly motivated hackers who carry out targeted attacks.