The Impact of a Cyberattack is a Lot Bigger than You Think

A recent report by Deloitte suggests that most of the impacts of a cyberattack are not considered by senior management and network professionals.  The report describes two types of impact: “above the surface” impacts are direct costs that are well considered, while “beneath the surface” impacts are less understood and, as a result, not considered when assessing risk.

The report mentions 14 impact factors in total, 7 above the surface and 7 below.  Although one might disagree how cut and dried this 50:50 split really is, the report certainly raises important areas of consideration that budget holders must look into when deciding on cyber-protection spend.  That said, while a rough cost has been attributed to each of these impacts in the report, the cost in real terms should be considered on a business-by-business basis.  For example, one of the hidden costs, ‘value of lost contract revenue’, would be far larger for a business trading on long-term contracts than for a brand-focussed B2C business.

The ‘above the surface’ costs are as follows: technical investigation, customer breach notification, post-breach customer protection, regulatory compliance, public relations, attorney fees/litigation, and cybersecurity improvements.  The report’s principal author, Emily Mossburg, states “the effects of a cyberattack can ripple for years, resulting in a wide range of ‘hidden’ costs—many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information or other strategic assets.”  These hidden costs of course vary from industry to industry and business to business, but each can be estimated fairly easily if you’re looking for a rough idea of risk.

The most eye-catching statistic raised, however, is the scale of these hidden costs.  The report suggests that over 90% of costs in real terms could be made up of the hidden costs, largely lost contract revenue, lost value of customer relationships, and devaluation of trade name.  The impact on an engineering business, or any other business whose value is concentrated in a few key assets, could be even more alarming once loss of intellectual property is considered.  The increase in state-sponsored cyber espionage adds to this IP-loss risk, with accusations all over the globe of governments stealing valuable IP from commercial entities.

How much reports such as this will change how businesses protect their networks remains to be seen; however, the days of just deploying a firewall and some anti-virus and having a post-incident plan in place are certainly over.


The Snoopers’ Charter and the new Prime Minister

The long debates over the Investigatory Powers Bill continue, although now that the Home Secretary who so passionately brought the bill forward is the Prime Minister, concerns are growing that there could be an impact on personal data privacy.  Even more so since on the 13th July Earl Howe suggested that “intelligence agencies must retain the ability to require telecoms operators to remove encryption in limited circumstances, subject to strong controls and safeguards, to address the increasing technical sophistication of those who would seek to do us harm.”  The suggestion that backdoors in encryption will be made for security purposes opens up new concerns for security professionals, since it fundamentally weakens cybersecurity, leaving data exposed should anyone other than the intended intelligence agencies gain access to that backdoor.

Head of Perception Cyber Security, Dan Driver, meets the new Prime Minister Theresa May at an event in 2014, while she was Home Secretary

Although the government’s and the new Prime Minister’s view is that this bill would keep the country safer, the potential negative effect on the innocent is often seen as too large to accept.  Many companies have already taken action to avoid the impending success of the ‘Charter’: Eris Industries, a blockchain infrastructure company, announced it would leave the UK due to surveillance concerns, and the same occurred with social media start-up

But what of the data collected?  How can ISPs ensure that the 12-month backlog of user activity they will be obliged to keep is fully protected?  There will be an expectation that extra layers of security will be put in place to protect what must be huge swathes of user data, but what form that protection takes will, understandably, be kept under wraps.

Dridex switches from office docs to security notifications in new spam run

Dridex is back, after seemingly dropping out of favour once all major filtering systems tried to find a way to defeat the macro-downloaded payload.  Building in popularity throughout May and June, this new iteration uses scare tactics to convince the user to open an attached .zip file.  Previously Dridex was deployed via a macro by convincing the user to open an attached Office document.  Now the attachments are ‘security notifications’, and the email pretends to be a notice of a blocked attachment supposedly sent by the mail server.  When paired with a certified application (CertUtil) the threat is more likely to pass through sandboxing solutions, meaning infections are much more difficult to block.  CertUtil can quite legitimately have macros packaged up with it.

Whilst this shouldn’t change much for network security professionals, as the advice remains not to open anything you’re not expecting and always to stay suspicious of compressed files from anywhere, it could increase the occurrence of Dridex infections.  As a result, stay vigilant for any suspicious network activity that could indicate a Dridex presence on your network.

Although the download vector has changed in this new iteration, researchers at Trend Micro (who have already added protection to their MainlineDV filter) suggest that once downloaded, the malware behaves the same as before.  That is to say, keep your network monitoring running and a keen eye out for an increase in Dridex again.


Over half of UK business decision makers are worried about cyber attacks

Recent research carried out by YouGov Plc and Noddle Protect (part of Callcredit) suggests that over half of the decision makers in large businesses regard cyber-attacks as something that keeps them up at night.  Slightly less than half of the 281 respondents said that they were having sleepless nights about a data breach resulting from data theft or irresponsible action.

When discussing the consequences of data breaches, the primary concern for respondents was reputational damage.  This was seen as more concerning than loss of customers, regulatory fines or falling share prices, which suggests that for decision makers in large businesses the long-term effects of a data loss incident are more concerning than the short-term impacts.

However, most decision makers feel that they are prepared for a breach: 81% of participants say their business is ready to tackle this problem.  The biggest variation came in exactly how these companies were prepared.  Post-crisis management processes are common, with over half having a business continuity plan and only slightly fewer having a crisis management plan.  The statistics for catching and dealing with in-progress incidents were comparatively low; only 39% have a security monitoring team, suggesting that the focus is on what to do after an attack, not on detecting one in progress.


3 Reasons Why Organisations are Unprepared for Cyber-Security Incidents

Research from NTT Com Security’s 2016 Global Threat Intelligence Report suggests that over the last three years, over three-quarters of organisations were unprepared for cyber-security incidents.  In 2015 NTT analysed 3.5 trillion (yes, trillion) logs and over 6.2 billion attacks.  It’s worth a read for any network security professional, but the stand-out conclusion seems to be the same thing we hear all the time: businesses are not setting themselves up properly to avoid a major cyber incident.

So we tasked our analysts with finding out why businesses don’t have the necessary expertise or equipment to deal with these threats, and they came back with 3 things you may not have considered:

They think they’re protected enough already

Many security companies tell customers that their product(s) protect them from any network threat, and in the past this may have been reasonable.  The reality is that with the latest threats originating from both inside and outside the network, this no longer holds true.  Security needs to be applied in layers, including staff training, technology and buy-in from all levels of the business.  Budget needs to be put aside and assigned to mitigate these vulnerabilities.

They can’t see the issue until it’s too late

Many organisations just don’t have visibility of what users and software are doing on their network.  Whilst this is sometimes not necessary, as a network changes new vulnerabilities open up, and these organisations may have a security hole that they are simply not aware of.  This makes it difficult to build a business case for investment without the evidence to show how many ‘near misses’ there may have been.

They don’t look for long-term solutions

In many cases it seems that finding the malware is the end game.  While many products can assist with catching malware ‘in the act’, it is often better to find the vulnerability or misconfiguration that allowed the malware or malicious user to get a foothold and prevent it from happening in the first place.  Catching malware alone is like bailing water out of a sinking ship rather than plugging the hole that the water is coming in through.  Yes, they’re technically solving the problem, but there’s a simpler and longer-term solution available.


Of course there are countless other reasons why this might be the case, but it’s worth considering whether you, or anyone you know, falls into any of the above categories.

From the Labs - Data Exfiltration Scenario

The staff in Perception labs are asked one question more than any other by our customers and analysts alike: “What’s the most likely way a cyber-attack is going to occur?”  Realistically we don’t know, since the answer depends on a myriad of factors, but we can always say there is a way of breaching any system without being detected.  Our engineers, researchers and analysts are constantly trying to discover these methods so that our products stay ahead of the attacker’s next move.

Simon Miles, an engineer in Perception labs, was kind enough to describe a hypothetical attack on a mid-size corporate network that would breach the typical security setup of most businesses today.  It’s worth noting that while we have seen the component parts of this attack in the wild, this is not a description of any real-world attack on a business, nor does it represent the security measures of any Perception clients. 

Data Exfiltration Scenario

1. A threat actor (hacker) performs some initial background research using a mixture of social media and web research to identify a suitable person of interest within the organisation to be targeted.  The identified user is going to be the target of a social engineering attack that will be used to compromise their machine and eventually obtain confidential information that will be used for ransom or other means.

2. The identified user is sent a tailored spear-phishing email that references something of specific interest to this person, builds trust with the end user and coaxes them to open an attached Excel spreadsheet (e.g. Enhanced_Bonuses_For_Next_Year.xlsx, spoofing the managing director’s email).  The spreadsheet contains a macro which downloads a malware dropper payload.  The payload uses obfuscation techniques ensuring that it is unique, rendering existing signature-based defences such as AV, IDS and IPS ineffective and also preventing analysis in a sandbox environment.

3. The macro contained has the ability to detect virtual machine environments using time-based analysis to avoid detection in sandboxing.

4. The dropper installs and sets up a Remote Access Trojan (RAT) which will leave a small footprint on the user’s device.  The RAT has been encrypted using paid-for tools that are easily downloadable online, which makes it fully undetectable (FUD) by the user’s anti-virus.  The RAT runs in memory and is persistent.

5. The RAT is configured to establish a Command and Control (CnC) channel back to its control server using DNS port 53 as the control channel.  DNS is often overlooked by security appliances as a method for CnC.

6. The RAT is configured to beacon home periodically to get more commands and actions to perform.

7. The RAT uses a Domain Generation Algorithm (DGA) when performing the DNS lookup for the C&C server to avoid any domain name being blacklisted and to reduce the likelihood of detection by blacklisting.

8. The RAT is instructed to perform some reconnaissance activities on the network to allow the attacker to identify potential targets of interest, e.g. file servers, databases, etc.

9. The RAT performs a sweeping port scan (‘low and slow’ to avoid detection), identifying a few hosts and services of interest.

10. The attacker has determined that there is a server running an FTP service and would like to investigate further, as this may hold company information.

11. Using common usernames, the attacker initiates a brute-force password attempt against the FTP server to gain access to the information.  This attempt fails due to the hacker using a username that is not valid on the FTP server.

12. After failing to brute-force the password on the FTP server, the attacker needs to gain valid credentials from a user who has a valid login.  To do this the malware modifies the system settings in such a way as to generate a configuration fault on the victim’s machine.

13. The initially exploited user then contacts their IT department to raise the fault with their machine.  An IT admin shortly arrives and uses their own credentials to log in to the machine, at which point a software key logger (installed by the RAT) is used to obtain these credentials.  The configuration fault on the victim machine is rectified by the IT admin; however, the malicious applications remain operational.

14. The attacker now has further domain information to retry the brute-force access against the FTP server.

15. The attacker successfully establishes a connection with the FTP server and has full access to its data.

16. The attacker now has what they were after and can exfiltrate the sensitive data out of the network via the victim machine.  The attacker sends out 1GB of files over an 8-hour period to a cloud service they have access to.  This data is sent using port 443 HTTPS and is encrypted, preventing detection by many security products.

There are many different variants that could be implemented, for example using Twitter as the CnC channel or exfiltrating by USB stick; however, the general process of the attack would stay largely the same.

The important thing to take away here is that, aside from restricting all users’ behaviour on a network, there is little network admins can do to limit malicious network behaviour.  As attackers get better, prevention gets more difficult and detection becomes more important.  It is important that information security personnel understand the need for the network monitoring layer.

Whilst we can’t speak for other network monitoring products, Perception would:

· Identify the misuse of the DNS protocol in step 5

· Identify the CnC beaconing behaviour in step 6

· Identify the use of a DGA in step 7

· Identify the port scan surveillance in step 9

· Identify the brute-force attempt in step 11

· Identify the egress of data from the network in step 16
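As an added illustration of what network-level detection of steps 5 to 7 can look like (example code written for this page, not Perception’s product logic), the Python below checks a constructed resolver log for DGA-style query names and for regular beaconing from one client.  The log lines, the client addresses and the thresholds are assumptions made for the example.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log (not real traffic): "timestamp client qtype qname".
# 10.0.0.23 resolves random-looking TXT names every 5 minutes; 10.0.0.50 browses normally.
SAMPLE_LOG = """\
2016-07-14T09:00:00 10.0.0.23 A www.example.com
2016-07-14T09:00:05 10.0.0.50 A mail.example.com
2016-07-14T09:01:00 10.0.0.23 TXT k3rq9xwvbz.net
2016-07-14T09:03:30 10.0.0.50 A www.example.org
2016-07-14T09:06:00 10.0.0.23 TXT xq7v2kd9pl.net
2016-07-14T09:11:00 10.0.0.23 TXT mzt81ycvqp.net
2016-07-14T09:16:00 10.0.0.23 TXT wq4hzk7vtx.net
2016-07-14T09:21:00 10.0.0.23 TXT pz9kqvw3rt.net
"""

def parse_log(text):
    out = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        out.append((datetime.fromisoformat(ts), client, qtype, qname.lower()))
    return out

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def is_dga_like(qname, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: a long, high-entropy registered label with few vowels.
    Thresholds are assumptions for this example; tune them on your own traffic."""
    parts = qname.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else ""
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return label_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def find_beacons(records, min_queries=4, max_cv=0.15):
    """Flag (client, qtype) pairs whose query gaps are near-constant; returns
    sorted [(client, qtype, period_seconds)].  A coefficient of variation near 0
    means the client is asking at a fixed interval, as a beaconing RAT does."""
    times = defaultdict(list)
    for ts, client, qtype, _ in records:
        times[(client, qtype)].append(ts)
    found = []
    for (client, qtype), ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean and statistics.pstdev(gaps) / mean <= max_cv:
            found.append((client, qtype, round(mean, 1)))
    return sorted(found)

def analyse(text):
    records = parse_log(text)
    dga = sorted({q for _, _, _, q in records if is_dga_like(q)})
    return {"dga": dga, "beacons": find_beacons(records)}
```

Either check alone produces false positives on real networks (CDN hostnames are high-entropy, software updaters poll on a timer); the point of the scenario is that the two findings from the same client, in this order, are what should raise the alert.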

The genius of modern malware is that none of the steps described above is, on its own, something to be alarmed by on any network; in fact each is normally a result of typical network behaviour.  The flaw that modern security systems have is that without knowing what the user is thinking and legitimately wanting to achieve, the system can’t differentiate between legitimate user behaviour and software-based malicious activity.

In the example above, Perception would recognise that each piece of the above information, taken individually, is not indicative of an attack.  However, by mid-way through the attack, the system would look at the evidence collected so far and start to alert the analyst that the network behaviour, in that order, is

· unusual,

· potentially dangerous,

· and worth quarantining then investigating

You can learn more about Perception on the About page, or apply for a free trial of Perception here

Fully Undetectable Malware

Antivirus is designed to discover and stop or quarantine any malicious code running on the host.  Fully undetectable (FUD) malware is designed to evade antivirus products by encrypting or obfuscating the malicious executable code so that it no longer matches a signature in the antivirus product’s database.

However, malicious code uses stealth techniques that can go far beyond this.  A FUD piece of malware is only useful for as long as it hasn’t been successfully analysed, so the programmers include diversionary tactics in the program’s behaviour specifically to make analysis very difficult, if not impossible, by automated methods.  This can range from completely harmless behaviour when in a virtual machine, to constantly creating and deleting random new files so that analysts find it hard to identify its true behaviour.

For as long as the FUD malware is undetected, it will evade popular antivirus and cyber defence techniques, and therefore be of value to the attacker.  Fortunately for the attacker, antivirus and firewall systems compare what is actually happening against a list of known threats, and they often struggle to identify small changes in an executable file.  For example, “Malware1” and “mAlWaRe1” are not literally the same.

Tools designed to build some of the above techniques into malware have been available online for some time, as well as test sites where newly encrypted malware can be run against popular antivirus systems.  Recently a popular one was shut down, and two people in England have been arrested on charges related to running the service.

So what can we do to protect ourselves from FUD threats?  Broadly speaking the advice is still the same: keep firewalls and endpoint systems up to date, since FUD threats are usually successfully analysed within a few days of being identified and rules-based systems are updated shortly after.

Fortunately, FUD threats do not affect the effectiveness of network monitoring systems, as once exploited, each type of malware behaves in broadly the same way.  A network monitoring system such as Perception identifies the unusual and threat-like behaviour happening live, rather than detecting the exploit itself, so as long as Trojans are still Trojans and RATs are still RATs, network monitoring systems will work just as well.  Effectively, FUD gets the intruder through the front door lock but does not stop you detecting them with the internal burglar alarm sensors, if you have them.