The expert provides some interesting insight regarding the hacktivists' operations

Sep 26, 2013 01:26 GMT  ·  By

The attacks of the Syrian Electronic Army (SEA) have made numerous headlines over the past weeks. The high-profile attacks teach us a lot about the current cyber threat landscape.

We’ve done an interview on the topic with Gordon MacKay, the executive vice president and chief technology officer of Digital Defense, Inc., a network security company that specializes in providing penetration testing, vulnerability assessment, application development and security policies.

MacKay joined the company in November 2002. Currently, he is responsible for strategic design, planning, and establishment of platform road maps, new platform development initiatives, and maintenance of the company’s security information event management platforms and proprietary assessment solutions.

He also oversees the Platform Development architecture as well as manages the Platform Development and Vulnerability Research organizations.

Softpedia: The Syrian Electronic Army has been highly active over the past period. In many of their attacks, they’ve breached the systems of third parties to hijack the accounts and websites of their true targets. How efficient is this method and what can these third parties do to protect their systems against such abuse?

Gordon MacKay: The Syrian Electronic Army’s (SEA) primary mission is to unleash an onslaught of pro-government propaganda upon the Internet in support of the Assad regime. To achieve this goal, SEA has been attacking targets that have access to large media communication channels.

The motivation here is directly related to their mission. The compromising of their selected targets has resulted in the ability to quickly disseminate their views throughout the world.

Based on their stated mission, the list of their past targets and a detailed analysis of the breach events and methods used to compromise these selected targets, we can conclude SEA uses intelligence in its planning and are surprisingly organized. It is also evident that SEA is extremely efficient in achieving its campaigns and mission.

One of the strategies employed by SEA to successfully compromise their enemies and ultimately achieve their goals, attributed to one of Sun Tzu’s winning strategies, “Surround Wei to rescue Zhao”, is to indirectly attack the enemy by attacking one of their weak allies/relations.

One example of this strategy as applied within the context of internet security, involves attacking the weaknesses present within third party software and/or services that a primary target organization uses as part of their ongoing operations.

SEA has used this strategy very successfully on several occasions. A recent example of SEA’s use of this strategy is their successful attack against Outbrain.

Outbrain.com offers a content recommendation service that enables internet publishers to increase their web traffic at their websites. Outbrain achieves this by use of its “Widget”, which presents content from participating publishers over the widgets to the publishers’ subscribers. Its clients include large publishing giants such as CNN, Time, Washington Post, USA Today and many more.

SEA understood that by compromising Outbrain, they could in turn control and modify the content presented to the subscribers/readers of the participating publishers’ content. To achieve their end, they used a form of social engineering known as phishing.

In this instance, the phishing details involved SEA’s setting up a “WORD HERE” website that prompted a user for a username and password, crafting an email which included a link to this “WORD HERE” website and which appeared to come from the CEO of Outbrain, and then sending this email to all of the Outbrain employees.

One of the employees fell for the ruse and clicked on the link within the email and, upon arriving at this website, proceeded to fill in the form with their Outbrain username and password. SEA easily retrieved the entered username and password.

SEA was able to then retrieve these authentication credentials and then login to the widget control utility and modify the publisher’s content.

They redirected some of this content to an SEA propaganda site. Any reader who would then view a given publisher’s content and click on certain links would then be redirected to the SEA propaganda site where they would have an opportunity to read SEA controlled information. The success of this attack on a third party actually resulted in a compromise of content for three of SEA’s main targets.

Although phishing is not considered a very complex hacking mechanism, the conscious use of this strategy and the manner in which it was executed clearly show an advanced level of intelligence and organization behind the SEA. Several experts criticize SEA, stating the hacking techniques used are not advanced.

While I agree with this, I instead point out SEA members were wise to not use advanced methods since lesser sophistication is not as costly to the attacker and therefore provides SEA with more ROI. With that, one can argue they are effective planners as they have technical ability and understand the economics of warfare.

Softpedia: The SEA’s attacks clearly show that even less sophisticated methods, such as spear phishing, can be highly effective. How should such attack vectors be dealt with?

Gordon MacKay: Yes, I agree SEA’s attacks clearly show an attacker can achieve one’s goals with high gain with minimal complexity. I described above their use of spear phishing, in the sense that they limited their attack to employees of Outbrain (quite a few spears and quite a few fish).

In fact, according to SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. There are several types of solutions that protect against spear phishing attacks:

1. Employee Security Training

The majority of the security technologies offered in the marketplace have been those that do not cover one of the organization’s weakest links: the human element. According to a Ponemon Institute 2013 study, over 35% of breaches can be attributed to the human factor.

I would argue that regardless of the internet security technologies employed by a given Enterprise, consideration of the security risk involved with the human element is a must!

In order to “remediate” the weaknesses within the human element that give rise to security risk, all companies should invest in some form of employee security training, and preferably one which is effective.

2. Email Sandboxing

These types of technology solutions verify email links to ensure they are not malicious when a user clicks on them. They overcome the shortcomings of simple email spam solutions in that the link is actually tested by the solution in real time when the email recipient clicks on the link within the email.

3. Real-time analysis and inspection of your web traffic

With this technological solution, incoming and outgoing web traffic is inspected and analyzed in real time, thereby blocking many types of malicious activity.

I would propose an Enterprise select option #1 and either of the other two options. As mentioned above, any overall risk management program should include employee security training.

The reason is there always seems to be a way to bypass the technological protections when it comes to the human element; especially in the era where the traditional network boundary has been changing to include BYOD, enterprise IT outsourcing and use of IT cloud services.
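Added example, not code from the interview or from Digital Defense: a Python sketch of the time-of-click link verification described under Email Sandboxing. Links are rewritten at delivery to point at a hypothetical gateway (URL, signing key and the sample email are all constructed here), and the verdict is computed only when the recipient clicks, so a lure domain reported after delivery is still caught.

```python
import hmac
import hashlib
import re
from urllib.parse import quote, parse_qs, urlparse

# Hypothetical gateway address and signing key, constructed for this example.
GATEWAY = "https://linkcheck.example.test/click"
SECRET = b"constructed-demo-key"

HREF_RE = re.compile(r'href="(https?://[^"]+)"')

def _sign(url: str) -> str:
    # MAC over the original URL so the gateway cannot be abused as an open redirector.
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body: str) -> str:
    """At delivery time, replace every link with a gateway link that carries
    the original URL and its MAC. The real destination is resolved only on click."""
    def repl(m):
        url = m.group(1)
        return f'href="{GATEWAY}?u={quote(url, safe="")}&s={_sign(url)}"'
    return HREF_RE.sub(repl, body)

def click_verdict(gateway_url: str, blocklist: set) -> tuple:
    """Evaluated when the recipient clicks, so a phishing domain reported after
    the mail was delivered is still blocked. Returns (verdict, original_url)."""
    qs = parse_qs(urlparse(gateway_url).query)
    url, mac = qs.get("u", [""])[0], qs.get("s", [""])[0]
    if not hmac.compare_digest(mac, _sign(url)):
        return ("reject", None)  # tampered or forged gateway link
    host = (urlparse(url).hostname or "").lower()
    if host in blocklist:
        return ("block", url)
    return ("allow", url)

# Constructed sample message in the style of the Outbrain lure: a mail that
# points employees at a credential-harvesting page.
SAMPLE_EMAIL = ('<p>Please confirm your account today.</p>'
                '<a href="https://login-portal.example.test/reset">Sign in</a>')

def demo() -> tuple:
    rewritten = rewrite_links(SAMPLE_EMAIL)
    link = HREF_RE.search(rewritten).group(1)
    at_delivery = click_verdict(link, set())                    # nothing reported yet
    later = click_verdict(link, {"login-portal.example.test"})  # domain reported since
    forged = click_verdict(link.replace("login-portal", "other"), set())
    return at_delivery[0], later[0], forged[0]

if __name__ == "__main__":
    print(demo())  # ('allow', 'block', 'reject')
```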

Softpedia: Over the past weeks, other pro-Syria hacker groups have been spotted. Do you think these other collectives pose a real threat?

Gordon MacKay: Yes, there are other hacker groups that support the Assad regime. For example, researchers from Cloudmark, while analyzing hacked servers used by spammers, have found evidence of a group known as SeCuR!TY LiONS HaCK3RS. It appears they have defaced many websites with pro-Assad messages.

An answer with some substance behind it really requires a good understanding of security risk. Yet when one truly does understand this concept, one also realizes the answer, to quote Bob Dylan, “is blowing in the wind.” It is difficult to correctly answer this question with a high level of certainty due to the many unknowns that contribute to risk.

With this, I do not know whether or not they pose a real significant threat. I am not saying they have limited capability. It’s probable they have good capabilities and even if they don’t, they will most likely learn more over time and/or acquire more members who possess additional complementary skills.

I worry most when there is a strong motivation or desire to cause damage and harm. Risk involves several variables which may even influence each other. A simplistic view of risk involves three relatively independent variables: Weakness, Threat and Value.

The Threat component includes any agent, sentient or non-sentient, that can cause the value to diminish due to the presence of the weaknesses. In this case, we are only considering the part of “Threat” contributed by these other Syrian pro-Assad groups, of which some may even be completely unknown at this time.

The real question in my mind is how motivated are they and how does that motivation vary? Motivation changes across time due to many events. For example, SEA have clearly stated that their targets will become more varied and increase under various world events.

Even if it were the case that the SEA had only minimal hacking abilities, their evolutionary pace will most likely increase if their motivation increases.

Softpedia: Advanced and allegedly innovative enterprise security solutions are launched each week, yet we see more and more companies being breached. Why is that? Because of poor implementation of these solutions, because of the fact that they’re simply not efficient enough, or is it because the breached organizations don’t deploy sufficient security systems?

Gordon MacKay: I will make a bold statement here by claiming a root cause for the above stated question. Along with this claim, I must state that it excludes two possible cases:

1. The case where an enterprise fully understands the required elements that make up a successful security risk management program and yet chooses for economic reasons to not apply certain required elements and/or does apply them all but realizes they don’t have enough budget to bring the risk to an acceptable level, and

2. We are not including breaches that were part of what the enterprise deemed as an acceptable risk.

If we exclude the mentioned cases, I would claim the root reason for breaches that continue, even though there exists sufficient security technology, is the enterprise’s failure in understanding or in the execution of their Security Risk Management Program.

The reason why we are continuing to see companies being breached is that no matter how hard we try, we can't seem to get away from the fact that we are only as strong as our weakest link.

We continue to see companies look to new technologies as a way of economically addressing their security issues, yet companies still don't take the time to fully understand the threats they face, and the risk that those threats pose.

I also see the danger in that many companies still think that if they meet compliance standards, be it PCI DSS, HIPAA, Sarbanes-Oxley, or FISMA, then they are secure enough. This is dangerous.

Essentially, we're seeing more and more technologies and compliance standards sought after as a solution to the security threats we face. Bruce Schneier (2000) said ten years ago that "Complexity is the worst enemy of security," yet today we continue to create more complex security systems and meet new compliance standards in vain.

Also, we continue to see seemingly simple IS tasks, such as changing the default password on systems, being an issue among many organizations. This, along with the continuing threat of social engineering, continues to be our weakest link in properly managing risk. How do we get past this?

First, companies need to develop a Security Mission Statement. We can see that the hacker threat is becoming more and more organized - they now even have mission statements, as you can see on the Syrian Electronic Army’s web site.

The mission statement should say something like, "Our IT Security Mission is to effectively manage our enterprise risk and understand our threat while maintaining business viability in an economical way."

Next, when assessing their risk, organizations need to understand their mission and scope, and they need to develop a process. During this process, they need to ask the questions, "What are we trying to achieve? Where do we start?"

The vulnerability risks companies face today are numerous and complex - their IT assets, or ecosystem, are also complex. I continue to see that many large organizations don't even know where all of their assets are located. Why?

Companies are constantly evolving to meet market demands and their IT systems evolve as well. Companies are also faced with staff turnover. People leave, and they take their security expertise with them.

Furthermore, companies are continuing to partner with outside organizations. This makes their ecosystem even more complex. So even if your organization is managing security risk, you can't be certain that your partner is effectively managing risk.

And as we saw with the recent attacks by the Syrian Electronic Army, companies can face indirect threats as well. This continues to challenge organizations as they attempt to manage their risk.

Many, if not most, successful organizations today are looking to outsource part of their risk management to not only help assess the threats they face, but to also assist in providing focus and answering the questions "What are we trying to achieve? Where do we start?"

How Digital Defense Helps Clients

Managed services, such as Digital Defense's vulnerability scanning solutions, fit within an organization’s security mission. We not only help assess threats, we also assist in helping organizations manage their risk in a way that makes sense and will meet their mission statement.

Next, we have to continue to realize that security is only as strong as its weakest link, and that technology alone will not help us manage risk. That weakest link continues to be the human. The Syrian Electronic Army’s recent attack was successful.

Why? Did they hack their way past secure systems with an unknown Zero-Day vulnerability? No. They simply used one of the oldest, and easiest, methods to bypass any security system - social engineering. Why are security training programs failing?

Unfortunately, they too, like compliance measures, have become another checkbox for companies to mark off their list. Let's face it, training is most times tedious and boring.

Again, in its effort to assist companies in meeting their security mission, Digital Defense created a new and unique training program called SecurED, which demonstrated a 60% long-term learning gain in a recent Ponemon study.

Softpedia: What’s your take on the current cybersecurity landscape in general?

Gordon MacKay: I believe we are entering a new era in human history where there is no real precedence to compare against. I am not referring to the more localized security landscapes but rather, am referring to the landscape at the national level.

I believe this new era is the beginning of a very rapid competitive race between different nations in our understanding of all aspects related to cyber security.

What is very interesting to note is that this technological race will continue to factor in humanity as a key component and will most likely necessitate a better and deeper understanding of human psychology to combat these types of threats.

Photo: Gordon MacKay, CTO of Digital Defense