Organizations hit by a cyberattack have reason to call the attack "sophisticated." But calling an attack sophisticated doesn't make it sophisticated. We have put our heads together and come up with some rules for determining whether an attack is sophisticated, and we have put our names together (Ira and Ari) to give these rules a name: the Irari rules. If any of the following conditions occur, the attack is not sophisticated:
- The attack used malware that should have been detected.
- The attack targeted a known vulnerability.
- Multifactor authentication was not in use on the targeted systems.
- The attack exploited static passwords on critical servers.
- A strong, comprehensive awareness program was not in place, if phishing was involved.
- Detection mechanisms were not in place or were ignored.
- Proper network segmentation was not in place.
- User and administrator accounts that were exploited had excessive privileges.
If a bank leaves a bag of money sitting in the lobby, it doesn't matter if it is stolen by a master criminal or a street thug. Anyone with minimal skill and intent could do it. When an organization claims that an attack against it was sophisticated, it wants to imply that it was difficult to stop. But in case after case, although the organization of the attacks might appear sophisticated, the actual attack was fairly basic.
Even the FBI characterized last year's attack against Sony as sophisticated. Don't be fooled. Yes, administrator credentials were apparently hard-coded into the malware. Nonetheless, the malware's presence should have been detected. And the presence of the administrator credentials suggests several possibilities, none of them indicative of a sophisticated attack: 1) The Sony hack relied on a phishing attack, which better awareness might have prevented; 2) passwords were not changed frequently enough, if at all; and 3) there was a lack of multifactor authentication in use on critical systems. So, even if the attacker was the most skilled hacker in the world, the same results could have been accomplished by anyone with time and far-from-sophisticated skills.
Attacks like the one against Sony are the new normal. All organizations should expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities. What, then, does it take for an attack to rise above the new normal and be truly sophisticated?
Well, first, let's consider attacks that clearly are sophisticated. The Equation group, assumed to be tied to the National Security Agency, was able to go undetected for 14 years. It used malicious software to exploit zero-day vulnerabilities, impossible to detect and difficult to remove. It established excellent covert channels for communications back to its controllers. The Equation group was able to launch basically unstoppable attacks even against top-tier security programs. The nature of those attacks is very different from those that hit Sony and Target, for example.
From what we know about attacks by the Equation group, none of the Irari rules trip them into unsophisticated territory. Although we could have come up with additional rules, we believe that our list encapsulates almost all non-sophisticated attacks for the moment.
A closer look
Here's a breakdown of the eight Irari rules.
The malware used should have been detected. If the malware used is known well enough to be detected by anti-malware or antivirus software, then the attack cannot be classified as sophisticated. The attack could have been detected with properly configured and maintained tools available. Even if a sophisticated attacker was involved, an attack that uses detectable malware shows a lack of respect for the victim's security program.
The attack exploited vulnerabilities where a patch was available. If an attack exploited a vulnerability that could have been patched, the attack cannot have been sophisticated. A sophisticated attack would never rely on exploiting a vulnerability that could have been prevented. The fact that the known vulnerability existed on the exploited system demonstrates that anyone could have launched the attack.
Multifactor authentication was not in use on critical servers. Multifactor authentication is a common countermeasure for advanced security programs. It prevents a wide variety of potential attacks, including social engineering and password guessing. No attack against an organization whose critical servers don't use multifactor authentication can be considered sophisticated.
Static passwords were used in attacks on critical servers. Even with multifactor authentication in place, passwords should be changed frequently. Static passwords on critical accounts is just a poor security practice and represents an unsophisticated security program, and their presence eliminates the possibility of a sophisticated attack.
If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training. While we will acknowledge that there are some spearphishing messages that are very sophisticated, and even the most aware people might fall prey to them, these are rare. Exponentially more frequently, the organization's security awareness program is poor, if it exists at all. Security awareness programs that focus on computer-based training and phishing simulations are examples of poor awareness programs.
Detection mechanisms that could have stopped the attack in progress were not in place or were ignored. In the case of the Target hack, administrators apparently reported that their FireEye system detected unusual activity and were told to ignore it by management. In the case of the Sony hack, detectable malware on the network went undetected. Also, terabytes of Sony's most valuable data were exfiltrated and went completely undetected. When you have data that is so valuable, it is inexcusable not to have mechanisms in place to monitor for potential compromises.
There was poor network segmentation that allowed the attackers to jump from low-value networks to critical systems. Businesses want to save money by having seamless connections to all systems. While the Target hack is infamous for the attackers jumping from a vendor network to the point-of-sale systems, it is not unique. There are plenty of incidents that demonstrate that industrial control systems, even and especially in critical infrastructures, are on poorly protected business networks.
User accounts that were compromised had excessive privileges. It is very common for standard user accounts to have access to data and systems privileges that they don't need. Many organizations give employees administrator privileges on their PCs. This allows what should otherwise be a contained compromise that is easy to investigate to become a major incident. This again is the sign of a poor security program.
As you can see, the measure of an attack's sophistication is based upon the layers of security it had to bypass. And time and again, attacks that have been described as sophisticated should have been stopped at multiple points.
Why is it important that attacks be properly characterized? Claims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.
Pointing this out is not a case of blaming the victim. An organization that is attacked is not the bad guy. But organizations faced with the new normal do have a responsibility to deflect attacks that can be deflected, just as homeowners are expected to put locks on their doors and windows.
In fact, more sophisticated security programs should become the new new normal.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site, securementem.com. They will be doing a full presentation on these rules at the RSA Conference this Friday, April 24.