From Russia to Zero-Trust

 

A discussion on modern cybersecurity challenges and solutions with Peter Bahas CISSP, Senior Solutions Engineer at Keysight Technologies.

Any conversation about cybersecurity right now must consider the warnings by experts around the globe of a potential increase in Cyberattacks timed with Russia’s invasion of Ukraine. While Russia has long been recognized as a source of significant, nefarious cyber activity, one cannot help but wonder why a conflict between two European nations might spark a rise in cybercrime in Australia?

Advertisement

According to Peter Bahas CISSP, Senior Solutions Engineer at Keysight Technologies, this is just the latest in a host of reasons why organisations and governments must continue to shore up defences against cybercrime, and eliminate common gaps in order to do so.

Potential for Infrastructure Attacks

Peter has over 20 years’ experience designing, managing and securing networks across the world for large Enterprise, Government and Service Providers and is no stranger to understanding and thwarting cyber-attacks. He explains that, because Western allies like Australia are showing support for Ukraine and rallying against the war waged by Russia, it might make Australia a prime candidate for potential infrastructure attacks.

“You’ve got to remember, in today’s day and age, critical infrastructure systems for controlling energy grids, utilities, chemical plants, transportation and defense systems, to name but a few, are online and controlled by applications, making them susceptible to Cyber Attacks. What’s worse, is the attack can be initiated from anonymous networks, such as the Dark WEB, hence making it very difficult to point the finger at a particular Nation State or Cyber Criminal responsible for the attack. It is very easy to instigate a cyber attack and do significant damage,” states Peter.

“A lot of people have the misconception that, ‘a cyber-attack is something virtual, it’s online, it’s not going to affect me.’ That’s not true. In fact, nothing could be farther from the truth,” he says. “The damage and impact that can result from a targeted cyber attack may be equivalent to conventional warfare methods using artillery, missiles and explosives.”

Peter gives the example of a well-known cyber attack, the Stuxnet cyber weapon which resulted in substantial destruction on a nuclear facility in the middle east. Another famous case he references is the extensive damage caused by the cyberattack on Ukraine’s power grid.

“I was in the U.S. about ten years ago working with the National Guard and the Department of Homeland Security. In our discussions, I asked, ‘What do you think was the major cause of loss of life in Hurricane Katrina?’ Believe it or not, most lives were lost not through the hurricane directly, but through the lack of resources such as electricity, power and water that came about after the event. That’s where the major loss of life occurred. In terms of a cyberattack, where it is increasingly easy to target critical infrastructure thanks to increased connectivity and the internet of things, the threat to citizens is very real.”

When a country like Russia feels it is under siege from the global community, the potential for retaliatory cyberattacks extend well beyond attacks on critical infrastructure. According to Peter, the types of attacks we might see are – as always – directly correlated to the motivation of the people carrying out the attack. Whilst this can sometimes be a desire to disrupt in order to protest or send a message, it’s most often about money at the end of the day. The raft of stringent financial sanctions currently in place have the potential to give rise to a wave of finance-based crimes as groups and individuals seek to obtain money, wherever and however they can.

Combating a Rise in CEO Fraud

Peter gave the example of CEO fraud, which has been one of the more popular ways criminals have sought to steal money in the last few years, “costing organizations billions of dollars.”

“These crime gangs operate on the assumption that a command to do something, coming from a company’s CEO, will most often be met with little, if any, resistance by employees. As such, cyber criminals spoof or impersonate things like the CEO’s phone number, caller ID, email address and so on,” Peter states.

“It’s easily done. There are a host of websites out there that enable this kind of action. Email spoofing is just one example where the name of the CEO, along with his or her email signature and email address are used to send an instruction to an employee to immediately pay an invoice or transfer funds. The email might claim that if this request isn’t actioned immediately, then it could impact the continuity of business. Cybercriminals understand that urgency can be used to coerce people to circumvent normal due diligence and procedures.

“Unfortunately, once that transfer occurs, the funds are lost. This type of cyberattack has been very profitable for cybercriminals in the past few years.”

According to Peter, with a little diligence, these types of attacks are easily detected and thwarted.

“In order to detect and prevent such attacks, there are a number of telltale signs people should be aware of. The perpetrator begins the process of committing fraud by creating a domain that is similar to the original company web domain, but with a very subtle difference. For example, in the case of facebook.com, a criminal might spell Facebook using zeros instead of the letter O. Once the web domain is registered, it is a simple matter to set up an email address that looks like it’s coming from the CEO. For example, if the CEO was named John Smith, then his email address might be john.smith@faceb00k.com.

“The best defence against this type of attack is to train employees to be diligent, conduct employee online security awareness programs and then allow them to question unusual requests.”

Perimeter Security is Not Enough

According to Peter, what most people fail to understand is that, unlike CEO fraud, the majority of cyberattacks no longer come into an organisation through the perimeter.

“Traditionally, we’ve seen hackers attacking perimeter security targeting firewalls, intrusion detection systems, data loss prevention systems and the like, but in reality, these perimeter attacks are no longer the greatest threat. Most modern cyberattack activity is carried out by way of communications between trusted devices within organisations. The problem is greatly exacerbated in a couple of trends we are seeing. Firstly, the prolific onset of employees bringing their own, perceived trusted, but compromised devices (BYOD) into trusted network zones, and secondly, the fact that organizational secure perimeters have become more fluid, expanded but not well protected with new “work from home” methods. This presents a significant problem as this internal space is not being sufficiently monitored or protected by perimeter security. If a hacker can compromise just one host device that has access inside a trusted network, it can then propagate across the network internally within the organisation, in many cases remain undetected, possibly for months or years.

“To illustrate the point, we can look at what happened with the Equifax credit bureau back in 2017. Being a credit bureau, they housed hundreds of millions of files with personal information pertaining to users – their date of birth, their social security numbers and so on.

“As you might imagine, Equifax were heavily protected from a cybersecurity perspective, but they had one web server open to the internet to allow people to log complaints. Either the server wasn’t properly patched or had some other easily overlooked vulnerability, and as a result it was compromised,” explains Peter.

“Once that server was compromised, the perpetrators we able to infiltrate the organization and move into other servers that were not exposed to the internet, which meant they were considered safe. They were also able to access sensitive information in databases that were housed on other servers within the Equifax organisation.

“This is what is often referred to as an Advanced Persistent Threat (APT), where hackers were able to remain undetected and exfiltrate sensitive information piece-by-piece over time compromising the details of hundreds of millions of people. As you might imagine, this information can be quite lucrative, so it is put up for sale on the dark web where people buy it in order to hijack somebody’s identity and carry out fraud-based crimes.

“The point being, after the initial entry point this type of compromise happened through the internal corridors and was not picked up for a very long period of time.”

Zero Trust at a Packet Level

According to Peter,  a zero-trust architecture, where the communications between assets within the organisation are monitored to identify any anomalies, can quickly identify this type of attack, The best way to detect and prevent these sorts of internal attacks is through the monitoring of packets and metadata information, which only exists within the payload of the actual network conversations.

“Most corporate and government organisations have IT security staff working with a number of monitoring tools at their disposal; trying to identify, combat and work out what is happening as the result of a cyber-attack. In most cases, they are flying blind because they’re solely relying on logs and flow records, which summaries events or high-level notifications from their network or security devices, and are not the actual conversations that are the attack itself. To make matters worse, they’re trying to correlate these logs from different systems, which in itself is a challenging exercise.

“Hackers often erase logs so the security team may be working with incomplete data. These logs and flow records do not easily lend themselves to determining the anatomy or extent of the attack. Which files were exfiltrated? What sensitive information has been leaked? The answers have been hidden, having been encrypted by the hacker or funneled out of the organization via allowed common protocols that do not raise red flags such as Email, File Transfer or upload to Cloud Servers.

“There is only one way to really see the complete anatomy of an attack, and that’s by looking at the actual packets, the conversations, the actual frames including the metadata which represent those conversations. It’s like listening to a full recording of the conversation between the hacker and your infrastructure, rather than simply knowing that a person from point A accessed your network at point B.”

Of course what you really want to know is what activity they conducted whilst they had that access.

“Network Packets give you a complete picture of the actual code within those conversations that can initiate and propagate attacks,” says Peter. “It’s those packets that give you the full picture. So what organisations need to do is put methods in place which enable this capability. It’s quite simple. We often work with law enforcement to implement wiretaps. Similarly, in Networks we implement what’s called Network Taps, that are invisible in the Network and to hackers. They will never know you are recording and watching their activities.”

Only by monitoring these internal “corridor” communications, and maintaining zero trust between devices, even if they’re internal, can you truly protect your network. An organization must understand which systems should be talking to each other and – equally important – which systems and devices shouldn’t be talking to each other. That is critical to effective network security. This is where organisations like Keysight can really help.”

If you would like to know more about Keysight Technologies, visit www.keysight.com.

Peter Bahas CISSP, Senior Solutions Engineer at Keysight Technologies.

 

About Keysight Technologies: Keysight delivers advanced design and validation solutions that help accelerate innovation to connect and secure the world. Keysight’s dedication to speed and precision extends to software-driven insights and analytics that bring tomorrow’s technology products to market faster across the development lifecycle, in design simulation, prototype validation, automated software testing, manufacturing analysis, and network performance optimization and visibility in enterprise, service provider and cloud environments. Our customers span the worldwide communications and industrial ecosystems, aerospace and defense, automotive, energy, semiconductor and general electronics markets. Keysight generated revenues of $4.9B in fiscal year 2021.