
Cybercrime: a persistent threat

By Rory Coen

Last July, Qatar Today focused on the burgeoning digital economy in Qatar and how the Qatari government was leveraging its potential for the 2030 Vision. Part of the report focused on the threat of cybercrime and revealed that it's now bigger than the drugs trade. Cybercriminals are no longer interested in getting their kicks from $5 thefts but are instead trying to gain long-term control of compromised computer systems, and the way they're doing this is through advanced persistent threats (APT).

Ray Kafity, Regional Sales Director FireEye, Middle East, Turkey and Africa, spoke at Starlink's IT Security Roadshow in Doha last month about the unabated threats of intelligent malware. FireEye is involved in stopping advanced targeted attacks that use advanced malware, zero-day exploits and APT tactics.

Kafity prefaced his presentation with an overview of the Stuxnet worm which caught the world's attention a couple of years ago. Stuxnet wasn't designed to steal money, identities or passwords, but it targeted the controls of industrial facilities such as power plants. The worm was available on the web for download and could have been altered by any cyber-criminal for his or her own malicious purposes. A former director of the National Security Agency in the US revealed that nations were now involved in a new phase of conflict where cyber-weapons could be used to create physical destruction of critical infrastructure.

[Figure: The new status quo: advanced attacks. A timeline from 2004 to 2010 plotting the damage of attacks, rising from disruption (viruses, worms, spyware/bots) through cybercrime to cyber-espionage and cybercrime (dynamic Trojans, stealth bots, zero-day targeted attacks, advanced persistent threats).]

Kafity took a step back from this and discussed the mechanics of these threats and why they are so difficult to detect and eradicate. "Next-generation threats have changed radically from just a few years ago," he said. "Advanced malware has replaced the broad, scattershot approach of mass-market malware designed for mischief. Most of today's attacks are targeted to get something valuable: sensitive personal information, intellectual property, authentication credentials, insider information. Each attack is often multifaceted, requiring at least two stages, one to get in and one to get valuables out. Traditional protections, like next-generation firewalls, intrusion prevention systems (IPS), anti-virus and web gateways, only scan for the first move, the inbound attack. These systems rely heavily on signatures and known patterns of misbehaviour to identify and block threats. This leaves a gaping hole in network defences that remain vulnerable to zero-day and targeted APT attacks."

"Consider the time-lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers," he said. "Malicious code is identified over the course of a few days as it spreads. However, polymorphic code tactics counterbalance the effects of signature-based removal. Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed and the network remains vulnerable, especially to zero-day, targeted APT malware. No matter how malicious the code is, if signature-based tools haven't seen it before, they let it through."

Cyber-criminals have figured out how to evade detection by traditional defences. Using toolkits to design polymorphic threats that change with every use, move slowly, and exploit zero-day vulnerabilities, the criminals have broken in through the hole left by traditional and next-generation firewalls, IPS, anti-virus and web gateways. This new generation of organised cybercrime is persistent, capitalising on organisational data available on social networking sites to create targeted phishing emails and malware targeted at the types of applications and operating systems (with all their vulnerabilities) typical in particular industries.

"Once inside, advanced malware, zero-day and targeted APT attacks will hide, replicate, and disable host protections," continued Kafity. "After it installs, it phones home to its command and control (CnC) server for instructions, which could be to steal data, infect other endpoints, allow reconnaissance, or lie dormant until the attacker is ready to strike. Attacks succeed in this second communication stage because few technologies monitor outbound malware transmissions. Administrators remain unaware of the hole in their networks until the damage is done."
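The "phone home" stage Kafity describes is the one defenders can watch for on the egress side, where signatures are of little help. The following is an added example, not part of the original article or of FireEye's products: a small Python script that flags outbound connections recurring at near-constant intervals (beaconing) in a constructed sample of proxy log lines. All hosts, addresses and timestamps are made up.

```python
"""Flag periodic outbound connections (beaconing) in proxy log lines.

The sample log below is constructed for this example; the hosts,
addresses and timestamps are hypothetical.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, one request per line: "<epoch> <src_ip> <dst_host> <bytes_out>"
# 10.0.0.5 contacts one host every ~300 s with near-identical small requests;
# 10.0.0.7 shows ordinary, irregular human browsing.
SAMPLE_LOG = """\
1335830400 10.0.0.5 updates.example-cdn.net 310
1335830410 10.0.0.7 news.example.org 9120
1335830700 10.0.0.5 updates.example-cdn.net 305
1335831002 10.0.0.5 updates.example-cdn.net 312
1335831300 10.0.0.5 updates.example-cdn.net 308
1335831320 10.0.0.7 news.example.org 12044
1335831601 10.0.0.5 updates.example-cdn.net 309
1335831900 10.0.0.5 updates.example-cdn.net 311
1335832100 10.0.0.7 mail.example.org 4801
"""


def parse(log_text):
    """Group request timestamps by (source IP, destination host)."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _bytes_out = line.split()
        conns[(src, dst)].append(int(ts))
    return conns


def find_beacons(log_text, min_hits=5, max_jitter=0.1):
    """Return (src, dst, interval_seconds) for pairs whose gaps between
    requests are nearly constant, i.e. machine-timed rather than human-timed.
    max_jitter is the allowed coefficient of variation of the gaps."""
    hits = []
    for (src, dst), times in parse(log_text).items():
        if len(times) < min_hits:      # too few requests to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap means a regular, timer-driven callback.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Real deployments would also weigh destination reputation, request size consistency and the share of hosts talking to the same destination, but interval regularity alone already separates the constructed beacon from the browsing traffic.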

Qatar Today, May 2012, p. 80
