Attack Lessons: Shared Responsibility and the Cyber Kill Chain

BY Rebekah Taylor
Last month, cybersecurity expert and author Dr. Josephine Wolff joined BlueCat CTO Andrew Wertkin for our Lessons from the Aftermath webinar to dissect significant cybersecurity attacks from the last decade and what we can learn from them.

Wolff and Wertkin took a deep dive into two watershed breaches: Ashley Madison and DigiNotar. Two key takeaways emerged. First, we tend to place too much emphasis on individual organizations as the only line of defense against cyberattacks. Second, we tend to hyper-focus on the single moment of attack in which the perpetrator gained a foothold.

Instead, a cyber kill chain approach views attacks as a series of escalating stages, with an opportunity to predict, detect, prevent, or respond to incidents at all of them.

A dating website for people seeking to have affairs, Ashley Madison was hacked in 2015, with profile information from 36 million users published online. Prior to the breach, the then-CEO had made very public claims about the site’s security and privacy, touting a paid service to delete your account from the website. All of the supposedly deleted data was still stored when the breach occurred, resulting in charges from the U.S. Federal Trade Commission.

“It was this moment for organizations to reevaluate how they publicly presented their data security and even to consider whether there were risks to making too strong promises, or potentially misleading promises, from an enforcement perspective,” Wolff says. “Because a lot of what the Federal Trade Commission can enforce is around unfair, deceptive business practices. A lot of the complaint they ended up filing against Ashley Madison really hinged on this idea that the company had been very deceptive, which is different than being very insecure.”

On the other hand, DigiNotar, a Dutch certificate authority, took its security very seriously, with complex segmentation and firewall rules for its network. But it was still possible for somebody to exploit a vulnerability in a content management system on its external-facing website and tunnel through to its secure network to issue fraudulent digital certificates. More than 500 fake DigiNotar certificates were found in 2011, including a set for Google.com.

The rogue digital certificates were used to conduct man-in-the-middle attacks. Perpetrators flooded DNS servers with fake records to send users to the wrong sites (so, for example, intercepting a user’s request to go to Google.com and sending them to their own webpage designed to look like Google’s instead). Just under 700,000 different IP addresses were redirected, impacting about 400,000 individuals, almost all of them living in Iran.

Browsers blacklisted DigiNotar certificates, and the company went out of business.

“Most companies that undergo data breaches or security incidents do not then go out of business. But for a certificate authority, where trust is its whole business, it actually turns out to be a massive big deal for them. And not just for DigiNotar, but also for all of the browsers—Chrome, Firefox, Internet Explorer—that were implied because they have listed DigiNotar in their list of root certificate authorities that could be trusted by all of their users,” Wolff says.

It’s important to recognize here the nuances of these attacks and how many entities are implicated, Wolff adds.

“There’s often this implied sense that there’s one company that’s responsible for all of it and it was their fault and their security failures that allowed this to happen,” she says. “There were all these other things going on that made it possible to do what these people did that were not just about the decisions of those two companies but also about the decisions of DNS operators, content hosts, and software developers. It becomes clearer how complicated and also how many opportunities there are for thinking about defense in this space.”

DNS can play a number of roles across the cyber kill chain: in delivery, in command and control, in reconnaissance, and on the defensive side through Domain Name System Security Extensions (DNSSEC), which uses cryptography to provide authentication and integrity for DNS responses.

Wertkin suggests running port scans against your own address space to look for anything that is open, or reverse-mapping the network via DNS to find host names that might be of interest to attackers.
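The reverse-mapping self-audit Wertkin describes can be scripted. This is an added example, not code from the webinar or from BlueCat; the address range, PTR table and list of sensitive labels are constructed assumptions, and the resolver is injectable so the block runs offline.

```python
"""Reverse-map an address range via DNS and flag host names that reveal
infrastructure an organization may not want visible in public DNS
(a CMS or management host, for instance). Added example; the resolver
is injectable so it runs offline against a constructed PTR table."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Labels worth reviewing when they appear in a public PTR name.
# Assumed list for illustration; tune it to your own environment.
SENSITIVE_LABELS = ("cms", "admin", "vpn", "dev", "staging", "db", "mgmt")

# Constructed sample PTR data standing in for real DNS answers.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "www.example.test",
    "192.0.2.11": "cms-admin.example.test",
    "192.0.2.12": "vpn.example.test",
    "192.0.2.13": "mail.example.test",
}

Resolver = Callable[[str], str]


def lookup_from_table(table: Dict[str, str]) -> Resolver:
    """Offline resolver mimicking socket.gethostbyaddr on a fixed table."""
    def resolve(ip: str) -> str:
        if ip not in table:
            raise socket.herror(1, "Unknown host")
        return table[ip]
    return resolve


def live_resolver(ip: str) -> str:
    """Real PTR lookup for production use; raises socket.herror if absent."""
    return socket.gethostbyaddr(ip)[0]


def reverse_map(network: str, resolve: Resolver) -> Dict[str, str]:
    """Return {ip: hostname} for every address in the range with a PTR."""
    found: Dict[str, str] = {}
    for host in ipaddress.ip_network(network, strict=False).hosts():
        try:
            found[str(host)] = resolve(str(host))
        except (socket.herror, socket.gaierror):
            continue  # no PTR record: DNS exposes nothing for this address
    return found


def flag_sensitive(mapping: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, label) for names hinting at a sensitive role."""
    hits: List[Tuple[str, str, str]] = []
    for ip in sorted(mapping, key=ipaddress.ip_address):
        labels = mapping[ip].lower().replace("-", ".").split(".")
        match = next((lb for lb in labels if lb in SENSITIVE_LABELS), None)
        if match:
            hits.append((ip, mapping[ip], match))
    return hits
```

Swap `lookup_from_table(SAMPLE_PTR)` for `live_resolver` to sweep a range you own; the flagged names are the ones to reconcile against what should actually be reachable from outside.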

“It’s multiple areas along that kill chain—there’s different types of DNS behavior we might see,” Wertkin says. “Any of these areas in the kill chain aren’t segmented to one technology or one strategy. It’s the same sort of technologies and strategies can be used pervasively across them, especially as they link across into cascading effects.”

For more, be sure to view our Lessons from the Aftermath webinar.

-----

Wolff is an assistant professor in the public policy and computing security departments at Rochester Institute of Technology, a fellow at the New America Cybersecurity Initiative, and the author of You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. Andrew Wertkin is BlueCat’s chief product and technology officer.

Rebekah Taylor

Rebekah Taylor is a freelance writer and editor who has been translating technical speak into prose for more than 18 years. Before BlueCat, she spent eight years doing communication work as a contractor for the U.S. Coast Guard in Washington, D.C., and was previously a journalist, reporting stories for a daily county newspaper and defense industry publication. Her first job in the early 2000’s was at a small Palo Alto start-up called VMware. She holds degrees from Cornell University and Columbia University’s Graduate School of Journalism.
