Breach Investigations: 4 Trends
Mandiant's Charles Carmakal on Breach Actors, Actions
What are the common trends emerging from recent data breaches? Based on recent investigations, Mandiant Director Charles Carmakal offers insight into attack patterns.
The top takeaway: organizations are only as strong as their third-party service providers or partners.
"Attackers are commonly using outsourced service providers as a means to gain access to their victim targets," says Carmakal in an interview with Information Security Media Group [transcript below]. Once the partner is infected, the attackers gain far easier access to the targeted organization.
Among the other common breach trends:
- Hackers do their homework. They'll leverage network documentation, penetration tests, PCI assessment reports, among others, to study the environment they're infiltrating to better access data they want, Carmakal explains.
- Once a target, always a target. Too many holes remain unpatched, leaving breached organizations vulnerable to repeat attacks. "Last year, 38 percent of our investigations that we conducted were associated with a re-compromise of our clients' environments," he says.
- Strategic web compromises are on the rise. Targeted attackers, Carmakal says, will compromise websites that are often visited by their targets. "They'll plant malicious software that will exploit web browsers' third-party applications on their target victims, so that they can ultimately gain access to the environments of the individuals visiting the website," Carmakal explains.
In an interview recorded at Infosecurity Europe 2013, Carmakal discusses:
- Reactions to the recent Mandiant report detailing security threats from China;
- Mandiant's role in breach investigations;
- Common threads from recent breaches.
Carmakal is a director with Mandiant based in Washington, D.C. He has more than 13 years of experience running intrusion investigations, threat and vulnerability assessments, enterprise-wide remediation programs and enterprise security strategy engagements.
Prior to joining Mandiant, Carmakal served in various leadership and management roles within PwC in the U.S. and Australia. Most recently, he led PwC's security consulting practice in Sydney. He also led PwC's attack and penetration testing, Payment Card Industry (PCI), and web security global core teams.
TOM FIELD: Mandiant has been in the news a great deal as of late. To start out with, can you tell us a little bit about yourself and your role with Mandiant, please?
CHARLES CARMAKAL: I'm a director with Mandiant, based in Washington, D.C. I help my clients with enterprise-wide intrusion investigations or scaled security remediation containment programs and provide strategic security consulting to the business and technology executives to help them counter targeted threats.
Addressing a Breach Incident
FIELD: How long have you been with Mandiant now?
CARMAKAL: I've been with Mandiant for about a year and a half.
FIELD: And what a year and a half it's been. Mandiant has been involved with many high-profile incidents in recent months. The New York Times comes to mind; the report that Mandiant issued comes to mind. To give us some context, when does Mandiant typically get called into a breach incident?
CARMAKAL: Last year, 62 percent of our clients were notified of a breach by a third party, whether it's law enforcement or an intelligence agency, maybe even a business partner. We typically receive phone calls from victim organizations shortly after the notification. The vast majority of our work comes through referrals from law enforcement or former clients.
FIELD: If I could ask you just a quick follow-up: Why do you find that so many organizations are notified by third parties of an incident and they don't recognize it first themselves?
CARMAKAL: What we tend to find is most organizations don't really have the security-monitoring capabilities in place for them to be able to detect targeted, sophisticated attacks. What we generally find is that they become notified by third parties because the third parties generally have quite a bit more intelligence around specific threat actors that common organizations just don't tend to have.
Common Breach Trends
FIELD: You've uncovered and participated in a number of recent investigations. What would you say are some of the common threads you see in organizations that have been breached?
CARMAKAL: There are four trends that we've observed in our investigations last year. The first one is that attackers are commonly using outsourced service providers as a means to gain access to their victim targets.
The second thing we've observed is, once inside the victim's network, attackers typically leverage network documentation, penetration tests and reports, PCI assessment reports, etc., to study the environment and more efficiently gain access to the data that they're interested in.
The third observation is once a target, always a target. Last year, 38 percent of our investigations that we conducted were associated with a re-compromise of our clients' environments.
The fourth thing that we're seeing is an uptick in strategic web compromises. What we tend to find nowadays is that targeted attackers will compromise websites known to be visited by their targets. They'll plant malicious software that will exploit web browsers' third-party applications on their target victims so that they can ultimately gain access to the environments of the individuals that are visiting the website.
FIELD: That's an interesting first point because, essentially, what you're saying is no matter how secure you make your own organization, you're only as strong as your partners, really.
CARMAKAL: That's exactly it.
FIELD: Let's talk about some lessons that we've learned recently about breach actions. What do you find to be today's most common schemes? Do they vary at all by global region? For instance, we're seeing a lot of DDoS in the United States and in Europe. Are we seeing different types of activity elsewhere in the world?
CARMAKAL: The two most prevalent types of threat actors that we deal with are state-sponsored threat actors originating from China, but also other countries not limited to China, and also organized crime originating from primarily Eastern Europe. Their techniques and their objectives do vary. State-sponsored generally are interested in data that has economic, military or political value to their countries. Organized crime, on the other hand, is generally interested in data that can be quickly monetized. So for example, we'll see them compromise environments to steal credit card data for credit card theft, bank account information for wire fraud, or they'll steal personally identifiable information to commit identity theft.
FIELD: Those are the actors. What types of actions are they taking? What are some of the most advanced threats that you're seeing? That's really what I'd like to drive to here.
CARMAKAL: Some of the more advanced things that we're seeing, as a specific example, are SSL certificates being stolen from particular environments to encrypt communication between victim organizations and command-control infrastructure. We're seeing certificates being stolen from victim organizations to digitally sign malicious software so that as investigators are trying to uncover malicious software within an environment, it makes it a little bit more difficult to find when malware is digitally signed by known authentic certificates. Those are two common examples that we're starting to see a little bit more nowadays.
FIELD: Do you find that these vary much by global region or do the threats tend to be similar wherever you are in the world?
CARMAKAL: They certainly do vary a bit, but it depends on the types of threat actors. Again, the two main threat actors that we deal with are those that are state-sponsored, primarily originating from China, that are going after economic, military and political data, and then organized crime from Eastern Europe that's mostly after data that could be quickly monetized.
FIELD: You mentioned nation-state, and I want to ask you about that. About two months ago Mandiant made big wide news with its report naming China as a significant nation-state threat. What's been the reaction to that report?
CARMAKAL: The response has been overwhelmingly positive. The report has taken the issue from a mid-level security management level to the executive and board level. Now they have a better understanding of the financial implications associated with state-sponsored threats. Additionally, many of the organizations have taken the threat intelligence that we provided to help them look for indicators of compromise within their own environments.
FIELD: Have you seen changes in the threats? Essentially, you called out China. Has that changed the activity that you see?
CARMAKAL: A little bit. We provided threat intelligence associated with one particular threat actor, and what we have seen subsequent to the release of our report and the threat intelligence is that a lot of the command-and-control infrastructure may have changed a little bit. We see the attackers are using different IP addresses and different domains to change registration details associated with some of their domains. ... We see them using variations of malware that they previously used. But the fact of the matter is that APT1 and various other threat actors are still very active today. APT1 as a specific example has changed a bit how they operate, but they're certainly still out there actively breaking into other organizations and stealing data from those environments.
FIELD: What are some of the current manifestations of nation-state threats that you're seeing, including what you're seeing from the APT1?
CARMAKAL: There's really an overwhelming amount of evidence linking attacker activity to nation-state threats. There are several dozen threat actors, many of which that originate from China. As a specific example, we believe China's People's Liberation Army, Unit 61398, which we call APT1, is responsible for hundreds of network compromises. We've been able to attribute the activity to them based on the tools that they use, the IP addresses that they come from, the type of data that they steal and indicators from the host systems that they connect from.
When you look at that data individually, it's hard to pinpoint the activity to a particular group. But when you look at it in whole, the observations are compelling. For example, when we see an organization that's breached during trade negotiations with a Chinese-based company, we see Chinese character sets used in the malware that they use, we see Chinese IP addresses through errors on their proxy tools, and we also see Chinese keyboard layouts from the attacker systems, it seems pretty clear that the threat is coming from a certain part of the world.
We do acknowledge that there's one other unlikely possibility with specific examples from an APT1 perspective. Perhaps there's a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure that's engaging in a multi-year, enterprise-scale computer espionage campaign right outside of Unit 61398 that performs similar tasks that are known to 61398's mission.
FIELD: And if it's not that, then it is ...?
FIELD: You can pretty much draw your own conclusions.
CARMAKAL: That's right, Tom.