Web Attacks: How to Improve DefenseAkamai's Mike Smith on How to Spot, Respond to Warning Signs
Nobody wants to be a cyber-attacker's first victim. But there are benefits to being second or third, says Akamai's Mike Smith. Then you get to enjoy the true benefits of the oft-discussed information sharing.
The topic of information sharing comes up in a discussion about the latest attack trends, and what are some of the warning signs organizations can look for in advance.
"Nobody ever wants to be the first person attacked, because you don't know a lot necessarily about what the attackers do," says Smith, CSIRT director at Akamai. "But the more targets that particular attacker has attacked, the better knowledge base we have just as an industry on who they are, what they look like ... and what are their tactics, techniques and procedures?"
The more attacks, the better the knowledge base - and this becomes the true benefit of information sharing, Smith says.
"As you get smarter about this and have this bigger knowledge base, you can know what exactly to look for," Smith says. "Or, more importantly, if you see one particular set of activities, you know what the context is relatively well."
In an interview about the state of web attacks and response, Smith discusses:
- Types of attacks he's seen launched in the past year;
- Warning signs of attack;
- Advice on how organizations can improve their defenses.
Smith serves as Akamai's CSIRT Director and is responsible for leading a team of web security incident responders and researchers that study the tactics, techniques, and procedures of web attackers and apply that knowledge to help protect Akamai customers during events such as Distributed Denial of Service. Prior to his current role, he served as Akamai's Security Evangelist and as the customer-facing ambassador for the Information Security Team, helping customers to understand both the internal security program and the unique security features and capabilities of the Akamai product portfolio and cloud-based solutions.
TOM FIELD: What are the kinds of attacks that you've been seeing over this past year?
MIKE SMITH: There's a wide variety, and it's interesting for us just being in the service provider space. A lot of times when I'm looking at attacks, just from what I do on a day-to-day basis, it's stuff that we prevent. You see small traces of it; so you might see a reconnaissance activity, or a lot of log-in attempts, somebody with a scraper, or even DDOS. You might see 24 requests that are blocked, something small like that.
But as far as overall trends that we've seen, a big one for us is log-in abuses. I've got a wide variety of customers, and they're using what we call rate control; you just count the number of requests per second from a source IP address, and when it exceeds the threshold you cut it off. Well, we've got lots of customers that have this set up, and they've got it set up only to count log-in requests. You can still go down and only count two log-in [attempts], only if there's actually log-in information there. We're seeing lots of that activity simply because somebody can go and phish the user on a small e-commerce or social media site. They will actually go out and phish the user credentials that way and then check to see if the user reuses those credentials across multiple websites, including the financial websites.
We are seeing some things that are just low impact, high frequency type events. Scrapers and scanners fit in there. They send a volume of traffic, but for the most part are either checking for vulnerabilities to see if [they] exist, or grabbing information. One that makes me laugh somewhat in the financial services space is scraping for stock or interest rates. There's one organization out there, they go out and scrape a wide variety of websites, and they're looking for things that feed in the Consumer Price Index - what is the price of a gallon of milk in all these different countries- and then use that to feed what the cost of living comparison between those different countries are. They also do the same thing [with stocks] - what are the rates that our competitors have? What are stock prices? How do we jump in, grab stock prices, and then feed that to mobile applications? There are a whole bunch of different ways that people are consuming lots of content off websites; they're consuming a lot more volume than they actually need.
There's this other piece, which is DDoS. We haven't seen as much DDoS, at least in financial services, as we have in a while. A couple things that make that statistic happen. One is we had a large campaign in 2012 and 2013 that tipped all the stats, but there's another thing where organizations are getting better at defending themselves. It's not as lucrative for the attackers to go launch large DDoS attacks, at least against financial services.
FIELD: When you look at these attacks, how do you see them being launched, not just against banking institutions, but against other organizations as well?
SMITH: It starts a lot with reconnaissance. A good attacker knows what their target is; so anything as simple as loading up a tool, one of the web application scanners, and scanning the target knowing what the exposed surface is. Typically what you're doing is looking for things that are formed, publicly available, things that you don't need to log-in to get to. So typically you're looking at a search function - a branch office locator, something with a database behind it, anything where you can get a quote, say insurance. So you put in PII. There's an intermediate step, and at the end you say, "Oh, yeah, we could save so much on life or health insurance," or whatever it is that you need.
You're looking at things like that that are publicly available, not behind a log-in wall, that are a form, and then you start from an attacker's perspective. You look at the inputs into that application looking at the actual form itself. Is there any hidden data? A whole bunch of stuff is in there, but it all starts with being probed by a scanner, some kind of spider or a web application scanning tool. That leads to subsequent attacks.
We see lots of those. Most of the time we're just going to block those, and it's already set up with a policy to just say, "Oh, yeah, if it's a particular user agent, block that; if they exceed a particular volume of requests, go ahead and block that." That catches a lot of pre-attack activity and makes it go away, and you won't actually see the attack come in later simply because the attackers realize that the target is defended, and they won't go in and try to hit it.
Most Targeted Regions
FIELD: What size organizations and what regions in the world do you see as the most attractive for some of these increasingly sophisticated attacks?
SMITH: It varies a lot. One of the things that I've done with my team is set up monitoring for some of our customers. We call it the Smith algorithm internally because I developed it, but what we do is try to monitor across various industries and geographies. So, for instance, I've got banking in Southeast Asia, North America and Northern Europe. Each one of these has a different pattern of attacks and a different set of attackers that are trying to hit those particular sites.
Southeast Asia is really interesting to me in that there are lots of small micropayment services that are being established; some of them are mobile applications, some are friend-to-friend payments and some are utility payments. There are a whole bunch of really different micropayment services that are standing out, but they're functioning like a services aggregator where you go to this third party. You give them your credentials, they log into your bank's website, and sometimes they use the facilities in the website to withdraw money and make that payment to somebody else.
What we'll see with a lot of our Southeast Asia banking customers is a completely unknown service stand up and suddenly is sending a lot of requests to that customer's website, and we have to go in and triage. "Is this service a fraud service or a business partner from the bank? Is it just somebody who's a complete scam and is ripping off their users? What exactly is going on there?"
Meanwhile, inside of North America, you've got a lot of the account takeover issues, and we see those quite a bit. You've got the scrapers. It's a more mature kind of attack environment, where you've got good defenses that are set up, and also attackers that are used to attacking because they do it day in and day out.
Inside Northern Europe, we don't see a lot of direct attacks against financial services customers. We did have a large chunk of DDoS in the Netherlands associated with the Stenhouse cyber bunker. We do see some log-in abuses, especially in Northwest Europe. It's interesting to me, because there's not a lot of stuff that's very overt or small, [leaving] little traces and fallen bread crumbs.
Impact to Targets
FIELD: What do you see as the specific impact on the individual targets and the industry as a whole?
SMITH: It really goes back to, "Why does a financial services organization have a website?" And it usually comes down to, "This is how you bring in new customers." Especially if you're looking at marketing to individuals and using your website for actual enrollment or to make a sale. Insurance fits into that very well, and some of the small micropayments or peer-to-peer payments. You're using your website to actually generate income for you. It's a lot more like what I would expect for a profile for a retail or e-commerce site in that you've got this marketing effort, you're looking at conversion rate as your big measure, and if somebody can disrupt the site, then that directly impacts the amount of gross income that you have coming in.
There's the other group of organizations who use their website for customer care. It's the most cost effective way to service your customers, and as a result, your costs are cheaper. So you either increase your margin, or decrease the price of your services to your customers. [There are] a couple different ways you can do that, but you have alternatives.
Banking is a great example, where if the bank website is down you can use the phone line, go into a branch office or an ATM, and each one of these has a different cost associated with it. But what you'll see is that attacks against online banking, in a wide variety of ways, will indirectly impact the costs for that bank to do service. So it's different. Then you have some websites that do both of these, so they're both an income generator and a way to service your customers. You're looking at, "What is the direct cost of building security controls with the indirect cost of controls because of reduced efficiency with a whole bunch of other things?" So there's an impact, but a lot of that impact is going to be indirect unless it's the retail model where you're selling directly to the public. You're not going to have a direct cost which is easy to measure.
FIELD: What are some of the warning signs that an attack might be imminent?
SMITH: A lot of it is preparation, where you see the reconnaissance happening. There's another piece in there, which is information sharing. Maybe we'll talk about information sharing here in just a minute, but it always is bad to be the first person. Nobody ever wants to be the first person attacked, because you don't know necessarily a lot about what it is the attackers do. The more targets that particular attacker has attacked, the better knowledge base we have as an industry on who they are, what they look like, what are their indicators of compromise, what's the traffic signature they send you and what are their tactics, techniques and procedures?
The more people get attacked, and the more times you get attacked, the better this knowledge base is, and you can share with other people so that they can look out for it. As you get smarter about this and have a bigger knowledge base, you can know what exactly to look for. Or more importantly, if you see one particular set of activity, you know what the context is relatively well, and you can go look for other associated activity that you didn't catch.
There's a loop that my team does where we start out with an indicator. Let's look at the context around that indicator. What's the other associated traffic? Out of that we'll find other indicators, go look for those in the traffic, find additional incidents or events that happened, look for the context around that, and basically loop through this four or five, maybe a dozen, times. You get a good picture of who the attacker is, what they are trying to do and what other things you need to look for. As you iterate through this little intelligence cycle, you're getting more and more information that helps you detect stuff when it first starts.
A Better Defense
FIELD: Based on what you've learned in your research, what advice do you offer to organizations to fundamentally defend themselves better?
SMITH: Information sharing is huge. Sometimes I have a hard time with how people use the phrase "information sharing," simply because they don't actually qualify what it is. Really what you're doing is sharing the overall concept, and what's most important is you get contacts with your peers inside of competitors, or industry contacts. There's been a big shift that's actually good for me, in that financial services organizations are realizing that their business partners also need to know this information. We've seen sharing back, and people need to be able to trust their vendors and give them information. I get a lot of information from my customers, and I share a lot back to them, but they need to understand that I'm not going to turn around and give that to a sales guy who's going to go pitch that. There's kind of a gentleman's agreement and several NDAs.
But the big thing for me is that information sharing, through intelligence sharing is a hub model. The hub works as a data broker, shares out to all of the members of that community. When that hub is connected to things like law enforcement or the intelligence community, blocks of good information go out, and then information sharing is a peer-to-peer activity.
It's a "Hey, I know this person at this other organization and off-the-record, what's your opinion on this because I'm seeing this type of activity. Have you seen that?" And [you might say back] "Oh, yeah, that's actually relevant and here's another set of indicators in TTPs they have around that. Please use this, and when you find other ones, share them back with me."
Information sharing is huge. I've had a lot of threat briefs for customers for prospects for the public at large. One of the things that I've started doing with my team is a webinar once a quarter to say, "Hey, out of the past quarter these are the main things that we saw attackers do, and here's what we recommend for protection." Even if it's not directly related to products or anything else that we normally do, it's still things that we've actually had to respond to.
A good example would be DNS hijacking, where we've had numerous incidents. We had one during Thanksgiving that resulted in the defacement of 40 or 50 different sites that were defaced when a worker had their DNS hijacked and sent to a different server. That server started sending defacement, just simple job descript defacements. I'm not a registrar, I don't sell domains. I don't lock them in, but a set of recommendations at that time was go ahead and lock your domains, and here's how you go do that. We get a lot of value out of sharing information like that with our customers, and they also share back. I turn those into rock rules, push those rock rules out for all my customers, and everybody gets safer and smarter.