Ghosts in the machine

Cyber rogues are getting better at lurking around systems undetected

Mark Dewolf
Oct 9, 2023

‘They’re here,’ said the little girl from Poltergeist.

She was right of course; and if she could see inside today’s enterprise networks, she’d be right again.

Cyber criminals are getting better at sneaking past security defences unnoticed, then staying for days, weeks and even months while they prepare to exfiltrate valuable data and IP.

It's not so long ago that Citrix — a global provider of technology networking equipment and software to Fortune 500 companies — revealed that ‘international cyber criminals’ had been roaming around its corporate network for half a year.

The hack was initially blamed on state actors — specifically an Iranian-backed group — but that’s been questioned since. Instead of espionage, the top motivation seems to have been theft of intellectual property and information that could impact stock valuations.

At first the company said hackers stole business documents. Then they added that the stolen information may also have included personal data, including social security numbers and financial information.

You might think that a rock-solid, multi-billion-pound networking tech company that’s been trading since 1989 would know if someone was camping on its own network. But you’d be wrong. The FBI told them they’d been hacked.

Ghouls spooking around IT infrastructure have become today’s ghost in the telly, capable of finding their way into seemingly secure environments, then staying there ’til someone sees static on their screen.

Moving side-to-side

Once a cybercriminal has breached defences and feels confident that they haven’t been detected, they start a series of lateral movements on the network to gain access to sensitive data.

Moving laterally means moving between servers, endpoints and applications on the network in order to map the system, identify targets, and eventually get to the organisation's ‘crown jewels’.

If the attacker is able to secure administrative privileges, those lateral movements can be very hard to detect, looking at first glance like normal network traffic.

Even when cyber defences do detect that something might be amiss, IT teams are often inundated with system alerts — many of them false positives — and may not have the time or resources to investigate properly.

An expensive game of hide & seek

Studies show that the average breach today can take 5–6 months before being properly identified.

Security vendor FireEye's Mandiant 2019 M-Trends report found that for breaches detected internally, attackers had already been inside the network for an average of 50.5 days. When an organisation was tipped off by an external source (as Citrix was), attackers had already been inside for 184 days on average — just over six months.

The time it takes to detect a breach has an immediate impact on cost. An IBM/Ponemon Institute study of the cost of data breaches calculates that organisations able to contain a breach in less than 30 days saved over $1 million (USD) over those that took more than 30 days.

The people factor

No matter how clever cyber thieves become, they often get a little help from human nature.

In Citrix’s case, weak password security was partly responsible. The hackers used a technique called ‘spraying’ to hit multiple user accounts with common userid and password combinations. Once a few accounts had been cracked, they used the foothold to dig in further and apply other techniques that gave them admin-level permissions.
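The spraying pattern described above has a recognisable shape in authentication logs: one source fails once or twice against many different accounts (which keeps it under per-account lockout thresholds), then succeeds on one of them. The check below is an added illustration, not code from the original article or from Citrix; the log lines are constructed sample data and the thresholds (five accounts in ten minutes, at most two tries each) are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication events (not real Citrix logs): time, source IP, account, result.
SAMPLE_EVENTS = """\
2023-10-09T08:00:01 203.0.113.7 alice FAIL
2023-10-09T08:00:09 203.0.113.7 bob FAIL
2023-10-09T08:00:17 203.0.113.7 carol FAIL
2023-10-09T08:00:25 203.0.113.7 dave FAIL
2023-10-09T08:00:33 203.0.113.7 erin FAIL
2023-10-09T08:03:02 203.0.113.7 erin SUCCESS
2023-10-09T08:01:00 198.51.100.20 bob FAIL
2023-10-09T08:01:20 198.51.100.20 bob FAIL
2023-10-09T08:01:45 198.51.100.20 bob SUCCESS
2023-10-09T08:02:00 192.0.2.5 admin FAIL
2023-10-09T08:02:05 192.0.2.5 admin FAIL
2023-10-09T08:02:10 192.0.2.5 admin FAIL
"""

def parse_events(text):
    """Parse one event per line into sorted (time, src, account, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result))
    return sorted(events)

def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures in one window hit many distinct accounts, a few
    tries each: the spraying signature that per-account lockout counters miss.
    Sprayed accounts that later succeed from the same source are the likely foothold."""
    fails_by_src, success_by_src = defaultdict(list), defaultdict(set)
    for ts, src, account, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, account))
        elif result == "SUCCESS":
            success_by_src[src].add(account)
    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            tries = defaultdict(int)
            for _, account in fails[start:end + 1]:
                tries[account] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                sprayed = sorted(tries)
                alerts[src] = {"accounts": sprayed,
                               "succeeded": sorted(success_by_src[src] & set(sprayed))}
                break  # one alert per source is enough
    return alerts
```

On the sample data only 203.0.113.7 is flagged: the user who mistyped their own password twice and the single-account brute force are left to ordinary lockout rules, while the account that later succeeded from the spraying source is reported as the probable foothold.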

When the Triton malware first started affecting systems at a Saudi oil refinery in 2017, managers assumed it was a standard mechanical glitch. The malware triggered a safety system alarm that brought the plant to a standstill. Then two months later, other systems were tripped, causing another shutdown. It took three months of inexplicable system behaviour before plant managers decided to bring in IT consultants and investigate.

Seeing the ghosts in your machines

As good as they are at covering their tracks, hackers do leave a few virtual breadcrumbs and sweet wrappers behind when they alter settings and change permissions.

IT teams are using more AI and SIEM tools to better triage and analyse system alerts. Employees can also play a stronger role in spotting a hacker’s trail by flagging weird or unexpected behaviour when they see it on company systems.

The Citrix hack tells us that organisations in every sector of the economy need more than the latest kit to detect breaches. Employees in and out of the IT department need to be more empowered with cybersecurity awareness.

The signs of an attack on an organisation's network are often directly observable, or detectable when people know how to recognise them.

The best security systems in the world are both susceptible to human error and improvable with human agency. With better training and education, staff can act as a company’s early warning system for breaches, and avoid becoming the source of a breach themselves.

-30-


Written by Mark Dewolf

Writer @techopedia. Chronicling digital’s impact on absolutely everything. More at https://linktr.ee/markdewolf.
