Responding to the ‘Dark Seoul Cyber Attack’

Posted: May 2, 2013 in Cyber Security
Tags: , , , , ,

Published May 1, 2013 on the Korea Herald print and online: http://www.koreaherald.com/view.php?ud=20130501000683

On March 20, 2013, South Korea suffered a cyber attack that resulted in the denial of service of several major banks, broadcasters, and the defacement of the websites of a telecommunications operator. Although reported as a major cyber attack, multiple security experts reported the malware as having a relatively low level of technical sophistication.

What’s concerning is this attack could have been completely prevented by simply keeping antivirus software updated, making sure Windows security protection was enabled, and avoiding opening suspicious emails. However, Advanced Persistent Threats, or APTs, cannot be prevented by using the measures above as a one-size-fits-all solution. And if we take into account that the same attacker conducted the attacks in 2011, then these guys can definitely be classified as an APT.

The wave of cyber attacks is spreading at a really fast rate and the defense against them is almost impractical. This present day it’s all about Advanced Persistent Threat attacks, zero-day exploitations, dynamic trojans and stealth bots.

Business-as-usual protections would typically involve traditional methods of intrusion prevention systems, antiviruses, next-generation firewalls and Web gateways.

The problem with such methodologies is that they only scan for the first strike of attack, by mainly relying on signatures of the viruses/worms and bots, as defined by their behavior, and thus stopping them. That now leaves a gap between known and unknown signatures, as there are zero-day exploits and well-planned advanced persistent attacks.

Zero-day exploits are security holes that have not been patched yet, thus allowing hackers to freely exploit vulnerabilities in systems. Recent examples are the Adobe and Java zero-day exploits that were used in attacking Facebook, Google, Apple and Microsoft.

During an attack by an APT, malware could be injected into a website that is vulnerable to SQL injection or cross-site scripting which is then accessed by an employee of a targeted company. Upon opening that link or file through carefully planned social engineering, the victim gets hacked, and that is leveraged through what we call pivoting into the entire network. This was precisely the method used in the “Dark Seoul Attack.” What can be done to prevent such attacks?

National security strategy

A comprehensive cyber policy governing the nation’s cyber security should be at the centerpiece of a robust defense. This strategy should tie together all stakeholders because one weak component is all that is needed to bring the whole system down.

An important component of this strategy is the identification of critical information infrastructure and assets and the design of defenses that reflect the asymmetrical nature of cyber warfare.

The 2009 Cyberspace Policy Review identified cyber security as one of the most serious economic and national security challenges faced by the U.S. As a result, President Barack Obama ordered a National Cybersecurity Framework, building on the Comprehensive National Cybersecurity Initiative, an effort to secure the United States in cyber space that began under the previous administration.

The NATO Cooperative Cyber Defense Center of Excellence issued a National Cyber Security Framework Manual in 2012 intended to help academics and policymakers examine all the relevant factors of security cyber space in the national context.

Cyber laws

Global critical information infrastructure or assets providing products and services to the public, for example Public Key Infrastructure, should be governed under international law.

Though governments do not run the Internet, an international legal framework could be effectively used to govern the management of global critical infrastructure and assets with sanctions for corporations, institutions and governments that fail to meet a certain level of assurance. It should be understood that a successful attack against any of these assets constitute an attack on the safety of the Internet user anywhere in the world.

The Tallinn Manual on the International Law Applicable to Cyber Warfare is an initiative by the NATO Cooperative Cyber Defense Center of Excellence to support the application of international law in the cyber domain. The manual addresses issues including sovereignty, responsibility of nations, the jus ad bellum, international humanitarian law, and the law of neutrality. Cyber warfare will be an important part of defense in the 21st century; therefore it must be addressed properly by the international community to prevent unnecessary casualties.

Many countries now also have laws to deal with crime in cyber space. Some have taken a step further by regulating information security of banks and other financial institutions. Thoroughly written legislation can go far in forcing corporations to improve their security infrastructure and management practices in order to protect consumers and the economy in general. However, due care must be taken to prevent overregulation when legislation mandates specific technologies to be used in securing public infrastructures, such as what happens in South Korea.

Development of cyber security workforce

We know a lot of very intelligent people are working for the wrong side. There must be ways to either attract these people to take legitimate jobs or train a competent workforce to deal with them.

Some experts estimate that North Korea has as many as 5,000 trained cyber warfare specialists. According to this year’s Mandiant M-Trends Report, China is estimated to have hundreds if not thousands of cyber warfare specialists in Unit 61398 of the People’s Liberation Army.

The most powerful APTs are nation states, and all of them are investing heavily in equipping their human resources with the skills needed to develop sophisticated malware. The U.S National Cyber Security Workforce Framework is a response to the need of highly skilled cyber security professionals working for the right side.

Robust systems and social engineering awareness

Most security holes are caused by poor programming practices. If nation states are to stand any chance against the APT, then security must be built into software by design, not as an afterthought.

A clear message to the software industry can be sent if government agencies were required by law to use fulfilling a certain standard. Standards could include software provision of security features such as control flow integrity, stringent input validation, or sandboxing.

Further, the majority of APT attacks exploit human vulnerabilities as their initial entry point, but not enough attention has been brought to seriously address this. It is just as important to consider the security level of employees, as it is to deploy the state-of-the-art firewalls, antivirus and IDS devices.

Apart from ensuring awareness programs and compliance of security policies, social engineering tests should be regularly carried out in order to assess the security robustness of the human factor. Limitation of employee participation in social networks should also be considered as the information gained could be used in launching an attack against the organization. Since the beginning of warfare, people have been the first line of defense.

Technology has not and never will replace the human factor.

The bad guys are almost always one step ahead. We need to do all we can to minimize the gap between their capabilities and ours.

By Bright Gameli, Jonathan A.P. Marpaung and Michelle Kang

Jonathan A.P. Marpaung is a computer security researcher at Dongseo University and Spentera Security in Jakarta; Bright Gameli is a freelance information security researcher on Web & Network Penetration Testing; and Michelle Kang is a columnist studying at Kyungsung University. The opinions reflected in the article are their own. ― Ed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s