UNCLASSIFIED
January 2013

Cyber Case Study: Why The Top 4 Measures Are Essential
Guidance for the Government of Canada
ITSB-97

Introduction

Government of Canada (GC) networks and systems are increasingly vulnerable to adversaries’ attempts to gain unauthorized access to sensitive government information. To increase the GC’s network protection efforts, the Communications Security Establishment Canada (CSEC) developed the Top 35 Mitigation Measures (ITSB-89A). Implementing the top four measures as a package would prevent the vast majority of intrusions that CSEC currently responds to. The top four mitigation measures are: patching operating systems, patching third party applications, minimizing administrative privileges and application whitelisting.

This document provides a case study to demonstrate how a typical intrusion might occur and how the top four mitigation measures would have been effective in mitigating the compromise at each stage of the intrusion.

Three Stages of a Typical Intrusion

While there is no single pattern to an intrusion, the following outlines the typical stages of a spear phishing compromise. Spear phishing is a common method used in targeted cyber intrusion attempts on GC networks.

Stage 1: Code Execution

An adversary performs reconnaissance to select a target user, and sends this user a malicious email. This reconnaissance is easier if the user’s email address is readily available via departmental web sites or social networking web sites, or if the employee uses their email address for purposes unrelated to work (e.g., posting on forums and newsgroups). Once the user opens the email and either follows the link or clicks the attachment, malicious software is run on the user’s workstation. Further, the software is typically configured to persist by automatically running every time the user restarts their computer and/or logs on.
The malicious software is remotely controlled by the adversary, enabling them to access any information that is accessible to the user.

Stage 2: Network Propagation

The adversary moves through the network to access information on other workstations and servers. This information may include computer and network configuration details, the organizational hierarchy, and usernames and passphrases that enable the adversary to maintain persistent access to the network. Acquiring access to an account with administrative privileges significantly assists an adversary in accessing greater amounts of information and moving more freely through the network. Information stored on and gathered from the network can provide valuable insight to facilitate future intrusion attempts.

Stage 3: Data Exfiltration

The adversary successfully exfiltrates information from systems residing on the network. Several compromised computers are often left behind as backdoors to facilitate further exfiltration of information in the future.

A Case Study: Larry the Financial Advisor

Larry works as a financial advisor within the Department of Commerce (a fictitious GC organization) and receives an email in the days preceding a major international summit that seems related to the event. Although the email is from a Gmail account, the name of the sender is listed as someone in his department, so he decides to open the PDF attachment titled “Draft Agenda”.

Stage 1: Code Execution

The email is malicious and has been socially engineered to seem as if it was sent by someone in Larry’s department, enticing him to open it. The attached PDF has been deliberately manipulated to exploit a known vulnerability in Larry’s version of Adobe and automatically installs a backdoor on his workstation. The malicious software provides the adversary with remote access to Larry’s workstation.
Stage 2: Network Propagation

Although local administrative privileges are not required for Larry to perform his normal work-related tasks, his account was originally set up with them, granting him the ability to install and customize software. Having compromised Larry’s administrative account, the adversary strengthens their ability to persist on the network by making a number of configuration changes that significantly weaken the security profile of his account. The adversary is now better able to use this account as a foothold to propagate further throughout the network.

The adversary uses Larry’s account to exploit a number of additional systems on the network, specifically gaining access to an account with administrative privileges for the entire network. Having gained these domain administration privileges, the malicious software is easily able to spread, hide, persist, obtain sensitive information and resist efforts to remove it from the department’s network. To penetrate and persist in the network further, the adversary uses the network administrator’s account to gain access to thousands of user passphrases and network configuration files.

Stage 3: Data Exfiltration

The adversary now has access not only to Larry’s information, but also to sensitive information residing in other teams, including sensitive business documents, policy position papers and event speaking points. The adversary remotely exfiltrates sensitive information and installs a number of backdoors on various systems to maintain future access to the network. By opening just one malicious email attachment, Larry has compromised not only his own workstation, but his department’s entire network.

Effectiveness Of The Top 4 Mitigation Measures

Implementing the top four measures would have successfully mitigated this intrusion at several stages of its execution.
Application Whitelisting: The malicious software that provided the adversary with remote access to Larry’s workstation was able to run freely on the department’s network. Further, this software was able to exfiltrate sensitive information from the network and run automatically every time Larry restarted his computer. If the department had implemented application whitelisting, any unidentified software would have been treated as suspicious and prevented from running.

Patching 3rd Party Applications: Larry’s department uses an old version of Adobe. This particular exploit would not have been possible had the department been using the latest version of the software, in which the known vulnerability was patched.

Patching Operating Systems: Even if Larry had been using the latest version of Adobe, his department is still running an old version of Windows. If the operating system is compromised, any action or information handled by that computer is at risk. Using a version of Windows in which known vulnerabilities have been patched would have minimized this risk.

Minimize Administrative Privileges: Administrative accounts should be reserved only for those who need them to undertake their role. Not only does Larry not require administrative privileges, he was using this account to perform risky activities such as checking his email. If Larry had been required to use a secondary (unprivileged) account for these risky activities, the adversary would not have been able to easily gain his administrative access.

Summary

No single measure can prevent a targeted cyber intrusion. Organizations should take a defence-in-depth approach to IT security by ensuring the measures they select address all three high-level stages of an intrusion. The top four measures complement each other as they target each stage of a typical intrusion, amplifying their effectiveness when implemented collectively.
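One way to check a single workstation against the four measures described above, as an added example that is not part of ITSB-97 or of CSEC’s guidance: a PowerShell audit that reports whether the logged-on user is a local administrator, whether AppLocker is enforcing, how old the newest hotfix is, and which Adobe Reader build is installed. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 or Server 2016 or later; $ReferenceReaderVersion, $MaxPatchAgeDays and the 'Adobe Acrobat*' display-name pattern are placeholders to adjust for your environment.

```powershell
# Added example, not part of ITSB-97: audit one Windows workstation against the top four measures.
# Assumptions: elevated Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (Get-LocalGroupMember);
# $ReferenceReaderVersion and the 'Adobe Acrobat*' display name are placeholders to adjust locally.
$ReferenceReaderVersion = [version]'0.0.0.0'   # PLACEHOLDER: the Adobe Reader build your patch process approves
$MaxPatchAgeDays        = 30                   # assumed threshold for "patched recently"
$Findings               = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Measure, [string]$Status, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Measure = $Measure; Status = $Status; Detail = $Detail })
}

# 1. Minimize administrative privileges: the logged-on user (Larry) must not be a local administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
$me     = "$env:USERDOMAIN\$env:USERNAME"
Add-Finding 'Minimize admin privileges' $(if ($admins -contains $me) { 'FAIL' } else { 'PASS' }) `
    "Local Administrators: $($admins -join ', ')"

# 2. Application whitelisting: AppLocker must enforce (not audit) the Exe rule collection,
#    and the Application Identity service must be running or the rules are never evaluated.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$exe    = $policy.RuleCollections | Where-Object RuleCollectionType -eq 'Exe'
$svc    = (Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue).Status
$wlOk   = ($exe.EnforcementMode -eq 'Enabled') -and ($svc -eq 'Running')
Add-Finding 'Application whitelisting' $(if ($wlOk) { 'PASS' } else { 'FAIL' }) `
    "Exe collection: $($exe.EnforcementMode); AppIDSvc: $svc"

# 3. Patching operating systems: flag a host whose newest hotfix is older than $MaxPatchAgeDays.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age    = if ($latest) { (Get-Date) - $latest.InstalledOn } else { $null }
$osOk   = $age -and ($age.TotalDays -le $MaxPatchAgeDays)
Add-Finding 'Patching operating systems' $(if ($osOk) { 'PASS' } else { 'FAIL' }) `
    "Newest hotfix: $($latest.HotFixID) installed $($latest.InstalledOn)"

# 4. Patching third-party applications: compare the installed Adobe Reader build to the approved one.
$paths  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$reader = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
          Where-Object DisplayName -like 'Adobe Acrobat*' | Select-Object -First 1
$appOk  = $reader -and ([version]$reader.DisplayVersion -ge $ReferenceReaderVersion)
Add-Finding 'Patching 3rd party applications' $(if ($appOk) { 'PASS' } else { 'FAIL' }) `
    "$($reader.DisplayName) $($reader.DisplayVersion) (approved: $ReferenceReaderVersion)"

# A FAIL on any row is one stage of Larry's intrusion left open; the measures only work as a package.
$Findings | Format-Table -AutoSize
```

A FAIL on the administrative-privileges row also undermines the whitelisting row, since a local administrator can alter or disable the AppLocker policy on that host.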
Further, it should be noted that some measures may require the implementation of another measure to be fully effective. For example, for application whitelisting to be effective, users are often required to not have local administrative privileges. Likewise, patching operating systems is critical – if the operating system is not stable and secure, then the effectiveness of other security considerations will be significantly undermined. This further emphasizes the need to implement the top 4 mitigation measures as a package.

Additional Information

The full list of CSEC’s Top 35 Mitigation Measures as well as a range of supplementary advice can be found at www.cse-cst.gc.ca/its-sti/publications/index-eng.html. For general questions regarding this guidance document, contact: [email protected].