Neutralise advanced persistent threats

What are the biggest security threats facing government and critical infrastructure networks?

Ari Takanen: For government and defence organisations the biggest threat is data theft. For critical infrastructure providers, the threat is that cyber-attacks can cut off the supply of vital resources, such as water and electricity, and disrupt communication and transportation systems. The consequences of such an attack can be catastrophic.

The main issue with critical infrastructure networks is that the people running them don't understand just how open and vulnerable their networks are. Production networks are considered to be closed, even though they are connected corporate networks, which in turn have direct internet access.

Even if the network is a completely separate environment, well-financed and skilled attackers will always find a way in. Most critical infrastructure networks are so vulnerable that it does not take a sophisticated attack like Stuxnet to bring them down.

How should government, defence organisations and critical infrastructure providers protect their networks against advanced persistent threats (APTs)?

The best way to prepare networks against attacks by APTs is to proactively get rid of exploitable vulnerabilities. There are several types of malware, including viruses, worms, trojans, back doors, keystroke loggers, rootkits and spyware; what these all have in common is that they exploit software vulnerabilities.

These can be divided roughly into known and unknown vulnerabilities. Known vulnerabilities are flaws that somebody has already found and reported. Anti-virus software, firewalls and IPS/IDS systems protect networks against attacks exploiting known vulnerabilities - or variations of them - with signatures and heuristics.

However, these solutions don't provide any defence against attacks exploiting unknown vulnerabilities. Unknown or zero-day vulnerabilities are the biggest threat to IT security, because there are no defences against attacks exploiting them.

How can you defend against zero-day attacks?

The most effective technique for finding zero-day vulnerabilities is fuzzing, which involves triggering them with unexpected inputs. Fuzzers work on protocols, the languages that computers use to communicate with each other. The fuzzer can confuse a device by sending it an invalid protocol message. If there are vulnerabilities, then it can crash or go into a busy loop. This is also the method of choice of black hat hackers.

At Codenomicon, our tools are based on protocol specifications. We take the official 'grammars' of protocols to create our tests and that's why our tools contain all the possible fuzzing messages. So, by using our tools, you can make it pretty hard for the attackers.

Organisations can protect their networks by hacking their own systems?

Yes, exactly. Organisations can use fuzzing to find zero-day vulnerabilities in their networks and fix the flaws before anybody has a chance to exploit them. By removing potential zero-day vulnerabilities proactively, you can make it much harder for attackers to find exploitable vulnerabilities in your network, and devise an attack against it.

By integrating fuzzing into their software development and procurement processes, organisations can ensure that the software in their networks is robust and secure.

Could you describe some of the devices or systems can be fuzzed?

Basically, anything with an open interface - that is any device or system that communicates with another device or system - can be tested. Even security software like anti-virus programs or firewalls can be fuzzed.

What organisations often fail to realise is that their networks are just as strong as the devices connected to it. Nobody thought devices such as storage solutions, smartphones and printers could be used to attack networks, so the developers didn't try to make this difficult or impossible to do.

Can a network be hijacked by a device such as a printer?

Not exactly, but once the attackers gain control over the printer, they can install malware or a sniffer to monitor traffic within the network. With sniffers and malware, the attackers can gain access to sensitive network information like user names and passwords, which will enable them to launch further, more serious attacks against the network.

So, if you are purchasing equipment for a critical network, or a network connected to a critical network, then it's a good idea to fuzz equipment before they are incorporated. Better still, use your purchasing power and the vendors do the testing for you.

Software products have the highest amount of defects of products sold today. The next time you are having problems with software running on your laptop, this is not just a sign of bad quality - it is also a sign that your laptop can be hacked.

Codenomicon has been active in the security testing market since 2001. How has cyber-security changed in the past ten years?

Ten years ago, cyber-attacks were mainly carried out by hobbyists as pranks. But as we are using more and more IT in the workplace, have online records and do online banking and shopping, the opportunity to profit from stolen information has grown exponentially.

So, it's no wonder that criminals are moving into the cyber-domain, especially since the risk of getting caught is significantly lower online. Cyber-criminals act globally, but the jurisdiction of law enforcement is restricted by national borders. What little cooperation exists between different authorities is often overpowered by bureaucracy. Hacking is an international multibillion-dollar business. Anyone, terrorists, organised criminals and hostile nation states can purchase the expertise needed and carry out cyber-attacks. Botnets and malware are commodities that can be bought or rented from underground auctioning sites. You can hire an entire hacking team by recruiting on IRC channels or simply buy the attack online.

Are cyber-attacks predominantly motivated by financial gain?

No. In 2011, we saw a sharp rise in the activity of hacktivist groups like Anonymous and LulzSec. These groups want to retaliate for some perceived wrongdoing and embarrass their victims by messing up their website or announcing that they have managed to steal confidential information such as customers' credit card details.

But the most worrying attacks are the ones that don't get noticed. Spies working for governments and corporate espionage are carrying out some of the most technically advanced and resource-intensive attacks ever seen. They are the APT, the advanced persistent threat, and they won't be stopped by a firewall.

Can they be stopped by fuzzing?

By fuzzing their networks, organisations can make it significantly harder for attackers to find exploitable vulnerabilities. If we could give government organisations and critical infrastructure providers one piece of advice, it would be fuzz your networks. If you are not fuzzing your network, then it is an easy target for somebody else.