third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

Once a computer is infected the malware ensures that a back door is opened on the computer allowing the botnet herder to give commands to the infected computer. The computer has thus become a bot in the botnet, also known as a ‘zombie’. The malware aims to be as inconspicuous as possible. For example, by lowering the priority of his own process to the operating system, all actions that the user carries out take precedence, with virtually no notable deterioration in the computer’s performance. In a traditional botnet a bot receives the instructions from a C&C server. The botnet administrator uses this server to communicate the commands to deploy the botnet. The C&C server is therefore the critical component focused on in the fight against botnets. Once this machine is switched off the botnet can no longer be controlled and the bots remain inactive. To reduce vulnerability, administrators build an infrastructure with sometimes hundreds [13: FS 2013] of individual C&C servers in the same botnet. An alternative architecture that is used to make combating botnets difficult is the ‘peer-to-peer’ (P2P) botnet. Here, a bot is instructed and then passes the command on to the next bot so that is spreads like a patch of oil across the botnet. Because a different machine is used as the starting point each time, the source of the instructions is difficult to determine. Instructions are also spread on social media. Because of the astronomical volume of messages on networks such as Facebook and Twitter there is no monitoring as to whether there are accounts between them sending coded commands that are read by bots. In addition, there is repeated switching between accounts. 3.3 Developments 3.3.1 Current situation The botnet landscape is currently dominated by a number of botnet families. The most notable is the family of ZeuS botnets. Derived from this is Citadel, which enjoyed media attention in the Netherlands, following incidents concerning Dorifel and Pobelka (see boxed texts). Alongside ZeuS, ZeroAccess and Carberp are also very common. As well as click fraud, ZeroAccess is often used to exploit the computing power of bots for bitcoin mining. The bitcoin is a digital currency that is not managed by a central bank, is not recognised by international organisations but that is increasingly accepted as a payment method. It works on the basis of cryptographic principles 123 Microsoft Threat Encyclopedia, W32/Carberp http://www.microsoft.com/security/portal/ threat/encyclopedia/entry.aspx?Name=Win32%2fCarberp 124 C. Rossow et. al.: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets http://www.christian-rossow.de/publications/p2pwned-ieee2013.pdf 125 http://webwereld.nl/nieuws/112177/update-maakt-botnet-citadel-langer-onzichtbaar.html 126 NCSC Cyber Security Assessment Netherlands CSAN-2, p. 52. 127 http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ ENISA_Threat_Landscape/at_download/fullReport and is ‘mined’ by performing complex calculations. Deploying an entire botnet to mine for bitcoins is therefore a lucrative business. Carberp is known for creating fierce competition in the underground economy. The botnet attempts to switch off other malware [123] and gain control over a bot for itself. The organisation is so professional that there is presumably a marketing department behind this botnet to attract more customers. Mobile telephones, in particular smartphones, are increasingly the target of malware, resulting in the emergence of mobile botnets. Malware that tries to intercept financial transactions sometimes appears both on computers and mobile telephones to intercept not just the transaction in the internet browser but any authorisation code sent by SMS. Botnet developers are also demonstrating their innovation in combating detection. In addition to the increasingly common P2P architecture [124] , they are using encryption and administrators are communicating by Tor to retain their anonymity. Large botnets are deployed only in small sections and target very limited objectives to remain under the radar as much as possible. [125] The conventional way of switching off botnets through their C&C servers is therefore virtually redundant. Botnets often revive because of the ease and speed with which networks can be built and because of the high percentage of infected computers. For example in CSAN-2 there was still talk of dismantling the Kelihos botnet [126] , however this botnet re-appeared [21: McAfee 2013-1] on the radar of anti-virus companies in September 2012. 3.3.2 Expectations The success in dismantling botnets is reflected in the declining volume of spam sent by these botnets. [127] With spammers’ attention shifting to social media, new botnets are being to set up to provide different functions, such as DDoS attacks. As a result, it is impossible to estimate how effective dismantling is, based on the volume of spam. In the short and medium term, an increase in the number and size of botnets can be expected. Drivers behind this are: »» revenue from hire remains high; »» the increasing interest in carrying out DDoS attacks; »» the increasing ease of use of ‘create your own botnet packages’; »» the rising bitcoin exchange rate. Currently, the PC is still the most commonly infected device. This is expected to remain the case, certainly given its market share, but proportionally botnets for devices with Mac OS X, iOS and Android will increase significantly. 64
Detailed section » 3 Botnets » Dorifel case Detection and incident response On 8 August 2012 the NCSC received report of failing systems. These systems were, through infection, part of the Citadel botnet. These systems had been ordered through the Citadel botnet to execute new malware that later became known as Dorifel. The Dorifel malware is a banking trojan, malware directed at stealing internet banking log-in details. The makers of anti-virus software had the first anti-virus updates available the next day meaning that users with up-to-date anti-virus software were no longer at risk from new infections from that moment on. However this was of only limited effect because this malware was able to switch of anti-virus software without this being noticed. As a result, systems infected with Citadel were still vulnerable. The Dorifel malware encrypted files on the system and on the network storage. The Dutch anti-virus maker SurfRight published a programme able to reverse this encryption. The NCSC advised various target groups of the risks and perspective into potential action. There was close collaboration with private investigative companies to analyse the malware. Much of the expertise in this area appears to be held primarily by private organisations and be limited in the government. Impact The version that appeared in the Netherlands was potentially a test version. The consequences were major because this version caused systems to fail. If the malware had worked as planned, this attack would probably have remained unnoticed. In the meantime it has become apparent that the number of infections in the Netherlands is greater than abroad. The IP addresses found on the Dorifel C&C servers show that at least 150,000 Dutch systems are (were) infected. One of the consequences was that organisations were unable to operate. Because Dorifel was probably not spread through a 0-day, it is likely that organisations were not careful enough in preventing and detecting infection by known malware. The organisations affected include local authorities, hospitals, parts of central government and government-related bodies. There is no data regarding the number of infections form organisations in the vital sectors. 3.4 Prevent and combat 3.4.1. Combat It is becoming increasingly difficult to detect and combat botnets. There is more frequent use of P2P architectures, encryption and large-scale randomly created domain names to prevent detection, infiltration and dismantling. Under current legislation there are few opportunities for investigators, companies and the government to tackle sophisticated botnets. Botnets are generally investigated, infiltrated and sabotaged by private parties. Investigative agencies and security companies are able to operate more freely than the government in an area where there are still many legal uncertainties. Investigators themselves are also calling for social discussion on whether it is desirable to have governments infiltrate botnets because of the high impact on the privacy of (innocent) users. [128] Government services are predominantly reactive in their actions during incidents and have no timely, complete and detailed picture of malware and botnet activity. Because of a lack of information provision and coordination of activities in this area, private sector efforts are often temporary and limited in reach or effect, because the efforts being made by various actors work against each other. One example of this is switching off of the Waledac botnet by Microsoft, something that according to investigators from Fox-IT among others was an unwise and undesirable act because the botnet was filtered, leaving people unable to collate information concerning infections. 3.4.2 Responsibilities Preventing infection by malware largely remains the responsibility of the owner (or delegated administrator) of a system. Software manufacturers, site administrators, Internet Service Providers (ISPs), etc. also share some of the responsibility. Users should continue with the time-honoured recommendations such as maintaining updates, being aware of clicking on links and using a virus scanner. It remains difficult for less technically savvy end-users to adopt technical measures, it takes time and effort and malware is spreading through constantly changing methods of social engineering. Recognising infection by malware is virtually impossible without sufficient understanding of how a computer works. [129] The high extent of spreading among victims leads to the assumption that data was stolen from various organisations. However it is not known what data was stolen by Dorifel. 128 http://www.f-secure.com/weblog/archives/00002056.html 129 Three of the five characteristics in the recommendation below require technical knowledge to recognise, the other two are not applicable to botnets: https://www.security.nl/ artikel/45721/1/Vijf_kenmerken_van_een_besmette_computer.html 65
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65: Detailed section » 3 Botnets 3 Bot
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?