CMIT 495: Current Trends and Projects in Computer Networks and Security
Task
Edit the provided discussion.
Then write a one page conclusion to the paper.
Part 1: Threat Landscape Analysis
The threat landscape is still rapidly evolving as cybercriminals develop new tactics. Cybersecurity threats are a regular part of life, affecting even the most adaptable, creative, and esteemed organizations worldwide. Every day, cybersecurity experts put in a lot of effort to create newer defenses against current and future attacks. Analysis of the cybersecurity threat landscape is unsettling, to say the least. The widespread opportunities that today’s digital connectivity produces come with new opportunities for threat actors to compromise systems and cause harm. According to VMware, “Threat analysis is a cybersecurity strategy that aims to assess an organization’s security protocols, processes and procedures to identify threats, vulnerabilities, and even gather knowledge of a potential attack before they happen” (VMware, n.d.). The threat landscape of today is a fertile hunting ground for crafty attackers, with opportunities to abuse the Internet of Things, take advantage of weak supply chains, and penetrate critical infrastructure. More than ever, your company needs to proactively develop advanced cyber defenses to counteract these attackers. Organizations must adopt a mindset that is focused on cybersecurity in this dynamic threat environment.
According to the Kaspersky IT Encyclopedia, “The threat landscape is the entirety of potential and identified cyberthreats affecting a particular sector, group of users, time period, and so forth” (Kaspersky IT Encyclopedia, 2022). The vulnerabilities, malware, and specific attacker groups and their tactics that pose a threat to a certain industry, organization, or even person are typically thought of as part of the threat landscape. “The threat landscape changes both over time and as a result of events with a significant impact on the organization, group of people, or sector for which the threat landscape is defined. For example, as a result of 2020’s large-scale shift to work from home, attacks targeting remote-access tools have surfaced on many companies’ threat landscapes” (Kaspersky IT Encyclopedia, 2022). The threat environment is shaped by the following variables: the emergence and identification of vulnerabilities that give cybercriminals new opportunities for attack; the introduction of updated software with improved features; the introduction of new hardware platforms and methods for processing data, such as cloud services or edge computing; and global events such as the COVID-19 pandemic, which have forced organizations to make significant infrastructure changes.
The adoption of work-from-home business models by organizations in response to the COVID-19 pandemic has completely changed work and life patterns. Businesses and employees are now accepting many of the changes that were initially intended to be temporary as the new norm. According to the executive summary of a report from Fireeye.com, “Cyberspace has become a full-blown war zone as governments compete for digital supremacy in a new, largely unnoticed theater of operations. Cyber-attacks, once the domain of opportunistic criminals, are now a crucial tool for governments looking to protect national sovereignty and assert their power” (Cyber Security Experts & Solution Providers | Fireeye.com, n.d.). What does the threat environment look like right now? A hugely epic digital battleground. Just as in the story of “the boy who cried wolf,” the wolf is staring you in the face and stealing your data, so don’t take that statement lightly.
On the cybersecurity threat landscape, Daniel Coats wrote that “the potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malicious actors become more emboldened and better equipped in the use of increasingly common cyber toolkits” (Coats, 2018). The interesting parts of that quotation are the number of connected devices today and the enormous number of devices that have not yet been connected. For instance, from across the country I can now tell my smart assistant to start the coffee maker while I do a load of laundry, inquire about the weather, and obtain the traffic information for my route to work. It is important to consider how intelligent something really is even though it may be smart-enabled, from your fridge to your pet’s collar. There is no embedded security on any of these devices. Your approval of the device’s connection to your internet-connected app is the true security. The connected device app may have two-factor authentication enabled, which is a great idea, but the device itself lacks an antivirus or anti-malware program, making it vulnerable to exploits. All of these connected devices would be rendered useless if another nation or foreign state actor targeted internet connectivity in just one region of the world, because they cannot function without internet connectivity.
All it takes is for a foreign state actor to shut down the electricity grid, which will negatively affect some of the nation’s refrigerators and result in millions of dollars in damages from ruined food and supplies. The threat landscape can change significantly from month to month and from year to year due to a variety of factors. The authors of The Changing Threat Landscape in Today’s Cybersecurity draw attention to a few very worrying issues. They touch on a variety of topics, including the digital divide and how serious a problem it is. These regions are so underserved by technology and internet access that they lack the expertise, experience, and skills necessary to identify and defend themselves against these dynamic cybersecurity threats (Harris, 2020). This should be a top priority in terms of national security. It only takes a threat actor to target these locations, gain entry, steal data, and then utilize that data to benefit from other exploits and propagate, potentially undetected. We also need to consider other global concerns, such as the current effects of COVID-19. As a result of the global pandemic, everyone has switched from using a corporate internet connection, which is more secure, to home internet, which depends on the user’s capacity to protect their home. Because of this, businesses, governments, and educational institutions are constantly rushing to buy, set up, and secure new technology.
Part 2: Advanced Persistent Threat (APT) Analysis
Advanced Persistent Threats are now the single greatest cybersecurity risk in cyberspace. A lone criminal cannot employ the same extensive array of resources as a focused, government-backed, and well-funded APT. “This term is applied to concerted, stealthy, ongoing attacks against specific organisations — in contrast to speculative, isolated, opportunistic incidents that make up the bulk of cybercriminal activity” (Kaspersky IT Encyclopedia, 2022). APT (advanced persistent threat) attacks are typically government-backed. Such attacks make use of highly sophisticated malware to breach an organization’s security defenses. Group 5 was assigned APT32. “APT32 (aka OceanLotus, SeaLotus) is a Vietnamese-backed advanced persistent threat group known for targeting foreign companies investing in multiple Vietnam industry sectors, Vietnamese human rights organizations and activists, and worldwide research institutes and media organizations” (Gatlan, 2021). APT32 is one of the world’s most notorious hacking groups. “FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests” (Dennesen, 2017). “APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials. APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet. APT32 has sent spearphishing emails containing malicious links” (MITRE ATT&CK, n.d.). APT32 has been accused of conducting cyberespionage against political opponents, authorities, and companies with connections to Vietnam.
Attacks by APT32 against journalists, activists, private businesses, foreign governments, and governments are well known. According to the study on APT32 (OceanLotus), they have been a persistent cyberthreat since 2014, with government agencies, significant private companies, and media outlets in Southeast Asia as their primary targets. Target countries for APT32 often include Vietnam, the Philippines, Cambodia, and Laos. APT32 has also demonstrated its capacity to swiftly create and distribute exploits for zero-day flaws, such as CVE-2018-0802 in Microsoft Office, through phishing scams and site compromises. Malware-based attacks are one technique that APT32 is particularly adept at using. According to the Fireeye.com report, they launched over a dozen malware attacks between 2015 and 2018 that made use of malicious downloaders, backdoors, and web-compromise attacks. To quote the discussion from the report:
“APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails. APT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had ‘.doc’ file extensions, the recovered phishing lures were ActiveMime ‘.mht’ web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages” (Dennesen, 2017). “The attacker also used DLL hijacking leveraging Windows Search, Google Update and Kaspersky’s Avpia to load fake DLLs containing malicious code. It used DNS tunneling for C2 communication and data exfiltration” (Townsend, 2017). “To ensure that the DNS traffic will not be filtered,” reports Cybereason, “the attackers configured the backdoor to communicate with Google and OpenDNS DNS servers, since most organizations and security products will not filter traffic to those two major DNS services.” According to Sergiu Gatlan of BleepingComputer, “The spyware used by the APT32 hackers allowed them to read and write documents on compromised systems, launch malicious tools and programs, and monitor their victims’ activities. As Amnesty International said, these attacks are part of an ongoing campaign focused on tracking and spying on Vietnamese HRDs, bloggers, and nonprofit organizations” (Gatlan, 2021).
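A defender's triage check for the lure format described in the quoted report, added here as an example (it is not code from the report or from any vendor): it classifies an attachment by its bytes rather than its file name, flags a “.doc” that is really an MHT web archive, and notes the application/x-mso MIME part that Word uses to embed an ActiveMime (editdata.mso) container. The format signatures are public, well-known markers; the sample attachment is constructed, and the mso part holds only a placeholder header, not a macro.

```python
# Public file-format markers (not indicators from the report).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm (Office Open XML is a zip)
MSO_PART = b"content-type: application/x-mso"       # part Word uses for an ActiveMime container

# What each extension should look like on the inside.
EXPECTED_FORMAT = {"doc": "ole2", "dot": "ole2", "docx": "ooxml", "docm": "ooxml",
                   "mht": "mht", "mhtml": "mht"}

# Constructed sample: a single-file web archive that a lure might rename to ".doc".
LURE_SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_placeholder\"\r\n\r\n"
    b"------=_NextPart_placeholder\r\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\r\n\r\n"
    b"<html><body>Placeholder document text</body></html>\r\n"
    b"------=_NextPart_placeholder\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"QWN0aXZlTWltZQ==\r\n"      # base64 of the string "ActiveMime" only; no macro body
    b"------=_NextPart_placeholder--\r\n"
)
# Constructed sample: a genuine legacy Word file header followed by padding.
OLE_SAMPLE = OLE2_MAGIC + b"\x00" * 24


def sniff_format(data: bytes) -> str:
    """Classify an attachment by content, ignoring whatever name it carries."""
    head = data[:4096]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    lowered = head.lower()
    if b"mime-version:" in lowered and b"multipart/related" in lowered:
        return "mht"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a triage record: extension/content mismatch and embedded mso part."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_format(data)
    expected = EXPECTED_FORMAT.get(ext)          # None for extensions we do not track
    reasons = []
    if expected is not None and expected != actual:
        reasons.append(f"extension .{ext} claims {expected} but content is {actual}")
    if actual == "mht" and MSO_PART in data.lower():
        reasons.append("MHT archive carries an application/x-mso part "
                       "(ActiveMime container, the place Word stores macros)")
    return {"filename": filename, "claimed": expected, "actual": actual,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for name, blob in (("plans.doc", LURE_SAMPLE), ("report.doc", OLE_SAMPLE)):
        print(check_attachment(name, blob))
```

A hit is a triage signal, not proof of malice: a user can legitimately save a document as a web archive, so the record is meant to route the attachment to sandboxing or analyst review.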
A summary of intrusions linked to APT32 that FireEye has investigated reveals that a European company’s security was breached in 2014 just before it started building a factory in Vietnam. Vietnamese and foreign-owned businesses involved in the banking, media, technology infrastructure, and network security sectors were targeted in 2016. Midway through 2016, FireEye discovered malware that it believes to be specific to APT32 on the networks of a worldwide hospitality industry developer with plans to extend operations into Vietnam. Two Vietnam-based subsidiaries of American and Philippine consumer goods companies were the focus of APT32 intrusion operations from 2016 to 2017.
In addition to specifically targeting the corporate sector with ties to Vietnam, APT32 has targeted foreign governments, Vietnamese dissidents, and journalists. Malware and strategies consistent with APT32 operations targeted journalists, activists, dissidents, and bloggers in 2013. In 2014, APT32 also used a spear-phishing attachment called “Plans to crackdown on protests at the Embassy of Vietnam.exe” to target unrest among the Vietnamese diaspora in Southeast Asia. APT32 also infiltrated a Western nation’s national legislature in 2014. SkyEye Labs, the security research division of the Chinese company Qihoo 360, published a report in 2015 that described threat actors who were aiming their attacks at both public and private Chinese entities, including governmental organizations, research institutions, maritime organizations, sea construction companies, and shipping businesses. According to the evidence in the study, the offenders employed the same malware, the same infrastructure, and identical targets as APT32. Two Vietnamese media sites were targeted in 2015 and 2016 by malware that FireEye determined to be specific to APT32. According to social engineering content discovered in 2017, the actor’s lures were likely used to target members of the Vietnamese diaspora living in Australia as well as government workers in the Philippines.
Part 3: Cybersecurity Tools, Tactics, and Procedures
With the current trends in information security, cybercriminals rely on tools that help them achieve their nefarious goals. Just as thieves use tools to open doors or break windows, cybercriminals employ mechanisms that aid them in infiltrating companies and corporations. Even when the means employed were developed for testing and analysis, cybercriminals always seem to be one step ahead of information security researchers and use the tools to perform intrusions and gain information. The Vietnam-based hacking group Ocean Lotus, which cybersecurity researchers also know as Advanced Persistent Threat group 32 (APT32), is one of the groups that has been gaining notoriety in recent years. APT32 is described as a state hacking group backed by Vietnam, and its primary targets are nonprofit organizations and human rights activists that oppose Vietnam’s views. APT32’s mode of operation includes:
• Gaining access by phishing.
• Escalating privileges.
• Monitoring the distribution of malicious documents.
• Establishing backdoors for entry.
• Moving laterally within the organization to maintain access.
Additionally, APT32 relied on research tools like Daniel Bohannon’s Invoke-Obfuscation framework to hide their activities and continue to operate.
Cybersecurity researchers have several recommendations for disrupting groups like APT32 that could protect potential victims. Researchers have recommended using monitoring tools to track suspicious activity in the network. Furthermore, a strict password policy could deter most hackers by making systems harder to access. Moreover, data encryption can protect private information from being openly disclosed and propagated online. Other strategies for protection against hackers are to monitor personal and corporate email accounts closely and not open any suspicious emails or links. In addition, keeping up with software and hardware vendor updates and properly setting up a firewall could boost the security of the systems. Lastly, security awareness could help to prevent intrusions that begin with scams.
In incidents where ransomware is an issue, remember that a perpetrator must first have access to the data to use their ransomware software. To limit exposure, an individual should consider having a data backup strategy. A best practice is to keep a data backup physically separate and offline. That way, even if the hacker has access to their data, they do not have to pay a ransom. To fight ransomware, companies must use secure multi-factor authentication, enforce a strict password policy for employees and instruct them not to reuse those passwords on other accounts, keep all software up to date, and avoid clicking on suspicious links in emails (Ortiz, 2022).
Often, stolen data is used to impersonate victims and steal from them. Fraudsters can use this data to apply for credit cards, take over cell phones, open bank accounts, and make fraudulent purchases in the victim’s name. In addition, fraudsters can sell the data to others. Essential information such as social security numbers, passports, and driver’s licenses is sold for anywhere from $1 to $2000 on the dark web (Anonymous, 2019). Some people might brush it off by saying, “so what if they have my last name,” but what they fail to realize is that even a tiny amount of information gained by a hacker could lead to catastrophic results (Ortiz, 2022).
Even with some or all of the methods described above, APTs might still be able to access some systems. An APT’s goal is to remain undetected for a prolonged period until its mission is accomplished. The threat remains persistent because they gain access, attack and take control of a system, delete logs and corrupt data, and then do it all over again. These groups remain “persistent” because they are state-sponsored and can afford the best hardware, software, and talent without fear of getting into legal trouble. Another reason for their persistence is that they constantly change tactics and use or develop different tools.
Part 4: Machine Learning and Data Analytics
Cybersecurity is evolving because of two key ideas: machine learning and data analytics. Machine learning is the process of finding patterns in massive volumes of data, making predictions based on those patterns, and offering suggestions. Supervised machine learning, the most popular type, involves feeding labeled data to an algorithm so it can learn from it. In this case, the algorithm is given raw data together with labels or classifications, such as for photos or text documents. For instance, if humans wanted an algorithm to sort images into various categories, they would give it a set of images already sorted into those categories, such as cats or dogs, along with their accurate labels, so that it could learn how to classify new images properly (Rahim et al., 2020). Data analytics is large-scale data analysis. It involves looking for patterns in the data to anticipate the future and make suggestions based on those predictions. Combining these two ideas has given security professionals a new perspective on safeguarding their data better.
Machine learning is a technique that allows systems to learn through experience without being explicitly programmed. Arthur Samuel established the field in 1959 (Qin & Chiang, 2019). He created a checkers program that learned moves from games against other players and from its own play. The software could improve by playing itself because it learned from its failures and victories and from the moves its rivals were making at any given time. It achieved this by examining several aspects of each play it made (such as whether it won or lost), which allowed it to assess whether the move was effective and, if it was, to repeat similar actions in subsequent games (Rahim et al., 2020). By combining machine learning and data analytics, cybersecurity experts can leverage the power of big data to develop new strategies for defending their organizations against cyber threats. Thanks to machine learning, organizations can now analyze massive amounts of data more rapidly and accurately than ever. For cybersecurity experts who can leverage the potential of ML and data analytics, the future is promising.
Several businesses offer cutting-edge defensive cybersecurity techniques based on data analytics and machine learning. Malwarebytes is one business garnering media attention; it recently released a new product dubbed “Anti-Exploit” that employs machine learning to prevent exploits. Another is Invincea, which Symantec recently acquired. Invincea’s technology can quickly identify zero-day attacks and stop them before they harm a user’s computer. The business accomplishes this by developing what it refers to as an “Adaptive Cloud Protection Platform” utilizing “artificial intelligence” (Morota et al., 2018). Companies like CrowdStrike, Carbon Black, and FireEye also offer comparable services. If the CTO wants to take more precautions to safeguard his network against cyberattacks, I would advise him to use all of these tools. I suggest these businesses because they have shown their competence in this field through in-depth research and development. Additionally, they have incorporated cutting-edge approaches into their products that have not yet reached the wider market. As an illustration, Clearswift has made significant investments in its Dynamic Anti-Spam (DAS) platform, which employs Deep Learning (DL) technologies to train its systems on billions of email messages and guard against the malicious emails that phishing scams frequently send from phony email addresses or subdomains (Qin & Chiang, 2019).
Part 5: Using Machine Learning and Data Analytics to Prevent APT
Data exfiltration is the process by which information is transferred from one system to a different one without the system’s owners being aware. A data exfiltration attack is typically carried out to steal sensitive data that can be used for financial gain or as a competitive advantage. To send their stolen data covertly to their servers in Vietnam, the APT32 attackers employed a highly developed mechanism. Finding the victim’s machines and open ports is the initial stage. APT32 discovered systems with open ports 80 (HTTP), 23 (Telnet), and 22 (SSH) by using freely accessible programs like Shodan, Maltego, and Censys (Morota et al., 2018). Additionally, the attackers track down vulnerable web-based programs running on these ports and attempt to use known flaws to their advantage. Once they have access to a computer, they install locally run scripts that other computers on the same network can use to carry out remote operations. These programs make data exfiltration from infected machines possible across various routes, including HTTP, FTP, Netsend, and Netcat. However, data analytics and machine learning are advantageous for the victim organization. In reality, had the victim organization used these technologies at the time of the incident, APT32 (cyber espionage actors) could have been detected and stopped (Adi et al., 2020).
In this approach, systems “learn” from experience and continually improve performance. Machine learning algorithms are created to find trends in data sets, identify relationships between variables, and forecast future outcomes. Organizations utilize a variety of statistical approaches and techniques to glean knowledge from vast amounts of data, and the phrase “data analytics” is used to describe them all. Attacks can be recognized and predicted using machine learning. For instance, it can spot trends in occurrences and create rules based on those trends that can be applied to stop further attacks (Moubayed et al., 2018). The term for this is anomaly detection. Low-level data like usernames and IP addresses that might not be identified by human analysts but can be linked to harmful conduct can also be found using machine learning techniques. Several crucial factors could have assisted in identifying and stopping this attack. Data analytics and machine learning can find anomalies, such as strange access patterns or activity, that could point to a security breach or compromised system (Morota et al., 2018). By examining log files and other data sources, data analytics tools can offer insight into what transpired during an incident. This kind of data can reveal trends in attacker behavior that might not be immediately visible but are nevertheless vital signs that something is wrong in the environment. Machine learning can examine network traffic for abnormal behavior, including unusual connections or protocol usage, which would signify that an attack is in progress. Using data analytics, system logs can be checked for unusual activity or faults that might point to an active attack. Since data analytics uses statistical analysis to identify patterns in large datasets, it can be used to analyze logs from security systems to identify suspicious activity that could indicate an attack is being launched against them.
Additionally, machine learning could have examined all previous data to look for trends associated with APT32’s behavior. This data could then be used to develop criteria that would assist in anticipating future APT32 attacks, allowing countermeasures to be taken before they happen (for example, blocking traffic from specific IP addresses) (Adi et al., 2020).
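As an added example (not code from any of the cited sources) tying the anomaly detection described in this part to the DNS tunneling reported in Part 2, the script below runs simple statistical analytics over a constructed DNS query log: per client it counts queries sent straight to Google Public DNS or OpenDNS instead of the corporate resolver, and it flags domains whose many unique subdomains have high Shannon entropy, the signature of data encoded into query names. The corporate resolver address, client addresses, the c2 domain, and the log lines are all constructed; the public resolver addresses are the real Google and OpenDNS service addresses.

```python
import math
from collections import defaultdict

# Corporate resolver is a constructed example; public resolvers are Google Public DNS and OpenDNS.
CORPORATE_RESOLVERS = {"10.0.0.2"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Constructed DNS query log (not real traffic): "timestamp client resolver qtype qname".
SAMPLE_LOG = """\
2022-11-01T09:00:01 10.0.0.12 10.0.0.2 A www.example.com
2022-11-01T09:00:02 10.0.0.12 10.0.0.2 A mail.example.com
2022-11-01T09:00:05 10.0.0.12 10.0.0.2 A intranet.example.com
2022-11-01T09:00:09 10.0.0.12 10.0.0.2 A cdn.example.com
2022-11-01T09:00:11 10.0.0.12 10.0.0.2 A www.example.com
2022-11-01T09:00:20 10.0.0.33 8.8.8.8 A www.example.com
2022-11-01T09:00:21 10.0.0.33 8.8.8.8 A mail.example.com
2022-11-01T09:01:00 10.0.0.57 8.8.8.8 TXT k3x9q1z7m2w8p4n6r0t5.cdn-update-placeholder.example
2022-11-01T09:01:01 10.0.0.57 8.8.8.8 TXT b7d2f5h8j1l4n0p3r6v9.cdn-update-placeholder.example
2022-11-01T09:01:02 10.0.0.57 208.67.222.222 TXT c4e8g1i5k9m2o6q0s3u7.cdn-update-placeholder.example
2022-11-01T09:01:03 10.0.0.57 8.8.8.8 TXT a1b2c3d4e5f6g7h8i9j0.cdn-update-placeholder.example
2022-11-01T09:01:04 10.0.0.57 208.67.222.222 TXT z0y9x8w7v6u5t4s3r2q1.cdn-update-placeholder.example
2022-11-01T09:01:05 10.0.0.57 8.8.8.8 TXT m5n6o7p8q9r0s1t2u3v4.cdn-update-placeholder.example
2022-11-01T09:01:06 10.0.0.57 10.0.0.2 A www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or random labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain, registered domain).
    Simplification: the registered domain is the last two labels; a
    production tool would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns_log(log_text: str, min_unique: int = 5, entropy_threshold: float = 3.5) -> dict:
    """Per client: queries that bypassed the corporate resolver, and domains
    whose subdomains look like encoded data (many unique, high-entropy labels)."""
    bypass = defaultdict(int)
    per_domain = defaultdict(lambda: defaultdict(dict))   # client -> domain -> {sub: entropy}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                                      # skip malformed lines, do not crash
        _ts, client, resolver, _qtype, qname = parts
        if resolver in PUBLIC_RESOLVERS:
            bypass[client] += 1
        sub, domain = split_name(qname)
        if sub:
            per_domain[client][domain][sub] = shannon_entropy(sub.replace(".", ""))
    findings = {}
    for client in set(bypass) | set(per_domain):
        suspicious = []
        for domain, subs in per_domain[client].items():
            if len(subs) >= min_unique and sum(subs.values()) / len(subs) >= entropy_threshold:
                suspicious.append(domain)
        findings[client] = {"bypass_queries": bypass[client],
                            "suspicious_domains": sorted(suspicious)}
    return findings


if __name__ == "__main__":
    for client, finding in sorted(analyze_dns_log(SAMPLE_LOG).items()):
        print(client, finding)
```

On the sample, 10.0.0.33 only bypasses the corporate resolver, while 10.0.0.57 both bypasses it and queries six high-entropy labels under one domain, which is the pattern a blocking rule or alert would key on; the thresholds are starting points to tune against a site's own baseline.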
Part 6: Ethics in Cybersecurity
Research has shown that even with the latest and most significant security software implementations, cybercriminals can still access restricted information by leveraging development skills and using publicly available and private tools, thanks to their state backing. To put it in perspective, a screwdriver used to steal a car was meant for driving screws into a wall. Should we, in response, ban all screwdrivers from stores? No.
APT32’s intrusions affected all three elements of the CIA triad: confidentiality, by gaining access to secret information; integrity, by compromising systems and implanting malicious software; and availability, by disrupting systems and deleting important data. As part of its intrusion campaign, APT32 remained in systems for many years before detection or eradication by cybersecurity firms. In that time, it collected personal data, including victims’ emails, names, and addresses, to conduct espionage for Vietnamese state interests.
Surprisingly, there is no code or set of rules for private-sector practitioners to follow, leaving ethics and morality to the practitioners’ own decisions, even though they must conduct research ethically and morally. Cybersecurity experts must meet several rules as part of their professional standards. These consultants, for example, are expected to protect their clients’ security, whether individuals or organizations. While part of an investigation, information security professionals must not disclose personal information, demographics, or financial information to third parties. Following the laws and regulations on handling data breaches and collecting evidence is a good way for professionals to demonstrate the best standards. Another way to demonstrate best practice is to ensure they collect no information irrelevant to the situation. When gathering data from a shared network, they should not gather information about others unrelated to the investigation. They are authorized to provide only the data required by a judge or magistrate. Cybersecurity professionals are more likely to have stable and safe careers if they practice good ethics and stay on the right side of the law.
Mandiant’s disclosure of the breach was done ethically. However, further research shows that FireEye’s Mandiant incident response team acted unethically by publicly acknowledging APT32’s activities three years after it had begun investigating, fully aware that the group started its corporate espionage in 2014. While the information was not disclosed promptly, APT32 exploits affected the private sectors of Vietnam, Germany, the Philippines, China, and the United States.