How to mitigate hackers who farm their victims

Feeling raked over? You’re not alone; someone is probably probing your low hanging fruit right now.

Nation-states and savvy criminal hackers don’t pull uninformed, spur-of-the-moment smash-and-grab jobs on data networks. They reconnoiter and position themselves to slowly implement precise surgical maneuvers to exfiltrate your information treasures. Most of these attackers are capable of ensuring you remain unaware of their movements until it is to their benefit for you to know.

High-profile attacks that leveraged extended dwell time inside the networks of large retail chains such as Target are examples of how hackers farm or manage victim organizations in this manner.

Hackers farm their targets by maintaining a veiled presence in sensitive places in and around government and enterprise networks, revealing their position in a calculated way at an optimal time to achieve some strategic goal, says Danny Rogers, CEO at Terbium Labs.

Even then, hackers maintain as much concealment as they can in order to preserve future hidden access and achieve maximal impact on their longer-term goals, Rogers explains. “If they’re doing that job well, how would we ever know they were there?”

With dwell time inside networks extending from months to years, we often don’t know they are there.

Nation-states and advanced criminal hackers have been effectively farming their targets for some time now, explains Todd Inskeep, Advisory Board Member, RSA Conference. The earliest examples were enabled by Trojan horses and backdoors that attackers left in a system so they could return for easy access time and again; it’s almost hacking 101, says Inskeep.

The farming is more sophisticated now with advanced Command and Control (C&C) servers that they use to make system changes remotely, multiple backdoors in multiple systems, bogus accounts they create to sell or reuse, and sensors they leave behind to identify and harvest specific data, says Inskeep.

Command and control servers work by receiving communications from malware-infected systems that call out to the internet via outbound network traffic. This works because most network security is geared to defend against what is coming in, not what is going out. Hackers can spread large numbers of Trojans into different kinds of systems because they can pair these backdoors with many different kinds and pieces of legitimate software from OS and application updates to games. Once hackers have administrative control of a system that can create login credentials, they can create as many as they like. Unless security locates and shuts them all down, the attackers will still have some approved access.
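The outbound “call-out” pattern described above is what a defender can look for when inbound-focused controls miss it. The following is an added example, not code from the article or from the companies it quotes: it runs over constructed connection-log lines and flags flows whose outbound connections recur at a nearly constant interval, which is the heartbeat signature of beaconing malware; the log format, hosts and thresholds are assumptions.

```python
"""Added example (not from the article): flag periodic outbound call-outs
in constructed connection-log lines, the C&C beaconing the text describes.
Log format, addresses and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections: "time src dst dport bytes".
SAMPLE_LOG = """\
2016-08-01T10:00:00 10.0.0.5 203.0.113.7 443 512
2016-08-01T10:00:03 10.0.0.5 198.51.100.20 443 9800
2016-08-01T10:05:00 10.0.0.5 203.0.113.7 443 514
2016-08-01T10:07:41 10.0.0.5 198.51.100.20 443 14000
2016-08-01T10:10:01 10.0.0.5 203.0.113.7 443 510
2016-08-01T10:15:00 10.0.0.5 203.0.113.7 443 512
2016-08-01T10:19:12 10.0.0.5 198.51.100.20 80 2200
2016-08-01T10:20:00 10.0.0.5 203.0.113.7 443 516
2016-08-01T10:25:01 10.0.0.5 203.0.113.7 443 511
"""

def parse(log):
    """Group connection timestamps by (src, dst, dport) flow."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport, _nbytes = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, min_hits=5, max_jitter=0.1):
    """Return (flow, period_seconds, hit_count) for flows whose gaps between
    connections are nearly constant (relative spread <= max_jitter).
    Interactive browsing has irregular gaps and is not flagged."""
    hits = []
    for key, times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg), len(times)))
    return hits

if __name__ == "__main__":
    for (src, dst, port), period, n in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} every ~{period}s ({n} hits)")
```

Real deployments need to whitelist legitimate periodic traffic (update checks, NTP, monitoring agents) and tolerate the randomized jitter some implants add, which is why the jitter threshold is a parameter.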

Sensors in this context are not the physical devices that might come to mind. “‘Sensors’ could be code embedded in documents that phone home if they are disturbed, routines similar to cron jobs that run in the background looking for specific activities, or anything that indicates back to the attacker that something has changed,” says Inskeep.

These are the activities of Advanced Persistent Threats (APTs) that hang around, watching and waiting for the right time and opportunity; many actors like these will continue to treat their portfolio of assets and well-groomed targets like a crop that only becomes more valuable the longer they nurture it, says Inskeep.

Examples, evidence, outcomes

Nation-states are playing a long game, says Inskeep, using information from their farming tactics in a strategic manner to nudge events along in their favor. “For example, though we can trace early reports of the now famous DNC hacks back to at least June of this year, we really only received the information much later than that when it could create an impact during the convention,” says Inskeep.

This release of information changed the story of the first couple of days of the Democratic National Convention and changed the DNC’s leadership during a crucial time in the election cycle, Inskeep insists.

As nations and the world become increasingly dependent on the internet as a utility and on its related structures, this type of farming will be the new normal and much more commonplace, posits Inskeep.

Governments and the enterprise should assume that state-level and some other hackers are already in their networks and systems in some stealthy manner. Rather than fully preventing attacks, organizations must manage the risks. “This is in contrast to the old information technology security mindset, which centered on deploying a standard set of defensive technologies and assuming that you are OK until a proverbial fire breaks out,” says Rogers.

Plan and prepare with the understanding that data will always be at risk of theft or sabotage. “In addition to deploying a standard set of defenses, implement plans and technologies that assume that those defenses will fail at some point. Examples include proactive monitoring outside your own network, good breach remediation, incident response planning, and good data breach insurance,” says Rogers.


There are security companies that monitor the dark web for your data to let you know it is circulating on the seedy backstreets of the information highway. Companies such as Massive, MarkMonitor, and Terbium Labs offer these kinds of monitoring services.

In breach remediation, respond immediately, communicate fully, investigate forensically, find all traces and vulnerabilities, and clean, patch, secure, and replace (reimage) whatever you must while following a response plan you have tested with current, valid tabletop exercises.

Though governments and enterprises with a lot to lose will find it difficult to do, all organizations need to establish an individualized, tailored cybersecurity policy, says Inskeep. According to Inskeep, this requires organizations to first answer questions about when to call in the government for help; what levels and agencies of the government to involve; what kinds of help to expect in what kinds of scenarios; how much you can spend on managing the risks, especially those of nation-state attacks as well as of onslaughts from other threat actors. “You have to determine where your boundaries will be and then build the relationships, processes, and capabilities to maintain those,” says Inskeep.

While a few Fortune 100 companies have bigger budgets than some countries, says Inskeep, their allegiance to shareholders and Wall Street will ultimately limit their investment in cyber defenses; besides, companies shouldn’t have to defend themselves from nation-states without some government help.

It takes a community spanning enterprises, industry groups, security companies, governments, and law enforcement, sharing information and uniting in the cause to defend organizations and countries effectively. This is the kind of response we need to mount against these odds.
