'Smoking Holes' and the new age of retail cybersecurity
Following a recent series of data breaches targeting both large and medium-sized retailers, many retailers are investing in technology that encrypts credit card data at the point of sale. Although a meaningful way to reduce risk, endpoint encryption is not the silver-bullet solution many retailers hoped for.
We're witnessing a new type of cybersecurity incident we're calling "Smoking Hole Attacks". Smoking Hole Attacks are designed to destroy a company's whole IT infrastructure, leaving nothing behind and potentially putting the company out of business! These attacks steal and erase data, knock critical IT services offline, and severely impair the victim organization's ability to operate.
Many in the security community have predicted widespread Smoking Hole Attacks targeting US companies -- the digital equivalent of a Pearl Harbor-style event. Until now, most of the know-how to mount these sophisticated attacks was kept out of the hands of average hackers. The majority of Smoking Hole Attacks have in fact been associated with "state sponsored" hackers, like the 2012 attack on oil company Saudi Aramco that wiped the hard drives of over 30,000 computers. Most recently, Sony was on the receiving end of the biggest Smoking Hole Attack on record, with many blaming North Korea as the perpetrator.
Just how destructive was the recent Sony hack? Consider this:
• Just about every single piece of information within Sony's network is likely now compromised
• More than 47,000 Social Security numbers were included in the leak, in addition to thousands of emails, names, dates of birth and other pieces of personally identifiable information
• Among the more damning pieces of evidence from the hack are racist emails from company execs, scripts for yet-to-be-released films, celebrity pseudonyms, petty emails from actors, vendor contracts and information about current court cases
• At least six class-action lawsuits have been filed against Sony thus far in the fallout from the breach
• In total the hack will probably cost Sony at least $100 million, although that number is likely to go up over time
Our research indicates that destructive malware (called wiper malware) used for Smoking Hole attacks is readily available for sale in underground hacker forums. Ransomware also includes code designed to wipe files if the victim does not pay the ransom. Although ransomware has become more common, few companies have been crippled by it. The Smoking Hole attack at Sony served as a wake-up call, showing the industry how disruptive wiper malware can be to a company's operations once hackers gain access to key systems. We expect Smoking Hole attacks to become more common and to drive up the cost and impact of a cybersecurity response. We also expect Smoking Hole and ransomware attacks to converge into one threat – one where the hacker breaches the network, infects systems, and threatens to wipe servers, computers and POS devices and destroy it all if a ransom is not paid.
Encrypting data at the POS is an effective way to limit the risk from a data breach, but POS encryption does little to protect an enterprise from Smoking Hole Attacks. A Smoking Hole attack will likely begin with one of three scenarios:
1. Hackers gain access to your network by exploiting a vulnerability in one of your company's Internet-facing servers. Once that server is compromised, they may be able to reach other systems on your network.
2. Hackers send phishing messages to employees. An unsuspecting employee clicks a malicious file or link and installs malware that the hackers control remotely. The hackers can now search for vulnerable servers inside your network.
3. A disgruntled IT employee uses trusted system access to plant destructive malware.
Initial indications are that Smoking Hole attacks require time inside your network to map it out, gain access to servers and steal passwords. Evidence indicates that this reconnaissance can last weeks or months. For maximum effect, hackers often build malware that synchronizes a destructive action, such as wiping all hard drive data, to a single date and time. The cumulative effect can overwhelm an entire company in minutes: email, files and even entire databases are copied, moved off the network and then erased. The techniques for restoring these systems from backup are incredibly inefficient, often ad hoc and, in the worst cases, unmanageable.
For retailers who lack the skills and technology to detect and prevent a Smoking Hole Attack, the best defense is to plan for the worst contingency and have a way to restore critical systems. Your best bet is to implement strong detective controls that deter attacks and identify suspicious activity on your network before it leads to a Smoking Hole.
Professional service assessments can help identify vulnerable infrastructure where hackers could gain a foothold. Advanced security monitoring and detection techniques can catch reconnaissance activity before it gets too far. Security monitoring can also flag suspicious activity from a malicious insider who is logging into systems and planting malware across an entire network. Advanced malware detection can help identify destructive malware before it wipes your company's systems.
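One simple detective control of the kind described above, as an added example that is not part of the original article or EarthLink's tooling: flag an account that authenticates to an unusually large number of distinct hosts within a short window, the pattern that an insider planting malware across a network, or an intruder's reconnaissance, leaves in login records. The log format and the sample lines are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real data): "timestamp user source_host target_host".
# "svc_backup" reaches five hosts in eleven minutes; "alice" reaches two hosts hours apart.
SAMPLE_LOGINS = """\
2015-01-05T08:00:00 alice wks-17 fileserver-1
2015-01-05T09:30:00 alice wks-17 mail-1
2015-01-05T22:01:00 svc_backup wks-03 pos-01
2015-01-05T22:03:00 svc_backup wks-03 pos-02
2015-01-05T22:05:00 svc_backup wks-03 db-1
2015-01-05T22:08:00 svc_backup wks-03 fileserver-1
2015-01-05T22:12:00 svc_backup wks-03 dc-1
""".splitlines()


def parse_logins(lines):
    """Turn each log line into (time, user, src, dst), skipping blank or malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, dst = parts
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)


def find_fanout(events, window=timedelta(hours=1), max_hosts=3):
    """Return {user: hosts} for every user who reached more than max_hosts distinct
    target hosts inside any sliding time window of the given length."""
    per_user = defaultdict(list)
    for ts, user, _src, dst in events:
        per_user[user].append((ts, dst))
    alerts = {}
    for user, logins in per_user.items():
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it fits within `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {dst for _t, dst in logins[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[user] = hosts  # keeps the largest set seen for this user
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fanout(parse_logins(SAMPLE_LOGINS)).items():
        print(f"ALERT {user} reached {len(hosts)} hosts within 1h: {sorted(hosts)}")
```

The threshold and window are tuning knobs; a real deployment would baseline them per account type, since backup and scanning service accounts legitimately fan out.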
How Smoking Hole Attacks Will Evolve
The techniques for performing a Smoking Hole attack are already well known throughout the hacker community. It will not be long before criminals begin performing these attacks and demanding ransom from victims, much as CryptoLocker does. Monetizing these attacks gives criminals another source of revenue besides data theft. Many already have unfettered access to company networks to steal data, and it would not be difficult for them to plant destructive malware and demand a ransom from the victim in return.
As with all IT threats today and in the future, there is no silver-bullet solution to protect yourself against these attacks. Security solutions that mitigate risk across the entire IT and network ecosystem (server, desktop/laptop and network) are required. Proactive threat identification, remediation and monitoring are key to limiting the risk from Smoking Hole Attacks.
Pete Chronis is chief security officer at EarthLink, a leading provider of managed network, security and cloud solutions.