Brobot: Information Sharing Lessons Learned

With Brobot as a Prime Example, it is Apparent that we Need a Large-scale, Machine-to-Machine Approach to Information Sharing.

Unless you’ve been stuck on a desert island for the past nine months or so, you most likely have heard about or encountered the fallout of a wide-ranging, nearly continual cyber assault on banks, often referred to as “Brobot” or “Operation Ababil.” The people behind this virus-like tool called “ItsOKNoProblemBro” have been breaking into thousands of web servers with this malware and other attack tools, turning them into brobots. Once compromised, the servers in this network of large shared hosting servers (forming a new kind of botnet) are given commands to attempt to overwhelm targeted banks’ servers with various attacks.

Timeline

The massive Distributed Denial of Service (DDoS) attacks back in September 2012 temporarily disrupted online and mobile banking services for some of the world’s largest financial institutions. After several weeks of attacks, they abated. During this period, rudimentary sharing of attack details within various trust groups was established in order to share intelligence in the hopes of mitigating future attacks. There were plenty of false starts and mistakes early on, including reporting of non-attacking infrastructure. In general, the biggest problem was not sharing enough information with the right people, or in a timely fashion, as would be expected of organizations newly under fire. However, given the straightforward nature of those attacks (large amounts of easy-to-filter attack traffic coming from non-spoofed sources), mitigation efforts were quickly enhanced by even the barest minimum of data sharing, which then improved over time.

Due to this information sharing, enterprises were better prepared when the attacks resumed in December 2012, largely absorbing a second wave of attacks that experts feared would be even more damaging. It was an encouraging sign that Internet security experts were learning how to adapt and adjust to tactics that some banks were, in many cases, ill-prepared for the previous September and October, despite advance warning of the attacks.

For later waves of attacks on U.S. banks, the perpetrators used a modified version of Brobot; however, this was a minor development, and the banks were able to adjust their countermeasures accordingly. According to Keynote Systems, Inc., monitored banks’ websites had only a 94.86% reliability response rate during the first phase of the Brobot attacks. But that rate rose to an average of 97.21% for the week ending Jan. 13, 2013, during which time the second wave of attacks was in effect. The numbers serve as empirical proof that banks’ attempts to ramp up their systems based on intelligence sharing were successful.

The miscreants behind the attacks continue to adjust their methods, with increased variation in attack vectors, which has occasionally allowed them to interfere with effective mitigation at various victim sites. This has also allowed the attackers to claim “victory”—with publicity appearing to be their primary goal. Recently, companies in other sectors, like payment providers, appear to have been targeted as well. However, improvements in information sharing have followed, with far more detail around the nature of attacks and more timely reporting, allowing the people inside the sharing “circles” to fend off these attacks much more effectively than those outside them.

Score a Victory for Information Sharing

The improved response over time has been, in large part, the result of improved information sharing and collaboration between banks, ISPs, mitigation providers, federal authorities and security-minded groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC). Without giving away operational intelligence, it can certainly be said that the miscreants provided plenty of information to build mitigation strategies around—especially since they pre-publicized most of their Brobot attacks in order to garner attention.

What has been particularly encouraging in the response to Brobot is the cross-industry collaboration between service providers, security researchers and victims to share techniques and details of malicious infrastructure. Such information sharing makes blocking and remediating the affected web servers much more effective than organizations trying to go it alone. Information on attack patterns and characteristics shared between defenders also allows for much quicker mitigation of attacking traffic.

It has been very refreshing to see organizations that compete on various levels working together to make the entire ecosystem stronger. That said, we still have a long way to go, with much room for improvement possible in this effort and future cooperative efforts like this.

State of Play Today

Although the defenders can claim a fair amount of success via information sharing efforts, the hard reality is that these attacks continue to this day and, though at a smaller scale, remain effective for the attackers’ purposes. This latter point is due to rapidly changing tactics from the miscreants, combined with what is clearly a robust monitoring program they use to respond quickly to countermeasures. There is no reason to believe that these assaults will stop any time soon, so it is imperative to continue to improve the capabilities and responsiveness of the defenders. Clearly there is much more that can be done to improve the velocity and quality of data sharing within the operational security community.

Further, in an interview with online publication Bank Info Security, a security evangelist at Akamai Technologies estimated that the Brobot network of controlled servers has grown to three times the size it was at the end of January. So even though enterprises are fighting off most attacks, due to Brobot’s sheer size and continuing changes to how the network is carrying out attacks, it is getting more and more difficult to mitigate for some, especially the newer targets.

So what can we do to improve the overall situation?

The Players

Banks aren’t the only sector dealing with mitigation of these Brobot attacks. In fact, the attackers have to run through a gauntlet of companies that are all working to keep these financial institutions online.

1. Banks—Obvious. These are the businesses that are the end target of the cyberattacks. In a perfect world, they should see all attack traffic characteristics—volumes and sources in real time that are hitting their infrastructure.

2. Direct upstream Internet Service Providers—These are the major ISPs in the U.S. like Verizon and AT&T. They tend to be well instrumented and employ various tactics like access control lists and traffic filtering to mitigate attacks against their customers.

3. Anti-DDoS vendors—These include many strong vendors like Prolexic, VeriSign, Neustar, Arbor Networks and others. Companies in this space offer a wide variety of tools and techniques to mitigate attacks.

4. Content Delivery Networks—CDNs include large-scale vendors like Akamai and Cloudflare. The CDNs keep data flowing by load balancing and mitigating DDoS traffic. They may themselves use the services of anti-DDoS vendors.

5. Security vendors—These companies provide research to determine how attacks are being launched, how to block attack traffic and where attacks originate. Many security vendors also provide mitigation services that notify web hosting companies of brobots on their networks, along with providing cleanup techniques.

6. Coordinating bodies—In Brobot’s case, the coordinating bodies are FS-ISAC and some ad-hoc, vetted private groups that share threat information on a selective basis. This sharing typically takes place over email, but in some cases with automated data exchanges.

7. Web hosting companies—These include hundreds of companies in the business, but the larger the player, the more likely they are to see compromised servers.

Small, Insular Sharing Groups Do Not Scale

Even though Brobot targeted some of the world’s largest companies, information sharing has been done on a fairly limited scale. With Brobot, sharing has happened in small groups, essentially tightly knit “trust circles.” As mentioned above, these circles consisted of FS-ISAC and other small ad-hoc groups. These groups limit sharing to people who know and trust each other, regardless of whether or not they are a financial institution.

Furthermore, some of the information that has been shared in these small groups was merely for informational purposes. There was no “allowed” action to be taken on this information in these cases. That’s because these groups literally operated like a fight club: what was spoken of couldn’t leave the group. Oftentimes, emails have been color coded by what’s called the Traffic Light Protocol, or TLP, which is essentially a set of designations used to ensure that sensitive information is shared with the correct audience. They consist of:

• Red (personal or for named recipients only)—This information is limited to those who receive it directly.

• Amber (limited distribution)—The recipient may share amber information with others within their organization, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.

• Green (community wide)—Information in this category can be circulated widely within a particular community. However, the information may not be published or posted publicly on the Internet, nor released outside of the community.

• White (unlimited)—This information may be distributed freely, without restriction.

Communication Breakdown

Now to the email issue. It’s no great secret in the security industry that most “community” actions are largely achieved via closed emailing lists where data, theories and actions are exchanged when individual members have information and time to send it out. Email requires that a) someone is sitting at their desk when the information comes through, b) that they read through that data, and c) that they manually take action on the information. This makes for ad-hoc, asynchronous, non-standard communications that are often difficult to automate—especially if something like a PDF file is sent around, which is often the case. Still, getting even that kind of intelligence often proves invaluable, and compared to not getting information at all, it is highly effective. As per the industry paradigm, most Brobot information sharing is done via email. With all of the years we’ve been putting into these efforts, and the size and scope of these recent attacks, it’s definitely time to use more modern and timely communications and information sharing mechanisms. Now, to be fair, there have been some automated data exchanges set up, but those are largely bilateral, making these efforts non-scalable across the complex ecosystems we’re talking about here.

Trust is King

Information accuracy is also a major issue in coordinated responses. If you can’t trust the information coming in, you can’t take action on it. We certainly saw plenty of issues with that in the early days of the Brobot attacks, where the volumes were high and people reacted quickly without necessarily checking how their instrumentation was set up or how to interpret it. This led to false positives and various other issues. While accuracy has certainly improved over time, it has been hard for some to trust an effort that may have burned them in the past. Further, as tactics change, there’s always a concern that people will end up hurting themselves more in their response than the actual attacks can, as today’s mitigation techniques could become a liability in the future. This is a standard ploy by attackers throughout history—create confusion amongst your enemy.

Time for a Large-Scale Automated Approach

With Brobot as a prime example, it is apparent that we need a large-scale, machine-to-machine approach to information sharing. If EVERYONE (including law enforcement, all of the aforementioned vendors, etc.) were informed about and able to take action on attacks in real time, the proverbial Brobot head could have been cut off way back in September. Instead, businesses are constantly playing catch-up to the evolving attack vectors. This machine-to-machine model would include all IP addresses and traffic pattern analysis, through a pipeline of ingress, distillation, filtering of false positives, prioritization and delivery of the appropriate data to everyone working to mitigate the attacks. The latter with the caveat that the participants are trusted and authenticated.
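As an added illustration (not code from the original column), the following Python sketches the ingress, distillation, false-positive filtering, prioritization and trusted-delivery pipeline described above, using the TLP designations from the earlier section as release rules. The sightings, the participant directory, the `fin-defenders` community name and the mapping of TLP colours onto an automated feed are constructed assumptions.

```python
# Constructed sample sightings from several defenders (IPs from RFC 5737 documentation ranges).
SIGHTINGS = [
    {"src": "bank-a", "ip": "203.0.113.10", "mbps": 900, "tlp": "GREEN"},
    {"src": "isp-1", "ip": "203.0.113.10", "mbps": 1200, "tlp": "GREEN"},
    {"src": "bank-b", "ip": "198.51.100.7", "mbps": 300, "tlp": "AMBER"},
    {"src": "cdn-1", "ip": "198.51.100.7", "mbps": 350, "tlp": "GREEN"},
    {"src": "bank-a", "ip": "192.0.2.5", "mbps": 50, "tlp": "GREEN"},       # seen by one party only
    {"src": "isp-2", "ip": "198.51.100.250", "mbps": 400, "tlp": "GREEN"},  # a participant's own scrubber
]
KNOWN_GOOD = {"198.51.100.250"}  # non-attacking infrastructure reported by mistake (an early false positive)
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

def distill(sightings, known_good=KNOWN_GOOD, min_sources=2):
    """Ingress -> distillation -> false-positive filter -> prioritization (the model in the text)."""
    merged = {}
    for s in sightings:
        m = merged.setdefault(s["ip"], {"ip": s["ip"], "sources": set(), "mbps": 0, "tlp": "WHITE"})
        m["sources"].add(s["src"])
        m["mbps"] = max(m["mbps"], s["mbps"])
        m["tlp"] = max(m["tlp"], s["tlp"], key=TLP_RANK.get)  # most restrictive label of any contributor
    # Drop known-good infrastructure and anything only a single party has reported
    kept = [m for m in merged.values() if m["ip"] not in known_good and len(m["sources"]) >= min_sources]
    return sorted(kept, key=lambda m: (len(m["sources"]), m["mbps"]), reverse=True)

def may_receive(item, participant, community="fin-defenders"):
    """Release rule mapping the TLP colours onto an automated feed (an assumed mapping, not a standard)."""
    if not participant["authenticated"]:
        return False                                     # unauthenticated parties get nothing
    if item["tlp"] == "WHITE":
        return True
    if item["tlp"] == "GREEN":
        return participant["community"] == community     # community-wide, but not public
    if item["tlp"] == "AMBER":
        return participant["org"] in item["sources"]     # only the organisations that reported it
    return participant["id"] in item.get("recipients", set())  # RED: named recipients only

def distribute(items, participants):  # returns {participant id: [ips cleared for that participant]}
    out = {}
    for item in items:
        for p in participants:
            if may_receive(item, p):
                out.setdefault(p["id"], []).append(item["ip"])
    return out

PARTICIPANTS = [  # constructed directory; 'authenticated' stands for whatever identity check the platform uses
    {"id": "alice@bank-a", "org": "bank-a", "community": "fin-defenders", "authenticated": True},
    {"id": "bob@cdn-1", "org": "cdn-1", "community": "fin-defenders", "authenticated": True},
    {"id": "carol@host-x", "org": "host-x", "community": "hosting", "authenticated": True},
    {"id": "mallory", "org": "unknown", "community": "fin-defenders", "authenticated": False},
]
```

Running `distribute(distill(SIGHTINGS), PARTICIPANTS)` keeps only the two corroborated indicators; the AMBER one reaches just the CDN that helped report it, and nothing reaches the unauthenticated or out-of-community participants.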

The current model of small, peer- and industry-driven manual information sharing, as primitive as it seems, has proven to be quite effective, albeit on a very limited scale. That proves the power of information sharing versus everyone working in their own silos. That’s great, but certainly not nearly as effective as things could be, and these individual battles are taking up valuable resources just to handle basic communications. Those are resources that are far better used in further research, actual mitigation efforts, attribution, and enabling people to focus on their core business. In order to win the war with today’s cybercriminals, who are using the same attack vectors on a massive scale, a real-time, automated information platform that pre-empts ongoing attacks is an imperative.

Rod Rasmussen co-founded Internet Identity and serves as its lead technology development executive. He is widely recognized as a leading expert on the abuse of the domain name system. Rasmussen is co-chair of the Anti-Phishing Working Group’s Internet Policy Committee and serves as the APWG’s Industry Liaison, representing and speaking on behalf of the organization at events around the world, and works closely with ICANN. He is also a member of the Online Trust Alliance’s (OTA) Steering Committee, an active member of the Digital PhishNet, and an active participant in the Messaging Anti-Abuse Working Group. Rasmussen earned an MBA from the Haas School of Business at UC-Berkeley and holds two bachelor’s degrees, in Economics and Computer Science, from the University of Rochester.