Rather than stealing data, attackers corrupt its integrity to cause chaos and catastrophe.

Pam Baker

February 20, 2019

10 Min Read
Manipulating data
Shutterstock

Today cyberattacks aim to steal information or hijack infrastructure. While these threats are damaging enough, nation states and bad actors are not resting on their laurels. Next up in their nasty bag of tricks is blowing a hole in data integrity via unauthorized data changes, planting false information, changing sensor reads, and other data modifications and entanglements sure to create chaos and even death. While any data validation tool, such as blockchain, will likely prove helpful, tools that can spot and stop these attacks will be doubly so.

Data Manipulation Evolution

Attacks on data integrity are not new. But the tactics and targets have changed over time making such attacks harder to spot and even harder to stop.

Crandall-Carolyn_Attivo-Networks.jpg

Attivo Networks’ Carolyn Crandall

“Unfortunately, attackers changing data is not new — attackers have taken advantage of web pages with cross-site scripting vulnerabilities to modify prices on e-commerce sites for years,” says Carolyn Crandall, chief deception officer at Attivo Networks. “However, when attackers successfully bypass perimeter defenses and modify data instead of just stealing it, the changes often go unnoticed until something goes wrong.”

Today, attackers are getting increasingly crafty about how many ways they can use data manipulation to change things to their liking.

Rosefelt-Guy_NSFOCUS.jpg

NSFOCUS’s Guy Rosefelt

“In 2016, voter fraud stepped into the limelight— it’s a prime example of this type of attack,” says Guy Rosefelt, director of product management for threat intelligence and web security NSFOCUS. “Last year, a group of children as young as 11 years old demonstrated at DefCon how easy it would be to change posted election results, which is something that happened in a Ukrainian election by Russians hackers.”

Like other evolving and increasingly sophisticated cyberattacks, it’s hard to tackle newer forms of data manipulation early and head-on. These attacks are built from the ground up to thwart common protection tactics and to adapt in unexpected ways in order to continue to survive.

“The problem with the newer, more subtle and clever approaches to data modification is that the malware often manifests itself at a future time, rather than being immediately obvious in production and detectible by production-oriented security tools, the predominant focus of the security industry,” explains HotLink‘s CEO and founder Lynn LeBlanc. HotLink works with MSPs on data backup reliability, resiliency and recoverability.

“At the same time, security vendors universally warn customers to keep their backup systems up to date as a last line of defense against the attacks that evade tools running in production. However, there’s an obvious flaw with this logic,” LeBlanc added. “If latent malware evaded the front-end protection environment, the very same malware was inherited by the data protection system. Thus, the backup/DR system has also been compromised.

This approach could potentially enable attackers to time their…

…attacks when they are least likely to be discovered and most likely to create the most amount of damage. While causing an autonomous vehicle to wreck in real-time is still a likely scenario, setting it up to trigger at a later date to time — such as during rush hour or holiday traffic — could also be advantageous for bad actors. The same is true of attacks on infrastructure. If malware is triggered to shut down the electric grid on the coldest of days, more people may die of exposure or illness as a result.

The End Goal Is to Steal Your Trust in Your Data

While the immediate goals of data manipulation attacks are often to create chaos and/or to destroy something in the physical world, the ultimate end game is to terminate trust in the data. Just as a nation state can work at destroying trust in another country’s elections, courts or media, so too can destroying a company’s trust in its data cripple that company’s actions and competitive stance in the marketplace.

Hayslip-Gary_Webroot.jpg

Webroot’s Gary Hayslip

“These types of attacks are based on targeting the trust an organization has in the integrity of its data,” explains Gary Hayslip, CISO for Webroot. “It is removing one of the legs of the foundational cybersecurity pyramid — ‘Confidentiality, Integrity and Availability’ — and it would create chaos in an organization and its business operations.”.

Resolving data trust issues is no simple matter.

“With a data manipulation attack, unless you have tight data governance controls, it can be an extensive and costly effort to try and remediate the compromise, and you may never know if you have completely resolved the issue,” adds Hayslip. “This type of attack could be used in a variety of scenarios including the traditional hold for ransom, financial fraud by manipulating data to make money on investments,and changing data to influence an investment or M&A.”

Time Becomes a Threat Too

Malik-Javvad_AlienVault.jpg

AlienVault’s Javvad Malik

“It’s important to understand what changing data actually does,” says Javvad Malik, security advocate at AlienVault. “By compromising the integrity of data, one is fundamentally breaking trust — and this can have serious repercussions. This can be particularly bad if small changes are made over a long period of time. Not only will these be hard to discover, but the victim won’t know how far back in time to go in order to get a reliable snapshot.”

“For example, suppose credit rating scores were changed over a long period of time. It could cause irrevocable damage whereby credit scores become meaningless because there is no trust in the data,”

These types of slow and far-reaching attacks are limited only by the imagination of the criminal mind.

“A few simple examples would be changing the network logs following…

 

Costas-Alex_Schellman.jpg

Schellman & Co.’s Alex Costa

… a cybersecurity incident in order to deflect blame onto an innocent party, inserting a back door into the code of a cryptographic algorithm to induce a supply chain attack during the next release cycle,” says  Alex Costas, software engineer at Schellman & Company, a global independent security and privacy compliance assessor.

“Or, simply changing the data underlying financial institutions behaviors towards their customers in order to topple a segment of people who were otherwise doing relatively well into the cycle of foreclosure and bankruptcy — which would likely precipitate a recession if it reaches a large enough audience.”

Indeed, the most likely culprits behind such long-term attacks have drawn intense interest from militaries around the world.

Reiber-Jonathan_Illumio.jpg

Illumio’s Jonathan Reiber

“Campaigns involving data manipulation can take months or years to play out and could be part of a broader cyber sabotage effort,” says Jonathan Reiber, head of cybersecurity strategy at Illumio, and former Pentagon chief strategy officer for cyber policy.

“Given the lack of financial incentive, coupled with the opportunity to cause widespread disruption or panic, nation states and terrorist groups are the most likely actors in data manipulation attacks. That’s why the military and intelligence services take them so seriously.”

How to Spot and Stop Data Manipulation Attacks

Just as with other forms of cyberattacks, there is no panacea and there likely won’t be. That’s because threats keep evolving and attacks increase in the level of sophistication. But that doesn’t mean the fight to defend companies, governments and individuals from such attacks are fruitless.

Today there are several efforts underway to spot and stop these types of attack and to restore trust in data again. Not all of them are pureplay cybersecurity tools, such as blockchain, but nonetheless could conceivably be a smart addition to security’s arsenal.

As to cybersecurity tools, here is what the experts had to say about what’s available now and what’s coming available soon.

Old tools still work. “Have modern security infrastructure in place. Encrypted data, secure connections, strong credential management, logs with verifiable integrity whether locally using hash chaining or globally using a blockchain. In the future look forward to homomorphic encryption, AI/ML and quantum cryptography revolutionizing this space,” says Schellman & Company’s Costas.

“The only difference between causing havoc with stolen versus modified data is that the modified data can potentially be detected using conventional or AI/ML supported pattern analysis. These kinds of techniques are already employed to detect malware, irregular network activity, determine hacker identity and so forth,” Costas added.

Shut down anonymous access. Today, applications are decoupled from servers. Applications are packaged together with all of their dependencies into an entity called an image. Images are stored in registries which provide anonymous access if not…

…properly configured.

In 2017, Twistlock released a joint study with Docker that found 60 percent of registries were not properly configured and enabled anonymous write access.

Stopel-Dima_Twistlock.jpg

Twistlock’s Dima Stopel

“In such cases, an attacker can manipulate the image in the registry so that once it is deployed it gives the attacker access to the server itself and other internal resources as well,” explained Dima Stopel, founder and vice president of research and development at Twistlock. “Protection from such scenarios requires a two-step approach. First registries should be properly configured to disable anonymous access. This is a compliance issue. Second image integrity should be validated between the point where the image was just created (CI) and the point it is deployed in production environment.”

Cran-Jonathan_Kenna-Security.jpg

Kenna Security’s Jonathan Cran

Look to NIST for specific guidance. “U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53 includes the following controls that address integrity and may be directly reflected within software implementations,” says Jonathan Cran, head of research at Kenna Security.

  • Tamper resistance and detection (SA-18)

  • Transmission confidentiality and integrity (SC-8)

  • Protection of information at rest (SC-28)

  • Software, firmware and information integrity (SI-7)

  • Information input validation (SI-10)

  • Memory protection (SI-16)

Mackey-Tim_Black-Duck.jpg

Black Duck’s Tim Mackey

Use tools in tight combinations. “From a tooling perspective, there are tools available to facilitate the creation of threat models,” says Tim Mackey, senior technical evangelist at Black Duck by Synopsys. “Static code analysis and fuzzing tools are readily available to validate threat vectors like SQL injection. Interactive analysis tools facilitate identification of privilege escalation scenarios, and log analysis services can detect malicious traffic patterns. When coupled with network protection tools like stateful web application firewalls and intrusion detection systems, visibility into the overall security of the application can be gained, monitored and managed.”

Use hashing. “Hashing is the main mechanism to ensure data has not changed,” says Alan Rynarzewski Jr, MIS, a faculty member at Purdue University Global and course lead for IT and cybersecurity. “We currently use hashing when downloading files form the internet. You can download the file and run the hashing algorithm against it. The hexadecimal value you get should match the value of where you downloaded it from. The data has been altered if the values do not match.”

“We can take that same technology and implement it on our files. Encrypt your file and hash it. The hash should not change. If it does, then someone has modified the file.”

Read more about:

MSPs

About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, Linux.com and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like