I came across a whitepaper from McAfee and CISCO that explained what a stealth attack is as well as how to counter them. This post is based on what I could grasp from the whitepaper and invites you to discuss the subject so that we all benefit.
What is a Stealth Attack
A stealth attack could be an active person querying data packets to and from your network in order to find a way to compromise its security. Once the security is compromised, in other words once the hacker gains access to your network, he uses it for a short period of time for his own gains and then removes all traces of the network having been compromised. The focus in this case seems to be on removing the traces of the attack so that it remains undetected for a long time.
The following example quoted in the McAfee whitepaper will further explain stealth attacks:
“A stealthy attack operates quietly, hiding evidence of an attacker’s actions. In Operation High Roller, malware scripts adjusted the bank statements a victim could view, presenting a false balance and eliminating indications of the criminal’s fraudulent transaction. By concealing proof of the transaction, the criminal had time to cash out.”
Methods Used In Stealth Attacks
In the same whitepaper, McAfee talks about five methods that a stealth attacker may use to compromise and gain access to your data. I have listed those five methods here with a summary of each:
- Evasion: This seems to be the most common form of stealth attack. It involves evading the security system you are using on your network: the attacker gets past the operating system without the anti-malware and other security software on your network noticing.
- Targeting: As the name suggests, this type of attack is aimed at a particular organization’s network. One example is AntiCNN.exe. The whitepaper just mentions its name, and from what I could find on the Internet, it looked more like a voluntary DDoS (Distributed Denial of Service) attack. AntiCNN was a tool developed by Chinese hackers to gather public support for knocking the CNN website offline (Reference: The Dark Visitor).
- Dormancy: The attacker plants malware and waits for a profitable time to use it.
- Determination: The attacker keeps on trying until he gets access to the network.
- Complexity: The method involves creating noise as a cover for malware to enter the network.
As hackers are always a step ahead of the security systems available to the general public, they succeed in stealth attacks. The whitepaper states that the people responsible for network security are not much concerned about stealth attacks, as the general tendency is to fix problems rather than to prevent or counter them.
How to Counter or Prevent Stealth Attacks
One of the best solutions suggested in the McAfee whitepaper on stealth attacks is to create real-time or next-generation security systems that do not respond to undesired messages. That means keeping an eye on each entry point of the network and assessing the data transfers to see whether the network is communicating only with the servers/nodes it should. In today’s environments, with BYOD and the like, there are many more entry points than in the closed networks of the past, which relied only on wired connections. Thus, the security systems should be able to check both wired and, especially, wireless network entry points.
Another method, to be used in conjunction with the above, is to make sure your security system contains elements that can scan for rootkits and the malware they hide. As rootkits load before your security system, they pose a serious threat. Also, since they stay dormant until “the time is ripe for an attack”, they are hard to detect. You have to strengthen the security systems that help you detect such malicious code.
Finally, a good amount of network traffic analysis is required. Collecting data over time and then checking for (outbound) communications to unknown or unwanted addresses can help counter or prevent stealth attacks to a good extent.
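Two of the checks described above, watching which outside hosts the network talks to and looking back over collected traffic for regular outbound contact with addresses that are not on the expected list, can be put into a small script. The following is an added example written for this post, not code from the McAfee or Cisco whitepaper; the flow-log format, the sample records and the allowlist are constructed for illustration, and a real deployment would read firewall or NetFlow exports instead.

```python
"""Allowlist and time-based review of outbound connections.

Added example, not from the McAfee/Cisco whitepaper. The log format,
the sample records and the allowlist below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound flow records: "timestamp src dst:port bytes".
# Host 10.0.1.22 contacts the same outside address once a day at 09:05,
# the kind of quiet, regular check-in a dormant implant can leave behind.
SAMPLE_LOG = """\
2024-03-01T09:00:12 10.0.1.15 93.184.216.34:443 5120
2024-03-01T09:03:40 10.0.1.15 10.0.0.5:53 310
2024-03-01T09:05:01 10.0.1.22 203.0.113.77:443 880
2024-03-02T09:05:03 10.0.1.22 203.0.113.77:443 890
2024-03-03T09:05:02 10.0.1.22 203.0.113.77:443 885
2024-03-03T14:22:10 10.0.1.40 198.51.100.9:8443 120400
"""

# Constructed allowlist: the servers and networks this network should talk to.
ALLOWED_DESTS = {"93.184.216.34"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn the flow log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def is_allowed(dst):
    """True if dst is an allowlisted address or lies in an allowlisted network."""
    if dst in ALLOWED_DESTS:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_NETS)


def unknown_destinations(records):
    """Sorted (src, dst, port) triples for traffic to addresses outside the allowlist."""
    return sorted({(r["src"], r["dst"], r["port"])
                   for r in records if not is_allowed(r["dst"])})


def daily_checkins(records, min_days=3, window_minutes=10):
    """Find (src, dst) pairs seen on at least min_days distinct days, always
    within the same time-of-day window. Returns {(src, dst): [dates]}."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        days = {t.date() for t in stamps}
        if len(days) < min_days:
            continue
        minutes = [t.hour * 60 + t.minute for t in stamps]
        if max(minutes) - min(minutes) <= window_minutes:
            hits[pair] = sorted(days)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, port in unknown_destinations(recs):
        print(f"not on allowlist: {src} -> {dst}:{port}")
    for (src, dst), days in daily_checkins(recs).items():
        print(f"regular daily contact: {src} -> {dst} on {len(days)} days")
```

Both checks are meant to run over logs collected for days or weeks, not over a single capture: the allowlist comparison catches a destination the network should never reach, while the time-of-day grouping only becomes meaningful once the same low-volume contact has repeated across several days.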
This is what I learned from the McAfee whitepaper, whose link is given below. If you have more information on what a stealth attack is and how to prevent them, please share it with us.
- CISCO, Whitepaper on Stealth Attacks
- The Dark Visitor, More on AntiCNN.exe.