IP theft – an old crime with a modern method
5 August 2019
How should we think about the theft of intellectual property? Tim Bandos, VP Cybersecurity, Digital Guardian, unravels a few truths about this high value predicament.
Almost every aspect of modern life – both the good and the bad – has been transformed by the digital revolution. Intellectual Property theft is no different, with modern day industrial espionage targeting both technology and human vulnerabilities to help criminals profit from the hard work and investment of others.
In the current context of the trade dispute between the US and China, the cost of alleged Intellectual Property theft has been given new focus. It’s even had a value put on it, with US government estimates placing the loss to US businesses in the range of $225 billion to $600 billion per year.
These estimates are so large that relating to them in an everyday situation is not easy, but the point is, IP theft on any level can be devastating.
Spies in the Supply Chain
One of the more common IP theft exploits used by attackers today is to target a poorly secured third-party supply chain. Intellectual Property owners may well have long-standing relationships with their supply chain where trust is the cornerstone of a successful partnership, but in effect, the IP is only as safe as the weakest link in the chain.
As a result, adversaries will avoid targeting the more secure technology infrastructure of the IP owner, and instead gain a foothold further down the chain in an organisation with more vulnerable security.
To make matters worse, in most scenarios, the IP owner has little or no visibility into these remote environments, meaning that at any point an attacker could gain unauthorised access without their knowledge. From there, they just blend right in.
Gaining a view of your environment’s normal day-to-day activity is crucial when it comes to sniffing activity that could indicate vulnerabilities in supply chain security.
For example, an IT administration company was recently targeted by an attacker moving laterally through a third-party firewall. This gave them access to the target network where they leveraged the Windows Sysinternals utility PsExec to authenticate across the environment using an account with Domain Administrator privileges stolen from the supply chain vendor.
After identifying the target IP data, the attackers leveraged a free file compression utility to compress and password protect the IP. This data was moved back through the third-party firewall to exfiltrate and avoid the need to install malware or use any exfiltration protocols on the target network.
The behaviour was detectable after baselining the environment for lateral movement over the course of the previous 60-90 days to identify anomalies. In doing so, the exploit stood out immediately.
Also of interest: 8 Top Tips on Human Training
The Inside Job
The idea of the ‘inside job’, where criminals are helped by someone in a position of trust is just as relevant today as ever. Consider the following real-world scenario: Routine third party maintenance scheduled on a company’s IT infrastructure takes place, but when a technician arrives on the scene (and this could, in theory, be a representative from a trusted tech partner), additional configuration is performed on one of the routers opening a backdoor for a remote attacker to walk right in.
In traditional terms, the technique is no different to having an inside accomplice working at a bank who provides the means for the criminals to get into a locked vault.
Once access had been gained, the adversaries installed a well-known Remote Access Trojan, 9002 RAT, with an extensive list of exfiltration capabilities tying back to the command and control infrastructure of the attackers.
Stored on each of the endpoints at the site was an application that synced IP data to a local database. The backdoor was able to locate this data and tunnel it out over an encrypted protocol.
Among the many and serious problems this creates is that detecting this type of behaviour can be almost impossible. However, a degree of visibility into endpoint activity could have helped, and by logging remote authentication attempts, creating alerts on unsigned binary executions, and keeping a watchful eye on third party tech engineers could have significantly reduced the risk of IP theft.
Also of interest: Video - A hacker’s advice for introverts working in InfoSec
Ignorance is (Not) a Defence
Insiders threats can take a number of forms, and unfortunately, the human factor is always a concern given the level of access people have and their knowledge of where sensitive data is stored. Catching insider criminals can be further complicated when the tactics used allow them to feign ignorance.
Here’s a classic example: An insider “accidentally” clicking on a phishing link, feeding important intelligence to attackers. Because this can also readily happen with no malicious intent, claiming ignorance is often a way to escape responsibility. Look at it this way, if a business receives hundreds of phishing emails and a few people click on the link, how can the IP owner understand the motives of each person, find anyone responsible for facilitating IP theft, and prevent it happening in the future?
While not everyone who clicks on a phishing attachment should be investigated, it’s not without precedent for an employee to allow their computer to become infected to enable criminal access to the network, only to claim ignorance when the connection was made.
In one particular real world case, the data being targeted was stored in a compressed zip file on a network share. By examining logs, it was possible to see that six months earlier, the data had been compressed and stored by that same employee.
But, lack of visibility on the organisation’s servers meant that the data was exfiltrated after the adversaries dropped a file with China Chopper code - a web-shell capable of exfiltrating information back to a remote command and control server.
While the methods might have changed, the motivation behind IP theft remains predictably consistent. Any business with IP worthy of protection needs to be sure it’s making every effort to safeguard the effort, dedication, and innovation of its workforce.