Corporations concerned about the release of thousands of CIA documents detailing hacks against Apple iOS and Mac OSX, Google’s Android, Microsoft’s Windows, Linux and Solaris need to conduct a fresh round of risk assessment that takes the new revelations into account.
While the trove of leaked data – known as Vault 7 – doesn’t include code for actual exploits, it does describe the types of vulnerabilities they take advantage of, which can still be of value to both defenders and potential attackers, says John Pironti, president of IP Architects, a security risk consulting firm.
The released documents give a view of the capabilities and targets of the CIA, but it also offers a broader perspective, says Michael Shaulov, head of Check Point Software’s mobile and cloud security products. “Replace the CIA with any other entity and you have a blueprint of how sophisticated actors operate.” The next step is for corporate security pros to figure out whether their current defenses protect against the range of threats the documents describe. “They need to understand where they have gaps.”
Pironti says they’ll then need to come up with new compensating controls.
For now, given that the actual exploit code has not been released, but the vulnerabilities they take advantage of may still be unpatched, enterprises should consider security tools designed to detect zero day attacks in general, Shaulov says.
When, as Wikileaks promises, the specific exploits have been responsibly disclosed so vendors can patch against them, security pros should make sure they patch, he says. But given the spotty track record enterprises have for patching in a timely fashion, the new exploits are likely to be used for a long time. (The Open SSL exploit Heartbleed, for example, is still present on nearly 200,000 Internet exposed servers.)
Meanwhile, Pironti says details about vulnerabilities that are documented in the Wikileaks dump can be built into new threats by criminal reverse engineers. These details act as breadcrumbs that lead them to promising flaws. “You’ve just made their research time a lot shorter,” he says.
A section of the released documents entitled “Development Tradecraft DOs and DON'Ts” could be used as a textbook by less experienced hackers, he says. The tips it includes help make it more difficult for victims to respond to incidents, perform forensic reviews and attribute attacks.
It offers tips such as keeping binary size small to avoid detection, hiding data being stolen by using common protocols and shutting down network connections that are no longer being used. It’s information top hackers already know, but, “It’s information that would help raise the education level of the more novice adversary,” Pironti says. And it can give experienced adversaries intelligence to increase the effectiveness of their attacks.
The leaks mean more and different types of attacks that will be based on information in these leaks, says Eric O’Neill, National Security Strategist for Carbon Black. “Attackers are brilliant and lazy,” he says. “Why develop when you can grab something out there and modify it to your use?”
Criminals and national espionage agencies will try to make use of the tools described in the Vault 7 data. “It’s important to understand what’s in there.”
Not all of Vault 7 is current, says Kaspersky Labs. For example, one vulnerability mentioned in the leak known as heapgrd, was “previously known and fixed in Kaspersky Lab products in 2009,” Kaspersky says. “The products mentioned in the Wikileaks report … are outdated versions of Kaspersky Lab software and have been out of the technical support lifecycle for several years.”