VMware
By Rick McElroy, Principal Cybersecurity Strategist, VMware
In one of my all-time favorite movies The Matrix, Morpheus asks Neo, "What is real? How do you define real?" As our physical worlds and digital worlds continue to blend, I think from a cyber perspective it's time we start to dive into what is truly real.
Let's start by defining what makes something real digitally. It truly comes back to the integrity of the data. As defenders, we are used to applying the CIA triad to information security and technology. CIA, "confidentiality, integrity and availability," is a model designed to guide policies for information security within an organization. We spend a large amount of our time on two key areas of the triad – confidentiality and availability, – but what about the integrity of the data itself or the underlying infrastructure that the data relies on?
Data integrity is the assurance that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle.[1]
In short, data integrity aims to prevent unintentional changes to information, but what if the changes are upstream of the system?
In this case, let's call the system a SOC platform that ingests data from network sources, endpoint sources, identity and authentication sources, and system logs to attempt to answer the contextual security question (i.e. am I breached and if so, what is breached?).
This system relies on any number of downstream systems to provide a "single source of truth" around attacker behaviors and situational awareness. These systems however all rely on a single point of failure: time.
In VMware's 2021 Global Incident Response Threat Report, we found the severity of attacks skyrocketed. Respondents indicated that targeted victims now experience integrity and destructive attacks more than 50% of the time. Cybercriminals are achieving this through emerging techniques, like the manipulation of time stamps, or Chronos attacks, which nearly 60% of respondents observed.
The manipulation of Network Time Protocol (NTP) and digital time itself are nothing new. Attacks on NTP date way back to 2002, most notably, the Tardis and Trinity College attack. These issues have largely been used to facilitate network outages and DDOS attacks, but this isn't what the boots on the ground are seeing these days. The time-based attacks are geared toward a couple of end goals.
Environmental manipulations including time are becoming more and more common for one reason. It makes detection and response harder as it undermines the confidence teams have in those data sets. Imagine a scenario where a threat hunter is looking for a specific set of behaviors within a well-defined timeline. As an attacker, if I can manipulate time and time stamps, as an attacker I can essentially make myself invisible to any query that relies on time.
Recommendations for incident responders
This audit should focus on all time-based dependencies with an emphasis on the redundancy and resiliency of time
Download the full Global Incident Response Threat Report and read more about the ways in which attackers are manipulating reality here.
[1] TechTarget, SearchDataCenter: searchdatacenter.techtarget.com/definition/integrity