Watch the companion video podcast to this report to learn more about the significance and the attack vectors of data manipulation. https://www.csiac.org/podcast/data-manipulation
Confidentiality, Integrity and Availability
In cybersecurity, Confidentiality, Integrity and Availability, also known as the CIA Triad, is the benchmark model for developing the security policies used to govern and evaluate how an organization handles data while it is stored, transmitted or processed. Every risk, threat and vulnerability is measured by its potential to compromise one or more of the CIA principles. The definitions: Confidentiality—protecting information from disclosure to unauthorized parties; Integrity—protecting information from modification by unauthorized parties, and more broadly from any change, malicious or accidental, that is not detected; Availability—ensuring that authorized parties can access the information when they need it.
What is data manipulation? A common misconception is that attackers always steal data. In a data manipulation attack the adversary does not take the data; instead, it makes subtle, stealthy changes to it for some kind of gain or effect. These modifications can be as crippling to an organization as a data breach. Because decisions are made on the altered data, the result is a distorted picture that can lead to billions of dollars in financial loss or even loss of life, depending on the system in question and the type of data being altered. In some scenarios what the attacker does not do matters more than what is taken: the goal may be to leave the data looking normal while intentionally triggering external events the attacker can then capitalize on. The larger the fraud, the more likely it is that data integrity was compromised somewhere along the way. And if the manipulation is not a single event but is spread over weeks or months, it may be practically impossible to undo with a single system restore, because every backup taken during that period already contains the altered data.
Hypothetical Data Manipulation Attack Examples
Let’s examine several hypothetical data manipulation examples. Can you imagine what would occur if a stock ticker were manipulated to show a billion-dollar tech giant like Apple, Microsoft, Google, or Amazon having extreme financial gains or losses? It could cause immediate chaos or panic and could be used to target a competitor.
First, what if someone gained access to the FBI’s biometric databases and manipulated the fingerprint, facial, iris and retinal records? This would result in a significant loss of time and expense, and in the wrong individuals being apprehended or released.
Second, what if someone gains access to government passport and visa databases and manipulates the data? This would result in improper individuals obtaining government passports or having visas extended or denied. This could wreak havoc on our ability to control who can enter or leave the country, with potentially dire activity and consequences from terrorists.
Third, what if someone gained access to the health records of hospital patients and altered critical data such as the drug dosages and prescriptions to be administered? This could result in sickness or even death.
And fourth, what if someone gains access to blueprints for a manufacturing facility and manipulates data of the design plans? They could make minor modifications to the drawings that could set the organization up for systemic failure.
Consider the impact of simultaneous data manipulation conducted throughout the healthcare, government, manufacturing, financial, and telecommunications sectors. Widespread chaos would be an understatement.
The United States Intelligence Community has warned Congress that the next phase of escalation in cyber warfare would likely involve the manipulation of digital information. Military system capability is heavily dependent on software, which provides critical functionality and flexibility to war-fighting systems. What if a hacker were able to take control of these systems, operate largely undetected, and manipulate them by modifying or deleting large amounts of software code? Malicious penetrations of this kind could undermine confidence in the data stored on and accessible to a DoD weapons system, which could cause death to personnel, mission degradation, and/or damage to the environment.
Data Manipulation Attacks
Now, let’s examine some actual data manipulation attacks. The 1993 Salami Slicing Attack was one of the early integrity-related attacks. In this attack an insignificant amount is changed on a very large number of transactions to create a large profit for the criminal. Also known as penny shaving, it is the fraudulent practice of repeatedly stealing money in extremely small quantities, usually by taking advantage of the rounding of amounts to the nearest cent (or other monetary unit) in financial transactions. The attacker always rounds down and diverts the remaining fraction of a cent into one or more accounts under their control. The idea is to keep each change small enough that no single transaction is noticed. For example, a transaction at a financial institution computes to $98.012458. It is posted as $98.01 and the remaining $0.002458 is transferred to the attacker’s account. Repeated across hundreds of thousands or millions of transactions, those insignificant fractions add up to thousands or millions of dollars, depending on the number of accounts and how long the attack goes unnoticed. The detection handle is reconciliation: every cent posted must trace back to a source transaction, and an account that keeps receiving credits with no corresponding source, however tiny each credit, is the sweep account.
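The following is an added example, not code from the original report or from any real institution. It simulates the rounding step of a settlement run twice, once with a documented symmetric rounding rule and once with the attacker’s always-round-down sweep, and then runs the reconciliation check described above over both results. The account identifiers and transaction amounts are constructed sample data, and the sweep account name acct-9999 is an assumption. It goes slightly beyond the text by showing the honest settlement beside the fraudulent one so that the difference the check relies on is visible.

```python
"""Salami-slicing demo and the reconciliation check that catches it.

Added example for this report, not code from the original article.
Uses decimal arithmetic because binary floats cannot represent cents exactly.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample data: interest postings computed to six decimal
# places, as a core banking system might hold them before settlement.
SAMPLE_TRANSACTIONS = [
    ("acct-1001", Decimal("98.012458")),   # the report's own example amount
    ("acct-1002", Decimal("12.337901")),
    ("acct-1003", Decimal("250.999500")),
    ("acct-1004", Decimal("0.004999")),
    ("acct-1005", Decimal("73.125000")),
]


def settle_honest(transactions):
    """Round each amount to the cent with a documented, symmetric rule.

    Returns (posted, adjustment). The adjustment is the signed sum of
    (raw - posted) across the run; a real system books it to a visible
    suspense account, not to a person, so it nets out close to zero.
    """
    posted = {}
    adjustment = Decimal("0")
    for acct, raw in transactions:
        amt = raw.quantize(CENT, rounding=ROUND_HALF_UP)
        posted[acct] = amt
        adjustment += raw - amt
    return posted, adjustment


def settle_salami(transactions, skim_account="acct-9999"):
    """Attacker's version: always round DOWN and sweep the leftover
    fraction of a cent into an account the attacker controls (hypothetical
    account id). Each customer is short by less than one cent, which is
    why nobody complains.
    """
    posted = {}
    skimmed = Decimal("0")
    for acct, raw in transactions:
        amt = raw.quantize(CENT, rounding=ROUND_DOWN)
        posted[acct] = amt
        skimmed += raw - amt
    # The sweep is itself posted in whole cents; the attacker keeps the rest
    # accumulating for the next run.
    posted[skim_account] = skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted, skimmed


def reconcile(transactions, posted, tolerance=CENT):
    """Detection: every posted credit must trace back to a source transaction.

    Per-account drift below one cent is expected from rounding and is not
    flagged. A credit to an account with no source transaction at all is
    flagged regardless of size, which is exactly what exposes the sweep.
    Returns (findings, total_in - total_out).
    """
    inputs = dict(transactions)
    findings = []
    for acct, amt in posted.items():
        if acct not in inputs:
            findings.append(f"{acct}: credited {amt} with no source transaction")
        elif abs(amt - inputs[acct]) >= tolerance:
            findings.append(f"{acct}: posted {amt} differs from raw {inputs[acct]}")
    total_in = sum(inputs.values())
    total_out = sum(posted.values())
    return findings, total_in - total_out


if __name__ == "__main__":
    honest, adj = settle_honest(SAMPLE_TRANSACTIONS)
    print("honest run adjustment:", adj, "findings:", reconcile(SAMPLE_TRANSACTIONS, honest)[0])
    skimmed, total = settle_salami(SAMPLE_TRANSACTIONS)
    print("salami run diverted:", total, "findings:", reconcile(SAMPLE_TRANSACTIONS, skimmed)[0])
```

The per-account tolerance is what makes the attack hard to see from the customer side, and the source-less credit is what makes it easy to see from the ledger side; the check has to be run over the whole settlement, not per transaction, and the rounding rule itself should be fixed in code review so that a change from half-up to round-down on a settlement path is treated as a security-relevant change.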
The Tesla Attack was conducted by a disgruntled former Tesla employee who allegedly exported gigabytes of confidential data and manipulated data in the Tesla Manufacturing Operating System. The employee wrote code that periodically exported data from Tesla’s network directly to third parties. The software was deployed on three separate computer systems at Tesla so that the exfiltration would continue and so that attributing the activity to a particular person would be more difficult. The employee caused “quite extensive and damaging sabotage” to the company’s operations, including changing the source code of an internal product and exporting data to outsiders.
An Employee Attack occurs when an employee modifies company records, either accidentally or with intent to harm the employer by damaging its business operations or reputation. The employee uses authorized credentials to modify databases, so the modifications appear legitimate, and a significant amount of time may elapse before the attack is discovered. Because the access itself is authorized, access controls alone do not catch this; what is needed is a record of what was changed, by whom and when, and a known-good state to compare against. If a disgruntled employee modifies or deletes customer record lists, company profits can suffer; if the employee gets into the HR database, the result can be blackmail.
Ransomware is another attack with an integrity dimension. Classic ransomware encrypts all the data on a computer or server and forces an individual or enterprise to pay for the decryption key. Ransomware attacks are now morphing by using different techniques, and one recent technique goes beyond encryption to manipulating data: the victim’s data is modified by the malware and held hostage, and the threat actors demand payment in exchange for not publishing it. Even if the ransom is paid, the integrity of the data must still be verified when it is restored. In essence, the individual or organization may have paid a large sum for data that was both encrypted and manipulated, and that now has to be checked against a trusted baseline before it can be relied upon.
Defense contractors that provide the U.S. military and the DoD Intelligence Community with products and services have long faced espionage-motivated data manipulation attacks. The United States Government Accountability Office states that defense contractors are facing more sophisticated, aggressive attacks as nation states and other hacking groups increasingly use malicious software to block information or manipulate data. One recent example is the Boeing production plant hit by the WannaCry ransomware. Boeing’s cybersecurity operations center discovered a malware intrusion that affected a number of systems. Once the news of the attack broke, experts speculated that the malware could perhaps infect an airplane’s control software and trigger a ransom demand while in the air.
Organizations can no longer simply identify and defend against new ransomware attacks; they must also be able to verify the authenticity and integrity of their data. This is especially crucial for data used for decision making in high-risk medical and financial scenarios, and it requires effective mitigation measures.
Mitigating Against Data Manipulation Attacks
One of the greatest challenges posed by data integrity attacks is that the effects may not be detected for years. There are standards, methodologies and audit guidelines for managing risks to data availability and confidentiality, but there is comparatively little guidance for managing threats to data integrity. The MITRE Corporation has partly addressed this shortfall through the MITRE ATT&CK Framework, a living, growing knowledge base of adversary Tactics, Techniques, and Procedures (TTPs) and behaviors drawn from real-world observations of attacks on enterprise networks.
The MITRE ATT&CK Framework breaks a cyberattack into phases. At the time of this report the framework identified eleven tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command and Control. (Later versions of the Enterprise matrix added an Impact tactic, which includes a Data Manipulation technique, T1565, covering stored, transmitted and runtime data; it is the part of the framework most directly relevant to this report.) MITRE has developed matrices for both enterprise and mobile systems, and each technique entry lists detection and mitigation guidance. The full ATT&CK Matrix™ for enterprise systems includes techniques spanning Windows, macOS and Linux platforms and can be used to navigate the knowledge base. MITRE has developed two ATT&CK Mobile Matrices: one for adversarial tactics and techniques involving device access, and one for network-based effects that adversaries can achieve without device access.
Backups remain among the most critical aspects of data protection. Enterprises should ensure that they have adequate backup procedures to protect against ransomware and data manipulation attacks. Most backup systems include some form of hashing or integrity checking to ensure that data is restored without error; note, however, that this only proves the restore matches what was backed up, not that what was backed up was still correct. That is why organizations should also implement file integrity monitoring (FIM), which records a baseline of file hashes at a known-good point so that data restored after an attack can be compared against that baseline rather than simply trusted.
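The following is an added example, not code from the original report or from any FIM product. It builds a SHA-256 manifest of a directory as the known-good baseline, then, after a simulated restore in which one file was altered by a single character, one was deleted and one was planted, reports exactly what differs. The directory layout, file names and contents are constructed for the demonstration and are created in a temporary directory so the example runs offline.

```python
"""File integrity baseline and post-restore verification.

Added example for this report, not code from the original article.
The baseline manifest must itself be stored where the attacker cannot
rewrite it (offline or signed); otherwise it can be re-baselined to
match the manipulated data.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_against_manifest(root, baseline):
    """Compare the current state of root with a stored baseline.

    Returns a dict with sorted 'modified', 'missing' and 'unexpected' lists.
    A clean restore yields three empty lists; anything else means the
    restored data cannot be trusted as-is.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline three files, then tamper, delete and plant."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        # Constructed sample content; a one-character change here is the kind
        # of edit the report warns about (5 mg versus 50 mg).
        (root / "config" / "dosage.csv").write_text("patient,drug,mg\nA,warfarin,5\n")
        (root / "ledger.csv").write_text("acct,balance\n1001,98.01\n")
        (root / "notes.txt").write_text("ok\n")
        baseline = build_manifest(root)

        # Simulated manipulation between baseline and "restore".
        (root / "config" / "dosage.csv").write_text("patient,drug,mg\nA,warfarin,50\n")
        (root / "notes.txt").unlink()
        (root / "backdoor.sh").write_text("#!/bin/sh\n")

        return verify_against_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the baseline: if the manifest lives on the same host as the data, the attacker who can edit the data can edit the manifest, so it should be written to separate, append-only or signed storage, and the baseline date should predate the earliest suspected manipulation, which, as noted above, may be months before detection.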
Creating backups is not the only action organizations need to take. Organizations need endpoint visibility on their IT systems. Logging activity helps, but IT teams also need to develop and implement internal controls, such as password complexity and lockouts. Organizations must create policies and procedures for data quality and data integrity and, based on lessons learned from specific incidents of data integrity compromise and cases of fraud, develop procedures to address those situations. Furthermore, organizations need to make certain that information assets are correctly valued, especially system configuration, log files and metadata, since it is this high-value information that, if manipulated, could cause the most widespread damage. It is therefore vitally important that organizations undertake a threat assessment of their high-value data, and a risk management approach to protecting data integrity is strongly recommended. Finally, organizations need to ensure adequate protection of all data relied upon for investigative purposes and include data integrity protection in their security awareness program.
The Defense Department’s Joint Publication 3-13, Information Operations, notes that cyber capabilities can be used to “deny or manipulate” enemy decision-making, including by altering the contents of messages. Data manipulation attacks can compromise, complicate, negate, and/or pose threats to U.S. vital interests. Furthermore, these attacks can have disastrous consequences, causing significant disruption to major corporations, to other countries, or even to global security. We need to ensure the integrity of the data. If the integrity of the data is ever in question, the result can be worse decision-making than if no data were available at all. As an example, what if the data in a geographic information system used by the military were altered without our knowledge? One of our systems could use that data to launch a weapon to neutralize a hostile enemy target. If the geographic coordinates had been slightly modified, the weapon could strike the wrong location, causing a friendly-fire event or, even worse, inflicting casualties on innocent civilians. Therefore, you can easily see and understand the critical importance of maintaining the integrity of your data.