Bad actors have started to manipulate timestamps and chronological integrity: can we beat them in time?

VMware’s 2021 Global Incident Response Threat report found that attacks that cause destruction and threaten integrity occurred more than half of the time.

Whether it be via business email compromise, the manipulation of timestamps, or dreaded deepfakes, attackers are finding new ways to not just infiltrate victims’ infrastructure, but also colonize it to use for attacking others in turn.

What defenders have traditionally relied on to determine something digital as ‘real’ is data integrity – the assurance that digital information is uncorrupted and can only be accessed or modified by those authorized to do so.

Organizations go to great lengths to preserve data integrity as it is a key component of data security. It is critical to ensure data integrity and prevent malicious modifications of data in transit. Security systems and protocols heavily rely on data integrity for a ‘single source of truth’. However, these systems also all rely on a single point of failure: time.

Meddling with time

Time’s immutability makes it the foundation of security, and we have come to rely on timestamps, date records and chronological order as proof of authenticity. Cybercriminals are now taking advantage of this through the manipulation of timestamps, or Chronos attacks, which nearly 60% of respondents observed.

Other research has also found that 41% of financial institutions had observed the manipulation of time stamps, as cybercriminals attempted to alter the value of capital or trades.

Environmental manipulations including time are particularly insidious. When attackers can make themselves invisible to any time-reliant queries, they evade detection and stymie response. By doing this, they poison data sets and undermine the confidence security teams have in them, making it harder to use time as a verifier of a single source of truth.

Offense as the best defense

Given the bad actors’ escalation to attacking the very reality of our data, is fighting back the answer? Some in the trenches sure think so, with incident response professionals now willing to employ cyber offense as defense.

VMware’s 2021 Global Incident Response Threat report found that 81% of respondents were willing to leverage active defense techniques in the next 12 months. These tactics range from deception to disruption, such as deploying deception grids and micro sharing data, and creating a hostile environment for would-be attackers.

While these techniques are useful in the fight against attackers, hacking back is not recommended. Instead, cyber vigilance must be the de facto weapon and penetrate every aspect of the organization.

These are some recommended tactics that CISOs can adopt:

  1. Track identities on the move and embrace multi-factor authentication
    Attacks today often occur under the radar. With attackers often covertly entering the system, just-in-time administration and multi-factor authentication will be key to tracking identities on the move and cutting them off at the pass. In the recently released Information Security during the Covid-19 pandemic handbook, the Vietnamese government emphasizes the need for two-factor authentication for users to safely operate in cyberspace.

    Despite being a commonplace option, not all organizations adopt the practice, making this an open loophole that must be closed. 
  2. Perform regular audits on all time-based dependencies 
    Knowledge is power: attackers are now setting their sights on data integrity, which means security teams must do the same. Audits should already be done on a regular basis, and now must include increased emphasis on redundancy and resilience. Endpoint detection and response should also be deployed with time manipulation in mind and focus on time-based dependencies to ensure the integrity of upstream data sets.

    These audits should take into consideration possible attack vectors and scenarios that may be used to disrupt or manipulate timing infrastructure, as well as real world testing of time manipulation.
  3. Conduct regular threat hunting
    Prepare for the worst, hope for the best – so the saying goes. Security teams should assume attackers already have multiple avenues into the organization and act accordingly. Threat hunting should be conducted on a weekly basis, on all devices, and must be a key component of any organization’s cybersecurity strategy.

    Consequently, bug bounty programs are gaining traction in APAC, with Lazada launching a bug bounty program in Southeast Asia with up to US$10,000 per bounty. Bug bounties help security teams to detect behavioral anomalies, as attackers can maintain clandestine persistence in an organization’s system to conduct reconnaissance.

    Furthermore, threat hunting should not be exclusive to just the organization. High profile supply chain attacks on the US Colonial Pipeline and SolarWinds have proved that organizations are only as strong as their weakest (supply chain) link. Defenders should hence expand threat hunting to the outside general counsel, managed service provider, and even marketing or public relations firms.
  4. Apply micro-segmentation
    A Zero Trust approach with micro-segmentation builds zones within the organizational perimeter defense, limiting attackers’ abilities to move laterally. This forces attackers to pass multiple trust boundaries when attempting to cross security zones, with each traversal providing opportunities for detection and prevention.
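
For the audit of time-based dependencies in tactic 2, and the earlier point about attackers hiding from time-reliant queries, the Python below is an added example, not taken from the article or the VMware report. It assumes a hypothetical log pipeline in which the collector stamps its own ingest_time and each host numbers its records with seq; the records and the five-minute tolerance are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Hypothetical record layout: event_time is claimed by the source host,
# ingest_time is stamped by the collector, seq is a per-host counter.
Event = namedtuple("Event", "host seq event_time ingest_time msg")
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance for drift and delivery delay

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample data; web01 seq 3 carries a backdated event_time.
EVENTS = [
    Event("web01", 1, ts("2021-08-02T10:00:05"), ts("2021-08-02T10:00:06"), "login"),
    Event("web01", 2, ts("2021-08-02T10:01:10"), ts("2021-08-02T10:01:11"), "config read"),
    Event("web01", 3, ts("2021-07-01T03:00:00"), ts("2021-08-02T10:02:30"), "service installed"),
    Event("web01", 4, ts("2021-08-02T10:03:00"), ts("2021-08-02T10:03:01"), "logout"),
    Event("db01", 1, ts("2021-08-02T10:00:00"), ts("2021-08-02T10:02:00"), "backup start"),
]

def in_window(events, start, end, field):
    """Time-window query keyed on either the claimed or the collector timestamp."""
    return [(e.host, e.seq) for e in events if start <= getattr(e, field) < end]

def audit(events):
    """Flag records whose claimed time disagrees with collector time or sequence order."""
    findings, high_water = [], {}
    for e in sorted(events, key=lambda e: (e.host, e.seq)):
        skewed = abs(e.ingest_time - e.event_time) > MAX_SKEW
        if skewed:
            findings.append((e.host, e.seq, "skew"))
        prev = high_water.get(e.host)
        if prev is not None and e.event_time < prev - MAX_SKEW:
            findings.append((e.host, e.seq, "regression"))
        if not skewed:  # only trusted timestamps advance the per-host baseline
            high_water[e.host] = max(prev or e.event_time, e.event_time)
    return findings

if __name__ == "__main__":
    start, end = ts("2021-08-02T10:00:00"), ts("2021-08-02T11:00:00")
    print("by event_time :", in_window(EVENTS, start, end, "event_time"))
    print("by ingest_time:", in_window(EVENTS, start, end, "ingest_time"))
    print("findings      :", audit(EVENTS))
```

The query keyed on event_time omits the backdated record from the incident window, while the same query on ingest_time returns it and the audit flags it on both checks.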

It is simply a matter of time before attackers find more insidious ways to breach organizations.

Therefore, the time has come for organizations to have a defensive mindset at the top. From there, teamwork is key: starting with the CISO down to the folks on the frontline, the full organization must work together in the cyber trenches to stay one step ahead of attackers.