Stealthy, sometimes long-term cyber-espionage attacks to steal sensitive proprietary information — what some now call “advanced persistent threats” (APT) — have become a top worry for businesses.
Last week the Security for Business Innovation Council, a group of 16 security leaders from companies that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson and Northrop Grumman, summed up their thoughts on APT in a report, saying this type of attack is forcing IT to rethink network security. “Tackling advanced persistent threats means giving up the idea it’s possible to protect everything. This is no longer realistic.”
“Focusing on fortifying the perimeter is a losing battle,” bluntly states the report, which was published by RSA — itself the well-known victim of a successful APT attack. “Today’s organizations are inherently porous. Change the perspective to protecting data throughout the lifecycle across the enterprise and the entire supply chain.”
The report adds: “The definition of a successful defense has to change from ‘keeping attacks out’ to ‘sometimes attackers are going to get in; detect them as early as possible and minimize the damage.’ Assume your organization might already be compromised and go from there.”
The focus, it says, now has to be on working with business managers to identify the “crown jewels” of the organization and protect these “core assets,” while “also moving away from a perimeter-centric view.”
Dave Cullinane, chief information security officer at eBay, says there’s no doubt that the APT problem, which often may be financially motivated, is at the top of everyone’s list of concerns right now. Spear-phishing, which involves tricking an individual into opening an email with malware to gain control of a computer, is one way an attacker gains a foothold inside a network, as happened at RSA last spring. But Cullinane says there are insufficient protective anti-phishing products available.
“Adversaries know what works in spam filtering,” he points out. He says some companies, including banks, have devised their own custom-made defenses that combine e-mail information with threat-monitoring tools like FireEye and Damballa.
Cyber-espionage attacks are essentially infiltrations that could come from nation-states and their hired-hand attackers, as well as from industrial competitors, organized crime groups, or “hacktivists” like Anonymous.
Last week, security researcher Joe Stewart, director of malware research at Dell SecureWorks, offered his own evidence that the March break-in at RSA, in which sensitive information related to SecurID was stolen, originated in mainland China.
Stewart says his conclusion is based on analysis of two malware components that were used to conceal the attack on RSA. The malware, called HTran, which was originally written by Chinese hackers, was found to leak error-message information showing specific network IP addresses at ISPs in China, where hackers likely directed stolen data. The report on this from SecureWorks notes that without the cooperation of the government of the People’s Republic of China, further attribution of the hacking activity is “difficult or impossible.”
The possibility of a nation such as China engaged in large-scale cyber-espionage through APT attacks came up again last week.
In a report entitled “Revealed: Operation Shady RAT,” McAfee says evidence it got from a server out on the Internet shows 72 businesses and government agencies, most in the U.S. but from several other countries as well, have suffered APT infiltrations since 2006. McAfee says the attacker is probably a “nation-state,” but it didn’t point to any particular country.
McAfee’s “Revealed: Operation Shady RAT” only names a few of the victims, including the World Anti-Doping Agency in Montreal, the Asian and Western national Olympic Committees, and the United Nations, along with the Association of Southeast Asian Nations.
Dmitri Alperovitch, vice-president of threat research at McAfee Labs, says McAfee has tried to reach those it believes were targeted, based on the log evidence from the server it gained access to “legally” in March. “Some IP addresses are very clear, they’re the firewall of an organization,” Alperovitch says.
The intention of the McAfee report is to show that “someone is going to a tremendous amount of effort to compromise these computers,” he says. Alperovitch says the APT server in question is still in operation, and there are “hundreds if not thousands” of these servers designed to coordinate siphoning of sensitive data. The theft of intellectual property taking place represents a “massive transfer of wealth that is happening,” he says, as some infiltrator — probably a “nation-state” — tries to gain economic advantage by chipping away at the economic advantage others may have.