Ed. note: This is the first in a three-part series on CyberWars that will explore what is happening, why businesses should be concerned, and what they should do.
In the last five years the first shots in a new kind of conflict, dubbed CyberWars by the press but more accurately “advanced persistent threats” by data security experts, have been fired. The revelations of Operation Aurora, the 2009 penetration of Google, Juniper Networks, Rackspace and probably several other technologically sophisticated companies; Night Dragon, the penetration of the major oil and gas companies; Shady RAT; the RSA penetration; and, of course, Stuxnet, revealed a new kind of cyber threat. And these are only the cases that have been reported publicly. In a highly secretive environment, where both the perpetrators and the victims have strong reasons to keep their activities quiet, the question is: What don’t we know?
All this may sound inflammatory, but the fact is that businesses worldwide are caught in the crossfire. Dmitri Alperovitch, who led the team at McAfee that identified and investigated several of these incursions and who last year co-founded a new security company, CrowdStrike, to develop software and services to counter them, warns that “all the companies that I investigated had antivirus, they all had firewalls, they all had prevention systems and a variety of other security technologies, and they all got hacked. The existing models of building better walls and trying to keep the adversary from getting in are not going to work” against these highly sophisticated, targeted attacks. “They’ll use insiders, they’ll bribe people, they’ll find weaknesses in these programs, and they’ll leverage them successfully and repeatedly. That’s exactly what’s been happening over the last decade or so.”
This threat has several important characteristics that make it very different from what companies have been used to, say the experts. These include:
- They are highly focused on a specific target. Stuxnet is malware aimed specifically at the control software for the centrifuges in the Iranian uranium enrichment facility. If it happened to get onto any other computer, it would remain inactive.
- They are very well researched and targeted at specific weaknesses in an individual organization. As Mike Rothman, analyst and president of security consultancy Securosis (www.securosis.com), says, “If you’re going to knock over a bank you are going to do some surveillance, you’re figuring out what the best way in is, what their specific controls are.”
- They will succeed in penetrating even the strongest defenses. These actors are both very sophisticated and very determined. They are playing for the long term and apply both advanced technologies and psychology. If one attack fails, they come back with another. Shawn Henry, former FBI Executive Assistant Director (EAD) for CyberSecurity and now President, CrowdStrike Services, says bluntly, “The sophistication of the adversaries is such that they’re able to jump over the firewalls.”
- They are persistent. Traditional cyber-crime is often “smash and grab”: a short-term penetration or attack designed either to grab valuable information or to do some damage, and then get out. These penetrations are designed to go on for months or years, and are often discovered only by accident.
- They target a wider range of data. Cyber-crime is usually focused either on stealing money directly, or on stealing credit card and bank account information as a prelude to stealing money, or on denial of service and other basically annoying activities. The Operation Aurora penetration of Google was focused on gaining information on Chinese dissidents, Stuxnet on seriously damaging Iran’s ability to produce nuclear weapons, and Night Dragon on the bids major oil and gas companies planned to make for exploiting new fields worldwide in competition with the Chinese state oil and gas companies. This is not to say that financial data is never targeted; as Rothman points out, presuming that large criminal organizations cannot mount their own targeted attacks is a dangerous mistake.
The trend toward virtualizing data systems is rendering companies more vulnerable, warns Eric Chiu, co-founder and president of HyTrust, a security startup focused on securing the virtualization layer. In a virtualized environment, anyone who gains access to the virtualization management system can control everything in the environment, from accessing any data to shutting down virtual machines completely: the management plane is a single point of control that sits above every guest’s own security controls.
“People are using advanced persistent threats and social engineering to gain access to these privileged accounts and the credentials of IT admins,” Chiu warns. “In the case of RSA they targeted the seed records for SecurID. They could just as easily target your credit card information or, in a healthcare provider, your patient health information.”
“Valuable intellectual property is being literally vacuumed off from Western companies, Western governments by the truckload in an unprecedented fashion,” says Alperovitch. “What we are witnessing is the greatest transfer of wealth in history in the form of this intellectual property theft that is going on, with China being the major beneficiary.”