Targeted cyberattacks test enterprise security controls

Instead of prevention, the real focus should be attack mitigation

Targeted cyberattacks of the sort that hit Google and more than 30 other tech firms earlier this year are testing enterprise security models in new ways and pose a more immediate threat to sensitive data than a full-fledged cyberwar.

They're also an "existential threat" to the U.S., a top FBI official said last week.

Unlike older e-mail and network-borne worms and viruses, targeted attacks are stealthier and can give adversaries a way to break into an enterprise network -- and stay hidden there for a long time. Typically, the goal behind such attacks is to snoop and to steal sensitive information.

State-sponsored groups with deep technical skills and computing resources have been directing such attacks against government and military targets for several years now. But the increasing number of attacks, and the fact that they have begun to spill over into the commercial arena, have prompted some people to speculate about whether the U.S. is in the midst of a cyberwar.

Not war -- yet

The consensus: Not yet. Instead, the targeted attacks highlight what's called the advanced persistent threat (APT) facing U.S. commercial entities. The attacks typically rely on sophisticated social engineering techniques to exploit previously unknown security vulnerabilities, and they're difficult to fend off because they're designed to elude the signature-based malware-detection tools traditionally deployed at most companies.

Most attacks use social engineering to trick people with access to key information into opening tainted e-mails or other communications.

The malicious messages are crafted to look as if they're from someone the recipient knows and has been communicating with, said Paul Wood, a senior intelligence analyst in Symantec Corp.'s MessageLabs Intelligence unit. They can even be inserted into an ongoing e-mail exchange, gaining authenticity because they include familiar subject headers and references to ongoing conversations.

Who's most at risk? Company directors, vice presidents, managers and executive directors -- especially at smaller companies, according to MessageLabs. Because larger companies tend to be better protected than smaller ones, cybercriminals aim for small firms that might be suppliers or business partners to big ones, Wood said.

Dealing with these threats requires new ways of thinking, said Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services. Because the attacks often take advantage of zero-day threats for which no defense exists, blocking them with signature-based anti-malware tools is almost impossible, he said.

Detection is key

As a result, companies need to strengthen their ability to detect intrusions and respond quickly, Arries said. Since targeted attacks are designed to siphon out data via the network, keeping a close eye on network traffic can help detect anomalies. A gusher of data going out over the network is a warning sign that something's amiss.

As part of their security efforts, companies should implement network traffic flow analysis tools, Arries said. Terremark, for instance, uses technology from Arbor Networks to monitor and model the normal flow of data on its networks. The tool helps Terremark quickly detect any traffic patterns that are unusual, he said.
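As an added illustration of the flow baselining Arries describes (example code written for this edit, not Terremark's or Arbor Networks' tooling), the script below aggregates constructed NetFlow-style records per host and hour, builds each host's own baseline from its earlier hours, and flags a host whose current outbound volume is both several times its mean and far outside its historical spread. It also lists destinations the host had never contacted before, which is what an analyst would look at first. The record layout, the thresholds, and all hosts and addresses are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real telemetry:
# (hour, src_ip, dst_ip, dst_port, bytes_out). Hours 0-5 form the baseline;
# in hour 6 a workstation suddenly pushes ~400 MB to an unfamiliar host.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 4_000_000),
    (1, "10.0.0.5", "203.0.113.10", 443, 5_000_000),
    (2, "10.0.0.5", "203.0.113.11", 443, 4_500_000),
    (3, "10.0.0.5", "203.0.113.10", 443, 5_500_000),
    (4, "10.0.0.5", "203.0.113.12", 443, 4_200_000),
    (5, "10.0.0.5", "203.0.113.10", 443, 4_800_000),
    # A backup server that legitimately moves a lot of data every hour.
    (0, "10.0.0.9", "10.0.1.20", 22, 900_000_000),
    (1, "10.0.0.9", "10.0.1.20", 22, 880_000_000),
    (2, "10.0.0.9", "10.0.1.20", 22, 920_000_000),
    (3, "10.0.0.9", "10.0.1.20", 22, 905_000_000),
    (4, "10.0.0.9", "10.0.1.20", 22, 895_000_000),
    (5, "10.0.0.9", "10.0.1.20", 22, 910_000_000),
    # Hour under review.
    (6, "10.0.0.5", "203.0.113.10", 443, 4_600_000),
    (6, "10.0.0.5", "198.51.100.77", 443, 400_000_000),
    (6, "10.0.0.9", "10.0.1.20", 22, 910_000_000),
]


def aggregate(flows):
    """Per host: bytes sent per hour, and destinations contacted per hour."""
    bytes_by_hour = defaultdict(lambda: defaultdict(int))
    dsts_by_hour = defaultdict(lambda: defaultdict(set))
    for hour, src, dst, _port, nbytes in flows:
        bytes_by_hour[src][hour] += nbytes
        dsts_by_hour[src][hour].add(dst)
    return bytes_by_hour, dsts_by_hour


def flag_anomalies(flows, current_hour, z_threshold=3.0, min_ratio=5.0, min_history=3):
    """Return one alert per host whose egress in current_hour is anomalous
    against that host's own earlier hours.

    Both tests must hold: the volume exceeds min_ratio times the host's mean
    (so a low-variance host is not flagged for a trivial increase) and it is
    more than z_threshold standard deviations above the mean. A host with a
    large but steady baseline, such as the backup server above, is not flagged.
    """
    bytes_by_hour, dsts_by_hour = aggregate(flows)
    alerts = []
    for host, by_hour in bytes_by_hour.items():
        history = [b for h, b in by_hour.items() if h < current_hour]
        if len(history) < min_history:
            continue  # not enough baseline to judge
        current = by_hour.get(current_hour, 0)
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        if current > mu * min_ratio and z > z_threshold:
            seen_before = set().union(
                *(d for h, d in dsts_by_hour[host].items() if h < current_hour))
            alerts.append({
                "host": host,
                "bytes_out": current,
                "baseline_mean": mu,
                "z_score": z,
                "new_destinations": dsts_by_hour[host].get(current_hour, set()) - seen_before,
            })
    return alerts


if __name__ == "__main__":
    for a in flag_anomalies(FLOWS, current_hour=6):
        print(f"{a['host']}: {a['bytes_out']:,} bytes out, baseline "
              f"{a['baseline_mean']:,.0f}, z={a['z_score']:.0f}, "
              f"new destinations {sorted(a['new_destinations'])}")
```

Run as-is, it reports only 10.0.0.5, with 198.51.100.77 as the previously unseen destination; the backup server's 900 MB hours stay quiet because the baseline is per host rather than a single network-wide threshold.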

In addition, Terremark uses technology from NetWitness Corp. to do network packet inspection. The NetWitness technology allows Terremark to quickly go through network logs and inspect specific data packets flagged as suspicious, Arries said. Though open-source tools such as Snort can do packet inspection, a commercial product such as NetWitness can allow companies to quickly sift through and investigate large volumes of data for suspicious packets, he added.

Using a whitelist can also be useful, said Amit Yoran, CEO of NetWitness. With a whitelist, a company can allow specific traffic over its networks while excluding everything else.

This sort of default-deny approach can be very effective in stopping traffic coming in from or going out to destinations that have not been previously approved. Companies can block traffic from entire network blocks or even whole countries, if needed. As a result, even if a hacker compromises a network, the chances of his being able to smuggle out data are almost nonexistent.

The problem is that it's not very scalable, Yoran said. Restricting traffic to specific destinations is unworkable, especially in large enterprise networks. But it can work in specific situations, such as when protecting systems containing credit card data.
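To make the default-deny egress policy Yoran describes concrete, here is an added example (written for this edit, not NetWitness's or Terremark's code) of a policy evaluator for a small segment holding card data. The allowlist, the flows, and every address in it are constructed; a real deployment enforces the same policy in a firewall or proxy rather than in a script, and the evaluator is here to show what the rule set decides. Anything not explicitly listed is denied, including an approved host on an unlisted port and outbound DNS to any resolver other than the internal one.

```python
import ipaddress

# Constructed egress allowlist for a card-data segment (an assumption, not a
# real policy): (network, allowed destination ports); None means any port.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.1.0/24"), {22, 514}),    # internal backup and syslog hosts
    (ipaddress.ip_network("192.0.2.0/24"), {443}),       # payment processor
    (ipaddress.ip_network("10.0.0.53/32"), {53}),        # internal resolver only
]

# Constructed flows leaving the segment: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.0.2.10", "192.0.2.40", 443, 12_000),           # processor: allowed
    ("10.0.2.10", "10.0.1.20", 22, 500_000),             # backup host: allowed
    ("10.0.2.10", "10.0.0.53", 53, 200),                 # internal DNS: allowed
    ("10.0.2.10", "198.51.100.77", 443, 400_000_000),    # unknown host, even on 443: denied
    ("10.0.2.10", "10.0.1.20", 3389, 8_000),             # approved host, unlisted port: denied
    ("10.0.2.10", "203.0.113.5", 53, 300),               # outside resolver (DNS tunnel risk): denied
]


def evaluate(dst_ip, dst_port, allowlist=EGRESS_ALLOWLIST):
    """Return (allowed, matching network or None).

    First match wins; a destination matching no entry is denied by default.
    """
    addr = ipaddress.ip_address(dst_ip)
    for net, ports in allowlist:
        if addr in net and (ports is None or dst_port in ports):
            return True, net
    return False, None


def filter_flows(flows, allowlist=EGRESS_ALLOWLIST):
    """Split flows into permitted and denied, recording which entry matched
    so the allowlist itself can be audited later."""
    permitted, denied = [], []
    for src, dst, port, nbytes in flows:
        ok, net = evaluate(dst, port, allowlist)
        record = (src, dst, port, nbytes, str(net) if net else None)
        (permitted if ok else denied).append(record)
    return permitted, denied


def denied_bytes(flows, allowlist=EGRESS_ALLOWLIST):
    """Total volume the policy would have stopped from leaving the segment."""
    _, denied = filter_flows(flows, allowlist)
    return sum(r[3] for r in denied)


if __name__ == "__main__":
    permitted, denied = filter_flows(FLOWS)
    for r in permitted:
        print("ALLOW", r)
    for r in denied:
        print("DENY ", r)
    print(f"{denied_bytes(FLOWS):,} bytes would never have left the segment")
```

The allowlist is tractable here only because the segment has a handful of legitimate destinations; that is the scalability limit Yoran points to, and it is why this works for a cardholder-data enclave but not for a general-purpose corporate network.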

Could the cloud help?

Moving security controls into the cloud can also help companies detect targeted attacks, Wood said. As a provider of hosted security services that sifts through large volumes of network traffic on a daily basis, Symantec, for instance, can spot suspicious activity sooner than an enterprise would. Late last year, for instance, it was able to spot targeted attacks that took advantage of an undisclosed vulnerability in Adobe's PDF software -- a full month before the flaw was publicly disclosed and fixed.

Enabling remote logging capabilities is crucial, Arries said. Often, those who break into a server tend to wipe out activity logs and any other evidence of their presence from the server, he said. One way to get around this is to make sure that all logs are created and stored at a central location.

"If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky -- or you aren't looking closely enough," Yoran added.

Expect these kinds of attacks to continue. As George Kurtz, CTO of McAfee, explained after the Google attacks were made public: "These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered -- it is too late."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
