High-profile attacks highlight need for defenses against targeted threats
Attacks against RSA, Lockheed Martin, Oak Ridge show focus needed on network monitoring, outbound filtering, whitelisting
Computerworld - The recent spate of successful cyberattacks against high-profile organizations has focused fresh attention on the need for enterprises to implement new defenses against targeted threats.
Over the past few months, several supposedly secure organizations, including RSA, Lockheed Martin and the Oak Ridge National Laboratory, have been the victims of major attacks.
Last week, the International Monetary Fund joined the list when it admitted to a similar intrusion. An anonymous IMF source quoted in a story in The New York Times described the incident as a "very major breach" that likely resulted from so-called spear phishing.
All of the recent incidents have appear to be very targeted and persistent attacks carried out by adversaries using a combination of social engineering techniques and sophisticated malware programs.
Dealing with such threats requires companies to look beyond security strategies that are focused purely on dealing with traditional network threats, analysts say. Increasingly, companies also need to focus on approaches such as continuous monitoring of networks, databases, applications and users; outbound traffic filtering; and whitelisting.
"Time and again, as details of these attacks are made clear, we find that attackers are not behaving like stereotypical burglars -- smashing a window, grabbing what they want, then walking off with a big bag marked 'swag' while the alarms ring," said Mike Lloyd, chief scientist at RedSeal Systems.
Gartner analyst John Pescatore said that instead, "a common thread through many damaging incidents is targeted executables getting installed on critical servers or high-value employee PCs."
The goal behind many of these attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on an organization and steal information.
One way of dealing with such threats is to constantly monitor for configuration changes on important assets, Pescatore said. Network forensics and database activity monitoring products such as those from FireEye and Damballa are useful in detecting and blocking targeted threats which conventional signature-based tools let through, he said.
Moving to application-aware firewalls that can limit unknown application traffic over Port 80 is another step forward in protection, Pescatore said.
The key thing to remember, though, is that monitoring alone is not a panacea, he added. "For most of these incidents, monitoring the right things is more important than how often you check. And protecting the right things is even more important than monitoring," Pescatore said.
Continuous network monitoring using intrusion detection systems alone is "useless" against targeted attacks, said Richard Stiennon, an analyst at IT-Harvest. "Attackers may still engage in old-fashioned network scanning and attempts to exploit vulnerabilities, but most of the successful attacks recently have involved custom Trojans delivered by socially enriched emails," he said.
Data breaches
- N.J. mayor arrested on hacking, conspiracy charges
- Security researcher urges IT to keep up with SAP patches
- Anonymous claims it hacked a DOJ site
- Banking malware spies on victims by hijacking webcams, microphones, researchers say
- Utah CTO takes fall for data breach
- UNC Charlotte: 350,000 SSNs exposed in decade-long breach
- Twitter says many leaked passwords inaccurate, duplicates
- Hackers blackmail Belgian bank with threats to publish customer data
- Russian cybercriminals earned $4.5 billion in 2011
- Nissan, Under Armor report breaches of employee information


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Demonstrate PCI Compliance through Better Change Management
- Demonstrating PCI compliance with policies and regulations is an IT necessity, especially when periodic audits are conducted. ITinvolve has a better approach to...
- Stop Hackers Before They Attack
- Hacktivism, Identify Theft, Financial Gain, Cyber War - regardless of motivation, stopping today's hackers requires a new proactive approach to protecting endpoints. Learn...
- A Proactive Approach to Server Security
- Learn why security-conscious organizations are taking a more proactive approach to server security. Download this Spire Research whitepaper to understand how you can...
- From the Frontline - Preventing APT
- Is your company's network secure? Are your endpoints and servers secured? Before you answer, read this case study on a US Military Command...
- Bit9 Parity Outperforms McAfee and Symantec
- Tolly Group conducted a review of APT attacks that were blocked and not blocked by vendors. Download the full report to see how... All Data Security White Papers
- Live Webcast
Data Privacy and Protection in Production Environments: New Research from Ponemon Institute - Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Spear Phishing and the Modern Cyber Attack
- Learn how IT teams can protect against spear phishing tactics. Harry Sverdlove, chief technology officer of Bit9 offers a frank discussion about spear...
- Distributed Database Security with Real-time Monitoring
- View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
- InfoSphere Warehouse Packs Demo
- These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
- Delivery Management -- Extending Lifecycle Management
- Date: Wednesday, June 20, 2012, 1:00 PM EDT
Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,...
All Data Security Webcasts
