Tuesday, April 20, 2010

CYBERSPIES-1

How To Fight The New Cyberspies

Andy Greenberg, 03.03.10, 6:00 PM ET

Welcome to the third wave of the corporate cyber wars.

At the beginning of the last decade, the "hacker threat" was what cybersecurity researchers now describe as a pimply teenager in his mother's basement whose idea of a master plan was to write his pseudonym across AOL's home page. Then came the second wave of digital miscreants, organized cybercriminal gangs that operated quietly and turned identity theft into a vast criminal conspiracy.
Today the threat to corporate and government data is evolving again, says Ed Skoudis, a researcher with security auditor and post-breach response firm InGuardians. But the new cyberspies aren't netting financial data for high-volume crime. Instead, they're focused on specific files like confidential communications, patents and business strategy documents--and their methods make even organized cybercriminals look like amateurs by comparison.
"We've seen the threat vector shift to something more insidious, more advanced, more capable," says Skoudis. "If you were fighting the last war against teenage hackers in 2005, you missed organized cybercrime. And if you're just focused on cybercriminals today, you're missing this change in your adversary mix."
That new wave of sophisticated, targeted cyberspies--what the industry now calls the "advanced, persistent threat" or "APT"--began penetrating networks in earnest around 2007, Skoudis says. But since then, it's been busy expanding its targets.
Instead of focusing merely on government agencies and their direct relations (including the major defense contractors whose hacking began last decade and continues to the present day), Skoudis says, the cyberspies have now infested practically every part of the private sector. In just the first months of this year, it's been revealed that cyberspies also breached Google's network, along with dozens of other targets including oil companies and law firms. (See "Google Takes On China.")
So how to stop the encroachment of these advanced, persistent hackers? Even combating an advanced threat, cybersecurity gurus say, starts with some very basic steps. First among them: Patch software obsessively.
In February, Department of Defense Cyber Crime Center Director Steve Shirley told Forbes that his forensics organization had found 102 breaches of the Pentagon's agencies, partners and contractors in the two-year period ending August 2009. Almost all of those cases used spoofed e-mails laced with an attachment that installed hidden spyware on the user's machine. In most of the incidents, hackers didn't use a previously unknown flaw in the target computer's software. Instead they exploited a bug that the developer had long ago issued a patch for, but that the company's network administrators had ignored.

Almost as often, users at high-security companies including defense contractors employed laughably crackable passwords--even using the word "password" in some cases.
Beyond those nuts and bolts, Alan Paller, director of research at the security-focused SANS Institute, suggests another trick, one that the security industry calls "two-factor authentication." That involves giving each of your employees a cheap gadget built by RSA or Entrust that generates random number strings that serve as passkeys. If a hacker can't access your network, or move from one segment of it to another, without that number, users' accounts become much harder to hijack and any breach that does occur is easier to contain.
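To make the second factor concrete, here is an added example (not code from the original article, and not the design of RSA's or Entrust's products) of how a login server can check a token-generated passcode alongside a password. It assumes the standards-based TOTP scheme (RFC 6238, built on RFC 4226 HOTP), in which the token and the server share a secret and derive a six-digit code from the current 30-second time step; the secret, password and timestamps below are constructed sample values. The check also shows two details the paragraph leaves implicit: a small window for clock drift between token and server, and a record of used time steps so a passcode a hacker captured once cannot be replayed.

```python
# Added example: two-factor login check using a time-based one-time passcode (TOTP).
# The TOTP algorithm is an assumption; the article does not say which scheme the
# hardware tokens use. Secret, password and timestamps are constructed sample values.
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample shared secret (the RFC 4226/6238 test-vector key).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_login(stored_password: str, secret: bytes, password: str, code: str,
                 now: int, step: int = 30, window: int = 1,
                 used_counters: Optional[set] = None) -> bool:
    """Accept a login only if both factors check out.

    Factor one is the password (a real server compares a salted hash, not the
    plaintext as here).  Factor two is the token code: any code for a time step
    within +/- `window` steps of the server clock is accepted, to tolerate drift.
    Each accepted step is remembered in `used_counters`, so a code captured by
    spyware on the user's machine is useless once it has been used.
    """
    if not hmac.compare_digest(stored_password, password):
        return False
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if used_counters is not None and candidate in used_counters:
            continue  # already consumed: treat as a replay
        if hmac.compare_digest(hotp(secret, candidate), code):
            if used_counters is not None:
                used_counters.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # Show what the token would display right now for the constructed secret.
    print("current code:", totp(SAMPLE_SECRET, int(time.time())))
```

The `hmac.compare_digest` calls keep the comparison constant-time, and the `used_counters` set is the piece most often forgotten: without it, the second factor only proves the code was valid at some point in the window, not that it has never been seen before.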
At the same time, Paller says, network administrators shouldn't depend on that countermeasure or any other single tactic. Neither off-the-shelf firewalls, nor intrusion detection systems, nor antivirus software is enough to catch sophisticated hackers. "No solution is perfect," he says. "But if we use a whole lot of 80% solutions, we can make it very hard to break in."
The corollary of that realistic admission is that organizations should be ready to react to a successful breach. That means hiring personnel who can customize network intrusion software or build it from scratch to find spyware that has already infected your network and is sending data back to the hackers' faraway server. "There's no one more valuable than a network engineer who can find attacks, reverse engineer them, and clean them up," Paller says.
One not-so-obvious piece of advice for those network clean-up crews: Don't move too fast, says Kevin Mandia, a former Pentagon researcher whose firm, Mandiant, now functions as a post-breach consultant. When a company finds spyware on some portion of its network and removes it immediately, the company often tips off the cyberspies without cleaning up the whole infection, and the hackers adapt their tactics to better hide the remaining spyware. "Day-to-day combat doesn't work," says Mandia. "Let [the spyware] accumulate, get your arms around it, and then do a Mike Tyson uppercut to clear it all out."
Even then, SANS' Paller says that companies should assume the arrival of the APT hackers means that cybersecurity will require constant vigilance, updates and spy-hunting. "It's a matter of constantly cleaning house," says Paller. "You'll be doing this for the rest of your days--or until they re-engineer the Internet."