The phenomenon of hackers carrying out corporate espionage over the Internet is hardly new. But even the most hardened, cynical observer of information security would raise an eyebrow at the volume of data leaving corporate networks today. Researchers, experts and vendors report thousands of data loss incidents due to cyberespionage, and the attacks do not discriminate by industry. Hospitals, banks, government agencies and mom-and-pop stores are losing data to organized criminals and state-sponsored thieves operating online; the problem shines a harsh light on the failure of signature-based defenses, the difficulty of attributing attacks, and the lack of coordinated response.
“In most cases, organizations still operate in see-detect-and-arrest mode, meaning it’s still all about after-the-fact response,” said Jeff Bardin, chief intelligence officer for security consultancy Treadstone 71. “We are in such a mode that the past two years, most of the major [security] positions hired in organizations are incident response. It almost feels like they’re giving up, that they’re already hit. They’re scrambling to put defenses in place, and don’t know they’re hemorrhaging data.”
News of credit card and personal information breaches no longer shocks anyone. The industry is fascinated with tales of China attacking major corporations with sophisticated, persistent attacks that exfiltrate intellectual property by the gigabyte. Nortel is the latest high-profile victim. The Wall Street Journal recently reported the company had been losing data to hackers using a server in Shanghai. The group had access to Nortel’s network for more than a decade, and one U.S. intelligence official told the Journal the attack was typical. “If I’m looking to get a jump on my R&D,” he said, “that’s a good way to do it.”
Nortel, once a giant in switch making and telecommunications, has been selling off parts of its business for the last few years, and is now essentially out of business. It’s not alone as a victim. RSA Security’s loss of the seed keys for its SecurID authentication tokens cost the company a reported $63 million to repair in terms of manufacturing upgrades and token replacements. The company has spent the better part of a year repairing its relationships with customers and next week hosts the security industry’s largest annual conference, RSA Conference 2012. While still a thriving business, RSA demonstrated that even what are supposed to be hardened targets can fall.
Experts continue to preach that companies should allocate security resources according to the latest threats and adversaries. Enterprises should classify their most sensitive assets and secure those to the hilt. Yet for too long, experts said, companies have been stuck in an endless cycle of protecting perimeter machines, updating servers and endpoints with the latest Microsoft and Adobe patches, and largely hiding in the weeds praying they’re not the next Nortel or RSA.
“Companies have been in business a long time and have invested in infrastructure over the past 20 years. For them to change is an extremely long process and it has to be driven from the top,” said Dave Aitel, founder of security company Immunity, and a former NSA research scientist and @Stake consultant. “You don’t see companies on their own discovering things they need to invest in, unless they get hit. Are companies taking proactive strategies against current cyberespionage attacks and abandoning technology that doesn’t work? When they’re forced to, yes. It takes an incident to change a company.”
In the meantime, attackers are exploiting vulnerable systems, and also exploiting security strategies that rely on signature-based defenses such as antimalware and intrusion detection, which experts said cannot keep up with the dynamic nature of malware development.
“It’s easy to blame the technology companies, but it’s also your own fault for not testing what you buy and terminating the deal if it doesn’t work,” Aitel said. “Attacks are the test.”
And most of the time, attacks succeed. The situation is worsened because it’s difficult to attribute attacks to their source. Attackers are nimble at covering their tracks and aren’t noisy once inside corporate networks. While the Department of Defense would want to know the origin of an attack, a midmarket company losing data might be interested only in choking off a hacker’s access.
“If you can attribute back, how far back in the kill chain do you want to go? Do you want to move from active defense to offensive counter intelligence and cyberactivities?” Bardin asked. “You don’t want to stand in the ring and take punches any longer. You’re going to want to start throwing some. But how legally do you do this? Lots of organizations don’t have the stomach, capabilities or awareness to do such a thing. They have to change their behaviors if they want to survive.”
Bardin suggests that companies understand their own attack surface by monitoring social networks for details posted about the company or its employees that could be used against the organization in an attack. This reconnaissance is the same kind of work attackers do to prepare a targeted strike against an enterprise or government agency. Eventually, Bardin said, the industry needs to move from defensive and detective technologies and services to preventive and predictive technologies that look at patterns and help figure out an attacker’s next move.
“You can take these nuances and build it into your defensive posture,” Bardin said. “You come to a point when everyone wants to evolve their security environment. In some cases, you have to take revolutionary steps. In some cases, you blow it up and rip out stuff that’s not working and ask: Are we getting enough bang for our buck? Or are there better solutions we can put in place?”