As the APT1 report Mandiant recently released brings heightened attention to global, targeted hacking activity, two things are becoming increasingly clear. First, today's professional malware organizations operate at a far larger scale than many realized. And second, but equally importantly, the targets of these attacks are more numerous, and often larger, than had been publicly known. No one likes to talk about being hacked, and the last thing a major organization wants to do is discuss its own security failures -- but it's exactly this culture of silence that makes network defense all the more challenging.
Put simply, if we want to reduce the tremendous damage and expense hacking causes, companies that have been on the receiving end of these attacks have to be willing to talk about exactly what happened, and how -- openly and in depth.
The APT1 report is a step in the right direction -- more information sharing is almost always better -- but it's not nearly enough. The report's main value would seem to be in bringing greater attention to the issue, and perhaps bringing new pressure to bear against those who support groups like APT1. But did we really need a lengthy report to tell us that there are professional attackers working around the clock to break into corporate networks? The evidence of the Chinese government's backing of APT1 has grabbed headlines around the world, but how much does knowing the presumed origin of the attacks help us actually defend against them?
What we really need is actionable information to help us better understand exactly how our current security tools and techniques are falling short. The APT1 report's discussion of how these groups are penetrating our networks is all too reminiscent of the '80s and '90s: The specific technology may have changed, but we still see the same organizational inertia that allows security disasters to happen unnoticed. The types of organizations that should be on highest alert against attacks still have employees who open PDF documents on vulnerable systems that lack so much as a sandbox or whitelist, let alone system logging that records the creation of new processes and the dropping of new DLLs. Whether lapses like these stem from denial, complacency or simple lack of information, the surest antidote is to draw clear lines between specific vulnerabilities and the attacks they've allowed to succeed, and publicize them far and wide.
The chief security officers of companies like the New York Times, RSA and Google who've been targeted by APT1 should share with their peers the painful details of their experiences. How did it happen? What techniques were in place, which failed and which succeeded? How did they learn about the penetrations -- through their own security practices, from a third party, or by luck? Is there truth to reports I've heard that some of APT1's victims had built networks in which their corporate crown jewels were connected to the same systems people use to read email, or that their source code repositories were accessible from business departments? It's not the kind of thing anyone would be proud of -- but sharing valuable information that helps others avoid a similar fate, even at the cost of a little embarrassment, should be a point of pride.
That's the kind of information sharing that can make a real difference for organizations of all kinds: real in-the-trenches, detailed reports about what worked, what didn't, mistakes made, techniques overlooked -- and areas where new techniques may be needed.
Until we all start talking more openly and fearlessly about our experiences with hacking, we'll be unable to learn together from the past, and we'll be doomed to suffer the same kinds of attacks again and again. It's a problem we all share -- and the solutions will come through shared effort as well.
About the author:
Marcus J. Ranum, chief security officer of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.
This was first published in April 2013