“Know your enemy,” says Sun Tzu in the Art of War, simplistically speaking. And, simplistically speaking, in the current cyberwar the enemy are the bots, the trojans, the worms and viruses and all the other malware that seek to breach our cyber defences. The clear implication is a need to monitor and understand these threats. But the threats are continuously evolving, changing and increasing; so the solution would appear to be ‘continuous threat monitoring’.
There are many ways this can be done: by signing up to the ‘alerts’ RSS feeds almost always provided by the major systems and software providers; by monitoring the national CERT pages and in particular the one hosted by Carnegie Mellon university in the USA; or by subscribing to one or more of the alert providers such as Secunia. An alternative or additional approach is to monitor the blogs of leading security researchers, such as David Harley (ESET), Luis Corrons (PandaLabs), Rik Ferguson (Trend Micro) and Graham Cluley (Sophos); all of whom provide insight and commentary on the current threat environment.
But we said at the beginning: ‘simplistically speaking’. The enemy isn’t just the threats: it includes time, your time to do all of this. Amanda Finch, general manager at the Institute of Information Security Professionals, suggests a risk management approach to ease the burden. Continuous threat management should depend on the business and the risks it faces. “For example,” she says, “in manufacturing this is probably not necessary or cost-effective; but for utilities or banks, or high security situations, it may be. With the sophistication of the cyber threat and the techniques, methods and tools available to attackers, the days of retrospectively checking configuration, incident and event logs are wholly inadequate for most businesses, certainly where monetary value, IP, or sensitive personal information is involved.”
But still this is too simplistic. The enemy isn’t merely the malware, or the time to monitor all the threats – the real enemies are the vulnerabilities that allow the malware into the system; and the user. Microsoft research shows that the vast majority of breaches depend upon the user doing something he or she should not; and that a statistically insignificant number of breaches are caused by the infamous 0-day threat. Further research shows that the bulk of detected exploit threats appear after the vulnerability is patched by the vendor.
Stuart Aston, chief security advisor at Microsoft, takes up the story. “You have to start from a thorough understanding of the risk. If you understand your risk, it will help you understand how to monitor the threats. For example, a large percentage of breaches come from end users actively doing something they shouldn’t. Similarly, 99% of breaches occur via patched vulnerabilities. It follows that improving your users’ security awareness together with religious patching will defend against the majority of security attacks. This, coupled with a good defence in depth, is the best way to not merely monitor threats, but to defeat them.” In other words, it is an effective use of time to let the vendors and security researchers monitor and alleviate the threats, provided the company then acts on the findings, and patches its software.
Continuous threat monitoring, then, should be a combination of watching the industry, using risk management techniques to concentrate on the most pertinent areas and, perhaps most importantly, keeping all systems and software fully upgraded and patched.
Understanding the threat
If we look at security today there is one conclusion we simply cannot avoid: it is not working. Despite the $20bn invested in IT security in 2010 (FireEye Advanced Threat Report – 1H 2011), the cost of cyber crime to the UK economy alone is estimated to be £27bn per annum (The Cost of Cyber Crime: a Detica report in partnership with the Office of Cyber Security and Information Security in the Cabinet Office). We need to understand what is going wrong in order to reverse this. And to understand that, we need to examine the evolving threat landscape.
It is tempting to blame the emergence of the advanced persistent threat (APT), a highly targeted, sophisticated attack aimed at large corporates. Hardly a week passes without news of a new APT attack on a household name: Google, Sony, Nintendo, RSA, Mitsubishi. And it is easy to support this idea with current statistics. FireEye divides current threats into two primary categories: ‘wide and shallow’, and ‘narrow but deep’. The first is the traditional approach: a wide net is thrown to catch as many targets as possible; but the actual loss is relatively small. The second is the specifically aimed attack on an individual organization that goes deeper and steals more – the APT.
It’s a description that is recognised by Detica’s Henry Harrison. “Of the £27bn annual loss to the UK economy,” he comments, “£17bn comes from theft of intellectual property and espionage – the typical narrow but deep targets of APT attacks.”
But while we must be aware of the threat of APT, we should not be diverted by it. The exploits and methodologies used are not new. Only the manner in which they are combined; the targets at which they are aimed; and, it has to be said, the almost military intelligence and precision with which they are controlled, is new. (It’s worth noting that ‘APT’ is a military term first coined by the US Air Force.)
Successful security should stop APT just as much as it should stop common-or-garden malware. Consider the banking trojan Zeus. Worldwide, RSA’s security and fraud expert Uri Rivner told me, “there are some five million PCs infected with Zeus”. Clearly our security defences stop neither wide and shallow nor narrow but deep attacks; and we need to understand the reason.
One clue can be found in PricewaterhouseCoopers’ 2012 Global State of Information Security Survey. “A clear majority of [9,600 CEOs, CFOs, CIOs, CISOs, CSOs worldwide],” it states, “are confident that their organization’s information security activities are effective.” This is despite the unambiguous empirical evidence to the contrary.
The problem is that we are stuck in an old security paradigm when the paradigm itself is changing. We grew up with our servers in the computer room and our users in the same building. The concept of security was simple: we put a barrier around our IT infrastructure to keep the bad things on the outside and the good things on the inside. Since the good things were all in one building it was conceptually simple. And since the technology to achieve this barrier is mature and effective – firewalls, anti-malware, intrusion prevention, content filters – and since we have all installed this technology, we believe we are secure.
It is a false sense of security that leaves us terribly exposed. Computing is no longer that simple. Cloud computing means that our data could be anywhere. Mobile computing means that our users could be anywhere. Consumerization means that our access devices could be anything that has internet connectivity. Where now can we effectively place a barrier? It’s not impossible, it’s just different; and we’re not keeping pace. But all of this pales into comparative insignificance in the face of a major new weakness: us. The rise of social networking combined with the consumerization of devices and mobile computing means that we are as likely to socialise at work as we are to work at home. There is no longer even a virtual boundary between work and home.
“There has been a seismic shift in the threat landscape,” explains Rivner. “The criminals are no longer attacking the IT infrastructure. They are attacking the users.” It is social networking that provides the information that allows the criminal to bypass our security defences and get into our networks via our users. We have become nonchalant over the amount of personal information we effectively broadcast to all and sundry: our likes, our dislikes, what we do, what we want, where we are, where we’re going…
Armed with this information and basic social engineering skills it is easy for the criminal to trick us into doing something we shouldn’t, like going to a compromised website or opening a poisoned attachment. The malware itself stays ahead of us by rapid and automatic changes designed to defeat, and is successful at defeating, signature-based defences. FireEye points out that 90% of malicious executables and malicious domains change in just a few hours, and that today’s criminals are almost 100% successful at breaking into our networks.
The criminal no longer seeks to find a way through our security defences; social engineering has shown him a way round them. The difference with APT is that the criminal will now try to hide his presence and will take his time to find and steal what he wants. Unless we change our approach, and adapt our security to the changing threat landscape, the cost of crime will continue to escalate.
Tackling the threat
As things stand today, any company targeted by APT or simple spear phishing will almost certainly succumb. But it doesn’t have to be that way. There are things we can do. Absolutely central to this is continuous staff security awareness training to defeat that initial social engineering. It would be best not to do this yourself – use an expert to test both your defences and your staff. “First,” says David Hobson, the sales director of Global Secure Systems, “we test/audit your security systems and bring them up to speed. Then we’ll test your staff – and bring them up to speed.”
But that’s not enough; security awareness will not prevent all people-hacking. This summer RSA and TechAmerica hosted an Advanced Persistent Threats Summit in Washington, D.C. One of the takeaways is this: Organizations should plan and act as though they have already been breached (APT Summit Findings, RSA). Statistically, you probably have. So if existing defences aren’t working, go back to basics and start again. Security is not an end in itself: it is the risk mitigation aspect of risk management. Use risk management techniques to understand what is of most value. David Hobson uses an analogy with medieval castles. “You take your crown jewels and keep them separate in the best defended part of your castle, in the Keep.”
One method of segregating your networks is to colocate, wholly or partially, with a specialist data centre provider. It’s a way of providing greater physical security for your servers than you could probably do alone. “We use 24-hour manned security and biometric authentication (palm readers) for access to our data centres and to individual client suites, cages or racks,” explains Brian Packer of provider BIS.
There’s a second implication from the APT Summit: if you are already breached, it would be good to know about it as soon as possible. You need to shine a light inside your network, to see what is happening, to look out for anomalies and recognise any intrusion before any data loss. There are several new and very advanced security products that can help you here from companies like Detica and FireEye.
Rivner believes that virtualization can also help. “A virtual desktop infrastructure (VDI) could prevent malware getting onto the desktop and from there to the server; and it certainly makes patching and upgrading the entire infrastructure an easy task.” Bear in mind that the Google Aurora hack would not have succeeded if the target were not still using an old and outdated version of Internet Explorer. ‘Patch your software’ should be a way of life.
But virtualization is only as good as its implementation and your understanding of its components. “An APT or any other security threat,” explains Mike Atkins of Orange IS Security Solutions, “is likely to focus on the weaknesses that can be found in the target systems and processes, and then seek to leverage 0-hour exploits. The key to protecting a virtualised environment is to similarly focus on the weaknesses of the system and then mitigate as fully as possible any attacker’s ability to leverage those weaknesses.”
There is, however, one weakness in all of these approaches. Necessary and good though they be, they effectively use the same old security paradigm: wait for, recognise and respond to an attack. And that might be too late. In this new security paradigm we need to accept that our attackers are more sophisticated, better resourced and organized, and more patient and persistent than are we. “We need,” says RSA’s Uri Rivner, “global information sharing. It will be difficult, coping with the different privacy requirements in multiple jurisdictions, but it can be done. The banks are already doing it. When we all do it, we will have the necessary intelligence to cope with today’s evolving threat landscape.”