It seems that the whole world has changed in the month since Google Inc. and a number of other high-profile IT firms revealed that they were the targets of high-profile Chinese hacker attacks. Talk about state-sponsored hacking, cyberwarfare, cyberespionage and "advanced persistent threats" has been pushed from the periphery of the enterprise security community to center stage. At the same time, significant questions are being asked about the efficacy of existing enterprise security investments -- and the regulations that mandate them. Both have proven ineffective at stopping the kinds of attacks leveled at Google, Adobe Systems Inc. and other firms.
One obvious question that enterprise chief information security officers (CISO) are asking in the wake of the Aurora attacks is, "Could we be next?" The answer is undoubtedly "yes." If nothing else, the lesson of the attacks on Google and other IT firms is that private companies -- not just the U.S. government and its contractors -- can find themselves in the crosshairs of nation-states with unlimited resources and time to obtain valuable intellectual property, competitive data or trade secrets.
The hack, which was initially disclosed in a blog post titled "A new approach to China" from Google's chief legal officer, has been attributed to hackers based in China and possibly affiliated with the People's Liberation Army (PLA). No culprit has been definitively identified, but unnamed intelligence officials have been quoted in the media attributing the attacks to Chinese schools with close ties to the military.
Both the focus on valuable intellectual property and, in the case of Google, the spying on the email communications of Chinese human rights activists suggest motives that go beyond mere profit. The details that have come out since it was first disclosed in mid-January suggest that the attack, dubbed "Google Aurora," is similar to others that have long been directed at government agencies, defense contractors and other high-profile targets. Attackers combined emails targeting high-value employees with custom malware. A previously unknown (or undisclosed) application vulnerability in the Internet Explorer Web browser was used to gain control of victims' machines.
What should enterprise security admins do?
The next logical question is, "What tools or technologies might be deployed to thwart these kinds of sophisticated attacks?" Beyond that, enterprises need to wonder whether such tools align with the requirements of federal, state and industry regulations like the PCI Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and other mandates. Here the answer is more complicated.
Clearly, the compromise of so many high-profile technology firms reveals deep flaws in the dominant multilayered defenses that enterprises have deployed from their network edge down to their desktops and datacenters. I, like other security analysts, have called attention to the continued difficulty of securing enterprise endpoints, where a reliance on obsolete, signature-based virus detection is an Achilles heel.
In the case of Google Aurora, attackers merely created a new Trojan downloader, subsequently dubbed Hydraq, to take control of compromised endpoints and siphon sensitive data from target networks. In fact, were it not for the high profile and overt protestations of its victims, antimalware firms might have taken a good deal longer to analyze and issue threat signatures for Hydraq, given the relative scarcity of the malware itself. One researcher at a leading antimalware firm confided to me that his labs receive 75,000 Tier 1 malware samples like Hydraq every single day. Enterprise reliance on flawed, insecure applications like Internet Explorer and the opaqueness of most Web traffic also played a role in the Google Aurora attacks and many other unnamed attacks like it. These have been wellsprings of security woes and network compromises for more than a decade.
To defend themselves against such attacks, enterprises need to adopt a more risk-based (versus threat-based) approach to security. Advanced persistent threats, such as those from the PLA or from whatever the Russian Business Network calls itself now, demand that organizations realign their security investments and emphasize proactive protection through better patch and configuration management; obtain better, more timely threat intelligence that's specific to their company or industry vertical; implement signatureless, behavior-based threat detection; and use better identity and policy management and improved threat correlation capabilities. Enterprises should de-emphasize reactive, signature-based threat detection and siloed, single-function security appliances.
The problem, of course, is that CISOs serve two masters: the security needs of their employer, and the compliance demands of their auditors. And, as Joshua Corman, a 451 Group colleague, has pointed out, in a difficult budget and capital spending environment, the latter of those two tends to become the sole master. "Compliance," in other words, trumps "security" as the goal. As one CISO said, "I may get hacked, but I will get audited."
Of course, enterprise security regulations often just mirror security best practices. I've called the PCI DSS the most important security story of the last decade in recognition of the ways that the industry-sponsored regulation has compelled real investment in such core enterprise security functions as network firewalls, patch and configuration management, log management, vulnerability scanning, and endpoint security. Still, regulators are rarely -- if ever -- in front of threats and the machinations of the "bad guys," and the drive for compliance -- check box or otherwise -- is likely to divert precious dollars from areas where they might be better spent, or cement in technologies -- such as antivirus software -- that might reasonably be replaced with more effective alternatives.
Will the Aurora attacks change this dynamic? Not a chance. Might the attacks get enterprises to direct their gaze higher than the very low security bar set by PCI DSS and similar regulations? We can only hope.