Security tools reveal cyberintruders' trickery
SEATTLE — There is a silver lining to the rash of revelations about cyberintruders cracking into the networks of marquee U.S. corporations.
Microsoft this week admitted to a major network breach, following in the footsteps of Apple, Facebook, Twitter, The New York Times, The Wall Street Journal and the Federal Reserve, all of which have made similar disclosures in February.
However, the mea culpas also show that with persistent network breaches continuing to escalate, some large organizations have begun proactively gathering intelligence about what the bad guys are up to. They are doing this by stepping up the use of cutting-edge tech security systems.
And by moving to advance public knowledge about the stealthy tactics of cyberintruders, companies under attack could be taking a crucial step toward gaining an advantage on the attackers, say security analysts and law enforcement officials.
"The one thing these disclosures have done is provide significant visibility into the latest attacks," says Lawrence Pingree, cybersecurity industry analyst at market researcher Gartner. "Without that, you're blind."
Data thieves, cyberspies and hacktivists, to be sure, continue to probe company networks as intensively as ever. An estimated 60% of companies globally reported a network security breach in the past year, including 34% that identified more than one penetration, according to a survey of 4,447 tech professionals in nine nations, conducted by Ponemon Institute and sponsored by Juniper Networks.
Those survey results were released on Monday at the giant RSA cybersecurity conference in San Francisco, where much of the buzz this week has been about the value of openness.
"Just a short time ago, companies and third-party service providers were extremely reluctant to share any information for fear of airing dirty laundry or revealing any potential weaknesses," says Kelly Bissell, a Deloitte security and privacy principal. "Now there is a grass-roots, band-of-brothers kind of approach with the good guys."
Underscoring the openness theme, former White House cybersecurity adviser Howard Schmidt on Monday was named executive director of the non-profit Software Assurance Forum for Excellence in Code. Schmidt's mission: to assemble leaders from tech, military, law enforcement and industry to collaborate on increasing the trust in tech products and services.
Meanwhile, Hewlett-Packard on Tuesday announced the formation of HP Security Research, a new division created to provide "actionable security intelligence" via published reports and threat briefings. Those moves follow President Obama's recent executive order directing the federal government and private companies to work more closely to protect the nation's critical infrastructure against cyberattacks.
"The best scenario for training new defenders is to get knowledge about defending current attacks out in the open," says Alan Paller, research director of security training organization The SANS Institute. "It's the only way to develop effective and up-to-date skills and build confidence."
"China nexus"
Cyber Squared, for one, has built openness into its business model. The security start-up recently launched ThreatConnect.com, an online exchange where some 150 security researchers and 45 organizations convene around the clock to share data and brainstorm.
"It's like a neighborhood watch," says Cyber Squared CEO Adam Vincent. "The power comes from the development of a common, globally shared perspective about sophisticated threats."
For the past three months, ThreatConnect participants have been scrutinizing the activities of what the consensus believes to be a China-based cybergang that has been sending messages carrying viral attachments to specific individuals at an array of companies. Their goal: to infect one employee's computer and use it to get deeper into the targeted company's network, says Rich Barger, Cyber Squared's chief intelligence officer.
One of the gang's chief targets is an international news service that has ties to the Falun Gong, a spiritual movement critical of China's human rights record. Other targets include a journal on the metals industry, as well as corporations in the U.S., Europe and Japan involved in mining, metals, aerospace, defense, manufacturing, fabrication, construction and engineering, Barger says.
The attackers are after authentication credentials that would get them deeper network access to ultimately steal research projects, industrial processes, financial records, business strategies and other intellectual property.
"This tells us that (China-based cybergang) APT6 has been given broad intelligence-collection requirements, including targeting news services that are critical of the Chinese Communist Party," Barger says. "After looking at patterns of activity and the targeting of specific victims around key geopolitical events, you can identify a common China nexus."
Quick profits
While the 3-month-old exchange is shedding fresh light on nation-state cyberespionage, other cutting-edge security systems are flushing out cybercriminals of another stripe: those motivated purely by quick profits.
Juniper Networks, for instance, this week rolled out Spotlight Secure, a new cloud-based security service designed to pay very close attention to the makeup of any PC or mobile device that tries to probe a company's website for security holes.
Cyberintruders often deploy armies of infected computers, or bots, under their control to repeatedly attempt to break into a targeted company's network through its public website.
Spotlight Secure watches for — and blocks — any PC or mobile device that attempts to make suspicious connections to a website, and records more than 200 unique attributes of the attacking machine — in essence, fingerprinting it, says David Koretz, Juniper security vice president. It then shares that information with companies and websites using Juniper's security services.
The service recently detected 3,000 separate PCs launching more than 20,000 attacks against the website of an Australian hotel chain during the course of a week.
"We were even able to detect a case of a single attacker who intentionally switched IP addresses to make it look like the attacking machines were coming from multiple parts of the world," Koretz says. "They were either trying to lock up hotel rooms to resell them for more money, or trying to steal company or customers' financial credentials."
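The IP-rotation case Koretz describes is easiest to see when probe events are keyed by a device fingerprint rather than by source address. The following is an added illustration, not Juniper's Spotlight Secure code: it hashes a small assumed set of client attributes (the real service records more than 200) and flags any fingerprint that shows up from several IPs, using constructed sample events.

```python
"""Added example (not Juniper's code): correlate web-probe events by a device
fingerprint instead of by source IP, so one attacker rotating IPs is seen as
one machine. The fingerprint fields below are an assumed small subset."""
import hashlib
from collections import defaultdict

# Constructed sample events: one probing machine cycles through three IPs in
# three countries while its client attributes stay identical; a fourth event
# is an unrelated visitor.
EVENTS = [
    {"ip": "203.0.113.5", "country": "AU", "ua": "Mozilla/5.0 (X11; Linux x86_64) rv:10.0",
     "accept_lang": "ru-RU,ru;q=0.9", "screen": "1024x768", "tz": "UTC+3", "path": "/admin"},
    {"ip": "198.51.100.7", "country": "US", "ua": "Mozilla/5.0 (X11; Linux x86_64) rv:10.0",
     "accept_lang": "ru-RU,ru;q=0.9", "screen": "1024x768", "tz": "UTC+3", "path": "/wp-login.php"},
    {"ip": "192.0.2.9", "country": "DE", "ua": "Mozilla/5.0 (X11; Linux x86_64) rv:10.0",
     "accept_lang": "ru-RU,ru;q=0.9", "screen": "1024x768", "tz": "UTC+3", "path": "/phpmyadmin"},
    {"ip": "192.0.2.20", "country": "AU", "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/24.0",
     "accept_lang": "en-AU,en;q=0.8", "screen": "1366x768", "tz": "UTC+10", "path": "/rooms"},
]

# Assumed stable client attributes; the source IP is deliberately left out.
FINGERPRINT_FIELDS = ("ua", "accept_lang", "screen", "tz")

def fingerprint(event):
    """Hash the stable client attributes into a short device identifier."""
    material = "|".join(event[f] for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def correlate(events):
    """Group events by fingerprint: {fp: {"ips": set, "countries": set, "paths": list}}."""
    seen = defaultdict(lambda: {"ips": set(), "countries": set(), "paths": []})
    for e in events:
        fp = fingerprint(e)
        seen[fp]["ips"].add(e["ip"])
        seen[fp]["countries"].add(e["country"])
        seen[fp]["paths"].append(e["path"])
    return seen

def ip_rotators(events, min_ips=2):
    """Fingerprints observed from min_ips or more distinct IPs: one machine
    presenting itself as several, the pattern described in the article."""
    return {fp: d for fp, d in correlate(events).items() if len(d["ips"]) >= min_ips}

if __name__ == "__main__":
    for fp, d in ip_rotators(EVENTS).items():
        print(fp, sorted(d["ips"]), sorted(d["countries"]), d["paths"])
```

Once such a fingerprint is flagged, it can be blocked or shared as an indicator independently of whichever IP the machine uses next.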
Another kind of mass attack crafted to make quick cash involves directing thousands of infected PCs to deliver phishing e-mail messages carrying a viral attachment or corrupted Web link.
Security analysts at Cisco Systems were recently retained by a large payroll services firm to get to the bottom of a case in which numerous customers complained about a suspicious e-mail purporting to come from the firm, asking them to click to an anti-fraud alert service. Anyone unfortunate enough to have clicked on the tainted link had installed a sophisticated online banking theft program, called ZeuS, says Gavin Reid, Cisco's director of threat research.
Cisco's analysts pored through the trove of e-mail spam that Cisco continually filters from the networks of thousands of organizations worldwide that use its security services. They found that a run of bogus e-mails bearing the firm's name represented 38% of all spam for that day.
The payroll firm thus was able to establish that the attackers had simply appropriated its brand to blast out the e-mail to a broad group of recipients, including some of its customers, using e-mail addresses obtained from an unknown source.
"Cisco provided hard evidence that the attackers behind the phishing campaign had not, in fact, obtained a list of customers, and the phishing attack was not specifically targeted in this manner," Reid says. "The company was relieved that we could prove that no customer data had been taken."
While that discovery did little for any of the firm's customers who happened to fall for the phishing ruse, security experts say any fresh insight that lends clarity to the tactics and patterns favored by cybercriminals represents ground gained.
Says Gartner's Pingree: "What you're seeing with the discovery of these attacks and breaches is the fact that we've raised the bar in security and increased its visibility to the extent that malware can be discovered, rooted out and removed."