01:15 PM

Most Businesses Don't Spot Hack Attacks

Congress hears testimony that most businesses are told by government agencies and law enforcement that they've been hacked, and that better security data sharing is needed.

Out of the last 50 forensic investigations that information security company Mandiant has conducted, 48 of the businesses involved didn't know they'd been breached until informed by law enforcement agencies, Mandiant CEO Kevin Mandia told the House Intelligence Committee on Tuesday.

How could so many businesses not know when they'd been hacked? According to Mandia, advanced attacks--once reserved for use against government agencies--are now being used with greater frequency against businesses. Attackers have also become expert at using malware to compromise legitimate networks, then using them to launch botnet-driven attacks against other targets.

Furthermore, attackers are getting better at routing around known security defenses. "We routinely witness attackers circumvent conventional safeguards deployed to prevent and detect security breaches," Mandia told legislators. "Virtually all of these intrusions belong to the growing subset of advanced threats that usually evade off-the-shelf technologies that American corporations rely upon--oftentimes exclusively--for their defense."

That combination of factors helps explain why businesses have been getting worse at detecting breaches. "I've been tracking how organizations detect that they've had a breach since 1998," said Mandia in an interview. Initially, many businesses spotted when they'd been attacked. But by 2004, he said attack-detection rates had declined, with only 20% of businesses spotting when they'd been hacked. Based on recent breaches, the detection rate has fallen to just 4%.

Why are law enforcement agencies spotting so many breaches, while businesses remain in the dark? "During normal law enforcement tradecraft, the FBI in particular is learning so much about the adversary that they're seeing downstream victims. And each military branch is doing it as well. The Air Force, Army, and Navy are also learning a lot more about the threats than the private sector is," said Mandia. Primarily, he sees the FBI, as well as the Defense Criminal Investigative Service (DCIS) and the Naval Criminal Investigative Service (NCIS), reaching out to inform businesses they've been hacked.

The extent to which law enforcement agencies alert businesses that they've been breached was likewise highlighted earlier this year by Steven Chabinsky, deputy assistant director of the FBI's cyber division. "It's often the case now that the FBI is informing people that they've been victimized, rather than victims coming to the FBI," he said in an interview.

For businesses to better resist these attacks, they'd ideally have access to the threat intelligence being produced by government agencies--and that was the theme of Tuesday's committee hearing. But such information-sharing today is virtually nonexistent. "Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats to the U.S. from U.S. government agencies than it is to learn about cyber threats," Michael Hayden, a former director of both the CIA and NSA, told the committee.

"In the popular culture, the availability of 200,000 applications for my smartphone is viewed as an unalloyed good. It is not--since each represents a potential vulnerability," he said. "But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat."

According to Mandia, "basically the private sector is hemorrhaging intellectual property now based on a series of online intrusions, and they can't do anything about it."

But one overriding question is, how might the government usefully go about sharing cyber attack intelligence, for starters with businesses? "It's tough, and it's kind of a nerdy thing to say, but I think it starts with the standardization of how you share the information. It needs to be like a file that you just input and hit the 'go' button," he said.

"The minute that's codified, the private sector can pretty much start to safeguard themselves," he said. "The knowledge gleaned from the premier information security program in your industry will be shared on down throughout the industry. So the minute we can share intelligence through technology, you'll see the private sector begin to respond to these attacks much more quickly."

User Rank: Apprentice
10/17/2011 | 4:17:29 PM
re: Most Businesses Don't Spot Hack Attacks
I have to agree with jrapoza. Corporations need to take IT security a little more seriously. Also the IT staff could use more training so they can be better prepared in case of an attack. Just having AV software is not enough; most can be easily hijacked using kiddie scripts. Also, if they are doing security audits, they should listen to the experts' advice and implement a plan. Penetration testing helps too; it shows you your weaknesses. It seems far-fetched that companies will invest much more money into security, but we can always hope.
User Rank: Apprentice
10/6/2011 | 4:26:12 PM
re: Most Businesses Don't Spot Hack Attacks
I think to a large degree this is due to many companies not investing in security and also, many that do don't go much further than the basic features of their products and don't get into deep analysis and monitoring.
There's also a part of me that thinks there are more than a few companies who don't want to find out about breaches because then they can claim ignorance.

Jim Rapoza, Contributing Editor, InformationWeek
User Rank: Ninja
10/6/2011 | 12:50:30 PM
re: Most Businesses Don't Spot Hack Attacks
That's pretty amazing. I wonder what the two companies that did know were doing from a security perspective the other 48 weren't. Or if they were just lucky.
Brian Prince, InformationWeek contributor