Most Businesses Don't Spot Hack Attacks
Congress hears testimony that most businesses are told by government agencies and law enforcement that they've been hacked, and that better security data sharing is needed.
Out of the last 50 forensic investigations that information security company Mandiant has conducted, 48 of the businesses involved didn't know they'd been breached until informed by law enforcement agencies, Mandiant CEO Kevin Mandia told the House Intelligence Committee on Tuesday.
How could so many businesses not know when they'd been hacked? According to Mandia, advanced attacks--once reserved for use against government agencies--are now being used with greater frequency against businesses. Attackers have also become expert at using malware to compromise legitimate networks, then using them to launch botnet-driven attacks against other targets.
Furthermore, attackers are getting better at routing around known security defenses. "We routinely witness attackers circumvent conventional safeguards deployed to prevent and detect security breaches," Mandia told legislators. "Virtually all of these intrusions belong to the growing subset of advanced threats that usually evade off-the-shelf technologies that American corporations rely upon--oftentimes exclusively--for their defense."
[ Once you do discover that you've been breached, do you know how to respond? Read Data Breach Response Plans: Is Yours Ready? ]
That combination of factors helps explain why businesses have been getting worse at detecting breaches. "I've been tracking how organizations detect that they've had a breach since 1998," said Mandia in an interview. Initially, many businesses spotted when they'd been attacked. But by 2004, he said attack-detection rates had declined, with only 20% of businesses spotting when they'd been hacked. Based on recent breaches, the detection rate has fallen to just 4%.
Why are law enforcement agencies spotting so many breaches, while businesses remain in the dark? "During normal law enforcement tradecraft, the FBI in particular is learning so much about the adversary that they're seeing downstream victims. And each military branch is doing it as well. The Air Force, Army, and Navy are also learning a lot more about the threats than the private sector is," said Mandia. Primarily, he sees the FBI, as well as the Defense Criminal Investigative Service (DCIS) and the Naval Criminal Investigative Service (NCIS), reaching out to inform businesses they've been hacked.
The extent to which law enforcement agencies alert businesses that they've been breached was likewise highlighted earlier this year by Steven Chabinsky, deputy assistant director of the FBI's cyber division. "It's often the case now that the FBI is informing people that they've been victimized, rather than victims coming to the FBI," he said in an interview.
For businesses to better resist these attacks, they'd ideally have access to the threat intelligence being produced by government agencies--and that was the theme of Tuesday's committee hearing. But such information-sharing today is virtually nonexistent. "Let me be clear: This stuff is overprotected. It is far easier to learn about physical threats to the U.S. from U.S. government agencies than it is to learn about cyber threats," Michael Hayden, a former director of both the CIA and NSA, told the committee.
"In the popular culture, the availability of 200,000 applications for my smartphone is viewed as an unalloyed good. It is not--since each represents a potential vulnerability," he said. "But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat."
According to Mandia, "basically the private sector is hemorrhaging intellectual property now based on a series of online intrusions, and they can't do anything about it."
But one overriding question remains: how might the government usefully go about sharing cyber attack intelligence, starting with businesses? "It's tough, and it's kind of a nerdy thing to say, but I think it starts with the standardization of how you share the information. It needs to be like a file that you just input and hit the 'go' button," he said.
"The minute that's codified, the private sector can pretty much start to safeguard themselves," he said. "The knowledge gleaned from the premier information security program in your industry will be shared on down throughout the industry. So the minute we can share intelligence through technology, you'll see the private sector begin to respond to these attacks much more quickly."