Attacks/Breaches
4/24/2013
05:05 PM

Security Vendors In The Aftermath Of Targeted Attacks

RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things

It has been months now since any word of a security company getting hacked has surfaced, but security vendors are still getting targeted on a daily basis by attackers ultimately after their customers -- or their intellectual property.

"It certainly has not let up in any way," says RSA CSO Eddie Schwartz of attack attempts against the security company. "We're always seeing over some period of time ... offshoots or new adversaries related to some we've seen before, and we have to profile or understand them in some way. There's always something new we have to learn and understand."

Just ask Harry Sverdlove, CTO of Bit9, the most recent security vendor hit by attackers. Sverdlove says he locked himself in a hotel room for a few days to comb through forensics data after the attack earlier this year on his company to figure out what happened and how to disclose it without exposing its customers.

"At the end of the day, we all need to be not just security companies, but we need to be sharing more intelligence. Having to go through that, I learned it's easier to say that than to do it," Sverdlove says. With legal and PR teams also weighing in on the incident, as well as law enforcement on the case, it was a difficult balancing act, he admits.

One thing is certain: Things will never be the same for security vendors now that they, too, are considered fair game by cyberespionage actors and hacktivists -- the very adversaries security firms build products and services to detect and thwart. During the past two years, these vendors increasingly have become attractive targets of determined attackers, starting with LulzSec's doxing of HBGary in February 2011, and then the advanced persistent threat breach of RSA Security's SecurID server the following month, which rocked the industry as a major security company's technology was exposed. Then came an attack that pilfered digital certificates from certificate authority Comodo and two of its registration authorities; Barracuda Networks in April had its corporate website hacked via a SQL injection attack, with the attackers posting employee, partner, and customer names, emails, and some salted passwords; another CA, DigiNotar, suffered a major breach and ultimately went out of business.

Microsoft, too, was swept up in the security technology breachfest, as researchers last year discovered that the cyberespionage attack campaign Flame had abused one of Microsoft's digital certificates to help spread the malware within a targeted organization.

Then in February of this year, Bit9 said attackers gained access to one of its digital code-signing certificates to sign malware in attacks against three of its customers.

And these are only some of the attacks on security vendors that have come to light publicly. Security experts say there are other security companies that have suffered attacks and have kept the breaches hush-hush.

So how does getting "0wned" change life for a security company? That depends. Key security executives at RSA Security, Bit9, and Microsoft shared some insights into how the targeted attacks they suffered have shaped them in the aftermath. Comodo, HBGary, and Barracuda all either declined or were unavailable to be interviewed for this article.

Bit9 has been especially forthcoming with details of how it was hacked, starting by admitting that it hadn't completely been eating its own dog food. Attackers hit a handful of computers on the network that were not running Bit9's own security software -- an apparent oversight.

[Bit9's sharing of some details on the attack that turned its whitelisting technology against some of its customers while trying to keep them safe from further danger represents a new challenge for security firms. See Bit9's Delicate Disclosure Dance A Sign Of The Times.]

Sharing as much intelligence and detail about the attack as it can with the public, its customers, and other security companies has been a key lesson learned for Bit9. And it comes with a price.

"One of the challenges when you're a security company ... sharing threat intelligence is great, but there's no way to share intelligence on the breach we got without getting some egg on your face. That was the trade-off the more we disclosed," Bit9's Sverdlove says. "But as a team, we decided it was the thing to do, so we shared as much as we could and a lot of information. But we were careful that none could identify our customers."

Sverdlove says Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. "Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers," he says. He did note, however, that the attackers were not targeting critical infrastructure or seeking financial gain.

The cert theft was a big setback, but Bit9 was well aware it was always in the bull's eye. "We knew even before this that we were always under attack," he says. "We knew that, so we always approached both our company and product that way. That certainly does mean for a startup that out of the gate, you have to assume that not only are you protecting your customers' systems, but you're also protecting your own software because you're going to be directly targeted."

And now, "We're on high alert. No question about it," Sverdlove says.

In the wake of the breach at RSA, the security division of EMC, Schwartz was named as RSA's first CSO. He was the former CSO at NetWitness, which EMC had acquired. "One of the things we had to do was assess what is the right approach relative to different aspects of our security program," Schwartz says.

Among other things, RSA had to pinpoint its most critical assets and the threats and risks to them. "How do they look from a security hygiene perspective?" Schwartz explains. "Is there a relationship between adversarial actions in the pipeline? We've groomed our processes to prioritize the most critical first."

Attackers aren't always going after a security firm's software or technology in order to reach one of its lucrative customers, though. Schwartz says he sees a combination of that and attackers going after intellectual property. He says some services or software RSA provides to its customers have an intellectual property component as well as a potential link to its customers -- "where services might be seen as a link in a supply chain somewhere that a critical adversary could get past," for instance, he says.

It's akin to a thief either picking locks one at a time or, instead, stealing the master key, says Robert Ackerman, a cybersecurity venture capitalist. "Security companies are coming to realize that they are in the food chain, and that makes them a particularly attractive target," Ackerman says. "They are having to redouble their efforts and build more secure infrastructures."

Microsoft found its technology embroiled in the Flame cyberespionage attack discovered last year. The software giant initially had to issue an emergency patch for all versions of Windows after learning that the Flame attackers had preyed on apparently weak cryptography in Microsoft's Terminal Services -- specifically, an older cryptographic algorithm used in Microsoft's Terminal Server Licensing Service, which lets enterprises enable Remote Desktop services.

Microsoft later issued a security update to kill the rogue certs, halted issuing certificates for code-signing through Terminal Services, and issued a new automatic updater for Windows that vets digital certificates daily. Mike Reavey, senior director, Microsoft Trustworthy Computing, says Microsoft drew from its nearly decade-old incident response process to take action on Flame.

"For example, when the Blaster worm hit, we didn't have a coordination protocol in place yet, so initially, business groups were working in silos to protect customers. We learned from that experience so that for incidents that followed, one of the first steps we take is to identify the right stakeholders, and Flame was no exception," Reavey says. "At the end of the day, there is no silver bullet to security protection, but taking a holistic approach and working to identify clear roles and responsibilities ahead of time will help better prepare security response teams for a crisis."

There can be no silos in the response phase, he says, and key people -- including executives -- must be looped in during the process. "We were constantly talking to our executives during Flame, like Scott Charney and Craig Mundie, so that they were completely aware of our action plan and able to make quick decisions," Reavey says.

Teaming and sharing information among other industry partners is also key in a breach incident, he says. Microsoft was in regular contact with Kaspersky Lab and CrySyS Lab when Flame was found, and the firms shared information on the malware.

Being transparent helps quell speculation and fear, he says. "During Flame, Microsoft kept customers informed through multiple blog posts, letting people know what steps the company was taking to protect them. Additionally, this transparency helped separate fact from fiction and clearly outlined any actions that customers needed to take to help protect themselves from the Flame malware," Reavey says.

But sharing intelligence can also backfire a bit because attackers also use the information. Once Bit9 published details on the breach it suffered, the firm girded itself for more attacks. "We knew attacks would go up once the report went out ... so we were on even higher [alert]," Sverdlove says. "We have to be more vigilant all the time. Defenders have to be right all the time, and attackers, only once."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
