Attacks/Breaches
12/22/2010
04:56 PM

Targeted, Skilled Attacks Shaped 2010 Threats

While high-profile breaches like that of Google and the Stuxnet worm served as a wake-up call for many organizations, attackers continue to 'mow through' enterprises' systems and networks

Even with the intense investigations and research that followed the targeted attacks against Google, Adobe, Intel, and more than 20 other U.S. firms, and, later this year, the Stuxnet worm, little progress has been made in thwarting or decreasing highly targeted attacks, including so-called advanced persistent threat (APT) attacks.

The Operation Aurora attacks, which appeared to have originated out of China, as well as the Stuxnet worm, which was aimed at disrupting Iran's nuclear facilities by sabotaging its PLC equipment, were indeed game-changers this year. Google's public disclosure that it had been attacked and its intellectual property stolen was unprecedented in the emerging age of customer data breach disclosures. And Stuxnet appeared to be the work of a well-oiled machine made up of various players with different areas of expertise from zero-days to the intricacies of PLCs.

But even with all of the forensics work undertaken in the wake of Aurora, Stuxnet, and other skilled targeted attacks, plus the attention and awareness they have raised, these attacks represent only a small fraction of attacks that go undetected every day, security experts say.

"My guess only is that we only have 10 to 15 percent visibility into what these bad guys are doing," says Kevin Mandia, CEO of Mandiant, a forensics firm that investigates APTs for mostly Fortune 100 and other large clients.

"Aurora was nothing. It didn't put a dent in these attacks. Everyone says it raised awareness, but with all we saw prior to [Aurora] and after, there's been no dent in the activity. They keep mowing through people's networks like a tank in a cornfield," Mandia says.

Plenty of misconceptions about APTs exist as well, including the theory that one group of attackers is typically behind this type of targeted intrusion. In fact, most APT victims have been infiltrated by multiple different attackers, most of whom aren't aware of the others, according to Mandiant. "We find multiple attack groups within an environment," says Christopher Glyer, a director at Mandiant.

In one case, Mandiant found eight different APT attacks from eight different groups going on in one victim's network. "There were eight concurrent ones in an environment. They don't appear to know about the other groups there [either]," Glyer says.

Aurora was revealed when Google decided to go public and said it was considering closing its doors in China and would no longer censor search results there after the attack pilfered source code from the search giant. The Aurora attack on Google, Adobe, Intel, and others began with end users at the victim organizations being duped by convincing spear-phishing messages carrying poisoned attachments.

Stuxnet, meanwhile, is the first known malware attack to target power plant and factory floor systems, and it also opened the door to a whole new level of attack that could execute the unthinkable: manipulating and sabotaging power plants and other critical infrastructure systems. It's technically not considered an APT, but it does share some characteristics, such as special tactics and intelligence. Experts point to a nation-state link because of its many layers of expertise and the sophistication of the attack.

"Stuxnet was cool," Mandia says. "We got our hands on it immediately ... You don't place four zero-days" in an attack without being well-funded, he says. "This was a real significant event."

Eddie Schwartz, chief security officer at NetWitness, says Stuxnet is an APT. "Many would certainly disagree with me, but I do consider Stuxnet an APT. It's not really an APT by the classic definition pushed by many security pundits, but it's definitely an advanced attack that required the use by the adversary of multiple tactics and intelligence sources, and it's specifically targeted, so it needs to be treated with the same sort of defensive approach and cyberdoctrine as an APT," he says.

Meanwhile, forensics experts say when companies come forward voluntarily and disclose that they've been victimized by these types of attacks, it can go a long way to help connect the dots with related attacks within other organizations, and possibly get investigators closer to the source. But voluntary disclosure, versus legally mandated disclosure, is rare and most experts say it will remain the exception.

NetWitness' Schwartz says he wishes more organizations would go public with their APT experiences. "Then many victim organizations would have a lot more evidence, which could bring to light ... the true source and intent of the attackers," Schwartz says.

But sharing also requires some analysis to put it into perspective. "Even if organizations share that data, there has to be a trusted entity in the middle of all of that that has the technology and people to review that information," he says. "They can then come to some conclusions that they can pass down to organizations."

Google's revelations about Aurora basically exposed the dirty little secret of attacks that have long been ongoing against federal agencies, defense contractors, and, in recent years, corporations. "When a new company gets compromised [by an APT], the joke is, 'Welcome to the club, and what took you so long to join?'" Mandiant's Glyer says. "One big shift was Google publicly talking about what happened to them, which was very good for the industry … But I don't see a lot of other companies coming and talking about it even though they are being attacked all the time."

And you can't just patch to protect against an APT. Social engineering is a big weapon in the APT attacker's toolkit, Mandiant's Mandia notes. "It's tough to stop these guys. They don't always use exploits," he says. "To patch every system doesn't mean you won't be compromised by these guys if they are targeting you. Humans are exploiting their own networks" via socially engineered attacks, he says.

Since September, 42 percent of the APT victims Mandiant has seen were commercial firms, in industries including cryptography and communications, automotive, space/satellite/imagery, mining, energy, law, investment banking, chemical, hospitality, technology, and media. Around 31 percent of the victims were defense contractors; 13 percent, nonprofits/think-tanks/nongovernmental organizations; 7 percent, foreign governments; 5 percent, U.S. government agencies; and 2 percent, military.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
