3/7/2013
04:27 PM

Using Intelligence Against Companies That Benefit From Cyberespionage

'Naming and shaming' the ultimate beneficiaries of stolen trade secrets can work

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Whether it matters to identify the person or organization behind a targeted attack -- a.k.a. attribution -- has been hotly debated. But knowing and confirming who your attacker is could be a key element of ultimately making cyberespionage more costly for nation-states like China, some security experts say.

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says it's "mindboggling" to him when people say attribution of the attacker doesn't matter. "It's fundamentally critical who your enemy is," Alperovitch said here in an interview last week. "Don't you want to know if it's a murderer that's inside your house or a guy who stole your TV? You have to know what to protect."


Over the past year or so the industry has moved from focusing only on keeping attackers out to a more pragmatic acceptance that determined, well-funded attackers can't really be stopped and are likely already inside your network. The focus now is on preventing them from stealing and exfiltrating sensitive information. Alperovitch said that requires a good understanding of who the people and groups behind the attacks are, so you can make attacking you more expensive and risky for them.

And the ultimate solution would be to go after the actual beneficiaries of the stolen information, such as some Chinese businesses. "It's helpful to know exactly which building, unit, affiliation, and ... yes, their faces," Alperovitch said. "But it's also helpful to understand the trade craft of that group. The strategic level of attribution is useful ... [they are] passing it to local and state-owned companies. Understanding who these companies are is important."

Many Chinese businesses also are trying to branch out globally and do business outside China, he said. "If [Chinese companies] are using stolen information, you can bring that leverage ... for trade sanctions. It may not be against China or the PLA [People's Liberation Army], but you could take criminal action against [the companies'] executives," for instance, he said.

The Obama administration's newly announced strategy on fighting the theft of intellectual property could help here. "We're going in that direction with the strategy the administration is trying to lay out with trade sanctions that are not specific to cyber. We need to expand that to cyber," Alperovitch said.

[The U.S. government will be slow to act against aggressors who attack through the Internet, predict policy and China experts at RSA. See China's Cyberespionage Will Continue Unabated, Say Experts.]

Alperovitch said raising the cost of doing business for Chinese firms capitalizing on stolen U.S. intellectual property is key. And "naming and shaming" firms under suspicion of spying or being agents of the Chinese government, as with the case of Chinese telecommunications company Huawei, can help, he said.

Take Huawei, which, along with Chinese company ZTE, was recently called out by Congress as risky to do business with in the U.S.: a congressional intelligence committee warned of potential security risks to U.S. infrastructure if the Chinese companies were used as suppliers. The fallout has hurt Huawei's business aspirations in the U.S., he said. "It has made an impact on their business," Alperovitch said. "There's no question that naming and shaming can be very effective."

But what about the U.S.'s own use of cyberespionage? James Lewis, director and senior fellow of the technology and public policy program at the Center for Strategic and International Studies, in a paper published today explains the differences in how the U.S. and China each employ cyberespionage.

"The US government does not engage in economic espionage and intellectual property laws are more strongly enforced in the United States than in many other countries, including China. Nor are American political 'hacktivists' encouraged by the US government. The US approach to cyber conflict treats cyber techniques as a traditional tool of statecraft, providing advantage in military and political intelligence, and as a new weapon to strike opponents," Lewis wrote.

"The US uses cyber techniques to monitor and assess Chinese capabilities and intentions, and to gain battlefield advantage in the event of conflict. US cyber actions, unlike Chinese cyber actions, are focused on their competitor’s official government activities and not on economic espionage. US laws effectively preclude economic espionage by government agencies and punish private individuals who breach intellectual property laws," Lewis writes.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
