Cyberespionage At A Crossroads

Aurora and Stuxnet-type attacks are here to stay, so organizations need a new defense strategy
It has been a milestone week in cyberespionage developments that smacked of a spy movie, with a confession, a killing, and a leaked intelligence cable: Iranian President Mahmoud Ahmadinejad issued a statement that "enemies" of Iran had successfully used software to disrupt centrifuges in Iran's nuclear facility, Iran's top nuclear scientist was assassinated, and a U.S. State Department cable obtained by WikiLeaks suggested the Chinese government had ordered the Aurora attack against Google.

While these events and disclosures fell short of providing actual proof about the success or even who was really behind these high-profile breaches, they punctuated what has been a game-changer of a year for cyberattacks.

"It used to be that you got on the front page of Time or were on CNN because you lost 20 million Social Security numbers. No one cares about that anymore," says Nick Selby, managing director of Trident Risk Management. "When a company loses a bunch of information about the company and how it does business, that's the new 'CNN moment.'"

While the attacks on Google, Adobe, Intel, and other U.S. companies earlier this year served as a big wake-up call to Corporate America, the Stuxnet worm shook the SCADA and critical infrastructure industry with a reality check that even physical equipment without Internet access isn't immune to attack.

Speculation that the Chinese government was somehow behind the Aurora attacks has been rampant since Google in January first revealed it had been hacked. And while Stuxnet was aimed specifically at Siemens' SIMATIC WinCC and PCS 7 systems and appeared to be focused on Iran's nuclear facility, there had been no solid indication whether Stuxnet had successfully executed its mission.

But both cases hit the headlines again this week in a big way: Ahmadinejad acknowledged publicly that "enemy" code disrupted a "limited" number of Iran's centrifuges. He didn't reference Stuxnet by name, but security experts believe he was referring to the now-infamous worm: "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts," he said in a press briefing. "They did a bad thing. Fortunately our experts discovered that and today they are not able [to do that] anymore."

Operation Aurora also re-emerged in the news, with reports that among the State Department cables leaked by WikiLeaks was one that implicates the Chinese government in the attacks on Google. According to a report in The New York Times, "China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said."

And adding to the intrigue of the possible Iranian nuclear plant incident, a scientist described as Iran's top Stuxnet expert was killed this week either by a targeted bombing attack or a shooting ambush, according to news reports.

Of course, plenty of unanswered questions still remain, and experts say these developments could ultimately be dead ends that can't easily be confirmed.

But either way, the Aurora and Stuxnet attacks are classic espionage with a twist, says Marc Maiffret, CTO and co-founder of eEye Security. "While in a lot of cases there's not exactly a smoking gun, without a doubt, whether it's China or [another] country there are people doing this stuff and in the U.S., too -- anywhere in the world that has the power [to conduct cyberespionage]," Maiffret says. "[Countries] are heavily focused and investing in this. They are not just thinking, but doing it [because they are finding] it's better to do espionage through networks. It's a natural progression."

Trouble is, the terms cyberespionage and cyberwar are often used interchangeably, confusing the issue for enterprises and leaving them unprepared and unaware of what's really going on out there, experts say.

Because Stuxnet, for instance, appears to have targeted Iran's nuclear facility, many companies assume they aren't at risk of similar types of attacks. "They assume this is something done by a country and the obvious target is Iran, so, 'Why would they ever come after me?'" Maiffret says. "It would be a bigger wake-up call if a big mainstream American car manufacturer or medical research company lost intellectual property that's then used by a foreign country to outdo us ... Stuxnet is still kind of [James] Bond-ish, with enterprises not really relating to it."

Operation Aurora, however, hit home more for some organizations, especially in the high-tech industry, he says. "It was different because it wasn't just customer information that was stolen, but intellectual property, the heart of most businesses," he says.

And mashing cyberwar, cyberespionage, and cybercrime into one category confuses the issue on how to defend against these attacks, says Gary McGraw, CTO with Cigital. "This entanglement [of terms] is confusing for policymakers, CEOs, and people at home. If we confuse them all, it's easier to justify sending all resources to cyberwarriors," McGraw says. "And a good offense is not defense."

Cybercrime is the biggest problem, followed by espionage, he says. "And cyberwar is way off in the possibility world," McGraw says.

McGraw argues that the key is building more hardened software that makes these types of attacks harder and more expensive to deploy. "Right now our systems are so riddled with security problems, and we're so highly dependent on them that we're at risk," he says. "This week says we can't leave cyberdefense up to the DoD ... the way they set up the CyberCommand [says] the answer is a better offense. But obviously that didn't work in the WikiLeaks nor Aurora case. It didn't work with Stuxnet."

It's about focusing on the real risks without getting lost in all of the "noise" of vulnerabilities and false positives, experts say. "You need to home in on the noise that's truly threatening you," Trident's Selby says.

An intelligence-led defensive strategy is key, he says. That's when you take actionable information, such as new alerts about a specific malware or botnet attack, and combine and correlate that with information gathered about your internal systems in logs, SIEM, or other systems. "You start looking for weird behavior, such as what else was weird like that was weird, and you can get to a handful of events" that are relevant, he says.
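The correlation Selby describes can be made concrete. The following Python script is an added example, not code from the article or from Trident Risk Management: it takes a small indicator feed (hypothetical, constructed domain and IP values, not real indicators of compromise) and a constructed proxy log, finds the events that match the feed, then pivots from the hosts that matched to their other destinations that no other internal host contacted. The second step is the "what else was weird like that" part: it turns two indicator hits into a short list of related events worth an analyst's time, while the bulk of the log stays untouched.

```python
"""Intelligence-led correlation: external indicators against internal logs,
then a pivot from the hits to related anomalous activity.

Indicators and log lines below are constructed for this example.
"""
from collections import defaultdict
import csv
import io

# Constructed threat-intelligence feed (hypothetical values, not real IOCs).
INTEL = {
    "domain": {"update-check.example-bad.net"},
    "ip": {"203.0.113.45"},
}

# Constructed proxy log. ws-104 is the host that should surface.
PROXY_LOG = """\
ts,src_host,user,dest,bytes_out
2010-12-01T09:01:10,ws-104,alice,www.example.com,1200
2010-12-01T09:02:44,ws-104,alice,update-check.example-bad.net,32000
2010-12-01T09:05:03,ws-221,bob,www.example.com,800
2010-12-01T09:07:19,ws-104,alice,203.0.113.45,410000
2010-12-01T09:08:51,ws-104,alice,cdn.example.org,5200
2010-12-01T09:09:30,ws-221,bob,cdn.example.org,4100
2010-12-01T09:11:02,ws-337,carol,mail.example.com,600
2010-12-01T09:12:47,ws-104,alice,files.example-share.net,980000
"""


def parse_log(text):
    """Parse the CSV proxy log into dicts; bytes_out becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bytes_out"] = int(row["bytes_out"])
    return rows


def match_indicators(events, intel):
    """Step 1: events whose destination is a known-bad domain or IP."""
    bad = intel["domain"] | intel["ip"]
    return [e for e in events if e["dest"] in bad]


def pivot_rare_destinations(events, hosts, intel, max_hosts=1):
    """Step 2: for hosts with a confirmed hit, return their other
    destinations that at most `max_hosts` distinct internal hosts talked
    to. Destinations already in the feed are excluded, since step 1
    covers them. Popular destinations (shared by many hosts) drop out,
    which is what keeps the result to a handful of events."""
    hosts_per_dest = defaultdict(set)
    for e in events:
        hosts_per_dest[e["dest"]].add(e["src_host"])
    bad = intel["domain"] | intel["ip"]
    return [
        e for e in events
        if e["src_host"] in hosts
        and e["dest"] not in bad
        and len(hosts_per_dest[e["dest"]]) <= max_hosts
    ]


def triage(events, intel):
    """Run both steps and return hits, the hosts involved, and pivots."""
    hits = match_indicators(events, intel)
    hosts = {e["src_host"] for e in hits}
    pivots = pivot_rare_destinations(events, hosts, intel)
    return {"hits": hits, "hosts": hosts, "pivots": pivots}


if __name__ == "__main__":
    result = triage(parse_log(PROXY_LOG), INTEL)
    for label in ("hits", "pivots"):
        print(label)
        for e in result[label]:
            print(f"  {e['ts']} {e['src_host']} ({e['user']}) -> "
                  f"{e['dest']}  {e['bytes_out']} bytes out")
```

On the constructed log the two feed matches point at ws-104; the pivot then surfaces its transfer to files.example-share.net, a destination no other host used and one the feed knows nothing about. In practice the same pattern runs against the SIEM rather than an inline CSV, and the rarity threshold is tuned to the size of the fleet.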

Meantime, targeted, cyberespionage-driven attacks will continue, some detected and some not. "These kind of attacks work in the face of the decade-old regime of IDS, IPS, anti-malware, and the like. What is clear is that enterprises and governments simply must stop viewing mitigation and defense as an exercise in risk management, and start viewing their very survival in terms of intelligence-led defensive strategy," Selby says. "Now that's harder to articulate and doesn't fit as nicely with the current paradigm of budgetary suck-and-blow that consumes the political life of most CISOs, but it's a fact. Unless your mitigation strategy is, 'Stop using the Internet for communication and sales and marketing and research,' then you're going to have to come to terms with the fact that we've moved quickly from the era in which effective defensive tactics were reactionary."

The Stuxnet worm itself is less likely to be repurposed for other attacks, but the method it used to get to the Siemens controllers could well be duplicated, experts say. "We need to worry about conceptual copycats," Cigital's McGraw says. "The problem with Stuxnet was its delivery" to its target, he says.

In the end, companies are going to have to share more incident information among one another, anonymously or otherwise, to gather better intelligence on attacks and attackers. "We need to start sharing more with each other," Trident's Selby says. "People are owned already and don't even recognize it. They're not understanding that it has already happened."

But many companies are hesitant to share for fear of a PR nightmare. There are anonymous-sharing options, such as Verizon Business' new VERIS website, where organizations can anonymously share details about their security breaches in an effort to get a broader perspective of attack trends. VERIS also offers them a picture of the cause and severity of a breach, as well as a way to measure their incidents against others that have been reported on the site.

Selby says organizations "simply must" do more information-sharing about their security incidents, especially in light of the targeted attacks in Aurora and threats such as Stuxnet. "The value to each organization of information-sharing about attacks they are experiencing far outweighs the competitive disadvantage they put themselves in by sharing information about their architectures," he says.
