Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/20/2019
02:30 PM
Andy Ellis
Andy Ellis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

9 Years After: From Operation Aurora to Zero Trust

How the first documented nation-state cyberattack is changing security today.

It's January 12, 2010. In a blog post, Google publicly discloses that it has been the victims of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn't stop with Google — they targeted at least 20 different organizations across the globe, in an attack that would later become known as Operation Aurora.

Operation Aurora was a shock for many organizations because it made everyone face a new kind of threat, one that previously was only whispered about around the watercooler. A government-backed adversary, with near-unlimited resources and time, had struck the world's largest Internet company — and almost got away with it.

No one wanted to be the first to call Operation Aurora a nation-state attack. The possibility was certainly there, but the fear was that by rushing to attribution and getting it wrong could mean the first person to speak would be viewed as Chicken Little for the rest of his or her career.

Later, leaked diplomatic cables would show this attack was "part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government." With confirmation from several sources all reaching the same conclusion — that Aurora was in fact government sanctioned and sponsored — our beliefs about what constituted reasonable choices for the state of security within the enterprise would never be the same.

Here at Akamai, one of the companies targeted by Aurora, the attacks became a primary driver for change.

Target: Domain Admins
Akamai was affected by the Aurora attacks because a domain administrator account was compromised. From there, the attackers were able to enter any system they wanted, including the system they targeted. Fortunately, while systems were compromised, the specific data the attackers were seeking didn't exist. So, in a way, Akamai was lucky. Still, there was an incident, and the underlying hazards needed to be addressed.

All across the industry, we talk about trust, but the systems and processes used to establish trust have been broken or abused time and time again. Our journey for addressing this trust challenge began by examining how Akamai managed systems administration.

We started by replacing accounts that could log in to anything with narrow, tailored accounts that were not the principal account for the user. Doing this created a situation where a single error couldn't lead to the fall of the company, but rather a situation where a series of errors and failures would be required before that can happen.

When people think of blocking and tackling of security, getting domain administration right and implementing the right tools and policies are where you start. But — while not minimizing this task and sweeping change — this was only the beginning. Over the next several years, we migrated further and further away from passwords to point authentication. This was essentially an in-house SSO, but even that was altered to focus on X509 certificates and, later still, push-based authentication.

Lessons Learned
It's been a nine-year journey. Nine years since Aurora, and we're still not done changing. We went from a place to where, if you were on the network, you had access to everything to now, when you're not even on the network. Today, services and applications are only available to those who need access to them. It's no longer about trusting where you are; it's about trusting that you're you. So when you're compromised, the adversary can access only the tools and services available to you, and nothing else.

Over the last decade, a new concept has started to take hold in the security industry. We call it a number of things — zero trust, BeyondCorp, nano-segmentation, micro-segmentation — but the goal of this idea is to move away from location-based trust on the network. We followed a parallel path, breaking new ground along the way.

We got it right in a lot of places, but there were plenty of lessons to learn. Don't be afraid to realize that you've chased down the wrong path. 802.1x for our corporate network, in the grand scheme of things, was the wrong path. We learned a lot by doing it, and if we hadn't done that, we'd be in a worse place today. But we're going to basically throw out all of that hard work in the next few years as we move to an ISP-like model for our physical buildings, and that's OK.

Change is a constant in the security industry, and being willing to change as needed is one of the key growth factors in any business — large or small. It's taken nine years to figure out what we wanted and to get to where we are. And we've taken this journey so that others can do it more seamlessly going forward.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Andy Ellis is Akamai's chief security officer and his mission is "making the Internet suck less." Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai's IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
brightlord@hotmail.com
50%
50%
[email protected],
User Rank: Apprentice
2/22/2019 | 2:31:16 PM
Nortel pre-dates this attack by 10 years
Nortel Networks was breached by China, as a nation-state attack, some speculate as early as 2000.  There is a ton of written pieces on-line about the Nortel incident - which was so bad it led to the company's bankruptcy.  I remember when they filed for bankruptcy someone said something along the lines of "It is hard to compete when you spend (X dollars) on R&D only to have it stolen and used to make a cheaper product."
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18934
PUBLISHED: 2019-11-19
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
CVE-2012-6070
PUBLISHED: 2019-11-19
Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may allow remote attackers to interfere with security checks.
CVE-2012-6071
PUBLISHED: 2019-11-19
nuSOAP before 0.7.3-5 does not properly check the hostname of a cert.
CVE-2012-6135
PUBLISHED: 2019-11-19
RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.
CVE-2016-10002
PUBLISHED: 2019-11-19
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.