Dark Reading | Threat Intelligence | Commentary
2/20/2019 02:30 PM
Andy Ellis

9 Years After: From Operation Aurora to Zero Trust

How the first documented nation-state cyberattack is changing security today.

It's January 12, 2010. In a blog post, Google publicly discloses that it has been the victim of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn't stop with Google: they targeted at least 20 different organizations across the globe, in an attack that would later become known as Operation Aurora.

Operation Aurora was a shock for many organizations because it made everyone face a new kind of threat, one that previously was only whispered about around the watercooler. A government-backed adversary, with near-unlimited resources and time, had struck the world's largest Internet company — and almost got away with it.

No one wanted to be the first to call Operation Aurora a nation-state attack. The possibility was certainly there, but the fear was that rushing to attribution and getting it wrong could mean the first person to speak would be viewed as Chicken Little for the rest of his or her career.

Later, leaked diplomatic cables would show this attack was "part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government." With confirmation from several sources all reaching the same conclusion — that Aurora was in fact government sanctioned and sponsored — our beliefs about what constituted reasonable choices for the state of security within the enterprise would never be the same.

Here at Akamai, one of the companies targeted by Aurora, the attacks became a primary driver for change.

Target: Domain Admins
Akamai was affected by the Aurora attacks because a domain administrator account was compromised. From there, the attackers were able to enter any system they wanted, including the system they targeted. Fortunately, while systems were compromised, the specific data the attackers were seeking didn't exist. So, in a way, Akamai was lucky. Still, there was an incident, and the underlying hazards needed to be addressed.

All across the industry, we talk about trust, but the systems and processes used to establish trust have been broken or abused time and time again. Our journey for addressing this trust challenge began by examining how Akamai managed systems administration.

We started by replacing accounts that could log in to anything with narrow, tailored accounts that were not the principal account for the user. Doing this created a situation where a single error couldn't lead to the fall of the company; instead, a series of errors and failures would be required before that could happen.

When people think of the blocking and tackling of security, getting domain administration right and implementing the right tools and policies are where you start. But, while not minimizing this task and sweeping change, this was only the beginning. Over the next several years, we migrated further and further away from passwords to point authentication. This was essentially an in-house SSO, but even that was altered to focus on X.509 certificates and, later still, push-based authentication.

Lessons Learned
It's been a nine-year journey. Nine years since Aurora, and we're still not done changing. We went from a world where, if you were on the network, you had access to everything, to one where today you're not even on the network. Services and applications are only available to those who need access to them. It's no longer about trusting where you are; it's about trusting that you're you. So when you're compromised, the adversary can access only the tools and services available to you, and nothing else.
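The two ideas above, narrow tailored accounts that are separate from a user's principal account, and authorization by identity rather than by network location, can be shown side by side in a small policy evaluator. This is an added example written for this page, not Akamai's code or a description of its actual systems; the service list, role names, the 10.0.0.0/8 "corporate" range and the accounts are all constructed for illustration. It contrasts a location-based policy (on the network means access to everything) with an identity-based one, and measures the blast radius of a compromised account under each.

```python
"""Blast radius of a compromised account: location-based trust vs. identity-based trust.

Added example, not from the original article. All names, networks and services
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed: pretend corporate address space for the location-based policy.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed: each service names the single narrow role that may reach it.
SERVICES = {
    "mail": "user",
    "wiki": "user",
    "db": "db-admin",
    "deploy": "release-eng",
    "domain-controller": "domain-admin",
}

# Authentication methods the identity-based policy accepts (password alone is not enough).
STRONG_AUTH = {"x509", "push"}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset[str]   # narrow entitlements carried by this specific account
    auth_method: str        # "password", "x509" or "push"


@dataclass(frozen=True)
class Request:
    principal: Principal
    service: str
    src_ip: str


Policy = Callable[[Request], bool]


def legacy_allow(req: Request) -> bool:
    """Location-based trust: anything on the corporate network may reach anything."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_allow(req: Request) -> bool:
    """Identity-based trust: ignore location; require strong auth and an explicit role."""
    required_role = SERVICES.get(req.service)
    if required_role is None:
        return False                      # unknown service: default deny
    if req.principal.auth_method not in STRONG_AUTH:
        return False                      # a stolen password alone buys nothing
    return required_role in req.principal.roles


def blast_radius(principal: Principal, policy: Policy, src_ip: str) -> set[str]:
    """Set of services an adversary holding this account could reach under a policy."""
    return {svc for svc in SERVICES if policy(Request(principal, svc, src_ip))}


# Constructed accounts: a user's principal account, her separate narrow admin account,
# and an old-style "log in to anything" account that still relies on a password.
ALICE = Principal("alice", frozenset({"user"}), "push")
ALICE_DBADM = Principal("alice-dbadm", frozenset({"db-admin"}), "x509")
LEGACY_ADMIN = Principal("adm-all", frozenset(SERVICES.values()), "password")


if __name__ == "__main__":
    inside, outside = "10.1.2.3", "203.0.113.9"
    for who in (ALICE, ALICE_DBADM, LEGACY_ADMIN):
        print(who.name)
        print("  legacy, on-net:     ", sorted(blast_radius(who, legacy_allow, inside)))
        print("  zero trust, on-net: ", sorted(blast_radius(who, zero_trust_allow, inside)))
        print("  zero trust, off-net:", sorted(blast_radius(who, zero_trust_allow, outside)))
```

Under the legacy policy, compromising any account that reaches the network exposes every service; under the identity-based policy, a compromised principal account yields only that account's own entitlements, the separate `alice-dbadm` account yields only the database, and an all-powerful account that authenticates by password alone yields nothing at all.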

Over the last decade, a new concept has started to take hold in the security industry. We call it a number of things — zero trust, BeyondCorp, nano-segmentation, micro-segmentation — but the goal of this idea is to move away from location-based trust on the network. We followed a parallel path, breaking new ground along the way.

We got it right in a lot of places, but there were plenty of lessons to learn. Don't be afraid to realize that you've chased down the wrong path. 802.1X for our corporate network, in the grand scheme of things, was the wrong path. We learned a lot by doing it, and if we hadn't done that, we'd be in a worse place today. But we're going to basically throw out all of that hard work in the next few years as we move to an ISP-like model for our physical buildings, and that's OK.

Change is a constant in the security industry, and being willing to change as needed is one of the key growth factors in any business — large or small. It's taken nine years to figure out what we wanted and to get to where we are. And we've taken this journey so that others can do it more seamlessly going forward.


Andy Ellis is Akamai's chief security officer and his mission is "making the Internet suck less." Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai's IT ...
Comment from brightlord@hotmail.com (User Rank: Apprentice), 2/22/2019 2:31:16 PM
Nortel pre-dates this attack by 10 years
Nortel Networks was breached by China, as a nation-state attack, some speculate as early as 2000. There are a ton of written pieces online about the Nortel incident, which was so bad it led to the company's bankruptcy. I remember when they filed for bankruptcy someone said something along the lines of "It is hard to compete when you spend (X dollars) on R&D only to have it stolen and used to make a cheaper product."