Warwick Ashford is chief reporter at Computer Weekly. He joined the CW team in June 2007 and is focused on IT security, business continuity, IT law and issues relating to regulation, compliance and governance. Before joining CW, he spent four years working in various roles including technology editor for ITWeb, an IT news publisher based in Johannesburg, South Africa. In addition to news and feature writing for ITWeb’s print publications, he was involved in liaising with sponsors of specialist news areas on the ITWeb site and developing new sponsorship opportunities. He came to IT journalism after three years as a course developer and technical writer for an IT training organisation and eight years working in radio news as a writer and presenter at the South African Broadcasting Corporation (SABC).
RSA Conference Europe 2011 has provided a useful working definition of the term advanced persistent threats, or APTs, as military-grade cyber attacks on commercial entities.
The term is a military one and points specifically to the fact that these attacks are backed by nation states, which means non-military IT professionals have never had to deal with the like before.
But why are nation states suddenly going after commercial organisations?
The answer is simply that nation states are backing attacks that either directly or indirectly achieve commercial advantage for domestic industries in an increasingly competitive global market.
Around 40 nation states are believed to be targeting commercial entities using military-grade tactics, said Sam Curry, chief technologist at RSA.
"It's not just the usual suspects, but includes smaller countries that have specific industries they want to help, typically mining, pharmaceutical and defence," he said.
But, because these attackers are going up and down the supply chain to achieve their objectives, any supplier to targeted industries could easily be in the firing line.
RSA under attack
RSA claimed it was the target of an APT-style attack when its systems were breached in March because attackers were after specific information that would enable them to target defence firms.
The only known use of the information stolen from RSA was an attempted breach of data systems at defence firm Lockheed Martin in May.
This shows that the attack on RSA was merely the means to an end, which appears to have been the theft of intellectual property from RSA's defence customers.
Beyond the likely nation-state backing of two groups acting in concert that had never worked together before, the attack on RSA bore all the hallmarks of a military-grade incursion.
The attack was specialised, sophisticated and highly targeted, using social engineering and freshly compiled malware that was highly tailored to RSA, mimicking RSA naming conventions in an attempt to avoid detection.
Such attacks are typically based on expert intelligence gathering to identify exactly what information is required, who has access to it, and where it is to be found on the breached network.
These incursions are not easy to detect, said RSA executive chairman Art Coviello, as they will exploit zero-day vulnerabilities where possible and aim to get in and stay in without being detected.
"Attackers will even monitor responses to security incidents to gauge an organisation's security capabilities and enable them to remain on the network for long periods without trace," he said.
Commercial entities targeted in this way are unlikely to have seen anything like it before, said Uri Rivner, head of new technologies, identity protection and verification at RSA.
"We are talking about a different class of attacker. Never before have corporate networks faced this level of co-ordinated expertise that enables penetration capabilities that corporates are ill-equipped to handle," he said.
Most business organisations do not have the forensic tools or skills at their disposal required to analyse and understand what is going on in their networks, said Rivner.
Defending against APTs
So where does this leave most business organisations?
In the face of APTs, businesses need a new defence doctrine, which is under discussion by an increasing number of corporate chief information security officers, Rivner said.
APTs demand a new kind of strategy that accepts attackers will gain access to corporate networks, but is designed to detect, resist, investigate and recover from such attacks.
This understanding was one of the main reasons for RSA's acquisition of NetWitness this year, and although the RSA breach occurred before the acquisition, Coviello said RSA was already using the technology and was consequently able to detect the intrusion immediately and limit its impact.
Security dogmas and technologies of the past are no longer adequate and offer diminished value, Coviello told attendees of RSA Conference Europe 2011.
"Security professionals need to start thinking differently about data protection and move from static point products to systems that have integrated elements that add value to each other," he said.
By using NetWitness in combination with other controls to deliver defence in depth, Coviello said, RSA was able to determine forensically and very quickly what had been taken, and to formulate effective remediation actions and advice.
"The fact is that anyone can be infiltrated, but that incursion need not be successful. Our adversaries were able to get only a piece of information, but without the right tools the damage could have been more extreme," said Coviello.
The situation is not hopeless, he said, as there are technologies that can help commercial organisations aggregate, correlate and analyse information from a variety of systems and translate it into something actionable.
In addition to the usual intrusion detection and prevention, malware protection, log management and packet capture systems, organisations need to build intelligence-gathering capability through analysis and continual intelligence-driven monitoring that will identify interesting anomalies that may point to emerging threats, said Eddie Schwartz, chief information security officer at RSA.
This is not easily achieved and there is no single anti-APT system yet, he said, but businesses can and must make a start by implementing processes that analyse protocols, tap into external intelligence sources to monitor networks, and carry out malware analysis to improve their detection capability and reduce risk.
Businesses are starting to understand that they need to look at anomalies over a long period of time and carry out deep data analysis, said Paul Dorey, founder and director of security and risk management firm CSO Confidential.
"We are seeing a trend emerging of organisations increasing their technological capabilities and expanding their information security teams to do this kind of monitoring and analysis," he said.
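As an added illustration of the long-window anomaly analysis Schwartz and Dorey describe (example code written for this page, not RSA's or NetWitness's), the script below builds a per-host profile from a two-week baseline of outbound proxy records and flags later days on which a host sends far more data than usual or contacts a destination it never used before. Host names, domains and byte counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (day, host, destination, bytes_out). Days 1-14 form
# the baseline; day 15 is the period under review.
SAMPLE_LOGS = [(d, "ws-12", "cdn.example.net", 50_000 + 200 * d) for d in range(1, 15)]
SAMPLE_LOGS += [(d, "ws-12", "mail.example.net", 20_000) for d in range(1, 15)]
SAMPLE_LOGS += [(d, "ws-07", "cdn.example.net", 30_000) for d in range(1, 15)]
# Day 15: ws-12 pushes 2 MB to a destination it has never used; ws-07 stays normal.
SAMPLE_LOGS += [(15, "ws-12", "cdn.example.net", 52_000),
                (15, "ws-12", "update-srv.example.org", 2_000_000),
                (15, "ws-07", "cdn.example.net", 31_000)]


def build_profile(records, baseline_days):
    """Per-host daily byte totals and the set of destinations seen in the baseline."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dest, nbytes in records:
        if day <= baseline_days:
            daily[host][day] += nbytes
            dests[host].add(dest)
    return daily, dests


def find_anomalies(records, baseline_days=14, sigma=3.0, sd_floor=0.05):
    """Return (day, host, reason) tuples for out-of-profile behaviour after the baseline."""
    daily, dests = build_profile(records, baseline_days)
    totals = defaultdict(lambda: defaultdict(int))
    new_dest = defaultdict(set)
    for day, host, dest, nbytes in records:
        if day > baseline_days:
            totals[host][day] += nbytes
            if dest not in dests[host]:
                new_dest[(host, day)].add(dest)
    findings = []
    for host, days in totals.items():
        hist = list(daily[host].values())
        if not hist:
            findings.append((min(days), host, "no baseline for this host"))
            continue
        mu = mean(hist)
        # A perfectly flat baseline has zero deviation; a floor stops every
        # small increase from being reported as an anomaly.
        sd = max(pstdev(hist), sd_floor * mu)
        for day, total in sorted(days.items()):
            if total > mu + sigma * sd:
                findings.append((day, host, f"volume {total} exceeds {mu:.0f} + {sigma}*{sd:.0f}"))
            for dest in sorted(new_dest.get((host, day), ())):
                findings.append((day, host, f"new destination {dest}"))
    return findings
```

Run against the constructed records, `find_anomalies(SAMPLE_LOGS)` reports ws-12 twice (volume spike and new destination) and says nothing about ws-07.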
Limit data breach impact
All this will take time, however, so what can businesses do in the short term?
According to RSA president Tom Heiser, there are five things businesses can do to limit the loss or damage if their systems are breached.
1. They should start by re-evaluating their risk, which involves asking what could make them a target, what information they hold that could be valuable to attackers, how vulnerable they are to attack, and how they fit into the supply chain.
2. Organisations should rethink their protection against zero-day vulnerabilities. "Do not rely on signature-based detection, but also use behaviour-based detection systems," said Heiser.
3. Organisations should start deploying security and network analysis capabilities. "Situational awareness is crucial in the face of contemporary threats," he said.
4. Hardening authentication systems and tightening access control is important, and should include multiple authentication methods and a restricted number of logins.
5. Education about security issues across the organisation is important to ensure these are discussed and understood at board level.
User awareness is also very important, said Heiser, as in many senses "people" have become the new perimeter of defence.
For this reason, he said organisations should review the access they allow to social media sites and block access to high-risk sites, as well as increase training about APTs and phishing attacks.
At RSA Conference Europe 2011, Heiser called on the security community to come together to share information to innovate and evolve defences. "Our adversaries are doing this well. We need to do it better," he said.