Using the Ponemon Advanced Threat Study

Categories: Advanced Threats

Knowledge of what’s really happening on your network is critical if you are responsible for the protection of your organization’s information assets.  Depending upon where you work and what you believe about both the capabilities of your security team and those of the adversary, you live somewhere on the spectrum from “really concerned about advanced threats” to feeling that “things are just about A-OK.”

NetWitness recently sponsored a study by the Ponemon Institute regarding the prevalence and awareness of advanced threats by security practitioners.  There have been many studies and reports over the last two years claiming that most successful data breaches result from “advanced threats” or “sophisticated attacks,” so we wanted to understand exactly what security people believed was happening in their organizations today and how they were coping with it.

A security blogger tweeted that people should stay away from the study because it did not “hit the mark.”  The reason?  In a moment or two of weakness, the study used the revered term “advanced persistent threat (APT)” rather than “advanced threat.”  Unfortunately, many security practitioners today cannot precisely define the difference.  The terminology used within the study should not reduce the utility of the paper, however, especially when either advanced threat vector carries tangible risk to the corporation or government agency, risk that might be mitigated through a better understanding of the network traffic.  Security people and vendors will get the terminology right at some point.

The other issue raised regarding the study concerned the number of respondents who would include terms such as “SQL Injection” in their definition of an advanced threat (“What other terms are used to describe an advanced threat?”).  Actually, the blogger missed the point of this question: it was not to claim that each response actually was an advanced threat, but to illustrate the relationship between common problems that security practitioners believe to be advanced in nature and those that are simply evading their detection or mitigation capabilities.  Other questions in the study explore this same lack of awareness.

Compared to other risk-based industries, the security industry is bereft of adequate pan-industry historical data, meaningful metrics, and comparative information.  Although imperfect as a first survey instrument, a professional survey such as the Ponemon Institute study should not be ignored; security practitioners should use it in an appropriate context:

1.  Prepare a non-FUD-based discussion for senior management regarding the characteristics of the current state of the threat environment.

2.  Bring forward studies from reputable national/international-level firms that illustrate the costs of data breaches, the sources and methods of these threat vectors, and now with Ponemon data, the opinions of 600 fellow security practitioners regarding the technical and administrative readiness of peer organizations to cope with the threats they are facing.

3.  Develop real evidence of what’s really happening in your world using your own corporate data.  For example, conduct a proof of concept of NetWitness and get definitive answers to some of the nagging questions you may have about advanced threat prevalence or insider threat concerns within your own IT environment.

4.  Present a people, process and technology plan for reducing the uncertainty around advanced threats (and even APTs depending upon where you work).

UpdateKernel / Kneber Government Attacks

Categories: apt, Uncategorized

This is a significant percentage of the related government activity we mentioned with the release of the report.  Much of this is ongoing, and there are dozens of similar operations.  Credit where credit is due, Nart Villeneuve, from SecDev.cyber has a great write up on the targeted government attacks here:

www.infowar-monitor.net

If you have recently heard of the North Korean nuclear spear phish…  same guys.

Move over China, here comes Russia

Categories: Advanced Threats, cybercrime, Data Leakage, Malware Analysis, Network Forensics, Network Visibility, Situational Awareness

While the world took pause to consider the implications of Operation Aurora, and Google lent considerable voice to the concept of Advanced and Persistent Threats (APT), we can ill-afford to believe even for a moment that they are alone in their sophistication or capability.   According to the FBI more than 100 nations have offensive cyber operations as part of their intelligence or national security fabric.  And the same attributes that make the Internet ideal for covert intelligence gathering make it attractive for corporate espionage and organized criminal activity.  The IT security industry commonly refers to the online activities of Eastern European and Asian organized crime as “cyber criminals” or “gangs”, which in many ways only serves to minimize the attention they deserve.  In truth the online operations of some organized crime syndicates are every bit as sophisticated, advanced and persistent as their nation-state counterparts.  They are truly expert at gaining footholds and siphoning off critical information.  And they are FAR more pervasive than Operation Aurora.

In late January, NetWitness security researchers were able to gain visibility into a large-scale ZeuS-based botnet taking user credentials and confidential information from thousands of organizations around the world (see The Wall Street Journal article).  Some of the information collected has been synthesized in the Kneber Bot whitepaper, which you can download from the NetWitness website.

The sheer volume of information gathered has forced us to reconsider the common belief that this very successful botnet is simply “financial services” related.  In fact, this particular botnet was much more concerned with culling account and network access credentials, as well as collecting as much detail about victim identities as possible.  In effect, the operators were less concerned with accessing any particular account than with being able to access ALL accounts related to a victim.

As we began analyzing victim information, we rapidly formed a picture of thousands of corporate compromises around the globe.  As with Aurora, many of the largest, most technology-savvy companies had compromised internal hosts, from which various corporate user-level and administrative credentials had been culled.

We may attempt to broadly classify threats in the security industry in the hope of making the complex more digestible to management.  However, classifying threats like this as “banking trojans” may do a large disservice to the victim companies.  Indeed, many broadly dismiss threats such as these as “unsophisticated,” or as less advanced than a pinpoint attack like Operation Aurora.  Rest assured, these adversaries could not care less how we classify their work.  They are well organized, have demonstrated technical sophistication on par with many intelligence services, and do not forgo the opportunity for financial gain with the information they collect.  If they are collecting network credentials, it means they are using or selling them in an active underground economy, which may include sponsoring foreign intelligence services.  What is easier: designing a campaign like Operation Aurora, or simply purchasing access to your target companies?

We are working with federal law enforcement and continue in our efforts to notify victim organizations.  Please feel free to download our white paper; I am confident we will discuss this in great detail in future blog posts.

Finding Aurora (googlehack)

Categories: Advanced Threats, apt, Network Visibility

I was helping a Fortune customer yesterday determine if they were targeted by Operation Aurora. From everything we know to date, they were not. How do we know this? We looked. In 15 minutes or so, we looked back over the last 6 months of every bit and byte that has left that company, and compared every hostname, IP address, and HTTP URL that has been associated with these attacks. This is the power of full network surveillance, and this is why you MUST be performing real-time, continual, deep analysis of your network activities.

There is a discussion today of some of the malware and zero-day exploits out of McAfee. They are now calling this Operation “Aurora”. In the post, George Kurtz discusses how APT, or Advanced Persistent Threats, is changing the security landscape once again. It is a message, and a discussion, that we at NetWitness have been pushing for years. While this attack has gone largely unnoticed for months, NetWitness customers have all the historic evidence necessary to assess damage. For some, this means gaining rapid confidence that they were not compromised. For others, it means rapid damage assessment, capturing evidence, and using everything they learn to increase their security today. As I watch the best security teams in the world struggle to collect evidence of this attack over the course of days or weeks, I cannot help but wonder how much easier it would have been had we been in place.

In early December, we were called into one of the affected companies, in partnership with a large service provider. Within days, we had NetWitness gear recording at every major gateway in the country, and were scheduling international deployments. While it appears that the damage was already done to this company long before we arrived, we were instrumental in shutting down many other infestations, as well as identifying hundreds of systems that were displaying abnormal or concerning communication patterns. Had this company been a NetWitness client only 30 or 60 days before, I am absolutely confident we would have been able to bring this particular activity to light weeks earlier.

We have been reaching out to our customers, providing them details of the communication that Operation Aurora utilized, along with very simple instructions that allow them to look back over time and reassess their security. One thing is certain, while we may not know the vector of a specific attack until after the fact, it is imperative that we have the ability to quickly assess the damage and retain evidence.

This is why we must begin recording our network activity NOW. Giving your network some form of memory is an absolute imperative, and the foremost defense against APT. Furthermore, simple recording is not enough. Good luck if your recording architecture is IP based. Customers of NetWitness can search the URLs, hostnames, and other application-level beaconing activities in seconds. Try doing this by scanning over 50 terabytes of packet data manually. Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless.
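The look-back described in the two preceding posts, comparing months of recorded hostnames, IP addresses and HTTP URLs against a supplied indicator list, is easy to show in code. The following Python is an added example, not NetWitness code and not anything from the McAfee post; it assumes one flat metadata record per session (timestamp, internal source IP, destination IP, Host header, request path) and an indicator set with three layers. Every indicator value, address and session below is constructed for the example (reserved `.invalid` names and TEST-NET addresses), not a real Operation Aurora indicator. It also goes slightly beyond the text by counting how many sessions each indicator layer alone would have flagged, which is the IP-only-versus-application-layer point made above.

```python
"""Retrospective indicator hunt over recorded network metadata (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Session:
    ts: datetime
    src_ip: str   # internal host that opened the connection
    dst_ip: str   # external address it talked to
    host: str     # HTTP Host header or resolved name; "" when not HTTP
    path: str     # HTTP request path; "" when not HTTP


@dataclass(frozen=True)
class Indicators:
    ips: FrozenSet[str]
    hosts: FrozenSet[str]
    paths: FrozenSet[str]


def normalise_host(host: str) -> str:
    """Case-fold and strip a trailing dot so 'UPDATE.x.invalid.' matches 'update.x.invalid'."""
    return host.strip().rstrip(".").lower()


def match_session(s: Session, ind: Indicators) -> Set[str]:
    """Return which indicator layers ('ip', 'host', 'path') this one session hits."""
    hits: Set[str] = set()
    if s.dst_ip in ind.ips:
        hits.add("ip")
    if s.host and normalise_host(s.host) in ind.hosts:
        hits.add("host")
    if s.path and s.path in ind.paths:  # exact path match; substring matching is too noisy
        hits.add("path")
    return hits


def hunt(sessions: Iterable[Session], ind: Indicators, since: datetime,
         layers: Tuple[str, ...] = ("ip", "host", "path")
         ) -> Dict[str, List[Tuple[datetime, Tuple[str, ...]]]]:
    """Look back over sessions at or after `since`; group matches by internal host."""
    wanted = set(layers)
    findings: Dict[str, List[Tuple[datetime, Tuple[str, ...]]]] = {}
    for s in sessions:
        if s.ts < since:
            continue
        hits = match_session(s, ind) & wanted
        if hits:
            findings.setdefault(s.src_ip, []).append((s.ts, tuple(sorted(hits))))
    return findings


def layer_coverage(sessions: Iterable[Session], ind: Indicators, since: datetime) -> Dict[str, int]:
    """How many sessions each single layer would flag, versus all layers together."""
    sessions = list(sessions)
    counts = {layer: sum(len(v) for v in hunt(sessions, ind, since, (layer,)).values())
              for layer in ("ip", "host", "path")}
    counts["any"] = sum(len(v) for v in hunt(sessions, ind, since).values())
    return counts


# --- constructed sample indicators and sessions (placeholders, not real IoCs) ---
INDICATORS = Indicators(
    ips=frozenset({"198.51.100.20"}),
    hosts=frozenset({"update.example-c2.invalid"}),
    paths=frozenset({"/cgi-bin/beacon.cgi"}),
)

T0 = datetime(2010, 1, 1)
SESSIONS = [
    # day 1: the C2 name still resolves to the listed IP, so every layer hits
    Session(T0 + timedelta(days=1), "10.1.2.3", "198.51.100.20",
            "update.example-c2.invalid", "/cgi-bin/beacon.cgi"),
    # day 40: fast-flux style rotation, new IP but same name and beacon path
    Session(T0 + timedelta(days=40), "10.1.2.3", "198.51.100.77",
            "UPDATE.example-c2.invalid.", "/cgi-bin/beacon.cgi"),
    # day 80: name and IP both changed; only the beacon path survives
    Session(T0 + timedelta(days=80), "10.1.2.3", "203.0.113.9",
            "cdn.example-c2-mirror.invalid", "/cgi-bin/beacon.cgi"),
    # benign traffic from another host
    Session(T0 + timedelta(days=90), "10.1.2.4", "203.0.113.50", "www.example.com", "/index.html"),
    # older than the look-back window; must be ignored
    Session(T0 - timedelta(days=10), "10.1.2.5", "198.51.100.20", "", ""),
]

if __name__ == "__main__":
    for host, events in hunt(SESSIONS, INDICATORS, T0).items():
        for ts, hits in events:
            print(f"{host} {ts:%Y-%m-%d} matched on {', '.join(hits)}")
    print("sessions flagged per layer:", layer_coverage(SESSIONS, INDICATORS, T0))
```

With the constructed data, an IP-only lookup flags one session on the compromised host, hostname matching flags two, and the request path flags all three; the same host keeps beaconing after its C2 address and name have rotated, which is why the post insists on retaining application-level metadata rather than an IP-indexed capture.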

George is absolutely correct in his assessment that the landscape has changed. These types of organized, sponsored attacks are here to stay. I am sure those in the financial community, used to dealing with advanced ACH fraud and highly targeted attacks by the Russian Business Network are sitting back this morning and saying “Welcome to the party, pal!”

Welcome to the party, pal!