Many security pundits persist in calling the latest celebrity malware, Duqu, the “Son of Stuxnet”. However, Duqu seems to resist that tag at every turn even while showing the designer-like qualities characteristic of nation-state adversaries. While security pundits debate in conspiratorial tones over who’s responsible for the latest threat against critical infrastructure, Duqu is quietly and efficiently siphoning off reams of data, much like other well-known exfiltration agents used by advanced persistent threats.
People are searching for definitive signs that we are on the brink of Cyber War with a faceless enemy, warning of critical infrastructure weakness and looming cyber-to-physical terrorism — and perhaps that is one eventuality.
However, in many ways the war already is, and has been, raging for some time. This particular brand of war is less about catastrophic attacks against critical infrastructure and more about competitive and economic domination, ultimately accelerating Thomas Friedman’s flattening of the world. The real goal of this Cyber War, if you choose to call it that, is the theft of national secrets, intellectual property from corporate R&D labs, corporate M&A deal documents, government policy, plans, negotiating terms and the ultimate concession of our nation’s competitiveness to other countries. It is cyber espionage and theft akin to the spy vs. spy efforts of the Cold War, but on a massive and pervasive scale.
Easily forgotten are spectacular breaches across every major industrial sector this year, including “Operation Shady RAT”, which was disclosed by McAfee in August. This disclosure identified over 70 companies in 6 different sectors targeted in a single campaign.Similarly, the “Nitro” campaign,disclosed bySymantec, targeted chemical companies and industrial manufacturing concerns. The year 2011 will be remembered as the year that the fundamental underpinnings of Internet security fell. Secure Sockets Layer (SSL), Certificate Authorities, and two-factor authentication were all compromised. SSL, long considered the bastion of online secure protocols, was broken by a couple of researchers with a prototype called BEAST. The SSL protocol is today the most widely used Web-based protocol for securing online transactions, including banking and e-commerce. Certificate Authorities (CAs) have been the subject of repeated compromise this year, mainly for the purpose of forging legitimate certificates subsequently used in attacks on both SSL sessions and also software authentication. Ironically, since CAs are the very entities to which trust is delegated to establish authenticity, by compromising CAs, trust in the system of authenticating parties is fundamentally undermined.
When RSA Security, the manufacturer of SecureID two-factor authentication tokens, was compromised earlier this year by sophisticated nation-state hackers, they lost the secrets used to generate the one-time passwords that SecureID produces. Armed with these secrets, it is believed that nation-state sponsored hackers launched cyber attacks against major U.S. defense contractors to access their networks remotely.
If the RSA attack wasn’t enough of a wake-up call, evidence has since emerged that over 700 other organizations were targeted by the same perpetrators who hacked RSA using the same command and control networks and methods dating back to November 2010, including 20% of the Fortune 100. As the author of the “Shady RAT” McAfee study noted, in the Fortune 2000 there are two types of companies – those who know they have been breached, and those who do not. Underscoring the magnitude of the breaches, CNET created a chart, Keeping Up with the Hackers, to try and stay on top of the exploits, but eventually gave up.
Experts in the cyber intelligence community have long known that sophisticated computer network intrusions have been coming from China and Eastern Europe, sometimes at the behest of their governments. Most sophisticated attackers easily evade existing cyber defenses and leave little trace of their activity. The lack of innovation in cyber security over the last decade has provided a sizable window of opportunity for hackers to fly in under the radar, collect the data they are after and leak the data to foreign networks without being detected.
While the nation-sponsored cyber threat has been looting and pillaging the networks of every major sector with impunity, a new highly capable adversary has emerged this year as a serious threat to corporations – the Hacktivist. Originally leveraging outrage over the persecution of WikiLeaks founderJulian Assange, the group called Anonymous began launching Distributed Denial of Service (DDoS) attacks against sites participating in U.S. sanctions against WikiLeaks using publicly available tools with colorful names such as Low Orbit Ion Canon (LOIC). Anonymous describes itself as more of a cultural movement than a specific group of individuals. As a result, with loose organizational control and no concrete agenda, a number of hacker enclaves, including LulzSec and AntiSec, have launched attacks against corporations, governments, and law enforcement organizations to whom they have any kind of political or other objection with ease and a terrifying amount of publicity.
The Anonymous hacks against public companies like Sony have put information security concerns on the agenda of board meetings in major corporations now. While Sony took a significant hit with the hack of Sony PlayStation Network, others have had internal e-mail archives, customer contact lists, and personnel records published in public forums to the great embarrassment of the firms involved, incurring public anger as well as legal action holding them potentially culpable for liability.
Business leaders are waking up to the new reality that cyber adversaries, from hacktivists to nation-state adversaries, can gain almost unlimited access to their networks. Corporate boards are now demanding answers from befuddled Chief Information Security Officer who frequently only have their compliance lists instead of real solutions to counter the threat.
The reality is we have all collectively been too complacent in the face of a determined adversary for too long. We have let our technology stagnate for a decade using reactive defenses developed in the 2oth century against a 21st century threat that produces over 70,000 new attacks every day. All the while there is a constant, methodical, silent, systemic hoovering of our nation’s secrets and our corporations’ intellectual property, eroding our ability to compete against emerging economies. The intellectual wealth of our nation is being stolen out from underneath us, hastening the flattening of the world faster than even Thomas Friedman predicted. For the nation that invented the Internet and built billion dollar businesses like Google and Facebook, it’s time to re-invent security for the digital economy.
No comments:
Post a Comment
Thank you for your Commenting...