Instead of military assaults, today’s adversaries hire coders to create attacks that can run autonomously for years, says Stephen Lawton.
History books tell us that the Cold War ended in roughly 1991 after the dissolution of the Soviet Union. But, today’s security practitioners say the Cold War has simply morphed from a threat of armed conflict among major world powers into a battle of computer-savvy “troops” fighting from the comfort of offices.
Instead of countries spending billions of dollars to create new weapons, supply massive armies and spend millions of dollars (or rubles, francs or yuan) fighting conventional attacks against political, economic, religious or commercial foes, today’s adversaries hire code-writers to create attacks that can run autonomously for years with little or no human intervention. By repurposing code to spawn new attacks, the cost of cyber warfare can be a fraction of the cost of a conventional war.
While China and Russia generally are considered by industry experts to be the leaders in state-sponsored cyber attacks against the United States, they are not the only countries to have sophisticated espionage infrastructures in place, says Richard Bejtlich, chief security officer at Alexandria, Va.-based Mandiant. Other nations with sophisticated capabilities include North Korea, Iran, France, Israel and, of course, the United States.
North Korea, Bejtlich says, uses technology against its neighbor, South Korea, and to make political statements against the West, generally resulting in attacks against the United States, he says. Iran primarily uses its cyber weaponry to suppress internal dissidents.
In the past, he says, U.S. politicians spoke in general terms about cyber attacks, choosing not to name those believed to be responsible. That all changed late last year when the Office of the National Counter Intelligence Executive released a report, “Foreign Spies Stealing U.S. Economic Secrets in Cyber space,” which specifically identified China and Russia as key participants. However, the report also said U.S. allies are actively involved.
“Certain allies and other countries that enjoy broad access to U.S. government agencies and the private sector conduct economic espionage to acquire sensitive U.S. information and technologies,” the report states. “Some of these states have advanced cyber capabilities.”
It cited four factors that will shape the cyber environment over the next three to five years. These are: A technological shift, including the use of smartphones, laptops and other internet-connected devices; an economic shift that changes the way corporations, government agencies and other organizations share storage, computing, networking and application resources; a cultural shift in the U.S. workforce, where younger employees mix personal and professional activities; and a geopolitical shift as globalization of the supply chain and worker access increase the ability for malicious individuals to compromise the integrity and security of computing devices.
Jared Carstensen, manager of enterprise risk services at Deloitte in Dublin, Ireland, likes to differentiate between cyber crime and cyber espionage because the end goals differ significantly. For an attack to be considered a cyber crime, he says, the adversary does so for financial gain. This typically includes attacks designed to obtain credit card or bank data. Cyber espionage, on the other hand, is designed to steal intellectual property, and/or disable or attack critical infrastructure. It often is performed for political purposes.
Spying has been around since the dawn of man, Carstensen says. Early tribes snooped on other tribes to learn where they found food. Today’s sleuths also are looking for the same competitive advantage over their enemies – and even their allies.
In some countries, such as North Korea, students believed to have a propensity for math or technology are trained at an early age as cyber warriors. These academies provide the students with respectability and good pay. In China, for example, the Communist Party codified cyber warfare in 2010, and President Hu Jintao deemed cyber war a priority. Author and retired U.S. Marine Corps Lt. Col. William Hagestad says in an upcoming book that China bases its policies on the Art of War, Sun Tzu’s doctrine written around 500 B.C., one of whose tenets is: Keep your friends close, but keep your enemies closer. Chinese officials, however, regularly deny they are involved in any cyber spying efforts.
In the United States, the military is also shifting its war strategy to further prioritize cyber efforts. The soldiers who pilot military drones over Pakistan and Afghanistan actually sit in control rooms at Creech Air Force Base in Nevada. This, Carstensen says, is not unlike cyber attackers who might work out of a hotel to conduct assaults.
However, the level of expertise of foreign cyber attackers varies widely from so-called script-kiddies, who download exploit software that is widely available on the internet, to experienced computer engineers who have either religious or political reasons for staging actions.
Some of these attacks are advanced persistent threats (APTs) that are designed to enter a computer system and perhaps sit dormant for a period of time. The intrusions are designed not to be noticed.
This tactic varies significantly from those of hacktivists, who attack websites with the expressed purpose of drawing attention to the site being breached. Some groups, such as Anonymous and LulzSec, have claimed credit for damage to sites they have compromised.
Unlike hacktivists, cyber spies are so concerned about flying under the radar that once they successfully enter a target system, they actually install security patches to ensure that other attackers are unable to access the system using the same vulnerability, says Daniel Teal, founder and chief technology officer of Austin, Texas-based CoreTrace and a former officer at the Air Force Information Warfare Center (AFIWC). By installing fixes, he says, the attacker will have the compromised systems all to themselves and will not have to worry about a sloppy rival alerting the IT manager that there has been a breach.
Admins might actually see their network performance improve while the attacker ensures that others are unable to infect the environment, Teal says. Because the attacker does not want to draw attention, they simply can leave a back door open so that the malware payload is not accidentally identified by the target network.
Toney Jennings, CEO of CoreTrace, adds that companies might have the equivalent of a “cyber atomic bomb” in the server that “is not doing anything bad today.” That bomb could be set off by an intruder at a later date, well after the initial breach took place. Additionally, he says companies purchasing mission-critical hardware should spot check the “guts” of the new systems, including all device drivers, for malicious code before putting them into production.
Most hardware and software today is developed outside U.S controls, so ensuring it is safe is a good business practice. “It’s a valid bit of paranoia,” Jennings says.
Underscoring this concern, an FBI presentation last year detailed how counterfeit Cisco Systems networking equipment originating in China – including network routers, switches, gigabit interface converters and WAN interface cards – was being sold in the United States. “Operation Cisco Raider” resulted in the recovery of 3,500 pirated network devices valued at $3.5 million, James Finch, assistant director of the FBI’s cyber division, has said.
Teal says he once discovered, by accident, a malicious device driver for a keyboard he purchased for his daughter’s computer. The driver was sending personal information off his home network. He contacted the system manufacturer, Hewlett-Packard, and discovered that the kernel driver was written by a third party. Further investigations by Teal and HP determined that the manufacturer was sending data off the network simply to ensure an internet connection – a task that easily could have been accomplished by sending random data bits without using personal information.
When Bejtlich was the director of incident response at General Electric, the company had an estimated half-million computers, and no shortage of defensive technologies and staff. Even still, he says, with the full resources of a sophisticated IT team and a corporate leader who recognized the need for IT security, the company still was unable to maintain 100 percent effectiveness against intruders or persistent threats.
And now, mobile and cloud
Mandiant’s Bejtlich says that despite the best intentions of CISOs and IT staffs, it is nearly impossible to keep a network of a 1,000 or more endpoints safe from outside attacks.
Today, Bejtlich says, IT staffs need to address not only the needs of a company’s primary computer systems, but also non-standard systems, such as smartphones and other mobile devices. While cyber espionage is normally thought of as an attack against a large computer system, many corporate executives and engineers have confidential data on their devices that might be useful to attackers.
Companies that believe they are too small or insignificant to be targeted are wrong, and do not necessarily understand how and why attacks work, says Erin Nealy Cox, managing director and deputy general counsel at Stroz Friedberg LLC and a former federal prosecutor and assistant U.S. attorney. While technology firms are obvious targets for attackers after intellectual property, small companies may be considered stepping stones.
Cox says security education is essential in companies of all sizes. Large organizations with established policies and procedures need to educate their employees on a regular basis not only about sound computing practices, but also about data and office security policies. For example, she says employees need to be reminded not to insert thumb drives they find in the parking lot or those handed to them at a trade show into a company computer. Such devices could be plants with malware on them.
“Typically,” she says, “security comes at the price of convenience.”
Even data security companies can fall prey to sophisticated attacks, she says. Within the past year, there have been several online raids on companies that specialize in data security. The reasons for the success vary, she says, but it generally falls into the category of an exploit that was allowed because someone was not paying attention to details. It might have been faulty website code or a misconfigured network, but generally the vulnerabilities could have been caught.
Scott Crawford, research director for security and risk management at Enterprise Management Associates, with corporate headquarters in Boulder, Colo., agrees that companies of all sizes could be targets. While smaller entities might not provide the breadth of information that a multinational corporation offers, it still could have secrets worth stealing, he says.
Crawford views this kind of cyber theft, be it from a state-sponsored or industrial source, to be similar to espionage conducted during the Cold War. There could be value in stealing information, he says, but “you don’t want to kill the market.” One purpose for this type of espionage is to build a country’s or company’s own ability to compete against existing players in the field.
If it costs $50 million to develop a product, but only $2 million to steal it, some will opt for the less costly approach. This is particularly true for emerging nations that might have technical resources, but are not necessarily competitive enough to develop their own intellectual property.
Defense is all about managing a company’s or a country’s risk, Crawford says. Some organizations look for fast fixes to potential weaknesses without fully understanding their risk profile or the impact of their actions. A layered approach to security is necessary.
Crawford also blames guidance or regulations that do not match the threat. The Payment Card Industry Data Security Standard (PCI DSS), for example, is prescriptive and specifies to security officers how to maintain compliance, but this is only a point in time, he says. A company’s compliance “can be passé or irrelevant” immediately after passing the audit.
This article originally appeared as an SC Magazine ebook. For more information about ebooks from SC Magazine, contact Illena Armstrong, vice president, editorial director, at [email protected]