The work of protecting information is becoming more difficult with time. The recently discovered attacks on Google, Adobe, Marathon Oil, ExxonMobil, and ConocoPhillips illustrate an alarming trend. The attacks even gave rise to a new attack model, the Advanced Persistent Threat (APT).
Some of the most disturbing aspects of APT attacks are:
1. Suspicion of government sanction or sponsorship.
2. Blended attacks that utilized multiple vectors making them difficult to eradicate.
3. The attackers wanted to gain a foothold on the network, maintain access, and quietly harvest the information they were after for as long as possible.
4. The malware utilized was able to evade detection by anti-virus and anti-malware software.
5. The attackers are most likely highly educated and trained.
6. There is a focus on specific information within the victim entity.
7. Even large organizations with sophisticated information security infrastructures are vicitimized.
Other traits that may be found in an Advanced Persistent Threat attack are spear phishing "C" level executives and others to gain access to their systems, and employing zero-day exploits. The command and control (C&C) for these exploits may utilize encrypted channels making them hard to detect.
In the oil company incursion, the attackers targeted bid data. The bid data indicates where the oil companies believe likely reserves to be. It costs the organizations hundreds of millions of dollars in research to determine where oil may be found. They weren't aware of the infiltration until they were told of it by the FBI. It had been going on for months, possibly over a year.
In the Google attack, information regarding dissidents in China, and source code were the targets. Adobe was also a victim. In fact, 34 technology, finance, and defense organizations fell prey to Operation Aurora.
What can we do to protect our resources?
1. Train employees from "C" level down. If people know that Anti-virus and Anti-malware won't protect them, and that spear-phishing does occur, perhaps they will think twice about clicking on that link about a new golf course opening in town. Further, if they do make a mistake, they will be more likely to notify the security department.
2. Watch for traffic at odd hours. Many attacks are perpetrated from countries outside of North America. If your company is in New York and is mainly a daytime operation, there should be very little traffic at 2:00 am.
3. Press protection companies to protect you. In the never ending arms race surrounding information security, the Black Hats have gained a significant advantage. The major players in the network, end-point, and host security game have to step up to the plate and offer immediate solutions.
4. Press vendors to review their code. Doing a security audit on a large code base can be a daunting task but if the vendors don't discover and patch the flaws, attackers will. Security must be built into the Software Development Life Cycle (SDLC) from the start.
Remember, it can happen to you!