Address Your Compromised Networks Now

Sunday, July 11, 2010

Richard Stiennon


It is increasingly evident that even the most secure environments are compromised. While the successful penetrations might not be targeted in every case, enough incidents are now public to indicate the extent of the present danger.

Every organization should revisit their security plans based on a new assumption: that their enterprise is already compromised and that their data is being exfiltrated.

Consider just these few incidents taken from a Heritage Foundation report published in 2008. I am not stressing the China factor here, only the loss of data and the methods used:

Titan Rain

In 2004 Shawn Carpenter discovered significant amounts of data from government research labs, NASA, and defense organizations residing on servers outside the United States.

United Kingdom

Throughout December 2005, British Parliament offices were surreptitiously penetrated, also from computers using the Guangdong network.

Britain's National Infrastructure Security Coordination Center investigators told reporters, "These were not normal hackers.... The degree of sophistication was extremely high. They were very clever programmers."

Some of the attacks targeted files in British government offices that deal with human rights issues.

The Trojan e-mail attacks targeted specific victims. "One email was targeted at one company in aviation. It was a Word document that had a Math/cad component. If you did not have Math/cad on your computer it would not open," said one expert. "The point was to find documents that had been written in that particular program and then send them back." (McAfee whitepaper)


According to an official of Taiwan's Ministry of National Defense, in 2006, Taiwan detected 13 PLA zero-day attacks launched within Microsoft applications and experienced a total of 178 days of vulnerability between notifying Microsoft of the attacks and receiving the appropriate patches.

One PowerPoint-based attack was so sophisticated that it took Microsoft engineers over two months to construct a patch.

Spring 2007

A program was discovered at a foreign coast guard agency that systematically searched for documents containing shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro.

And more recently we have seen the extent of the network of infiltrated machines specifically targeting organizations that impact Tibet-China relations, as documented by research teams at the University of Toronto and SecDev in their GhostNet report. Those techniques look remarkably like the ones used to target Rio Tinto, the Australian mining giant.

The methodology employed in these widespread attacks is typically a combination of new vulnerabilities and custom Trojan horses delivered over the web or through email.

This January's revelation that Google and dozens of other companies had succumbed to such attacks was a wakeup call for industry, the US State Department, and now Congress, which is responding with legislation to address the issue.

What should you be doing to address the presence of compromised internal resources?

While Data Leak Prevention attempts to provide an overlay of classification, network monitoring, and endpoint management (for USB devices), there is another approach that uses advanced agents on the desktop that continuously check for abnormal behavior indicative of rootkits and custom Trojans.
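One way to make the "abnormal behavior" check concrete, as an added example that is not the white paper's agent or any vendor's code: compare a host's recent outbound flows against its own baseline and flag a transfer that is both to a destination the host has never talked to and far larger than its usual sends, which is the shape of the shipping-schedule forwarding described above. Hostnames, addresses and byte counts are constructed sample data.

```python
"""Baseline-versus-review check over constructed outbound flow records.
Each record is (host, destination, destination port, bytes sent)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal week" for one workstation: internal mail and intranet only.
BASELINE = [
    ("ws-17", "mail.corp.example", 25, 4_000),
    ("ws-17", "intranet.corp.example", 80, 12_000),
    ("ws-17", "mail.corp.example", 25, 6_000),
    ("ws-17", "intranet.corp.example", 443, 9_000),
    ("ws-17", "intranet.corp.example", 80, 15_000),
    ("ws-17", "mail.corp.example", 25, 5_000),
]
# Constructed window under review: one large SMTP send to an unfamiliar host.
REVIEW = [
    ("ws-17", "intranet.corp.example", 80, 11_000),
    ("ws-17", "203.0.113.9", 25, 410_000),
    ("ws-17", "mail.corp.example", 25, 5_000),
]

def build_baseline(flows):
    """Per host: the (destination, port) pairs seen, and the mean and
    population standard deviation of bytes sent per flow."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for host, dst, port, nbytes in flows:
        dests[host].add((dst, port))
        sizes[host].append(nbytes)
    return {h: (dests[h], mean(sizes[h]), pstdev(sizes[h])) for h in dests}

def find_anomalies(baseline, flows, z=3.0):
    """Flag a flow only when BOTH signals fire: the (destination, port) is new
    for this host AND the size exceeds the host's mean by more than z sigma.
    Either signal alone is routine noise (new intranet pages, big attachments)."""
    hits = []
    for host, dst, port, nbytes in flows:
        if host not in baseline:
            hits.append((host, dst, port, nbytes, "host has no baseline"))
            continue
        seen, mu, sigma = baseline[host]
        if (dst, port) not in seen and nbytes > mu + z * sigma:
            hits.append((host, dst, port, nbytes, "new destination and oversized"))
    return hits

if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE), REVIEW):
        print(hit)
```

A real agent would build the baseline from weeks of data and key on more than size, but the two-signal rule is the point: a new destination or a large send on its own is not worth an alert.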

I just posted a white paper on such a technology that is coupled with forensics tools from Guidance Software. By identifying, disabling, and repairing infected machines you will engage in a constant battle against the enemy within.

But at least you will have a weapon for that battle instead of flying blind and trusting to ineffective AV, IDS, and firewalls.

Cross posted from ThreatChaos

Mister Reiner: Interesting white paper.

While stepping up forensics capabilities certainly helps with identifying compromise, it doesn't address the problem of outsider data exfiltration. Organizations need to stop storing confidential and proprietary information on systems connected to the Internet whenever possible. Organizations also need to plan for compromise, meaning their infrastructure and architecture need to be tailored accordingly.

There is a lot to be said for changing one's security paradigm from "security measures are effective" to "security measures are not effective in every situation." This should cause a fundamental change in thinking from reactionary to anticipatory. But if all someone does is change their thinking, they've missed the boat. Try this exercise with your own network:
Tom Caldwell: Mister Reiner/Readers,

Being from a company which performs forensic identification (data level mining and predictive analysis of some of the data) I can say you are correct in that the most secure DLP solution is to cut the networking cable; however, this still doesn't prevent "human error" or external devices (thumb drives, media) with pre-installed malware or other bots from getting into the machine. In most cases it inevitably WILL have to connect to other systems for updates or operations. Very few environments can run a closed loop setup and still have full functionality, since so many products rely on a client-server approach.

To mitigate the influx of infections on systems which must be connected, additional layers of 3rd party security must be placed on the perimeter and even the end user. Marketing never tells the complete truth in a "boxed suite, one 'solution' for all" product, but I'll tell you additional augmentation services can and will drop the infection rate and the ability for data to leak considerably (the effect caused by a botnet infection(s)).

The implementation isn't something that's going to be "out of one box" per se, since each network is different and will require some custom global configurations and end user customization (all centralized) in the software service per their network or asset setup. In order to prevent data loss (proactively, not reactive via traditional methods like most DLP implementations) the bigger problem must be prevented or managed, that being the network penetration, botnet trojan infection which LEADS to data loss.

A large majority percentage of these infections CAN be prevented where they currently are not via "comprehension" aka not relying on just one "product" or set of data services. They can then be remedied via methods relying on forensic data and identification (fixing what's broke) but only because the existing issues haven't had the additional layer implemented yet.

One problem causes another, so the most obvious and effective solution is to better manage the cause, not the symptoms. Only then can you reduce exposure and risk associated with data loss or other network theft.