Are you being spied on?
That’s not a figure of speech, either. Are you certain that agents of a hostile nation or a large corporation are not reading your email, stealing your files, and poking around on a corporate network disguised as you?
This sort of thing doesn’t just happen in spy novels. Cyberwarfare and cyberespionage are a reality. If you work in a government office (especially the ones with three-letter acronyms), you’re at high risk. The same is true if you work in a large company in the defense or technology industry, where stealing secrets can give one side an overwhelming advantage.
“But wait,” you say. “I work for a small company. Surely no one is targeting me.”
Don’t be so sure. A lot of small companies do business with larger ones. If a giant defense contractor (call them Yoyodyne) gives a smaller partner access to its internal network, an attacker might be able to exploit that connection to break into Yoyodyne’s servers. In the face of a persistent attacker, all it takes is one slip-up for the target to fall prey.
Symantec security researchers have been tracking one large group of attackers believed to have been exploiting this method lately against the defense industry:
The primary targets identified are within the defense supply chain, a majority of which are not top-tier defense organizations themselves. These are companies who manufacture electronic or mechanical components that are sold to top-tier defense companies. The attackers do so expecting weaker security postures in these lower tier organizations and may use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company.
Symantec’s researchers say this group, like others in this elite fraternity of black hat hackers, specializes in zero-day attacks specifically designed to evade detection by antivirus products.
The same types of attacks are being waged against the communications industry and at large oil and gas companies, according to experts at Mandiant, a security firm that’s based in Alexandria, Virginia, conveniently close to the NSA and CIA (and probably other organizations whose initials are classified).
And the odds that you’ll find a successful attacker on your own? Slim.
In a recent security presentation sponsored by the New Mexico Technology Council, Mandiant’s Carlos Carrillo laid out some sobering statistics:
- Only 6% of the organizations they were called in to help had found the attacker on their own. The remaining 94% were told of the intrusion by someone else, usually a law enforcement agency.
- Most attackers come in the front door, using valid credentials stolen from an employee via malware or a “spearphishing” attack that convinces the employee to enter his username and password on a compromised website.
- The average investigation time for this sort of attack is 5-8 weeks.
- And, most depressing of all: On average, a successful attacker is able to operate undetected for 416 days—nearly 14 months. Some big companies have had attackers inside their network for years before they’re detected.
Those are grim numbers. Still, you can take some consolation from the fact that the percentage of compromised systems is low—1 in 1000 or so, in three case studies that Carrillo laid out.
So how do you keep yourself from being one of those unlucky victims? And how do you increase the odds that you’ll detect a problem before it does extensive damage? Here are some guidelines to follow.
Be prepared. You and your IT specialists (in-house or external) should have a plan and a protocol for dealing with a network intrusion. At a minimum, you should have procedures for quarantining the infected system and capturing system logs and other evidence before the attacker can erase his traces. And you don’t want to learn this stuff when you’re panicking over an attack that’s happening right now.
Watch your network. System logs and alerts can allow you to spot unusual amounts of data being exchanged with unknown sites. You should pay special attention to remote logins, especially at unusual times of day or night. When in doubt, ask an employee if they logged in to the network on Tuesday at 2:00am. If they answer no, dig deeper.
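One way to apply this check to SSH server logs, as an added example that is not part of the original article: it flags successful remote logins that fall outside assumed working hours (07:00 to 19:00) or come from an address not seen before for that account. The log lines are constructed, and the function name and hour window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  4 09:12:44 gw sshd[2211]: Accepted publickey for alice from 198.51.100.20 port 50122 ssh2
Mar  4 13:40:02 gw sshd[2307]: Accepted password for bob from 198.51.100.31 port 41877 ssh2
Mar  4 17:55:19 gw sshd[2390]: Failed password for bob from 203.0.113.9 port 40110 ssh2
Mar  5 02:00:37 gw sshd[2544]: Accepted password for alice from 203.0.113.77 port 60231 ssh2
Mar  5 08:58:03 gw sshd[2610]: Accepted publickey for alice from 198.51.100.20 port 50390 ssh2
Mar  5 23:15:50 gw sshd[2788]: Accepted password for bob from 198.51.100.31 port 42001 ssh2
"""

# Matches only successful logins in the standard sshd syslog format.
ACCEPTED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):(?P<min>\d{2}):\d{2}\s+\S+\s+"
    r"sshd\[\d+\]:\s+Accepted\s+\S+\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
)

def review_remote_logins(log_text, work_start=7, work_end=19):
    """Return successful remote logins worth asking the account owner about.

    A login is flagged when its hour is outside work_start..work_end (assumed
    working hours) or its source address has not been seen for that user
    earlier in the log. Entries with both reasons are listed first.
    """
    seen = defaultdict(set)   # user -> source addresses seen so far
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue          # failed logins and other daemons are ignored here
        user, ip, hour = m["user"], m["ip"], int(m["hour"])
        reasons = []
        if not work_start <= hour < work_end:
            reasons.append("off-hours")
        # The first login seen for a user sets the baseline, so it is not "new".
        if seen[user] and ip not in seen[user]:
            reasons.append("new-source")
        seen[user].add(ip)
        if reasons:
            when = f'{m["mon"]} {m["day"]} {m["hour"]}:{m["min"]}'
            findings.append((when, user, ip, reasons))
    return sorted(findings, key=lambda f: -len(f[3]))

if __name__ == "__main__":
    for when, user, ip, reasons in review_remote_logins(SAMPLE_LOG):
        print(f"{when}  {user:<6} {ip:<15} {', '.join(reasons)}")
```

Each flagged entry is a question to put to the account owner, as described above; a "no" is the signal to dig deeper.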
Take seemingly routine alerts seriously. You might be tempted to dismiss routine detections from your antivirus software. It’s true that cleaning up garden-variety malware is usually easy, but those alerts indicate a machine that was vulnerable to other attacks during that time. If you have any doubt, look more closely.
Concentrate on your most valuable assets. Trying to lock down your entire network is an overwhelming job. So pay attention to the intellectual property—files, planning documents, legal correspondence, and so on—that’s most important to you. Check the permissions and access rights for those assets regularly. If an employee or contractor is taken off a project, revoke her access so an attacker can’t use it.
Expect the bad guys to return. In the security industry, these types of attacks are sometimes called Advanced Persistent Threats. That word persistent is key. As Carrillo explains, “Targeted attacks won’t go away. Skilled attackers are ready to respond to your countermeasures.”