“RSA is fortunate to have a good EMC [its parent company] Critical Incident Response Center,” says Eddie Schwartz (left), who took the role of RSA's CISO shortly after the breach announcement. “So RSA was able to catch the event quickly and move with an aggressive program to replace tokens where needed.”Threats that affect more than one company can also lead to systemic improvements in entire vertical industries, such as what happened with Stuxnet. When the worm broke out of its bounds and spread from Iranian facilities to Indonesia, India, the United States and beyond, control system operators the world over began taking a close look at their networks, says Doug Powell, manager of security privacy and safety at BC Hydro in Canada, and chair of the critical infrastructure working group at ASIS, an organization for security professionals. “We were all concerned about the unintended damage Stuxnet would cause once it propagated outside of the Iranian nuclear environment with respect to its targeting Siemens controllers,” he says. “So control system operators started checking their systems to see if they could be impacted.”As a result of Stuxnet, vulnerabilities are being patched, awareness is being raised, and holistic changes are being made at infrastructure operators around the globe. For example, while BP Hydro had no such systems in place, they still used the experience to raise awareness, plug vulnerabilities, improve authentication and implement better management of its control systems.Mitigating new threats
Further, while a number of experts consider Stuxnet a form of cyber war due to its destructive capacity, the cold war part of the Stuxnet attack began with reconnaissance and information gathering. Harry Sverdlove (left), chief technology officer of Bit9, a Waltham, Mass.-based company that offers advanced threat protection, points to the Duqu malware and the Flame virus to emphasize how intelligence gathering is most often used for cyber espionage purposes. Sverdlove was able to track pieces of Flame dating back to last October and realized it included components that predate Stuxnet. Military data, patents, new paint formulas, negotiations contracts for the international Olympic committee – Sverdlove's research team has tracked a lot of this type of data leakage back to China, where the theft of IP is a common part of doing business. And, while breaches threaten companies and result in unwelcome expenses, sorting out how to mitigate the challenge is still a work in progress. “Espionage – or the act of spying to gather others' intellectual property – is not illegal under international law, although it violates a host of domestic laws,” Robert Clark, operational attorney for U.S. Army Cyber Command, told the crowd at the Black Hat conference in July. It may not be illegal by international standards, but espionage is expensive. According to a legal review of trade secret theft in the United States published in the Gonzaga Law Review in 2010, theft of trade secrets costs U.S. companies as much as $300 billion per year.Unfortunately, domestic law is not so easy on those taking action against cyber cold war actors. “Say you're a systems administrator and at 2 a.m. your IPS goes off,” Clark says. “An examination reveals large volumes of intellectual property data transferring out to an FTP server. So to save your job, you VPN from your home computer to the FTP server, elevate privileges and remove the files. You've just violated several counts of the Computer Fraud and Abuse Act.”Even tracking back an IP address can violate domestic espionage laws, as well as laws of armed conflict, he adds, citing the National Defense Authorization Act of 2011, which advocates using all means necessary to follow the law of armed conflict to prevent escalation to cyber war. Yet, numerous tools today offer retaliatory measures that can obfuscate and befuddle attackers, track them back to their origination and even break into their servers depending on how these tools are configured by their users.
Some experts call this process “intrusion deception,” while others refer to it as creating a hostile environment for the enemy. “The point is to confuse the enemy and provide them with false information and create operations that waste their resources,” says Shawn Henry (left), former executive assistant director of the FBI and now president of CrowdStrike, a computer security start-up that provides this type of service for its clients.But, before using any of these tools or tactics, the U.S. Army's Clark suggests consulting a lawyer knowledgeable in computer crime, trespass and espionage laws. He also points to the need to improve laws that inhibit the private sector from following forensic and track-back processes.However, even if there were better laws on the side of the private sector, a key concern of taking action against attackers is escalation into all-out cyber war, says Righard Zwienenberg, senior research fellow at security company ESET. He was the lead analyst on ESET's discovery in May of the Medre.A worm targeting industrial systems in South America. “We saw this huge spike in intellectual property leaking from Peru to a recipient account in China,” he says. “Tens of thousands of blueprints and AutoCAD [architectural] drawings were leaking to this recipient with a China-based email address. This was clearly an industrial espionage attack, but had the possibility to be state sponsored if there was a target in there, which would make the remaining infections collateral damage.”At last report, ESET received “some confirmation” from the Chinese National Computer Virus Emergency Response Center that the email addresses used for relay would be shut down. There were 63 email accounts the data could have used to relay and there was only one final recipient address.Center of operations: DHSAlong with diplomatic efforts, federal agencies have been working on a multi-sector approach to holistic response programs to protect against escalation and damage-causing cyber attacks.
“We can't pay as much as the private sector, but the DHS is a cool place to work,” says Mark Weatherford (left), deputy undersecretary for cyber security for the National Protection and Programs Directorate (NPPD), part of the DHS. “Give us three years out of college,” he says, “it'll look good on your résumé.”The DHS, with a mission to protect defense networks, is being positioned as the central clearinghouse of information between federal agencies and the public sector. This arrangement would be different than the vertically oriented Information Sharing and Analysis Centers (ISACs) that primarily share data to their memberships of sector-related organizations.With no technology that could to this today, and with privacy issues about the information being requested, it is no surprise that the White House-backed Cyber Security Act of 2012 failed so quickly in Congress last month. However, the writing is on the wall. Cyber war is upon us, and organizations need better means of protecting themselves and sharing threat information to protect the larger infrastructure.| Advice: From the front lines As cold war escalates to more confrontational activities, experts offer advice: Train, educate and raise awareness. With numerous efforts at primary, secondary and college level, federal agencies are asking for help raising awareness around these issues to all communities. “What's of utmost importance to us is training our military and civilian forces of cyber warriors,” says Gen. Keith Alexander, commander of USCYBERCOM and director of the NSA. Close vulnerabilities. The biggest single tactic for preventing intrusions is to patch and manage vulnerabilities, says Martin Libicki, senior management scientist for the government think tank RAND Corp. Build better prevention. At DefCon, Alexander also called for better tools to prevent attacks from occurring in the first place. Although there are legal issues to consider, some tools and techniques coming to market practice deception as a means to shuttle attackers to a secure zone, observe their behaviors and even track them to their origins. Improve visibility. SIEMs and other tools are also being used to sort through increasing volumes of log, security, vulnerability and operational information to detect threats faster and take action with more accuracy. “If someone gains access to aerospace machinery information, time to shut them down is critical in beating the criminals to market with the new design,” says Eddie Schwartz, CISO of RSA. Share attack and threat information in real-time. Federal agencies are clearly in need of more information to predict larger-scale attacks against the infrastructure and DoD networks. Currently, Carnegie Mellon's Computer Emergency Response Team (CERT) operates at this level, but not in real-time, and it's not free either. “Making this data actionable to different environments speaking different languages is where the challenge comes in,” says David Koretz, general manager of Mykenos Software. – DR |



