Attacks on IMF, Lockheed, others highlight need for defenses against targeted attacks

More focus is needed on network monitoring, outbound filtering, and whitelisting, security experts say

The recent spate of successful cyber attacks against high-profile organizations has focused fresh attention on the need for enterprises to implement new defenses against targeted threats.

Over the last few months several supposedly secure organizations, including RSA, Lockheed Martin, and the Oak Ridge National Laboratory, have been victims of major attacks.


Last week the International Monetary Fund joined the list when it admitted to a similar intrusion.

An anonymous IMF source quoted in a story in The New York Times described the incident as a "very major breach" that likely resulted from so-called spear phishing.

All of the recent attacks have appeared to be very targeted and persistent, and carried out by adversaries using a combination of social engineering techniques and sophisticated malware programs.

Dealing with such threats requires companies to look beyond security strategies that are focused purely on dealing with traditional network threats, analysts said.

Increasingly, companies also need to focus on approaches such as continuous monitoring of networks, databases, applications and users, outbound traffic filtering and whitelisting.

"Time and again, as details of these attacks are made clear, we find that attackers are not behaving like stereotypical burglars, smashing a window, grabbing what they want, then walking off with a big bag marked 'swag' while the alarms ring," said Mike Lloyd, chief scientist with Redseal.

Instead "a common thread through many damaging incidents is targeted executables getting installed on critical servers or high value employee PCs," said John Pescatore, an analyst with Gartner.

The goal behind many of these attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on and steal information.

One way of dealing with such threats is by constantly monitoring for configuration changes on important assets, he said. Network forensics and database activity monitoring products such as those from FireEye and Damballa are useful in detecting and blocking targeted threats which conventional signature-based tools let through, he said.

Moving to application aware firewalls that can limit unknown application traffic over port 80 is another step forward in protection, Pescatore said.

The key to remember though is that monitoring alone is not a panacea, he said. "For most of these incidents, monitoring the right things is more important than how often you check. And protecting the right things is even more important than monitoring," Pescatore said.

Continuous network monitoring using intrusion detection systems alone is "useless" against targeted attacks, said Richard Stiennon, an analyst with IT-Harvest.

"Attackers may still engage in old-fashioned network scanning and attempts to exploit vulnerabilities but most of the successful attacks recently have involved custom Trojans delivered by socially enriched emails," he said.

As a result, companies need to also be continuously keeping an eye on authorized user activity on applications and databases, he said.

Applying whitelists on endpoints is another very effective way of defending against custom Trojans, he said. With whitelisting, only a narrow set of previously approved applications are allowed to run on a computer, while everything else is automatically blocked from running. "Whitelisting means that no new software can execute," including malware, Stiennon said.

Whitelisting products from companies such as Bit9, CoreTrace, and Savant Protection are all enterprise ready and companies should consider running them alongside their AV tools, he said.

In addition, enterprises should also be looking at implementing tools for monitoring beaconing activity on their networks, Stiennon said. "Beaconing is the communication between an infected host and its command and control server. This should be blocked or at least detected through continuous monitoring of outward bound traffic," he said.
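The beaconing Stiennon describes has a measurable signature: an infected host contacts the same destination at nearly regular intervals, while ordinary user traffic is bursty. The detector below is an added example written for this article, not code from any of the products mentioned; it reads constructed outbound-connection records (timestamp, source, destination, port, bytes out), groups them per flow, and flags flows whose inter-connection gaps have a low coefficient of variation. The hosts, addresses and thresholds are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound log, not real traffic. Fields:
# ISO timestamp, source host, destination, destination port, bytes sent.
SAMPLE_LOG = """
2011-06-13T09:00:00 10.0.0.15 203.0.113.7 443 612
2011-06-13T09:00:10 10.0.0.22 198.51.100.9 443 1480
2011-06-13T09:00:12 10.0.0.22 198.51.100.9 443 9200
2011-06-13T09:00:15 10.0.0.22 198.51.100.9 443 3100
2011-06-13T09:03:40 10.0.0.22 198.51.100.9 443 880
2011-06-13T09:05:02 10.0.0.15 203.0.113.7 443 618
2011-06-13T09:09:58 10.0.0.15 203.0.113.7 443 611
2011-06-13T09:12:00 10.0.0.15 198.51.100.9 443 2300
2011-06-13T09:15:01 10.0.0.15 203.0.113.7 443 615
2011-06-13T09:20:00 10.0.0.15 203.0.113.7 443 612
2011-06-13T09:24:59 10.0.0.15 203.0.113.7 443 620
2011-06-13T09:30:03 10.0.0.15 203.0.113.7 443 613
2011-06-13T09:31:05 10.0.0.22 198.51.100.9 443 4100
2011-06-13T09:31:07 10.0.0.22 198.51.100.9 443 770
2011-06-13T09:35:00 10.0.0.15 203.0.113.7 443 614
2011-06-13T09:40:00 10.0.0.15 198.51.100.9 443 1900
"""


def parse(line: str):
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def find_beacons(lines, min_conns: int = 5, max_cv: float = 0.2):
    """Return flows that connect repeatedly at near-constant intervals.

    min_conns: ignore flows with too few connections to judge regularity.
    max_cv:    coefficient of variation (stdev / mean) of the gaps above which
               the timing is treated as irregular (human-driven) traffic.
    """
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse(line)
        flows[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(times), "period_s": round(mean, 1),
                         "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample, 10.0.0.15 to 203.0.113.7:443 is reported with a period of about 300 seconds, while the same host's two contacts with 198.51.100.9 and 10.0.0.22's browsing bursts are not. Real implants add jitter and vary destinations, so production detectors also look at bytes-out consistency, long-lived low-volume sessions and destination reputation; the interval statistic is the starting point.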

Products that help companies do this are available from vendors such as EMC's Netwitness, FireEye, Damballa, Guidance Software, and Trend Micro, he said.

Constantly monitoring the logs of users with particularly sensitive access is also crucial to detecting and mitigating targeted attacks, said Alan Paller, research director at the SANS Institute.

Instead of relying on tools alone, companies should consider using trained personnel with a deep understanding of attacks to comb through the logs. "The tools people buy just don't solve the problem," Paller said.
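Paller's point about watching the logs of users with sensitive access can be made concrete with a small baseline-and-deviation check. The example below is added for this article and is not a SANS tool or anyone's product; it learns which source hosts each privileged account normally logs in from (using constructed, known-good authentication records) and then reviews new records for privileged logins from an unfamiliar host, outside working hours, or immediately after a run of failures. The account names, hosts and hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Accounts whose activity gets extra scrutiny (assumed for this example).
PRIVILEGED = {"root", "dba_admin", "domain_admin"}

# Constructed known-good history: "ISO timestamp user source_host result".
BASELINE_LOG = """
2011-06-06T09:02:11 dba_admin 10.0.1.5 ok
2011-06-06T14:20:40 dba_admin 10.0.1.5 ok
2011-06-07T10:11:03 root 10.0.1.5 ok
2011-06-07T11:45:19 jsmith 10.0.3.8 ok
2011-06-08T08:57:30 dba_admin 10.0.1.6 ok
"""

# Constructed records under review, including a suspicious sequence.
NEW_LOG = """
2011-06-13T10:15:02 dba_admin 10.0.1.5 ok
2011-06-13T11:03:44 jsmith 10.0.3.8 ok
2011-06-13T22:38:10 dba_admin 10.0.3.40 fail
2011-06-13T22:38:31 dba_admin 10.0.3.40 fail
2011-06-13T22:39:05 dba_admin 10.0.3.40 fail
2011-06-13T22:40:12 dba_admin 10.0.3.40 ok
"""


def parse_auth(line: str):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def learn_baseline(lines) -> dict:
    """Map each privileged user to the set of hosts they successfully logged in from."""
    hosts = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, user, src, result = parse_auth(line)
        if user in PRIVILEGED and result == "ok":
            hosts[user].add(src)
    return hosts


def review(lines, baseline: dict, work_hours=(7, 19), fail_threshold: int = 3):
    """Return (timestamp, user, host, reasons) for privileged logins worth an analyst's time."""
    alerts = []
    recent_failures = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, user, src, result = parse_auth(line)
        if user not in PRIVILEGED:
            continue
        if result != "ok":
            recent_failures[user] += 1
            continue
        reasons = []
        if src not in baseline.get(user, set()):
            reasons.append("new source host")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("off-hours")
        if recent_failures[user] >= fail_threshold:
            reasons.append(f"after {recent_failures[user]} failures")
        recent_failures[user] = 0  # a success closes the failure run
        if reasons:
            alerts.append((ts.isoformat(), user, src, reasons))
    return alerts


if __name__ == "__main__":
    for alert in review(NEW_LOG.splitlines(), learn_baseline(BASELINE_LOG.splitlines())):
        print(alert)
```

The normal 10:15 login from a known host produces nothing; the 22:40 login from 10.0.3.40 after three failures is reported with all three reasons. None of the rules is conclusive on its own, which is Paller's point: the output is a short list for a trained person to investigate, not a verdict.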

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His email address is


This story, "Attacks on IMF, Lockheed, others highlight need for defenses against targeted attacks" was originally published by Computerworld.