Asymmetric warfare is hell. Sure, you may have night-vision goggles, body armor, and air support, but you’re also working for a bureaucratic organization built to fight a war that doesn’t look much like the one you’re in. Your adversary, on the other hand, is poorly equipped, yet nimble, resourceful, and adept at spotting and exploiting the slightest weakness. So much so, you may not even know you’re under attack.
Take the U.S. Department of Commerce’s Bureau of Industry and Security, which just this month confirmed that intruders, traced to servers in China, had spread a massive rootkit infection that will result in the replacement of hundreds of desktop computers. The attack, first discovered in July, eventually forced the Department of Commerce to suspend employee Internet access. A Department of Commerce spokesman admitted that, at first, the Department didn’t recognize the extent of the problem.
The Department of Commerce hack is just the latest in a string of attacks of U.S. government agencies, including the State Department and the Department of Defense. The attacks, about which the government has said little, use phishing e-mails to get employees to open e-mail attachments or visit Web sites that download Trojans targeting “zero-day” vulnerabilities in common apps such as Microsoft Word or Internet Explorer. After they gain access to one system inside the network, the hackers fan out across the entire network, harvesting sensitive information and planting rootkit and backdoor programs to ensure they keep their foothold.
And government agencies aren’t alone. Security company WebSense reported this month that it recorded many instances of spear-phishing attacks on customers and employees of ISPs, e-commerce, and banking sites. The company also noted a 100 percent increase, in the first half of 2006, in the number of Web sites distributing “crimeware” such as keyloggers and screen scrapers, which capture images of victims’ desktops.
Cybercriminals are “more creative, organized, and business savvy” than ever before, WebSense found, noting that true “companies” have emerged, producing and selling toolkits and developing business partner programs that enable less technical criminals to steal data and make money.
The new wave of attacks is challenging conventional wisdom about the effectiveness of signature-based security products. An unknown number of low-intensity attacks from inside networks are often being missed.
So what’s an IT manager to do? Security experts tell InfoWorld that there’s no easy fix. Although traditional layered security is still the best defense, the coming years will demand investment in technologies and processes that might seem “out of the box” or that have often been overlooked, such as insider-threat detection and secure coding. For those on the front lines, new and more effective defenses can’t arrive soon enough.
Developing an infiltration profile
In his work for the National Intelligence Research and Applications Group at BBN Technologies, Peiter Zatko — aka Mudge — sees parallels between the new generation of attacks and the asymmetric warfare of Vietnam, Afghanistan, and Iraq: Attackers use a high volume of separate, targeted assaults that often prevent victims from seeing the larger threat profile.