Stealthy, sometimes long-term cyber-espionage attacks aimed at stealing sensitive proprietary information -- what some now call "advanced persistent threats" (APT) -- have become a top worry for businesses.
Last week the Security for Business Innovation Council, a group of 16 security leaders from companies that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson, and Northrop Grumman, summed up their thoughts on APT in a report, saying this type of attack is forcing IT to rethink network security. "Tackling advanced persistent threats means giving up the idea it's possible to protect everything. This is no longer realistic."
"Focusing on fortifying the perimeter is a losing battle," bluntly states the report, which was published by RSA -- itself the well-known victim of a successful APT attack. "Today's organizations are inherently porous. Change the perspective to protecting data throughout the lifecycle across the enterprise and the entire supply chain."
The report adds: "The definition of a successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage.' Assume your organization might already be compromised and go from there."
The focus, it says, now has to be on working with business managers to identify the "crown jewels" of the organization and protect these "core assets," while "also moving away from a perimeter-centric view."
Dave Cullinane, chief information security officer at eBay, says there's no doubt that the APT problem, which often may be financially motivated, is at the top of everyone's list of concerns right now. Spear-phishing, which involves tricking an individual into opening an email with malware to gain control of a computer, is one way an attacker gains a foothold inside a network, as happened at RSA last spring. But Cullinane says there are insufficient protective anti-phishing products available.
"Adversaries know what works in spam filtering," he points out. He says some companies, including banks, have devised their own custom-made defenses that combine email information with threat-monitoring tools like FireEye and Damballa.
Cyber-espionage attacks are essentially infiltrations that can come from nation-states and their hired attackers, as well as from industrial competitors, organized crime, or "hacktivists" like Anonymous.
Last week, security researcher Joe Stewart, director of malware research at Dell SecureWorks, offered his own evidence that the March break-in at RSA, in which sensitive information related to SecurID was stolen, originated in mainland China.
Stewart says his conclusion is based on analysis of two malware components that were used to conceal the attack on RSA. The malware, called HTran, which was originally written by Chinese hackers, was found to leak error-message information showing specific network IP addresses at ISPs in China, where hackers likely directed stolen data. The report on this from SecureWorks notes that without the cooperation of the government of the People's Republic of China, further attribution of the hacking activity is "difficult or impossible."