The New York Times' description of a cyber espionage campaign waged against the news media company by Chinese hackers demonstrates the importance of assuming criminals will eventually break into a computer system, and that the best defense is to detect the intrusion as soon as possible.
On Wednesday, The Times disclosed that hackers had persistently attacked its computer systems for four months, and had stolen passwords for reporters and employees. Rather than boot the hackers immediately, The Times chose to study their movements in order to build better defenses against them.
The attacks coincided with an investigative piece the newspaper published Oct. 25 on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China's prime minister.
The lessons learned from the attack apply to any organization targeted by hackers with a level of sophistication often financed by a nation-state. Potential victims typically include defense contractors, multinational corporations, the military, think tanks and government agencies.
Over the course of the attacks on The Times, the intruders installed 45 pieces of custom malware. The Symantec antivirus software in use detected only one of them.
One important step the company took in September, when it learned it might be targeted by hackers in China, was to notify its Internet service provider to watch for unusual activity in outbound traffic from the network, experts said Thursday. AT&T eventually did report seeing anomalies, which started The Times investigation and led to its hiring of security firm Mandiant to help it monitor and eventually remove the hackers.
The newspaper believes the hackers initially broke in Sept. 13 through a spear-phishing attack, in which carefully crafted emails are sent to specific people within an organization to trick them into opening a malware-carrying attachment or visiting a malicious website. The break-in occurred while The Times was completing its reporting for the Wen family story.
Besides employee education, ways to combat spear phishing include technology on the laptop that allows only pre-approved applications to run. Called whitelisting, the technology is difficult to manage, because employees will constantly seek permission to run other software.
"There's a lot of management overhead with it, but I think from a security standpoint, it's the right way to go," George Tubin, senior security strategist for Trusteer, said.