Plenty has been written this month about attack attribution, but, really, if your network is under siege, how often does the “who” matter as much as the “how,” “what,” and “where”? It seems that knowing who the actor is behind a network intrusion matters little to a bank, restaurant or retail chain. You just want them off your gear, and you want your stuff put back where it belongs.
It’s easy to be cynical about the onslaught of accusations against the Chinese for hacking their way into the New York Times, Facebook, Apple et al. The Chinese are everywhere, and confirming that fact is neat. But unless you’re the military, or a rogue actor in your own right and want to try some hacking back, does it really advance the conversation to know that Unit 61398 of the PLA General Staff Department’s (GSD) 3rd Department is to blame?
The only conversations that seem to get advanced are those that happen in certain Beltway circles where reports such as Mandiant’s can be held up as the cause célèbre to score some Federal budget money, push through some onerous legislation, or, if you’re a vendor in the Valley, market some new Anti-APT1 gear at next week’s RSA Conference.
In the meantime, while China’s activity merits concern and it’s worth watching how this impacts the U.S. economy, it can also be a distraction to businesses needing to maintain uptime, continuity and integrity of their data and business.
“Understanding who is doing it? I don’t see too much value in it,” said Michael J. Keith, security associate with Stach & Liu, a security consultancy based in Phoenix. “It’s not like you can recover losses from that person. If their profession is theft, they don’t have legitimate resources to go after.”
Keith said some of his clients rarely want to preserve a chain of evidence to be used in prosecution; instead they want to understand what was lost, clean up the damage and understand how to prevent it from happening again. And usually, it has little to do with zero-day exploits against unreported vulnerabilities.
“The average attacker focuses on known bugs that have not been patched yet, or one-off holes in in-house developed Web applications,” Keith said. “There is no patch for SQL injection; if you develop a new app, you run the risk of introducing one of those types of vulnerabilities. The trend is multilayered security and patching.”
That’s the plague hitting small and midmarket companies with small IT staffs that are losing their shirts to commodity, automated attacks. Sniffing out “who” matters little to them, and they are the large majority of victims. And even for the higher end of the Fortune 1000 that can afford to invest in IT security, it’s still not about “who.”
Steve Adegbite, director of cybersecurity strategies at defense contractor and aerospace manufacturer Lockheed Martin, sees more than his share of sophisticated attacks cross his company’s wires. Yet, his efforts aren’t necessarily about breach prevention or identifying attackers. Like many other large enterprises, Lockheed has made the concession that attackers may get onto their network, but they’re not necessarily going to get stolen data off the network. He focuses on where they are, what they’re doing, and how to cut them off before core business data is lost.
“A lot of high-assurance networks and companies are making significant investments to stop them from coming in, but that’s too high a cost. If you can flip that on its head, it’s beneficial and cost effective,” Adegbite said. “If you can deny them the ability to pull that information out, you have won.”
Adegbite added that targeted attacks against organizations less strategic than Lockheed Martin, such as the New York Times, the Wall Street Journal, Apple, Facebook, and Twitter, indicate that attacker tactics such as persistence and advanced malware are also being used against those targets for surveillance, credential harvesting and more. APT is moving down the strategic chain.
Regardless, Lockheed’s business model and massive network (3 million IP addresses, 145,000 managed desktops, 200 terabytes of full packet capture storage, 300 million daily Web requests, 1.2 million web proxy connections blocked daily) make it an “interesting” target for nation states and competitors alike. The company is not without its share of incidents; it was one of the ultimate targets in the RSA SecurID compromise, for example. And for a long time, Adegbite said Lockheed’s security investments looked like a lot of other large enterprises—i.e., significant perimeter defense investments—but it quickly realized that attackers were ahead of the game. He said Lockheed moved to intelligence-driven security, understanding attacker behavior and applying that to its defenses in addition to applying pressure on its vendors to adapt products accordingly.
“We pushed them for more heuristics and to have an understanding of good traffic coming in, anomalous traffic out and run analytics against it; we started to think like attackers and their objectives,” Adegbite said. “We turned the problem on its head.”
Lockheed’s home-brewed kill chain methodology focuses on understanding how attackers plan their campaigns, starting with reconnaissance and getting an understanding of the target network, then moving on to weaponization and delivery of the malware, followed by exploitation, establishing command and control communication with the attacker-controlled machines, then taking action on objectives.
“The key goal of the kill chain is to make sure they don’t get action on their objectives,” Adegbite said. “With our defensive playbook, what we try to do is go through events and find where our defenses worked and where they didn’t in the kill chain.”
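The playbook review Adegbite describes, as an added example in Python that is not the article’s or Lockheed Martin’s code: the kill-chain phases are the ones listed above, while the campaign events, their outcomes and the coverage rules are constructed for illustration.

```python
"""Added example (not from the article or Lockheed Martin): a small defensive
playbook review that maps constructed intrusion events onto the kill-chain
phases and reports, per campaign, how far the attacker got, which phase
stopped them, and which phases no control saw."""
from collections import defaultdict

# Kill-chain phases in the order the article gives them.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "command_and_control", "actions_on_objectives"]
RANK = {p: i for i, p in enumerate(PHASES)}

# Constructed events: (campaign id, phase, outcome). "blocked" means a control
# stopped the step, "detected" means it was logged but not stopped, "missed"
# means it was only reconstructed afterwards during incident response.
EVENTS = [
    ("c1", "delivery", "detected"),
    ("c1", "exploitation", "detected"),
    ("c1", "command_and_control", "blocked"),
    ("c2", "delivery", "missed"),
    ("c2", "exploitation", "missed"),
    ("c2", "command_and_control", "detected"),
    ("c2", "actions_on_objectives", "blocked"),
    ("c3", "delivery", "blocked"),
    ("c4", "command_and_control", "missed"),
    ("c4", "actions_on_objectives", "detected"),
]

def review(events):
    """Return {campaign: {"furthest", "stopped_at", "missed", "won"}}.
    "won" follows the article's criterion: actions on objectives were never
    completed, either never reached or blocked when attempted."""
    by_campaign = defaultdict(dict)
    for cid, phase, outcome in events:
        by_campaign[cid][phase] = outcome
    report = {}
    for cid, phases in by_campaign.items():
        blocked = [p for p in phases if phases[p] == "blocked"]
        report[cid] = {
            "furthest": max(phases, key=RANK.get),
            "stopped_at": min(blocked, key=RANK.get) if blocked else None,
            # Phases the attacker passed through unseen: the gaps to close.
            "missed": [p for p in PHASES if phases.get(p) == "missed"],
            "won": phases.get("actions_on_objectives") in (None, "blocked"),
        }
    return report

def coverage_gaps(report):
    """Phases missed in any campaign, in kill-chain order, for the playbook."""
    seen = {p for r in report.values() for p in r["missed"]}
    return [p for p in PHASES if p in seen]
```

Campaign c4 shows the failure mode the article cares about: command and control went unseen and the attacker reached actions on objectives with only a detection, so no phase stopped it.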
And the extent to which Lockheed strategizes against particular opponents? This takes on more of a human intelligence profile and an understanding of how attackers behave: learning, for example, when they’re most active and adjusting defenses to match.
“They’re human, they take holidays off,” Adegbite said. “You can use that information in the kill chain.”
So the TL;DR here is that the “who” behind attacks matters mostly to budget seekers and policy makers. The Chinese—and the Russians, the Iranians and, yes, the Americans—are on your networks. Focus, instead, on what they’re doing and how to keep them from moving your company’s secret sauce off your network. As Lockheed’s Adegbite so eloquently put it: “If they get inside your house, no problem; I’m going to be sitting in my shotgun stand, and they’re not getting out of my house. Breaching is not the problem. People getting out, that’s the interesting thing.”