SAN FRANCISCO–It’s no secret that attackers have made Adobe’s products key targets for the last couple of years, routinely going after bugs in Reader, Flash and Acrobat in targeted attacks and widespread campaigns alike. But it’s not just the rank-and-file bad guys who are making Adobe a priority; it’s more often nation-states, the company’s top security official said.
Adobe, like many other large software companies, has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Since the company began its software security program several years ago, the sophistication level of the people finding and exploiting new bugs in Flash or Reader has gone up significantly.
Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it’s at a point where the company’s main adversaries are state-sponsored actors.
“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in his keynote speech at the United Security Summit here Tuesday. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”
Arkin said that when a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.
From there, the attack will often move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit. But it’s the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.
“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it’s a very different cost.”
Perhaps the most famous example of this kind of targeted attack is the one that hit RSA Security earlier this year. In that case, the company was compromised through the use of a phishing email that contained an Excel file with a malicious SWF file embedded inside it. An employee opened the email and then the attachment and the attack was off and running from there. Arkin said that while his team didn’t get a sample of the malicious file from RSA, it did see others from organizations that likely were targeted by the same campaign.
“We have lots of friends in the places where people get attacked a lot and I don’t think that RSA was the only target in that campaign,” he said.