The massive cyber attack that has unfolded in the United States over the last two weeks is hugely damaging, both to the lives of many millions of current and former US government employees whose personal information was stolen and to their nation’s interests.
It now appears that basic personal details as well as more intimate and detailed information gleaned from security clearance applications going back 30 years have been stolen by the one group, in a series of attacks that began in March, 2014. The attackers targeted the federal Office of Personnel Management and health insurance firms with government workers on their books, as well as two companies doing background checks for the Department of Homeland Security, first one and then its replacement.
All two million US government staff were affected and up to 12 million more who have worked for the government at some point, according to various reports. Other attacks in the same campaign could yet be launched, building on the previously stolen information, or could be underway already. But this is not some sort of unlikely, worst-case scenario that doesn’t come around very often, and it’s certainly not an isolated event. There are far more cyber attacks than most of us realise happening all the time, and a whole world of unwitting victims.
Network security firm FireEye has a better view than most, thanks to real-time data that many of its clients around the world agree to share with it, but even this is only a small sample of the full picture. To illustrate the point, FireEye’s Asia-Pacific chief technology officer, Bryce Boland, feels the need to confirm the “big data breach in the US” we’re referring to is the one he thinks it is. “There’s been a lot of them; there are a lot of them on a regular basis,” he says, speaking to The Mandarin from his Singapore office.
Boland says from what FireEye has seen, it’s clear most companies are being breached by some sort of malware and don’t realise, and a substantial number are subject to more advanced attacks they aren’t aware of.
“And we did an assessment last year of more than 1200 organisations around the world that had not implemented any advanced direct protection capabilities; more than a third of those organisations were actively compromised,” he explained. “There was someone sitting at a keyboard somewhere else in the world in control of computers inside their network and they had no idea.”
Holding back the barbarian hordes
Those fighting the good fight in the largely concealed global arena of cyber security are on the back foot, partly due to the widespread ignorance that leads many organisations to have their systems unknowingly targeted, or compromised and used to target others.
“And it’s not just enterprises. It’s also government organisations that are relatively trivially broken into, for the most part,” said Boland.
“The reality has become that if you want to break in, it’s relatively straightforward. You use a targeted spearphishing email with a malicious attachment or with a link to a weaponised website under your control, and that causes the victim — unknowingly — to execute a malicious code and that malicious code will then download some malware to give the attacker command and control of the computer.
“Once they have achieved that they will then be able to conduct additional steps to maintain their presence over the long term, to compromise additional machines and to hunt around in that environment for the data they’re after.”
Victims in most jurisdictions are less forthcoming than in the US, too, which has strong laws requiring disclosure of data breaches involving personally identifiable information. Don’t be fooled. Similar attacks are happening in Australia. According to Boland, the capability to detect them is rare and you probably won’t hear about those that are uncovered.
“So, chances are similar attacks are probably continually happening against the Australian government, and I can only hope that the appropriate authorities are detecting these attacks and taking measures to reduce their impact,” he added. “I’m not particularly hopeful that that’s the case, to be honest.”
And even the most advanced measures to prevent, detect and remediate breaches are still fallible.
“Attackers are humans; they’re not just going to try one thing, they’re going to keep trying until they get in,” Boland said. “They’ll change up their tactics according to the defences that they find.
“So you can put in place all the detection capabilities in the world but it doesn’t matter. Eventually the attackers will find a way past. The challenge is how to find out that’s happened. How to actually hunt for attackers who have bypassed defences against all the known threats, and be able to detect the unknown threats so you can then respond to them, because that’s when the damage actually happens to organisations.”
Even organisations with the most secure systems still get breached, but they have the capability and the expertise on hand to detect the problem quickly and respond effectively, hopefully within minutes, at any time of the day. That is probably the best you can aim for, says Boland: “Keeping everything out is nice but it doesn’t actually work in practice; the attackers always find a way in.”
It is also difficult even for the best in the game to be sure they have the full picture of everything an apparently successful attack has accomplished — witness the gradual realisation in the US of just how extensive the OPM attack had been. Finding and deleting a piece of malware is often not enough these days, and you might not even find anything obvious at all.
“The attackers are very, very effective at taking an initial infected machine and compromising the credentials on it, using additional malware to install backdoors on other machines,” Boland continued. “What we see very commonly now are organisations being breached and when we do the investigation, we find no malware … because the attackers steal the credentials that are necessary to come in over the VPN connections into that organisation.
“And because they then come in looking like legitimate users, they can delete the malware they used to break in and they have full access in the environment.”
That was the case in 46% of FireEye’s investigations last year.
Ryan Gillis, vice-president of cybersecurity and global policy at Palo Alto Networks, another leading network security firm, puts it differently:
“There are two types of networks: those that have experienced attacks, and those that don’t realise they have experienced attacks.”
Co-operation and co-ordination
Speaking on the ABC’s 7.30 on Monday, the head of the Australian Federal Police’s high tech crime unit David McLean confirmed it is not easy to recruit people with the necessary skills to the government agencies with primary responsibility for advanced information security.
But the task of protecting against unwanted intrusions can’t be left up to the experts.
There’s a lot of global co-operation and co-ordination going on between security companies which form corporate alliances to share threat information. And both Boland and Gillis say public, private and nonprofit organisations all need to contribute to turning the tide against cybercrime, firstly by picking the low-hanging fruit to drive the cost up for the baddies.
Palo Alto Networks has sent Gillis — who was formerly director of cyber security policy on Barack Obama’s National Security Council and held various positions with Homeland Security — on a world tour to spread the word. This included a seminar last week hosted by the Institute for Public Administration Australia’s Victorian branch, where he made the point that the cost of mounting successful cyberattacks is far too low.
“I think that comes from a number of things,” he told The Mandarin. “One: people don’t have enough preventative capability — the people, process and technology — in place to stop unsophisticated inbound attacks. … Even if you’re a bad guy who doesn’t have the capability to develop malware, you’ve got tremendous access to things that can be used to launch malicious attacks and be successful.”
More advanced attackers also use this kind of run-of-the-mill malware that manages to do the job far too often.
“The most sophisticated actors — be it nation states or highly evolved criminal groups — they’re not going to use their highly evolved, never-seen-before techniques that they had to expend their own manpower and resources to develop,” Gillis explained. “They could go online, use something that’s freely available or spend 30 bucks to get a tool, and not only does that preserve their own malicious intellectual property, it also makes it harder to identify who the bad guys are.”
Boland points out there is a limited window of opportunity after a new breach is discovered for useful intelligence to be shared with other organisations so they can protect against similar attacks. “One of the best weapons in our arsenal for defending against criminals and nation states conducting these attacks is to share intelligence across commercial organisations, and to share it both to and from the government,” he added. “So disclosure leads to better intelligence sharing, and that’s actually really critical for defending against these types of attacks.”
There are various theories as to who is behind the Office of Personnel Management data breach and how they will use the stolen data, with the Chinese government the prime suspect in the US media. But most security experts agree the focus should be on defending a system against all comers, rather than worrying about who to blame.
“Who should you be most concerned about? I think you should be most concerned about reducing the noise and the low-level attacks … so that you drive the cost up to launch a successful attack, and that comes through successful prevention,” said Gillis. “Then, network defenders can focus just on the things that matter the most.”
He advises starting at the executive level and looking at what matters most, with a risk-oriented approach.
“So, how do I interface with my technology guys — my CIO, my CISO, my network operators that are buying technology? And, how do I ensure that they are investing in the things that matter most to the core business? Have we identified where the things are that matter the most? Have we identified the functionality that we need from our network, and are we applying preventative technology to ensure that we’re securing what matters most on our network?”
Another reason there might seem to be more attacks now than ten or even five years ago, according to Gillis, is that the prevention and detection technology employed in the past was not advanced or widespread enough for as many of them to be noticed.
“I think that’s something that as people become more aware of what’s on their network and how they’re stopping attacks on their network, you’re going to see this huge growth curve [in reported attacks] that I think is due not just necessarily to an increasing number of attacks, but an increasing awareness of the attacks that are going on.”
Knowing exactly who is behind an attack is very hard, in any case, because cyberspies and cybercriminals alike disguise themselves behind vast chains of compromised machines all over the world. Law enforcement investigations are also hampered when these botnets cross multiple jurisdictions.
“Soon as something goes across a country’s jurisdiction, getting access to the machines and the logs and so on becomes an extremely tedious, time-consuming administrative process,” said Boland. “It can take months and months, if not years.”
Boland backs the Australian Signals Directorate’s top four mitigation strategies, which were oddly rejected earlier this year by a couple of agency heads in the Tasmanian government who felt the state’s auditor-general was holding them to an unnecessarily high standard. Best of luck to them in their next audit, which will include actual penetration testing.
Even following the ASD’s counsel, FireEye’s New Zealand-born CTO says most organisations simply aren’t investing enough in the newest technologies, intelligence and expertise.
“It starts with the first piece; if you can’t detect the attacks then you should assume you’re breached, because you probably are,” Boland stressed once again.
“Secondly, if you can’t detect the breaches that are happening, it’s almost impossible to believe that you can withstand those attacks. The most successful, highly resourced security organisations in the world still get breached by attackers and it’s impossible to believe that a company or government organisation that can’t detect those attacks would somehow not be breached.”