Espionage goes high-tech

Cyber espionage is nothing new. For years, companies have been losing hundreds of billions of dollars to cyber espionage and cyber crime, and spending fortunes trying to prevent them.

What we are seeing now is more of the same. The problem is, it is much, much more, and the technologies used to perpetrate these crimes are becoming far sneakier and more sophisticated.

So, while the ongoing theft of technology, intellectual property, trade secrets and proprietary information might sound like just more of the same, the question remains on whether there is any cohesive strategy to tackle the problem, and whether governments have a larger role to play.

<a href=

Uri Rivner, BioCatch" />Uri Rivner, VP business development and cyber strategy at BioCatch, describes cyber espionage as the digital equivalent of James Bond-style cloak and dagger operations – the ability of nations to spy, subvert and gain an unfair advantage over their rivals.

Cyber terrorism is where terrorism meets cyber space. Essentially, it is unlawful attacks on networks and systems, targeted at the information contained within these systems in order to intimidate or “cripple” governments, groups, organisations or people, adds Symantec security practices expert Grant Brown.

He quotes the latest James Bond film, Skyfall, where Q says to Bond, “I can do more damage on my laptop in my pyjamas before my first cup of Earl Grey than you do in a whole year in the field.”

Rivner says tradisionally, cyber espionage has been limited to military or government networks, or, at most, civilian critical infrastructure. However, in the last three years, the focus has shifted to industrial espionage, when a nation penetrates a corporation in order to steal trade secrets and intellectual property in order to gain an unfair competitive edge.

The US openly accused China of doing exactly that, and reports accuse its Red Army of penetrating into hundreds of enterprise networks in any possible vertical and geography, he explains.

According to Rivner, in order to prevent these attacks, we need to understand the difficulty at hand. “Since 2010, the list of known cyber attacks grew to hundreds of mega-corporations, each armed to the teeth with any possible mix of perimeter security. Yet none of the current security controls managed to prevent the attackers from roaming free inside the corporate network and siphoning out terabytes of intellectual property.”

In March 2012, he says Mandiant, a US-based incident response company, testified to a governmental enquiry board that the chances of detecting a cyber attack originating out of China is a mere 6%.

With this in mind, it’s clear why the industry is now looking for a new defence doctrine, Rivner explains. “The best companies can do today is to look inside: invest in technologies that try to find anomalous behaviour inside their network. Then, if something triggered an alert, use quick and effective investigation tools that will help determine whether it’s a false alarm (far more likely) or an actual breach. Finally, big corporations hire folks who specialise in cyber intelligence. These professionals can look at an anomaly and immediately say ‘yeah, we’ve seen it before. It’s group X operating out of county Y’. They know who to talk to in the government, where to find more specific intelligence, and eventually determine what the motivation for the attack is. Who is attacking, what are they after, and what methods they often use is extremely important in today’s cyber era.”

In addition, Rivner says there are many promising innovations that in future will change the game and give organisations a real chance to detect and deflect attacks. “Big data techniques are commonly discussed in this context: the ability to profile normal behaviour and spot irregularities.”

Grant Brown, Symantec

Also, he says cognitive and behavioural biometric controls based on how employees behave inside an application will allow continuous authentication and prevent attempts to hijack their computers and operate them remotely by a cyber attacker. “Sandboxing, virtualisation and similar techniques will seamlessly segregate sensitive data from the main corporate network. And there are many innovations no one can even imagine at this point, but will emerge as the need to think out of the box and defend organisations grows.”

Vitaly Kamluk, malware expert at Kaspersky Lab" rel=tag>Kaspersky Lab, says most cyber espionage attacks are executed via a targeted attack, when attack instruments are designed specifically for the victim organisation. “If your company has never suffered an attack, it’s easy to tell yourself that ‘It won’t happen to me’, or even to imagine that most of what we hear about malware is just hype. This is especially true for targeted attacks. It’s easy to read the headlines in the computer press and draw the conclusion that targeted attacks are a problem only for large organisations, particularly those who maintain ‘critical infrastructure’ systems within a country.”

However, Kamluk says this is not the case, and any organisation can become a victim. “All organisations hold data that could be of value to cybercriminals; and they can also be used as a ‘stepping-stones’ to reach other companies.”

According to him, the starting-point for a targeted attack is often to trick individuals in the company into doing something that puts the company’s security at risk. “Cyber criminals also gather information from social networks and other public resources that allow them to tailor their attack to bypass the company’s security. People are susceptible to social engineering tricks for various reasons. Sometimes they simply don’t realise the danger. Sometimes they’re taken in by the lure of ‘something for nothing’. Sometimes they cut corners to make their lives easier – for example, using the same password for all online accounts.”

Unfortunately, he says, businesses often ignore the perils of the human dimension. “Even if the need for staff awareness is acknowledged, the methods used don’t achieve positive results. So it’s important for organisations to make security awareness part of their security strategy.”

Stephan le Roux, RSA Southern Africa’s district manager believes prevention is largely not attainable in the current threat landscape. “Attacker skill has developed to the point that the attackers are experts at intelligence collection, infrastructure mapping, targeting, infiltration and data extraction. RSA endorses ‘early detection’, where defenders use pervasive visibility and an intelligence-focused approach to detect attacks in progress, and then use the information gained to adjust their security posture as appropriate.”

Brown says it’s important to understand the process used by cyber criminals to gain access to an organisation. “Typically, it works along the stages of reconnaissance, incursion, discovery, capture and finally exfiltration. Just as an attack is comprised of layers, so too should a security strategy and the solutions that align with that strategy. These solutions are wide ranging and will stretch from education to traditional security products to solutions around risk management, information protection and compliance to name but a few. What is important, though, is that there is a solution that gives you a complete picture of what is happening in your estate from a security perspective.”

GOVERNMENT INVOLVEMENT

Governments are now beginning to understand that if their mission to date was protecting their own information and assets, now they have to think about their national private sectors, says Rivner.

“Take the mining sector as an example: some countries will pay billions to know why a certain corporation is digging in a specific location, why they just bought the rights of excavation in a remote piece of land, or what their expansion plans are in a certain region. But why pay billions, if you can just as easily steal this information?”

He says it’s simply a question of tricking certain employees into opening an interesting file or link to an interesting Web site, and within minutes the criminal has gained access into the corporate network.

Then you move inside until you fi nd the information you need. And maybe change some seismic reports while you’re inside. Now, say it happens to the top 10 mining companies in a country. The outcome to that country’s economy can be severe. Hard-earned intellectual property is siphoned off without a trace, billions are lost and thousands of jobs are cut.

Rivner says that’s why the National Security Agency (NSA), has been tasked with defending US cyber space, and is now not only protecting the government, military and defence contractors, but has recently started to share cyber intelligence – once considered highly classified information – with the private sector.

“The role of government is now to extend their cyber protection well beyond their immediate interests, because in the 21st century, national security includes the nation’s intellectual property as well.”

Real-time information sharing is one piece in a multi-tier strategy to prevent attacks, says Rivner. He recommends that governments invest in cyber defence research, to impose regulations on reporting data breaches to customers and authorities, to operate a national cyber command centre that monitors all critical infrastructure network, and to help educate a young generation of cyber fighters.

2012

The cyber attacks on NY Times and Washington Post are probably the most well-publicised cyber espionage attacks we’ve seen recently, says Rivner. He said other prominent companies include Morgan Stanley, Google, RSA, IMF and many more. However, Rivner says the most interesting event from the last year was that Mandiant released a specific report on unit 61398 of the Red Army. This cyber attack unit, one of 20 that Mandiant tracks in China, hit over 140 targets (including one in South Africa), and is one of the most active cyber industrial espionage efforts today.

Looking at the various pieces of malware used in recent attacks, Kamluk says Duqu, detected in September 2011, is worth the first mention. “This malicious spyware ceased to exist “in the wild” by late 2011. However, in late February 2012 Symantec’s experts discovered a new version of a driver in Iran, similar to the one used in Duqu but created on 23 February, 2012.”

In May 2012, he says Kaspersky Lab detected another very sophisticated toolkit for conducting attacks, called Flame. “After we discovered Flame we implemented several heuristic methods based on an analysis of similarities in the code. This approach soon brought us another breakthrough. In mid-July, a malicious program was detected that had been created on the Flame platform; however, it had a different payload and habitat.”

Kamluk says it would appear that the modules were named in honour of renowned mathematicians and philosophers – Kurt Gödel, Carl Friedrich Gauss and Joseph Louis Lagrange. “Based on the results of our analysis and the time-stamps in the malicious modules available to us, we concluded that Gauss started operating in August or September 2011.”

In early June 2012, he says Kaspersky Lab discovered a small yet interesting module created on the Flame platform. “This malicious program, dubbed miniFlame, is a miniature fully-fledged spyware module designed to steal information and gain access to an infected system.”

Finally, more recently in October 2012, Kaspersky Lab initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analysed during the investigation, which the company dubbed Red October, that has been stealing data from diplomatic, government, and scientific research computer networks for years.

THE BACKLASH

It is difficult to define the backlash as these sorts of incidents are very under reported by the victims, and even when they are reported, they are notoriously low on detail, says Le Roux. “Usually when large scale attacks are reported, it is by security vendors and researchers. Accused entities and nation-states typically deny any involvement in spite of huge amounts of evidence to the contrary.”

However, Rivner says the very open US outcry over China is a clear example of potential fallout. The attacks have been called one of the largest threats to national security, and the US is now using every possible diplomatic leverage it has on China in order to regain control of the situation.

In addition, he says Australia banned one of China’s giant IT companies from competing for a massive communications infrastructure contract. “That was probably the most visible reaction we’ve seen to a cyber espionage campaign.”

THE GUILTY PARTIES

When it comes to pointing fingers, Brown says determining the exact source of an attack is a complex procedure and one that will not really provide a return on the time/resource investment. “Better value will be found in ensuring the organisations or countries critical service infrastructure is secure, monitoring and response processes are in place and concise up-todate security policy is in effect.”

The nature of the Internet allows attackers to make their attacks appear to originate from any place on the globe, they often used legitimate sites and computers that have been hacked as attack launching points, says Le Roux. “So, short of catching someone with their fingers on the keyboard, 100% attribution is often impossible. In some cases, near attribution has been put together by compiling information from various sources, but this is never 100% either.”

However, Rivner says governments and cyber intelligence companies have amassed a lot of indicators and know-how that help identify nation-state attackers, but as more actors enter the game – nations, ideological groups, hacktivists, organised crime and individual cybercriminals – it is getting more and more difficult to keep track of all players and have a highly reliable attribution.

He cites two good examples - the attacks on Estonia in 2007 and Georgia in 2008. “In both cases the entire country was digitally frozen for a week, and fingers were pointed to Russia. In both cases it turned out that the actual hacker was not affiliated with the Russian government: the first was a teenager from a Russian youth group who protested against the removal of a statue of Lenin from the main square in Talin, and the second was a fraudster who claimed to be a Russian patriot and organised a denial-of-service (DoS) attack against Georgian Web sites following the skirmish with Russia during the Olympic games, and later on was discovered to be someone who doesn’t even have a Russian citizenship.”

“Another good example,” says Rivner, “Is the fingers pointing to Iran during the DoS attacks targeting US banks in the last year. It turned to be a hacktivist group whose links to Iran were never proven.”

However, he says this does not mean that Iran is not staging cyber espionage campaigns against the US, Israel and other western countries - and vice versa.

INTERNATIONAL TREATIES

The line between cyber warfare and clandestine cyber espionage operations is thin, and an attempt to define what crosses the line was recently made by NATO, says Rivner. “Essentially, if things blow up and people’s lives are threatened, it’s an act of war. Two years ago the US drew similar lines.”

As for defending against cyber espionage, he says there’s a lot of informal collaboration between cyber defence organisations in the Western world. “In the future we should expect international law and multinational treaties to tackle the issue, just like non-proliferation of nuclear technology or reducing carbon dioxide emission. But these things take time, and by the time the world diplomacy catches up, most of the damage will have been done and most corporations will have equipped themselves with adequate protection based on new innovations that are now emerging.”

Kamluk agrees, and says the problem needs similar attention that the issues of chemical, biological and nuclear warfare received in the past. “What is needed is an international agreement on cooperation, non-proliferation and non-usage of cyber weapons. And such a project needs to be organised and coordinated by an independent international organisation - like a cyber IAEA, ideally under the aegis of something like the United Nations.”

Due to the complexity of determining the source of a cyber attack, governments can struggle with how to handle the growth in these attacks, adds Brown. “The proposed POPI bill will lay the foundation for improving data protection across business and government entities, and more importantly raise security awareness in general. The US has recently moved from a ‘defence approach’ to cyber-crime to an offensive tactic by creating 13 ‘strike teams’ to handle the influx of threats to their nation, and I see more countries taking this approach to protect themselves from these type of attacks.”

ATTRIBUTION

Compromised companies are not spending nearly enough time on attribution, says Rivner. “Understanding who is attacking you is extremely important. If you wake up at night and know there’s someone in your apartment, you’d better know if they are petty thieves or dangerous armed robbers. If someone attacks your network, you should know if they are fi nancially motivated cyber criminals going after your corporate bank account, or a foreign army that invaded your network to steal your trade secrets.”

He says it is important to know whether to call the intelligence community or company colleagues in another company to find out if they are also under attack. “Attribution as in ‘who dunnit’ is very important. It is less important to follow it up and try to accuse the attacker, because most evidence will not stand in a court of law and you’re now making it personal. But you should be able to have basic cyber intelligence capabilities and at least know which class of attack it is – nation state espionage? Hacktivism? A financially motivated attack?”

Le Roux has a different view: “Most compromised companies aren’t even aware that they have been compromised. Attribution is the last piece of the puzzle. Companies need to focus on processes and technology that they need to gain visibility into these attacks, and once they have a handle on that, they can move towards attempting attribution, or at least attribution to the point that they can identify tactics, techniques and procedures to help mature their processes. In my opinion, attribution is useful for defenders to a certain extent at a high level (legal action, lobbying for government help), but understanding attack methodologies on a large scale is probably more important for real defence in the long term.”