2014 will be remembered as the year the cyber dam broke, breached by sophisticated hackers who submerged international corporations and government agencies in a flood of hurt. Apple, Yahoo, PF Changs, AT&T, Google, Walmart, Dairy Queen, UPS, eBay, Neiman Marcus, US Department of Energy and the IRS all reported major losses of private data relating to customers, patients, taxpayers and employees. Breaches at Boeing, US Transportation Command, US Army Corps of Engineers, and US Investigations Services (who runs the FBI’s security clearance checks) reported serious breaches of national security. Prior to last year, devastating economic losses had accrued only to direct targets of cyberwarfare, such as RSA and Saudi Aramaco, but in 2014, at least five companies with no military ties — JP Morgan, Target, Sony, Kmart, and Home Depot – incurred losses exceeding $100M from forensic expenses, investments in remediation, fines, legal fees, re-organizations, and class-action lawsuits, not to mention damaged brands.
The press has already reported on where things went wrong at each company, promoting a false sense of security based on the delusion that remediating this vulnerability or that one would have prevented the damage. This kind of forensic review works for aviation disasters, where we have mature, well understood systems and we can fix the problems we find in an airplane. But information networks are constantly changing, and adversaries constantly invent new exploits. If one doesn’t work, they simply use another, and therein lies the folly of forensics.
Only when you step back and look at 2014 more broadly can you see a pattern that points toward a systemic failure of the security infrastructure
underlying corporate networks, described below. So until we see a seismic shift in how vendors and enterprises think about security, hackers will only accelerate their pace of “ownership” of corporate and government data assets.
The Sprawl of Cyberwarfare
The breaches of 2014 demonstrate how cyberwarfare has fueled the rampant spread of cyber crime.
For the past decade, the world’s three superpowers, as well as UK, North Korea and Israel, quietly developed offensive capabilities for the purposes of espionage and military action. Destructive attacks by geopolitical adversaries have clearly been reported on private and public sector targets in the US, Iran, South Korea, North Korea, Israel, Saudi Arabia and elsewhere. While Snowden exposed the extent of cyber espionage by the US, no one doubts that other nations prowl cyberspace to a similar or greater extent.
The technical distinction of these national cyber agencies is that they developed the means to target specific data assets or systems around the world, and to work their way through complex networks, over months or years, to achieve their missions. Only a state could commit the necessary combination of resources for such a targeted attack: the technical talent to create zero-day exploits and stealthy implants; labs that duplicate the target environment (e.g. the Siemens centrifuges of a nuclear enrichment facility); the field agents to conduct on-site ops (e.g. monitoring wireless communications, finding USB ports, or gaining employment); and years of patience. As a result of these investments in “military grade” cyber attacks, the best of these teams can boast a mission success rate close to 100%.
But cyber weapons are even harder to contain than conventional ones. Cyberwar victories have inspired terrorists, hacktivists and criminals to follow suit, recruiting cyber veterans and investing in the military grade approach. (Plus, some nations have started targeting companies directly.) No longer content to publish malware and wait for whatever data pop up, criminals now identify the crown jewels of businesses and target them with what we call Advanced Persistent Threats (APTs). You want credit cards? Get 56 million of them from Home Depot. You want to compromise people with the most sensitive secrets? Go to straight to the FBI’s archive of security clearances. You want the design of a new aircraft? Get it from Boeing. You need data for committing online bank theft? Get it for 76 million households at JP Morgan Chase.
That’s why cyberspace exploded in 2014.
This is Not the Common Cold
But why are the crown jewels so exposed? Haven’t these companies all spent millions of dollars every year on firewalls, anti-virus software, and other security products? Don’t their IT departments have security engineers and analysts to detect and deflect these attacks?
The problem is that up until this year, corporate networks were instrumented to defend against generic malware attacks that cause minimal damage to each victim. Generic malware might redirect your search page, crash your hard drive, or install a bot to send spam or mine bitcoin. It’s not looking for your crown jewels because it doesn’t know who you are. It may worm its way to neighboring machines, but only in a singular, rudimentary way that jumps at most one or two hops. It’s automated and scalable – stealing pennies from all instead of fortunes from a few. If it compromises a few machines here and there, no big deal.
But with Advanced Persistent Threats, a human hacker directs the activity, carefully spreading the implant, so even the first point of infection can lead to devastation. These attacks are more like Ebola than the common cold, so what we today call state-of-the-art security is only slightly more effective than taking Airborne (and that’s a low bar
). As long as corporate networks are porous to any infection at all, hackers can launch stealth campaigns jumping from host to host as they map the network, steal passwords, spread their agents, and exfiltrate data. Doubling down on malware filters will help, but it can never be 100% effective. All it takes is one zero-day exploit, or a single imprudent click on a malicious email, tweet or search result, for the campaign to begin. Or the attacker can simply buy a point of entry from the multitudes of hackers who already have bots running on the Internet.
The dependence on malware filters is only half the problem. Ask any Chief Information Officer about his or her security infrastructure and you will hear all about the Secure Operation Center in which analysts pour over alerts and log files
(maybe even 24/7) identifying anomalies that may indicate security incidents. These analysts are tasked with investigating the incidents and rooting out any unauthorized activity inside the network. So even if someone can trespass the network, analysts will stop them. And indeed, thousands of security products today participate in the ecosystem by finding anomalies and generating alerts for the Security Information and Event Management (SIEM) system. Every week a new startup pops up, touting an innovative way to plow through log files, network stats, and other Big Data to identify anomalies.
But sometimes anomalies are just anomalies, and that’s why a human analyst has to investigate each alert before taking any pre-emptive action, such as locking a user out of the network or re-imaging a host. And with so many products producing so many anomalies, they are overwhelmed with too much data. They typically see a thousand incidents every day, with enough time to investigate twenty. (You can try to find more qualified analysts but only with diminishing returns, as each one sees less of the overall picture.)
That’s why, for example, when a FireEye system at Target spotted the malware used to exfiltrate 40 million credit cards, it generated an alert for the Secure Operations Center in Minneapolis, and nothing happened
. Similarly, a forensic review at Neiman Marcus revealed more than 60 days of uninvestigated alerts that pointed to exfiltrating malware. SONY knew they were under attack for two years leading up to their catastrophic breach, and still they couldn’t find the needles in the haystack.
And yet, the drumbeat marches on, as security vendors old and new continue to tout their abilities to find anomalies.
They pile more and more alerts into the SIEM, guaranteeing that most will drop on the floor. No wonder APTs are so successful.
A Three Step Program
“Know Thy Self, Know Thy Enemy” – Sun Tzu, The Art of War
We need to adapt to this new reality, and the cyber security industry needs to enable it. Simply put, businesses need to focus their time and capital on stopping the most devastating attacks.
The first step here is to figure out what those attacks look like. What are your crown jewels? What are the worst case scenarios? Do you have patient data, credit cards, stealth fighter designs, a billion dollars in the bank, damning emails, or a critical server that, if crippled by a Distributed Denial of Service attack, would cause your customers to instantly drop you? As you prioritize the threats, identify your adversaries. Is it a foreign competitor, Anonymous, disgruntled employees, or North Korea? Every business is different, and each has a different boogeyman. The good news is that even though most CEO’s have never thought about it, this first step is easy and nearly free. (Cyber experts like Good Harbor or the BVP-funded K2 Intelligence
can facilitate the process.)
Second, businesses need real-time threat intelligence that relate to their unique threatscapes. Almost every security technology depends upon a Black List that identifies malicious IP addresses, device fingerprints, host names, domains, executables or email addresses, but naturally they come with generic, one-size-fits-all data. Dozens of startups now sell specialized threat intel, such as BVP-funded Internet Identity
, which allows clusters of similar companies to pool their cyber intelligence, or BVP-funded iSight Partners
, whose global field force of over 100 analysts track and profile cyber adversaries and how to spot them in your network. What better way for your analysts to investigate the most important incidents, than to prioritize the ones associated with your most formidable adversaries?
“This is a global problem. We don’t have a malware problem. We have an adversary problem. There are people being paid to try to get inside our systems 24/7″
– Tony Cole, FireEye VP on CNN
And finally, security analysts need fewer alerts, not more. Instead of finding more anomalies, startups would better spend their time finding ways to eliminate alerts that don’t matter, and highlighting the ones that do. They would provide the analysts with better tools for connecting the alerts into incidents and campaigns, tapping into the skills of experienced “military grade” hackers to profile the attack patterns.
The challenge of securing data today is obviously complex, with many other pressing opportunities for improvement such as cloud security, mobile security, application security and encryption. But as cyberwar spreads to the commercial Internet, re-orienting enterprise security to focus on Advanced Persistent Threats should be the single most important initiative for businesses and vendors alike. Of course, inertia is powerful, and it may take boards of directors, CISOs, product managers, entrepreneurs, and venture capitalists another tumultuous year in cyberspace to get the message.