Reprinted with permission from HB Litigation.
Fire alarms sounded at the waterfront luxury hotel in Southern California, bringing an early end to the speaker’s presentation. He was addressing a 200-person audience assembled to learn about avoiding, mitigating and insuring the risks of cyber attacks. The hotel sirens turned out to be a false alarm, but the message he delivered was not.
Mandiant Vice President Grady Summers, who delivered the keynote address at the NetDiligence Cyber Risk & Privacy Liability Forum, a twice-annual event produced by HB Litigation Conferences, said it is getting pretty bad in cyberspace when nations are able to take out power grids and water supplies from the other side of the world. The Mandiant executive, part of the company’s team of highly-sophisticated incident responders who handle many of the higher profile breaches we hear about, said only a small percentage of companies are truly prepared for a cross-functional, cross-departmental response to data breaches — which is exactly what is required.
Many do not even know who is interested in hacking their systems or how they will do it, he said. With increasing interest in data from U.S. companies by state-sponsored hackers, and ever-improving levels of sophistication, you do not want to be one of those companies.
What motivates a cyber attacker is important to understand because their end-game will determine the seriousness of the threats they present. Preferring the phrase “threat actors” over characterizations such as “the bad guys,” Summers took the audience through five categories of attacks, from the merely irritating to the terribly damaging variety.
1. Nuisance attacks. These are largely automated attacks executed by people with low skills. After sustain such an attack an organization is typically up and running in no time.
2. Data theft. These attackers are often state-sponsored, advanced persistent threats, or APTs. These folks want intellectual property to save their R&D teams from troubling themselves with coming up with inventions of their own. It has been estimated, Summers said, that attacks on U.S. companies from China have netted its government and companies $250 billion’s worth of U.S. intellectual property.
3. Cyber crime. These hackers are motivated to steal money, and they are getting better at it, Summers said. Gone are the good old days when mere “sequel injection” was employed. Now they are stealing with the help of advanced persistent threat concepts, meaning companies are discovering malicious software that has been kicking around in their systems for years. “We found instances where emails from executives had been forwarded outside the company for four years,” Summers said. “What used to be ‘smash and grab’ attacks have evolved into complex schemes against payment card processors. These guys are there for six months and can take $10 million dollars a day.”
Cyber crime — and the business of fighting it — is going to continue to grow, and grow rapidly, Summers said. This is not something you would know if you only relied on corporate reports to the Securities & Exchange Commission. Last year a mere 27 companies disclosed the occurrence of cyber events to the SEC. Mandiant gets thousands of calls about cyber events, the vast majority of which, obviously, are not being reported. “As events become more visible things will be more public and therefore there will be more reporting,” Summers said. “As for public companies that don’t choose to report — they are going to have to eventually.”
4. Hacktivists. Organizations such as Anonymous and LulzSec claim they hack to support various social causes. Summers said this category of hacks continues to some extent, but the hackers are not always as sophisticated as they want us to believe. For example, Anonymous took credit for hacking the Rural Sheriffs Association, ostensibly to protest the association’s alleged mistreatment of immigrants. But, Summers explained, the group merely grabbed whatever data they could, then crafted a cause to match the data. They effectively use social media for this purpose, however, Summers said.
5. Cyber War. “This completely changes things,” Summers said. Unlike crime and theft — where it is not in the best interest of the hackers to damage the network housing the very data they want to steal — "state-sponsored cyber war combines the desire to destroy with high-levels of technical sophistication," he said.
Five Nations Cyber Armies
Nation states are very active in cyber attacks, Summers said. Whereas a government simply looks away when cyber crime is taking place, he said five countries lead the pack in actually sanctioning and supporting cyber attacks.
1. China is most active, he said, pointing to APT1, which Mandiant says is a state-sponsored and prolific cyber espionage group that has been in operation since at least 2006, stealing more than 100 terabytes of compressed data — millions of documents — from 141 companies. They are a cyber espionage factory, with more than 700 servers from which they control their activity, Summers said. “We tied them back to an army unit and proved actual state involvement,” he said. For example, when APT1 needed a better internet connection, a communist government official made it happen. The 76-page Mandiant report can be downloaded at intelreport.mandiant.com.
2. Syria is a more recent entrant, featuring the Syrian Electronic Army (SEA). The SEA breaks into media outlets, like the Associated Press Twitter account, the Washington Post, and the New York Times. Syria is getting more serious attention, but primarily it hacks with the intention of spreading propaganda as it did when it hacked the U.S. Marine Corps website. They say they are 10,000 strong but in fact they are a very small group. Despite their small numbers, they are “getting a big return with headlines.”
3. Russia harbors the Russian Business Network, Summers said, characterizing it as an “extensive operation” that is enabling Russia to put cyber operations together in support of conventional military operations. He noted Russia’s attack on Estonia in 2007 during which it took the smaller nation off the Internet so it could not conduct business or financial transactions. In its attack on Georgia, Russia knocked out news outlets and then sent in tanks, again coupling cyber war techniques with kinetic war tactics. “Russia is demonstrating the model for what cyber warfare will look like going forward.”
4. Iran is new to cyber hacking, Summers said, and their intrusions so far have been very quite. Iran is emulating China, he said, “but they still have their training wheels on.” He said Mandiant responded to an attack on a U.S. government agency that had all the fingerprints of an attack from China. It turned out that it was an attack from Iran, which spent days looking for U.S. defense information. The Iranian hackers downloaded data, but instead of U.S. defense secrets they captured a treasure trove of data on mounting a legal defense for indigent immigrants in the U.S. “We might laugh at them now,” he said, “but we shouldn’t for long since they surely will have a more destructive intent.”
5. United States, unfortunately, has to be included in discussion of cyber warfare, he said. The government likes to say what the U.S. does is very different from what China or Russia does, that is, "we hack for democracy." But when the curtains were pulled back on Stuxnet — the U.S./Israel cyber worm created to attack Iran’s nuclear facilities, “that sort of blew the doors off” how our activities differ, or do not, from that of other nations. Summers said people and nations soon will have a tough time seeing the distinctions between U.S. cyber activity and that of other nations.
When discussing the revelations of the National Security Administration’s (NSA) “prying eyes,” he tells companies to move on and pay attention to other threats. If you want to guard your data from agencies like the NSA, then encrypt your data and don’t use a public cloud. If you want to fight with the NSA you need a lawyer, not a data security company, he said.
As far as fighting back against cyber attacks, Summers came out against retaliation. Some clients want to launch counter-attacks or plant the equivalent of cyber grenades in data that is being stolen. “Any retaliation is foolish because we have an attribution problem in cyberspace. It was only after seven years we knew APT1 was hacking. The opportunity for collateral damage is too great," he said. The APT1 building, for example, was attached to a day care center. You could launch a cyber attack against an organization and kill a life support device, he said. Some non-U.S. companies will do this kind of thing for you, but Summers opposes the activity which, among other things, is illegal.
Summers predicts that, as with actual war, the solution will be a diplomatic one, not a technical one. “We have to develop norms like we do for human espionage where, for example, spies are not permitted to kill government officials."
Policies for Companies
Summers advocates that companies adopt the FUD approach — one of Fear, Uncertainty and Doubt. "Organizations are being targeted more broadly than ever. Compromise is inevitable. If Syria, Iran or China want your data, they are going to get in. The logical conclusion is that detection and response are critical. And it is a smart practice to assess your risk posture." Are your systems patched? Are your people trained? How many times have you been compromised? How long did it take you to respond? Are you examining empirical data that is more output based? Do you have a response team or detection system in place? Do you possess "situational awareness"? What threats would target your company? Spear fishing? Do you have a cross-functional incident response team, including expertise from IT to legal? "Because that is what you will actually do in the event of a breach," Summers said.
It was at about that point that the fire alarm sounded and Summers wrapped up his address.
This article was written by Tom Hagy, Managing Director of HB Litigation Conferences, co-producer of the conference referenced in the article. Hagy is a former Vice President at LexisNexis and former publisher of Mealey’s Litigation Reports. Click here to see the original article.