A Q&A with Marshall Heilman of Mandiant
IP espionage is a real and growing concern for business, and a recent report from Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, details the cyber espionage activity of one China-based unit. To find out more about the specific attacks and what companies can do to protect their data, we spoke to Mandiant director of consulting Marshall Heilman.
What are some key themes from your recent report, APT1: Exposing One of China’s Cyber Espionage Units?
Most important is that this type of activity is real, and it’s a real threat. Almost any company out there that makes any technology of interest should pay attention—and the line I say jokingly is that if you’re not making anything that makes you a target, then you should probably pack it up and go home. The report focused on one specific group that targets the Fortune 500 companies we work with, but this threat is also real for smaller companies as well.
One of the most common espionage attack methods is low-sophistication spear phishing. How can we mitigate this exposure, beyond employee training?
The basic concept behind spear phishing is that the user receives a legitimate-looking email that asks them to do something that reveals data, such as opening a link. Preventing spear phishing comes down to preventing the user from opening any links or preventing that email in the first place. There are a lot of antispam solutions out there, but I would argue that emails can and will get through those solutions, so we have to focus on making sure the user doesn’t compromise data security when it happens. One way is to make certain that all of the applications on a system are patched—not just things like Microsoft Windows but also Shockwave, QuickTime and Java. Another solution, which is extremely difficult for most companies, is to limit what users can install on the system, usually by reducing privileges, and thus reduce exposure to malware. Another option is to run application whitelisting on critical servers, so that attackers that gain access to an environment cannot execute malicious code on those servers. Finally, using an internal web proxy for users, and denying access to “uncategorized” web sites, is also effective at stopping malware.
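The answer above turns on one detail: the email looks legitimate, but the link it asks the user to open does not go where it appears to. The script below is an added example, not code from Mandiant or from the interview, showing how a mail gateway or analyst tooling can catch two common tells of a spear-phishing link: the visible text shows one host while the href points at another, and the href host embeds a trusted domain name inside an untrusted one. The message, the domain names and the `TRUSTED_DOMAINS` set are all constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for the example (not a real phish).
# The link text advertises an internal host, but the href points
# at a host that merely starts with the trusted domain name.
SAMPLE_EML = """From: "IT Helpdesk" <helpdesk@example-corp.com>
To: alice@example-corp.com
Subject: Action required: password expiry
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Please
<a href="http://example-corp.com.login-portal.example.net/reset">log in at https://intranet.example-corp.com</a>
to renew it.</p>
<p>Also review the <a href="https://files.example-corp.com/policy.pdf">attached policy</a>.</p>
</body></html>
"""

# Assumed set of domains the organisation actually owns (hypothetical).
TRUSTED_DOMAINS = {"example-corp.com"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def in_trusted(host, trusted):
    """True only if host equals a trusted domain or is a real subdomain of one.
    A suffix check with the leading dot is what defeats
    'example-corp.com.attacker.example.net' style lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyze_links(html, trusted):
    """Return a list of findings for every anchor in an HTML body."""
    findings = []
    for href, text in HREF_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        if not in_trusted(href_host, trusted):
            # Untrusted host that still contains a trusted name is the
            # classic lookalike; anything else is simply an external link.
            kind = "lookalike_host" if any(d in href_host for d in trusted) else "untrusted_host"
            findings.append({"kind": kind, "href": href, "host": href_host})
        shown = URL_IN_TEXT_RE.search(text)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host != href_host:
                # The user sees one address and is sent to another.
                findings.append({"kind": "display_mismatch", "href": href,
                                 "shown": shown_host, "host": href_host})
    return findings


def analyze_message(raw, trusted):
    """Parse an RFC 822 message and analyse every text/html part."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
    return analyze_links(html, trusted)


if __name__ == "__main__":
    for f in analyze_message(SAMPLE_EML, TRUSTED_DOMAINS):
        print(f)
```

On the constructed message the first link produces two findings (a lookalike host and a display/href mismatch) while the second, which really points at a subdomain of the trusted domain, produces none. The suffix check in `in_trusted` is the part worth copying: a plain substring match would have accepted the lookalike host.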
What tactics would you recommend for guarding a highly valuable trade secret, such as 10 years of R&D for a pharmaceutical drug?
Because I’m in the security business my recommendations would be far more draconian than most people’s. I would take all the research and make certain it was housed in a certain part of the server environment with good controls and segmentation that would disallow anyone from touching the data outside of that environment. I would use software such as Citrix Solutions, which requires two-factor identification for anyone who wants to interact with the data and only exposes data that is authorized for use. The important thing is to put the sensitive information in one location that ensures extremely limited access. However, many firms balk at this sort of solution and I have only implemented it at smaller organizations because it can be very frustrating for users. I find that companies that have already suffered a breach are more amenable to implementing stricter measures. Companies that haven’t often say “we will add that to our road map” but likely won’t get around to it. Honestly, I think it’s just an awareness issue. Five years ago, no one in the mainstream recognized this problem. This is slowly changing but the more aware we are, the better we can protect ourselves from these threats and the more willing companies will be to adopt measures to do so.
Many companies, brokers and insurers are focused on the privacy liability and class action lawsuits associated with cyber risk (which, granted, are major reasons for concern). What Mr. Heilman highlights here is often the biggest liability for businesses that own and depend upon their intellectual property assets. Theft of this property can be catastrophic, and this cyber risk exposure may only increase with the use of outside business partner systems, or third-party (cloud) infrastructure or apps. Moreover, studies such as Mandiant’s have shown that attackers still fall back on exploiting human error and tricking employees into helping them gain unauthorized access to private networks that might house IP. Comparatively low-tech attack methods like phishing can nevertheless pose a significant risk unless companies are properly educating their employees and anticipating this tactic.