Operation Aurora & Zeus – A wake up call?

February 20, 2010

How can Malicious Code Hide in Plain Sight in the year 2010?

I have been intentionally holding back on addressing the recent cyber breaches (Google China, etc.) in order to allow the situation to fully unfold. Also, I have been near the front lines on some of this with customers and partners, and therefore have been fairly busy.

The temptation for any blog author who has a product that can address some or all of the problems/symptoms is to write a self-serving blog to endorse THEIR products as the holy grail for these issues. I will resist that temptation here.

Rather, let me take the higher ground – again. We are in a world of hurt when, in this day and age where we clearly have the technologies to mitigate much of this risk, we are not applying and implementing the available technologies. One has to wonder why….

Here is the stark reality. Much like our mindset pre-September 11, 2001 – we are of the mistaken belief that we are in a symmetrical battle with a distinct perimeter/battle line, bad actor clearly identified, with some degree of residual respect for the sovereignty of nations. On September 11, 2001 we learned the hard way that it is NOT business as usual. The world has changed and there is no going back.

We now know that in the physical world, our adversaries are leveraging ASYMMETRICAL advantages. The perimeter is porous. The adversary is within and without. It is more than nation states that we must defend against. Fanatical individuals and small groups have shown that they are capable of exerting immense influence and damage. Thomas Freidman does a great job of illuminating these new threats in his book Longitude and Attitudes: Exploring the World after Sept 11.

Our continuing SYMMETRICAL mindset with regard cyber risk simply will not cut it. I believe we are repeating the mistakes of the physical threat environment with our cyber mindset, creating the same, or even greater, exposure to damage and loss that we faced on September 11, 2001.

Operation Aurora (thank you McAfee) and the emerging Zeus issue (thank you NetWitness) is a clear wakeup call. Are we going to press the snooze button and go back to sleep? Or are will we say, “whew, dodged that one” and go back to business as usual?

I sincerely hope not.

Here are some of the lessons we need to learn (again):

  • Cyber Security and Assurance methods cannot assume that there is a defined perimeter that we can effectively defend.
  • Bad Actors have the advantage in so many areas. They can be anywhere, are not clearly identifiable, and have the luxury of time.
  • The stakes have never been higher. This is about corporate intellectual property and national interests (including physical and economic security). This is a war in which Cyber Security is just one critical component.
  • We cannot assume our adversaries are dumb, or that we are so smart that we can stay ahead of them with our “old” tools and technologies.
  • The problem is more than just an “outside in” issue. Some believe that If we just create taller walls, or deeper moats we’ll be ok. Wrong.

Consider this when assessing this current situation:

  • We are learning that Operation Aurora and the Google China issue were just the tip of the iceberg.
  • At least 2,500 companies and government agencies have been compromised.
  • At least 75,000 computers were (many likely still are) armed with a control botnets.
  • Our adversaries have clearly penetrated our defenses and have been comfortably hanging out IN OUR CYBER HOUSES eating from our CYBER REFRIGERATORS for 18 months in some cases. And they are likely STILL in our house. And they made copies of our house keys so they know how to get BACK IN.
  • They have had the luxury of being able to spy on us from the inside out. To observe our documents AND our behavior.
  • There is NO WAY to determine what they took, looked at, or what they have learned while squatting in our cyber houses. We will NEVER know the full extent or breadth of our loss.

How did this happen? (the simple technical primer):

  • They exploited one or more software flaws to penetrate and gain control of the systems and domains (the penetration).
  • Once in, they could hang out largely undetected in order to look at things, take things, and to create control mechanisms and backdoors (with botnets and other mechanisms).

How did this happen? (the simple social primer):

  • We were naive and underestimated our adversaries.
  • We relied on old tools and had (have!) a symmetrical mindset.

Net-net: We had a false sense of cyber security.

What do we do now?

We must learn from this. We must be able to at least detect (if not stop) these zero day threats and develop/use more effective Advanced Persistent Threat (APT) detection methods. Without revealing protected projects, SignaCert is working in cooperation with other entities on APT methods utilizing our configuration image management and whitelist capabilities.

But here is the biggest issue in my opinion:

We must be able to *actively detect* when and what has been compromised in our systems more rapidly. The fact is that we largely “stumbled” into the discovery of Aurora and Zeus.

We MUST be able to continuously monitor whether the “good and deployed” software environment is STILL good. Precise modeling of the state of system components used to create the IT infrastructure is necessary so that ANY change can be detected. Think of this as a very sensitive “motion detector” that is watching everything from “power on to cursor move”. Only prescriptive and approved changes are allowed in this environment. Advanced methods to minimize false alarms (false positive and negative detections) are crucial.

Let’s face it: Precision and continuous IT device change detection is no longer a NICE TO HAVE in this challenging IT world. It is a MUST HAVE. Coupling software supply chain integrity to these advanced methods creates even stronger intrinsic and closed-loop trust attestation.

Methods to address these challenges are available now, and must be deployed if we are going to stand a chance of keeping up with the army of bad actors (trying to wreak havoc) as well as the good actors that make mistakes (that can inadvertently wreak havoc).

We must wake up NOW, and address this risk. While it’s late, it is not too late. In the future I hope we look back at these recent incidents as “near misses” and that we take real action before we collide head on with our complacency.