Targeted attack: Spear phishing for intelligence
In early February, James R. Clapper, the U.S. director of national intelligence, told the House Select Intelligence Committee that threats to U.S.-based computer networks are one of the country’s most pressing security problems. The U.S., he said, is losing almost $300 billion annually to cyber-based corporate espionage while responding to a daily barrage of attacks against public systems responsible for everything from military to financial and critical infrastructure. In an environment where new technologies are often introduced before effective security can be established, he urged Congress to pass legislation that would force intelligence sharing between the government and the private sector.
Canada has seen its share of attacks on government systems over the past 18 months. Dean Turner, director of Symantec’s Global Intelligence Network and co-author of the company’s Internet Security Threat Report, spoke with Vanguard about the changing nature and challenge of cyber threats.
Start with the cyber threat landscape: How would you characterize it today?
Seven years ago we talked about network-aware worms, mass mailers – the Nimdas, the Code Reds, the Slammers – big pieces of malware that would indiscriminately run through large swaths of IP space around the globe. Then we started to see more targeted types of threats. It was less about big pieces of malware that would scoop up everybody – the drift net approach to phishing for victims – and more like line phishing. Now we are seeing, for lack of a better word, spear phishing. We are seeing threats that maybe only five people will ever see. We have seen a massive increase in the volume of malicious code and threats, but in a sense it is highly unique. From a government and defence standpoint, we are likely to see things that are targeted to a specific government department or branch of the services. And that, in a way, has forced us to evaluate the way we look at things.
Is identification and targeting of individual executives in government defence and security agencies now widespread?
Absolutely. But it’s directly correlated to the value of the target and the value the attacker places on the information they are going after. The more classified or sensitive a piece of information, the smaller the pool of individuals to target, which means you have to do more homework and gather more intelligence about that particular environment and those individuals. With Stuxnet, we don’t know the individuals involved or how it took place; all we know is the net result. But we can make certain assumptions based on the type of facility and the type of technology that was targeted. The same goes for the Nitro attacks. Because they were targeting the manufacturers of certain types of chemicals and armour, they had to know certain details about those companies. They sent out spreadsheets and those types of things – and that’s all it takes to get someone to click on what they think is a harmless attachment from somebody in the organization they trust.
The effort is more sophisticated but the approach is not.
Never underestimate the ability to social engineer your way into a situation. Fairly low-tech techniques are still a big component of this. Much of what we associate with this – keystroke loggers and data theft – is usually Trojan horses. Trojans, unlike viruses and worms, cannot propagate on their own; they require some form of user interaction. What has changed is the level of sophistication behind these social engineering attempts. So malware threats from a code perspective, and even a process and operational perspective, are incredibly sophisticated; it’s the “I got this from a colleague, please open” approach.
If you need an individual to open the door and let you in, that suggests security is less about your firewalls and more about employee education.
It’s interesting you should say that. For at least 10 years, we’ve said we had to have lots of intrusion detection systems and firewalls and we had to protect the perimeter. That hasn’t changed in terms of best practices. But the perimeter has changed. It used to be the four walls of the organization, the location of the servers. Now your perimeter is your employees, and your employees go in and out of that secure environment. Individuals should not be working on classified material in their homes, but human nature being what it is, people are prone to make mistakes, and in highly classified environments or government departments, all it takes is one little mistake. Education sounds like a relatively simple thing – if we just tell people what the issues are then we can solve the problem – but we’ve been talking about what the issues are for 10 years.
Part of the challenge is that policies need to flow from the top down. We look at things and design our policies from the bottom up. But if policy is not enforced from the top down, whether from key senior departmental or military folks, it’s pretty difficult to get everybody to buy in.
After so many years of repeating the message, is it not sinking in, especially for individuals in defence and security environments?
When you are dealing with thousands of documents or hundreds of emails a day, it doesn’t have to be that sophisticated. It can be a simple case of volume, letting your guard down in one moment. The attacker only has to find one entry point, and usually the path of least resistance is an individual. We’ve gotten pretty good over the years at hardening our environment. But when you start blurring the lines between private lives and work lives, blurring the technology between work and home with a growing emphasis on a mobile workforce, you increase the number of entry points into your network. That’s difficult to manage.
As an industry we spend a lot of time and effort trying to do more with less, especially in the malware field. We try to develop generic signatures that will be able to detect 500 threats. We have to come up with new ways to respond. It sounds cliché, but there are no silver bullet solutions. We have to accept that there is a certain amount of inherent risk in everything we do. The truth is, not all information is worth protecting. Our default position is always to protect it all, and that’s a losing battle, I’m afraid.
Does that mean rethinking the value of information and how it is shared?
I think so. Value is contextual. One guy’s classified is another guy’s sensitive but not classified. But even if you can’t come to an agreement on what is sensitive, the fact that you have gone through the exercise of understanding your data and how it is accessed, you can then start talking about putting the appropriate security solutions in the appropriate places.
Is cloud computing going to force the matter?
Attackers love cloud computing. If an attack comes from site X, it’s one thing to be able to block access to site X. But what if the attacker’s site is housed on a larger cloud service provider? Are you going to block access to the whole thing? Talk about your needles in a pile of needles in a big giant global haystack.
We are very eager to adopt technologies that allow us to do more in less time. But we tend to get them out there and then see what the problems are – security is an afterthought. I think that is starting to change, certainly in the military space, and more attention is being paid to that in the government space, especially when you consider specific instances this past year in the Canadian federal government. Sometimes people don’t buy insurance until after the house burns down. Let’s be honest, security is difficult. It’s tough to understand. I think from an education standpoint we need to do a little better and part of it is demystifying security.
Government agencies from DND to the RCMP are currently defining their cyber roles. From your standpoint, are there gaps they need to be addressing?
Yes, but I don’t think the gaps are unique to those particular organizations. They are common across all organizations. Again, it’s the identification of assets: what are the crown jewels? Who has access to data, when and how? Those three things are huge. And that gap exists in many organizations. In today’s economic environment, where nobody has unlimited IT security budgets, those three things are even more critical, because then you can refine what you are watching.
Another significant gap I see: organizations like CSE or Leitrim have responsibility for not only DND but also other areas of the federal government. However, there are huge sections that they are not responsible for. So when you have limited budgets, do you have interagency cooperation? Is everybody talking to each other? Are you sharing information about specific threats? I don’t think that happens nearly as much as it should. Often, information in a government or military sense gets compartmentalized and classified, and then cannot be shared.
Timeliness is everything when we are talking about attacks. So when you overburden the system with process, by the time you figure out a response it is too late. Which is why we need to be able to work together, not just within services in the military or between government departments, but between the government and the military and the private sector. How do we share information in a timely manner? That is one of the huge issues we’ve been faced with for a number of years now. For the most part, information travels one way, from the private sector into government, but it doesn’t come back the other way.
Espionage is obviously top of mind in Canadian military circles these days. Do we have a better sense of where these attacks are coming from?
There is more finger pointing than there has ever been before. You can find bogeymen anywhere you look. There is a tendency to point at a particular nation state and say it is responsible for the majority of cyber attacks. It would be disingenuous to suggest that nation states don’t engage in that type of activity, but I don’t think there is anything new there. All that has changed is the tools. In some instances, information is now easier to get at and the damage done in the short term is much higher. But the reasons why have not changed. I don’t think it has necessarily brought new state actors into play, but the advances in technology have certainly opened this to a wider group of players – non-nation state actors and the Anonymous of the world – who can theoretically launch a successful attack against you. There have been numerous reports where various U.S. government officials have accused China of launching attacks against government systems both in Canada and the United States. But I don’t think that’s all that much different than at any point in history. In the classic le Carré spy novel sense, instead of turning a person into an asset – the military attaché or the admin assistant at an embassy – to get information, you just use that person to access their computer. The asset now is the computer as opposed to the individual.
How do executives avoid becoming victims?
They have to ask the question: how do I handle what I think is sensitive information within this company, department or branch of the service? Taking necessary precautions, using encryption, virtual private networks, all of that stuff. All of that should be hammered home on a daily basis. Unfortunately, this is often a very closed community, so wider awareness is not where it needs to be. It’s not science fiction anymore; it’s real. That’s a challenge we face as an industry. People don’t want to accept the fact that it is as bad as it really is.