John Hilvert, with additional reporting by Gregor Ferguson | Sydney and Canberra
Raytheon’s Jeff Snyder explained the significance of the US’s Comprehensive National Cybersecurity Initiative (CNCI), announced recently by President Obama: it is one of three factors driving the growth of a market for cyber capabilities. The others are DARPA’s recent doubling, to US$500 million a year, of its cyber research budget, and the general growth in cyber-related training together with (possibly a causal factor) a growing incidence of intrusion detection.
These factors, and especially the CNCI, are driving demand for skills, capabilities and services that industry must provide, and he echoed calls for more trained and experienced cyber warriors.
The CNCI’s three main goals focus US investment in skills, expertise and, crucially, capacity. They also serve as a template for coalition (including Australian) organisations and private sector firms:
Allan Carey, a director at RSA NetWitness, discussed a range of US case studies, exploring how companies and agencies failed to prevent a cyber attack or intrusion. His presentation classified a range of well-known attacks on two scales: their complexity, from simple to innovative, and the damage inflicted, from low impact to high.
For example, he rated the Stuxnet attack on Siemens machine controllers as very high impact and very innovative, whereas the hacking of Sarah Palin’s email involved simply gaming a password-reminder question with publicly available information, and had only a slight impact on Ms Palin’s reputation at the time.
Carey stressed that a simple attack technique did not mean the attack was easily detected or caused little harm, citing LulzSec’s substantial attack on Sony, which saw the public release of nearly 140,000 records through a single SQL injection flaw in a promotional page for its movie Ghostbusters.
Just because you are not seeing anything wrong does not mean you are not under attack, he warned.
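The Sony case above turned on one query that trusted user input. As an added illustration (not code from the presentation or from Sony), the following Python snippet builds a constructed in-memory SQLite table and shows the defective pattern beside the parameterised one: the same tautology input returns every row from the first and nothing from the second, because a bound parameter can only ever be data, never SQL.

```python
import sqlite3

# Constructed user store standing in for a promotional site's database.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users (email, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Defective pattern: the input is spliced into the SQL text, so a crafted
    value can change the structure of the query rather than just its data."""
    sql = "SELECT id, email, name FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: the query text is fixed; the driver binds the value
    as a literal, so quotes inside it cannot terminate the string."""
    sql = "SELECT id, email, name FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed test input: closes the quoted literal and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, TAUTOLOGY)))      # every row comes back
    print(len(lookup_parameterised(db, TAUTOLOGY)))   # no row has that literal email
```

The point for defenders is that the fix is structural, not a filter: no amount of scanning the page for suspicious characters is as reliable as never letting input become query text.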
He stressed the importance of the agility to respond to any incident, the situational awareness needed to identify and combat any threat, and the capability to identify and analyse the cause and extent of any harmful event. He echoed a warning from Graham Ingram that the game favours the bad guys, who have a clear business or strategic incentive to do harm or to conduct covert espionage.
Some 54 per cent of breaches involved customised malware; 87 per cent of stolen records were the result of highly sophisticated attacks; and 91 per cent of US organisations believe malicious exploits were bypassing their intrusion detection and anti-virus systems. Collectively, US organisations have spent billions of dollars on security solutions but still cannot curb these threats, he said.
Carey argued there was a need to reassess received wisdom and to consider far more complex questions such as:
Carey proposes a more active approach to managing these threats, which he dubs “offense (sic) in depth”. The aim is to identify system intrusions more rapidly, collapsing the free time an attacker has to cover its tracks.
This implies round-the-clock tracking of networks, drawing on what he terms the science of network forensics, and equipping security teams to treat network traffic as conversations rather than as individual packets or groups of IP addresses.
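To make the “conversations, not packets” idea concrete, here is an added Python example (not code from the presentation or from RSA NetWitness). It folds a constructed list of packet records into bidirectional conversations keyed on the ordered pair of endpoints, tracks bytes in each direction relative to an assumed internal address range (10.0.0.0/8 here), and flags conversations whose outbound volume dwarfs the inbound, the shape a bulk transfer of compressed files out of the network would take. The thresholds are assumptions chosen for the sample data.

```python
from ipaddress import ip_address, ip_network

# Assumed internal address space; a real deployment would use its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed packet records: (timestamp, src_ip, dst_ip, src_port, dst_port, bytes).
PACKETS = [
    (100, "10.1.1.5", "203.0.113.7", 51000, 443, 500),          # ordinary browsing:
    (101, "203.0.113.7", "10.1.1.5", 443, 51000, 42000),        # small out, large in
    (102, "10.1.1.5", "203.0.113.7", 51000, 443, 300),
    (200, "10.1.1.9", "198.51.100.4", 52000, 443, 900_000),     # sustained outbound push
    (230, "198.51.100.4", "10.1.1.9", 443, 52000, 400),         # with almost nothing coming back
    (260, "10.1.1.9", "198.51.100.4", 52000, 443, 1_100_000),
    (290, "10.1.1.9", "198.51.100.4", 52000, 443, 950_000),
    (300, "10.1.1.5", "10.1.1.20", 53000, 445, 70000),          # internal to internal:
    (301, "10.1.1.20", "10.1.1.5", 445, 53000, 70000),          # never counted as outbound
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def conversation_key(src_ip, dst_ip, sport, dport):
    """Order the two endpoints so both directions map to one conversation."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (a, b) if a <= b else (b, a)


def build_conversations(packets):
    """Group packets into conversations with timing and per-direction byte counts."""
    convs = {}
    for ts, src, dst, sport, dport, size in sorted(packets):
        key = conversation_key(src, dst, sport, dport)
        c = convs.setdefault(
            key, {"start": ts, "end": ts, "packets": 0, "bytes_out": 0, "bytes_in": 0}
        )
        c["end"] = ts
        c["packets"] += 1
        # "out" is traffic leaving the internal range; "in" is traffic entering it.
        if is_internal(src) and not is_internal(dst):
            c["bytes_out"] += size
        elif is_internal(dst) and not is_internal(src):
            c["bytes_in"] += size
    return convs


def flag_outbound_heavy(convs, min_bytes_out=1_000_000, min_ratio=10.0):
    """Return keys of conversations that push far more data out than they receive."""
    return [
        key
        for key, c in convs.items()
        if c["bytes_out"] >= min_bytes_out
        and c["bytes_out"] >= min_ratio * max(c["bytes_in"], 1)
    ]


if __name__ == "__main__":
    conversations = build_conversations(PACKETS)
    for key in flag_outbound_heavy(conversations):
        c = conversations[key]
        print(key, c["bytes_out"], "bytes out over", c["end"] - c["start"], "seconds")
```

Viewed packet by packet, each of the three large outbound records could pass as a normal upload; viewed as one conversation with a 90-second duration and an out/in ratio in the thousands, it stands out immediately, which is the analytical gain the presentation is pointing at.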
He reports that with an advanced persistent threat, adversaries are often well entrenched in the system and have been there for some time. They have a range of techniques to control and overcome many standard tools, and may already have hidden commands scheduled to execute on individual Windows machines. They keep text files listing target files, and can compress batches of targeted files from the network and send them out over various communication pathways.
Their targeted phishing attacks often use bogus mailboxes created on the agency’s own mail system. They may disguise their operations by placing their rogue command-and-control systems within less sensitive automated control networks, such as those for heating, ventilation and air conditioning (HVAC), rather than on the more obvious file servers that regularly run anti-malware or intrusion detection systems. Moreover, their drop locations are in the US rather than in the more suspect China or Belarus.
He concludes that current security diagrams are “completely broken.” It is best to assume that your organisation is already compromised to some extent and to act accordingly. The real objective should be to get the best intelligence through more regular and comprehensive monitoring of the critical security controls, combined with developing a narrative of how, where, why and when the security was compromised, and focusing hard on improving response times.