IT Security: Assume You're CompromisedPracticing Network Resiliency
"Instead of assuming that we can prevent attacks, we focus very carefully on how we ... maintain a steady state assuming that we could be attacked if somebody wants something from our network," says Phyllis Schneck, chief technology officer for the public sector at security provider McAfee.
Organizations are placing more emphasis on network resiliency. They need to be prepared 24/7 for when the next attack comes, and organizations need to assume they are compromised. "And most companies and agencies in the world that argue, already have been compromised," Scheck says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
In the edited interview, Schneck also discusses:
- A McAfee analysis of a March distributed denial of service attack against 40 South Korean websites, and explains why that matters to government and business information security managers in the United States.
- The forensics used to help analyze security breaches.
- Mistakes made by hackers.
Last fall, in another interview (see Linking Machines, Humans to Secure IT), Schneck addressed how human brainpower and ingenuity will play a role in the evolution of technology to secure IT in the future.
Before being named CTO/public sector at McAfee, Schneck was the company's vice president of threat intelligence. Schneck served as a commissioner and working group co-chair for the Commission on Cybersecurity for the 44th Presidency and for eight years as chair of the National Board of Directors of the FBI's InfraGard program.
Schneck holds three patents in high-performance and adaptive information security, and has six research publications in the areas of information security, real-time systems, telecom and software engineering. Before joining McAfee, she served as vice president of research integration at Secure Computing. Schneck holds a Ph.D. in computer science from Georgia Tech, where she pioneered the field of information security and security-based high-performance computing.
Cyberattacks in South Korea and the U.S.ERIC CHABROW: A distributed denial of service attack in March against 40 sites affiliated with the South Korean government had similar characteristics to the 2009 Independence Day cyberattack against the U.S. federal government. Before we get into the lessons an IT security manager should take from these attacks, please take a few moments to remind us about them and how and why they differed from one another.
PHYLLIS SCHNECK: I think what we're looking at is a couple of things. There's a different landscape on the policy side and there's a different landscape on the technology side today. On the policy side in the past couple of years we've focused a lot of attention now on network resiliency. Instead of assuming that we can prevent attacks, we focus very carefully on how we maintain running and maintain a steady state assuming that we could be attacked if somebody wants something from our network, wants to take us down or wants to pull property. The other big difference in the past couple of years is that we've seen some targeted threats from other nations exfiltrate intellectual property and cause other damage across the world, from any country to any country, to any kinds of systems. The key difference in my mind between now and then is not so much the anatomy of an attack but it's more of what is the landscape. And a botnet to me right now is somewhat less serious in the threat spectrum than it might have been perceived in 2009.
CHABROW: Did it seem that the South Korean attacks were masking other types of intrusions?
SCHNECK: It's hard to identify. Just like attribution is hard, it's hard to say what's masking what. But often we see in our data that these large-scaled bot attacks do cause noise in the network. It does tend to hide the smaller footprint but much more targeted egregious threats.
CHABROW: Do we have any idea who initiated these attacks?
SCHNECK: I can't provide attribution on this call so again what's in the data is in the data. But this kind of thing is much more carefully studied as a symptom of what is happening now from many countries and targeting many countries and enterprises. Today we're seeing attacks used to pull information out or to cause damage to physical systems much more than we saw just a few years ago, in which case it was just to create noise. It's gone from network vandalism or disruption if you will, to actually causing something to happen or causing the attacker to get information that they shouldn't have, creating an outcome.
I will add though when you use a botnet, really the motivation there is to prevent your target from being able to do business or run. A botnet is very much about many, many devices attacking you with traffic and you can cause a backlog either in the pipes, in the bandwidth or you can actually cause a backlog at the end where the machines can't handle all the traffic that's coming to it. But either way, the word distributed denial-of-service means just that - distributed. You can have tens of thousands of machines pouring traffic at a much smaller source. Imagine all that converging. The idea there is either to cause noise or disruption, to send a message like we saw a few years ago in Estonia. Those attacks are typically not the very egregious, surgical, well-reasoned, often nicely hidden attacks that have been used to exfiltrate intellectual property or, in the case of Stuxnet, to show that damage to a physical site could actually be caused.
Cryptographic AlgorithmsCHABROW: The analysis is the South Korean attack employed different cryptographic algorithms than used in the 2009 incident, such as terror analysis. How so? And what was the end result of that?
SCHNECK: That's an analysis tactic that's often used to figure out where the attack came from, and there are two reasons that we would look at that. One is to better protect customers. If you could understand the source ... of an actual event you can better protect them because you can understand what to look for and even reach out to individual customers within even a certain sector or certain geography and say we've been seeing this happen to others that are like you so watch for this.
Another way you can look at those algorithms is first of all who has that technology and secondly are we seeing the same patterns. We can look at things like crypto or even the same language choice, for example, that web browsers might have been set to. A lot of this is forensic symptoms, almost like you collect evidence at a crime site and you might find and liken that evidence to a crime site you saw a couple of weeks ago and track it to the same potential criminals. That's very much the analysis of these here.
Hacker MistakesCHABROW: The analysis also said there were interesting mistakes made by the actors involved. Can you explain that?
SCHNECK: At a high level there's that old saying that crooks are stupid. You remember the old TV ads or the comedy acts where they would talk about crooks that left too much behind in their tracks; or they did it right in front of a video camera; or they tried to rob a policeman. Many times with these attacks they will leave a lot of evidence behind them and whether inadvertently or not it lets us know who they are. In some cases maybe because they wanted us to know who they are and in other cases it was just a mistake in execution. But either way they've caused an event, they've pulled back information and at the very least they have gone to the fundamental that we've talked about before. They have enabled another system that they don't own to execute their will or an obstruction on that system and therefore allowed them to cause an action on a system that they don't own.
CHABROW: So did the latest attack have these kinds of mistakes?
SCHNECK: When they leave evidence behind for us to find, that's a mistake.
CHABROW: And you're saying that they did leave evidence behind?
SCHNECK: I'm not going to comment beyond the report.
Takeaway for Infosec ProfessionalsCHABROW: Why should an information security officer at a government agency, bank or a hospital care about this South Korean attack?
SCHNECK: There are a number of reasons we all need to care about the many things that go across the Internet. First and foremost, when you're an officer of an enterprise where you're holding people's money, or you're a large part of the infrastructure or a large piece of government operations, your inability to execute your mission can cause harm to others, whether economic at a high-end or destruction all the way to the low-end of the spectrum from inconvenience and because of our ... dependency you want to be certain that those networks are able to run and be resilient.
An attack like this says a couple of things. One, it says bots are alive and well and there are people out there that are still enjoying the idea that they can be targeted at a certain sector or a certain group on a certain day of the year that seems to be a desirable day for the attackers to do this. If you're a security officer, you want to be watching for that. You want to have things like equipment that's tied to a cyber-immune system. For example, we've talked about McAfee's equipment in our global threat intelligence and these bots. Imagine looking at the entire weather map and seeing hot air, and all of the sudden being under cold air. You know when a storm is going to form and you can put a big, red storm watch box around an entire part of the country or the world where you're seeing that. But you also want to be able to take that notion of risk and look at the time of the year, the political atmosphere and understand that atmosphere and be able to take that risk and portray that to the executive side or the financial side that really looks at the corporate risk or the agency risk and elevate the notion of cyber risk to a corporate risk, even in an agency, so that you can get more buy-in to investments in protecting that.
Any attack is another clue as to what's out there and every network needs to be ready to run whether you're under attack or not. We have to be resilient. Just like we have run-flat tires on certain cars, and airplanes that can run on some fraction of the engines with which they're manufactured, our networks need to be able to run well under attack because this is not going away. And most companies and agencies in the world that argue, already have been compromised.