Assume the Enemy is Already on Your Network and Look for Them
With little modification to their malicious code, Chinese hackers are back in business and U.S. companies need to assume this code is already on their IT networks.
As the information security industry is well aware, the cyber security company, Mandiant, published a paper in February detailing cyber-espionage involving the compromise and intellectual property theft of hundreds of U.S.-based companies.
Not only did the report disclose the origin of the attacks as originating from China, but actually pinpointed the Peoples Liberation Army (PLA), in detail, as the culprit. The Chinese government, with very careful wording, disputed these accusations.
Is there additional information supporting these claims of Chinese cyber-espionage on U.S. companies? As an organization that provides incident response services, our answer is, “Yes.”
When the Mandiant report was published on the heels of President Barack Obama’s executive order for “Improving Critical infrastructure Cybersecurity”,” incident responders applauded the disclosure of what was common knowledge in the incident response community.
This report brought to light to what incident response organizations have been reporting to their clients for years: China is infiltrating your computer networks for long durations of time and obtaining your valued intellectual property. The report also did a great job of simplifying the situation for the needed executive understanding from a business impact perspective.
Once the admiration of the needed disclosure was realized, the incident response community then became somewhat concerned. Over time, incident response organizations had developed successful tools and techniques for identifying this specific threat for our clients. Now that the adversary has been “ousted”, will they raise their game and change their methods making the identification more difficult?
The good news for incident response providers is that, according to the New York Times article, “the hackers now use the same malicious software they used to break into the same organizations in the past, only with minor modifications to the code.”
Why would these skilled hacking groups with such a valuable objective not do more to make their objectives more obscure? Because organizations were not successful in stopping them in the past and little modification is needed for their continued success.
While incident response organizations valued the indicators of compromise (IOC) signatures provided by the Mandiant report, only slight modifications are needed to make the detection of future compromises just as difficult to detect moving forward.
We have to ask why China is so successful in infiltrating our computer networks and stealing the intellectual property that makes our country superior.
The answer is simple: we are doing information security wrong.
Gartner reported that IT security spending in 2012 was $60 billion; half of this spending was the United States. We spend IT security budgets for building our high walls and wide moats to keep the adversaries out of our networks.
However a Verizon data breach report indicates that 72 percent of the time, our computer infrastructure is compromised within seconds or minutes. To bring insult to injury, the same report indicates that organizations are notified by a third party of a data breach 92 percent of the time.
So let’s get this straight – American based companies spend approximately $30 billion dollars a year in information security and we are compromised 72 percent of the time in seconds or minutes? In addition, we don’t detect it and have to be notified by a third party?
We must stop focusing our entire budgets, time, and energy on keeping the intruders out. We must shift some focus to looking for intruders that are already on our networks. Assume the adversaries are already on your network and start looking for them.