Defense Department Partners With Industry To Stem Staggering Cybertheft Losses

By Stew Magnuson
The amount of intellectual property hackers are stealing from U.S. companies and sending to China is said to be staggering. The private sector’s crown jewels are being moved off nominally secure networks and transmitted to the Asian nation every day: usually from 9 to 5 — Beijing time.

Defense contractors, large and small, are prime targets. Although these vendors own proprietary designs for equipment and software that are vital to the U.S. military, the Defense Department has no authority to force them to tighten up their network security or to report losses.

One small Defense Department program is seeking to help contractors by asking them to voluntarily report network intrusions.

About 36 companies and federally funded research and development centers are participating in the Defense Industrial Base Cybersecurity and Info Assurance Program, which collects and analyzes data on attacks on individual companies, then pushes reports out to the other participants.

Steven D. Shirley, executive director of the Department of Defense Cyber Crime Center in Linthicum, Md., said he is looking to expand the program to any defense contractor willing to participate.

“For companies, the intellectual property that is at the heart of their success as a business resides not in file cabinets today, it resides in their networks,” Shirley told National Defense.

Cyberspies are looking for trade secrets: “The stuff that makes Acme company Acme company and enables it to compete in the marketplace,” Shirley added.

Army Gen. Keith Alexander, commander of U.S. Cyber Command, said the exfiltration of data from U.S. companies continues on a massive scale. It is the “greatest raid on intellectual property” in history, he said at the Maneuvering in Cyberspace conference in Linthicum, Md. One company he did not name had lost $1 billion in technology it had taken more than 20 years to develop, he said.

Lockheed Martin and Booz Allen Hamilton announced that they were infiltrated this year, but the only reason they could do so is “because they are good.” They have the ability to detect intrusions. The bad companies, of which there are hundreds of times more than those two examples, have no idea that they have been compromised, Alexander said.

Two reports released recently illustrate how far-reaching hackers have become.

Computer security firm McAfee examined the logs of an infected server to determine who the victims were, and how long the intrusions lasted before the operation was detected. It found 30 different industries on the list. Many were indeed military contractors and information technology companies, but the list revealed a U.S. real estate firm that had its data laid bare for eight months, a U.S. agricultural trade organization for three months, a U.S. natural gas wholesaler for seven months, a German accounting firm for 20 months and a U.S. insurance association for three months.

“The primary lesson is … that small, large — whatever your industry is — you’re being targeted if you have something valuable, and it is something someone else in another country may be interested in,” Dmitri Alperovitch, vice president of threat research at McAfee, said in an interview.

Symantec, another computer security firm, released a report, “The Nitro Attacks: Stealing Secrets from the Chemical Industry,” which detailed targeted intrusions against U.S. firms. Among the victims were companies that develop advanced materials primarily for military vehicles.

The investigators, Eric Chien and Gavin O’Gorman, traced the intrusions to a Chinese hacker and managed to contact him. “Covert Grove,” as they called him, used a readily available Trojan horse called PoisonIvy, and composed two kinds of emails. One was an invitation appearing to be from a real business associate that asked the victim to click a link to confirm a proposed meeting. The other was an email purporting to be a security update. That one, which was published in the report, was written in perfect English.

Covert Grove’s tactics were successful. He managed to penetrate 29 companies between July and September in the chemical sector and another 19, primarily in the defense sector, according to the report.

The Symantec investigators were unable to determine whether Covert Grove acted alone. They did note that “the purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage.”

Military and other U.S. officials studiously avoid laying the blame for the massive number of intrusions on China, and the government there routinely denies involvement. Security experts in the private sector aren’t as diplomatic.

“We can say very confidently that every piece of activity that we observe in these kinds of persistent target threats is correlated to the business activity of China. That may be the business activity of government. That may be the business activity of commerce. It kind of doesn’t matter,” Michael Graven, a director at the network security firm Mandiant, said at the conference.

Winning the cyber-espionage game no longer means preventing the attack, he said. The attempts to infiltrate a company will be relentless and it only takes one person to slip up and inadvertently download malware.

“Winning in the world we live in today is being able to detect the attacker,” he said.

Firms need to make the hackers work harder and make themselves better at detecting what the spies are trying to accomplish, Graven said.

The Defense Department’s Cyber Crime Center — when receiving a report from one of the program’s participants — first does a triage on the intrusion and pushes out a quick report to the victim. The center’s forensics lab has been investigating malware since 1998 and has a significant amount of data to draw upon.

“If a company gets hit today, it may be something that another company got hit with three years ago. We do those correlations,” said Jeffery Stutzman, director of the program. After further analysis, threat activity reports are generated. One is classified and sent out on a stand-alone, secure network. A second unclassified version is more widely distributed to participants and tells them what preventative measures can be put in place to ward off similar attempted intrusions.

A third report goes to the targeted company or research center and lets it know what exactly the hacker was trying to steal. It can then take steps to safeguard the intellectual property. If the forensics lab can do so, it also lets the participants know who exactly is trying to steal their information.

The center scrubs all the reports to ensure that the target’s identity and trade secrets are protected. It also does not reveal the names of the companies and research centers that have agreed to participate.

Shirley said the center has the capacity to expand the program beyond the three dozen or so participants. It is awaiting approval from the Defense Department to do so, and the publication of a rule in the federal register.

“The more data and inputs we have will allow us to do a richer and deeper contextual analysis for the partners who will participate,” Shirley said.

Timothy McNight, vice president of Northrop Grumman’s cyber intelligence division, said his company gathers its own intelligence on those who are trying to steal its intellectual property. The group focuses on developing threat models, understanding attacks, what might be coming down the road, and what information hackers are targeting in the classified and unclassified realms, he said at the conference.

Northrop Grumman has identified 12 organizations it calls the “dirty dozen” that routinely try to steal its data. At least half of them know the identities of the company’s top network administrators.

“They are targeted at home. They are targeted at work, year after year. I suspect the adversaries know everything they have to know about them,” McNight said.

The division in turn makes its own profiles of the hackers, including their tactics, techniques and procedures.

“We do a lot of collection on those 12 groups that are coming at us,” he said. That includes technical evaluations, browsers they are using, language settings, plug-ins, encryption modules, malware, and how they create the codes they are using.

“It’s an analyst’s dream,” McNight said of the work.

The group also routinely sends fake spam emails to Northrop Grumman employees in an effort to see if network security training is taking hold. Several years ago, about 60 percent of the company’s executives would have clicked on a link in an email that would lead to malware being downloaded. Now, that’s down to about 30 percent, McNight said.

“The network at some level is always compromised in some respect,” he added.

Graven said hackers target “people” not information. Ultimately, it is an employee that clicks on a fake email. “The problem lies between the chair and the keyboard,” is the often heard quip in network security circles.

McNight is a proponent of letting the hackers roam in a network in order to gather intelligence on them.

While not naming them specifically, Graven was critical of rival firms such as Symantec and McAfee releasing reports on network intrusions. That only tells the spies that they have been compromised, and they go away, possibly to intrude later undetected. It is better to see what they are doing and gather intelligence on them than to tip them off, he said.

Indeed, traditional spycraft techniques often translate into the cyber-espionage world.

“Honeypots,” such as the alleged World War I German spy Mata Hari, traded on their sexual wiles to gather secrets. Today, honeypots are fake networks used to lure in hackers.

“Misinformation” was also used effectively in wars to trick adversaries. Similarly, letting hackers steal corrupt or incorrect data is another possibility.

Graven is generally critical of such efforts in the private sector. It takes time and resources to set up honeypots, and they could be better spent on bolstering network security. As for misinformation, his experience is that it takes anywhere from one to three days for the data to be analyzed in China. Once the perpetrator realizes that he has been given incorrect information, he knows that his operation has been compromised.

The alternative is for a company to completely scrub its network of all malware, Graven said. That is a very expensive and time-consuming proposition akin to “cutting off the hand of a company.” It could take days to eliminate corrupted software and to change every password, he said. Trying to extinguish successful intrusions as soon as they happen is also hard to pull off, he said. It has to be done in minutes, not hours.

McNight agreed: “Do we want to play whack-a-mole on the network? … I’m a big believer to an extent … of allowing the bad guys and adversaries to operate and give us more intel so we can better target the enterprise.”

Not all Defense Department vendors have the resources of large companies such as Northrop Grumman. Most participating in the Cyber Crime Center program are the larger integrators, Shirley said. When the program expands, other firms will be welcomed. Meanwhile, these smaller Defense Department contractors should talk to primes, peers and others in order to get insights into best practices, he said.

“Companies and their networks operate in a pretty predatory environment,” he said.

A little prevention goes a long way, especially as far as training employees, he added. Changing passwords, patch discipline, anti-virus programs, and understanding the devices that are attached to the network are the basic “blocking and tackling” of the security world.

Graven said: “Prevent what you can. Detect what you cannot and respond to what you didn’t detect.”

“When all your email is being piped out the back door on a regular basis — 9 to 5, five days a week, Asian time — that’s when you know you have a persistent problem,” he added.
