Companies Rush to Tailor Products to New Cyber-Attacks

By Eric Beidel

The cybersecurity marketplace is flooded with products that tout the ability to keep networks and computers safe from intruders.

They often come bearing watchful monikers that include words like eye, witness, guard and shield. But industry isn’t just throwing products out there blindly. The marketplace’s growth is the direct result of threats from Chinese and activist hackers, as well as a global shift to mobile computing, experts said.

Every new hack prompts the creation of a new defense mechanism. And the growing persistence and sophistication of attacks are even forcing industry to look beyond traditional defense.

“It’s the dawn of private industry’s capability to start doing offense,” Carl Herberger, vice president of security solutions at Radware, told an industry conference hosted by the Institute for Defense and Government Advancement.

Radware has been battling “hacktivists” typified by the group Anonymous, a loose collection of hackers who have taken down websites and computer assets belonging to companies and organizations with which they have an ideological beef.

High-profile clients have come to Radware within hours of being attacked. When the group brought down Indian government sites, officials contacted the company to restore its systems. The Vatican also came calling while being attacked by Anonymous every day at two in the afternoon for months. The company deployed its “all-in-one” DefensePro tool, which includes an intrusion prevention system, network behavioral analysis, denial-of-service protection and an engine to fight against Trojan infections and phishing attempts.

Anonymous largely automated these attacks, but the hackers also threw in surprises here and there, so experts had to stay on their toes, Herberger said.

“The tool can’t handle everything,” Herberger said. “There is a lot of configuration . . . You need a lot of active defense.”

Active defense, Herberger explained, is the politically correct term for what also can be called counter-attack or offense.

According to Radware’s research, hacktivism generated more attacks last year than any other motive, including financial gain and espionage, Herberger said. Hackers have become more persistent and able to exploit vulnerabilities in a variety of ways — through the network, applications or other means.

“Never before have your security tools themselves been targeted for hours,” Herberger said. “In the past, the tools were meant for inspection. They were not meant to protect themselves. And now they need to protect themselves.”

Three recent seminal attacks reportedly created by nation states have increased the incentive for added security. The Stuxnet virus was aimed at Iranian nuclear facilities; Duqu was designed to compromise control systems; and Flamer has been used to target private infrastructure in the Middle East.

“These three attacks have forever changed the space of what we have to consider from a defender’s standpoint,” said Gregory Akers, senior vice president of advanced security initiatives at Cisco Systems Inc.

It has been suggested that the United States was responsible for both Stuxnet and Flamer. Whatever their origins, they represent a new breed of sophisticated attacks that have had a profound effect on the marketplace.

Information technology security products generate about $40 billion in revenue worldwide. Related services account for another $20 billion, said Richard Stiennon, chief research analyst for IT-Harvest.

Products generally can be broken down into categories such as gateway security (firewalls and intrusion prevention), endpoint security (anti-virus and desktop firewalls), data protection (encryption) and identity and access management (authentication and directory services).

Additionally, companies have developed countless products for managing vulnerabilities, tracking alerts and compliance reporting.

“Every security product with a growing base of paying customers has a useful and effective purpose,” Stiennon said. “Choosing between them depends on feeds and speeds, effectiveness and return on investment.”

But firewalls and anti-virus software, which defend systems from known threats, are no longer enough, experts said.

Just a few years ago, the main concerns were worms, viruses, spyware and bots. Now, government and industry are dealing with stealthy, persistent attacks that often have never been seen before. Some are so new they cannot be stopped on the perimeter. Many of the newest products are based on detecting an intrusion and preventing hackers from absconding with information, Stiennon said.

Products and services such as IBM’s QRadar are aimed at increasing awareness of everything happening on a network. QRadar helps clients know if an intrusion prevention system has the latest information about current risks, and it checks to ensure that application scans are updated for the latest threats. It even attempts to anticipate dangers.

IBM Director of Application, Data and Mobile Security Caleb Barlow said, “The question here is not, ‘Are you doing the right thing on the data side? Are you doing the right thing on the intrusion prevention side?’ It’s, ‘Are you aggregating and correlating this stuff up into meaningful information?’”

One of the fastest growing segments of the market centers on threats from hackers in China and elsewhere that have been relentlessly targeting the defense industrial base and government entities. Netwitness, Solera Networks, FireEye, Damballa and Mandiant are just a few of the companies that have sprung up to offer products specifically aimed at defeating these “advanced persistent threats,” or APTs as insiders have come to call them.

Mandiant does forensics. If an organization suspects it has been breached, it can pay Mandiant to find the infection. Netwitness captures all network traffic and applies filters to it. Security firm RSA turned to Netwitness to decrypt outbound traffic and figure out what data had been stolen after a March 2011 hack. Other vendors, such as Industrial Defender and SecureCrossing, have positioned themselves to protect industrial control systems, such as those that are used to run electricity, gas and water services.

FireEye sells a physical network appliance that in tandem with virtual machines can see all inbound and outbound traffic, explained Phil Lin, director of product marketing. The company puts all the traffic through a crash test to see how it would affect the network.

“We’re looking for that bullet in the dark that starts off an initial infection,” Lin said.

Most commercial customers have a firewall and an intrusion prevention system, and many have even done some level of application security. But that’s often where they stop, Barlow said. Experts these days recommend a layered approach to security that takes into account anti-virus, firewall, intrusion detection and prevention, applications and databases. IBM’s AppScan and Guardium focus on the latter two, but sometimes even they are not enough.

The bad news is that if a hacker is watching closely, he will find a way to break into a system. “I don’t care whose tools you’re using,” Barlow said.

Nation states and criminals have shown an incredible amount of creativity in coming up with attacks, employing everything from simple spear phishing to extremely complicated social engineering. One intelligence analyst was targeted through a dating website. An adversary created a perfect profile match for him, and was able to get details from him person to person. No technology can stop that kind of exchange, Lin said.

Companies like Adobe, whose products are installed on virtually every computer, have been forced to change their approach to security because of continuing attacks. In January 2009, hackers began taking control of Adobe Reader 9 users’ computers through malicious PDF files attached to emails or accessed through website links. The company hardened some code and developed a tool that kept hackers from being able to access vulnerable functions in JavaScript. Since the release of Adobe Reader 10 in 2010, “I’m not aware of any machine that has been successfully attacked through a malicious PDF,” said Brad Arkin, hired by Adobe in 2008 to direct security for its products and services.

The hackers, though, did not go away and began targeting other Adobe products such as Flash Player.

Arkin described it this way: A company puts up a fence to keep kids off its property. The kids get a ladder. The company puts barbed wire at the top of the fence. The kids get a rug to throw over the barbed wire. The company installs razor wire. The kids get a helicopter.

“It just goes on and on,” he said.

An alliance of software companies has formed the Trusted Computing Group to collaborate on uniform security components, but Arkin said the pursuit of high-level, elegant solutions sounds like something out of a fairy tale and is not based on what’s happening in the trenches.

Laboratory research doesn’t always translate to the field, he said.

“I’m an engineer,” Arkin said. “We’re just trying to make things better.”

In 2009, it took Adobe 10 weeks to get updates to customers who were suffering attacks. That time has shrunk to about 48 hours, Arkin said.

“But Reader 10 is out there, it’s degrading. People are studying it,” he said. “I’m sure it’s not as strong today relative to the skill set of the attackers we’re defending against as the day it shipped.”

Like Adobe’s applications, mobile devices are being used by just about everyone. Six billion people worldwide have them, with users adopting smartphones at a rapid pace. This is creating a security nightmare as more and more users bring their personal devices into the workplace, be it at a private company or at the Pentagon. And hackers are licking their chops, experts said.

Every part of the Defense Department is considering a move to cloud computing, Akers said. He referenced plans of the Defense Information Systems Agency to create a bring-your-own-device policy, allowing military employees to bring personal phones and tablets to work in unclassified situations.

“My concern about this is that every time we add something special to provide BYOD access, we create an opportunity [for an] attack,” Akers said.

Cisco’s approach to this conundrum is to create a clear separation between military and civilian data. If a device goes missing or is compromised, an organization can wipe it clean of sensitive information without affecting family pictures or other personal items. If an employee is using the gadget at an unsecured hotspot, an organization can prevent access to certain materials.

An IBM team that researches vulnerabilities last year found a 19 percent increase in the number of exploitable vulnerabilities affecting mobile devices. The company now is working on new tools to scan mobile apps for both corporate and public institutions.

But what happens when hackers add an element of physical danger?

The next trend may be for hackers to combine their persistent attacks with physical consequences, Herberger said. They already have shown they can make Apple’s iPhone battery or an HP printer catch fire, he said.
