Monday, June 13, 2011

Design Inner security layers assuming outer security layers are already breached

Lockheed Martin, EMC, Sony: design the inner security layer assuming the outer layer is already breached.
The recent breach at Lockheed Martin confirmed that the attacks we saw with Aurora and Stuxnet were just the beginning of a new era of targeted attacks. Cybercriminals are now executing carefully planned campaigns to get closer to the target without raising any red flags. In the Aurora attack, more than 30 US companies were breached, and Google apparently lost intellectual property (IP). The attack was identified by McAfee. We were very sure that this was not the end but the beginning of a new era, and that a paradigm shift was required as soon as possible.
Sure enough, a series of attacks followed: Night Dragon, the attack on EMC that put SecurID tokens at risk, Sony, and most recently Lockheed Martin.
Lockheed Martin is a very important defense contractor for the USA. Some of the most critical information, such as the arsenal used in the Afghanistan war and future military technology, resides on Lockheed Martin's network. I don't want to speculate about how the attackers were able to break in. There are multiple theories, such as spear phishing, and some blogs and reports correlate the Lockheed Martin attack with the EMC breach, suggesting the attackers came in via VPN. Lockheed Martin has officially neither confirmed nor denied this, so we have to wait for the information to unfold.

One thing is for sure, however: we need a paradigm shift. At McAfee we see 55,000 new malware samples every day, and 2,000,000 (2 million) malicious websites are detected every month. These numbers are simply unmanageable by patching or blacklisting technology alone. But before we talk about the solution, let's look at the anatomy of an attack. Any attack involves the following three stages:
1. Exploit the service or application.
2. Drop and execute the payload, either in memory or on disk.
3. Finally, get p0wned!!

You should be able to dissect any attack into these three stages: Aurora, Night Dragon, Stuxnet, and very likely future attacks as well. Let me briefly explain the protection. A blacklisting solution needs either a signature to stop the exploit or behavior-based detection to identify that something is wrong. But behavior-based detection is not 100% reliable, and signatures for zero-day vulnerabilities are not available. So attackers will be able to proceed to stage 2 after exploiting the zero-day vulnerability. Don't forget that Stuxnet used four zero-day vulnerabilities, so this is not a story from Mission: Impossible or Swordfish. This is real. Once the vulnerability is exploited, it's time to execute the payload and connect to the command-and-control server to download more malicious code, such as keyloggers and sniffers.
But with a paradigm shift to an application whitelisting solution, you can protect against such attacks at all stages. Memory protection will prevent the attacker from exploiting the vulnerability, and if the attacker does succeed in exploiting it, the payload will still not be able to execute from disk or from memory, because the payload is not part of the whitelist.
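To make the difference between the two models concrete, here is an added example (not code from this post or from any McAfee product) that models both layers as content-hash policies. The "binaries" are constructed byte strings labelled as such, not real executables; the paths and the policy names are assumptions for illustration. A blacklist is default-allow, so a payload nobody has a signature for passes it; a whitelist is default-deny, so the same payload is blocked, and so is an approved binary whose contents were modified, because the policy keys on the digest rather than the path.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


# Constructed stand-ins for executable images; the bytes are arbitrary labels,
# not real binaries or real malware.
SAMPLE_FILES: Dict[str, bytes] = {
    "/usr/bin/sshd": b"constructed-approved-sshd-image",
    "/usr/bin/httpd": b"constructed-approved-httpd-image",
    "/usr/bin/sshd.tampered": b"constructed-approved-sshd-image-with-backdoor",
    "/tmp/known_keylogger": b"constructed-payload-already-seen-by-the-vendor",
    "/tmp/dropped_payload": b"constructed-payload-never-seen-before",
}


def sha256_hex(data: bytes) -> str:
    """Content digest; both policies key on content, not on path or filename."""
    return hashlib.sha256(data).hexdigest()


# Blacklist layer: digests of samples for which a signature already exists.
BLACKLIST = {sha256_hex(SAMPLE_FILES["/tmp/known_keylogger"])}

# Whitelist layer: digests of the binaries installed and approved for this host.
WHITELIST = {sha256_hex(SAMPLE_FILES[p]) for p in ("/usr/bin/sshd", "/usr/bin/httpd")}

Policy = Callable[[bytes], Verdict]


def blacklist_verdict(data: bytes) -> Verdict:
    """Default-allow: only content with a known-bad signature is blocked."""
    return Verdict.DENY if sha256_hex(data) in BLACKLIST else Verdict.ALLOW


def whitelist_verdict(data: bytes) -> Verdict:
    """Default-deny: only content that was explicitly approved may run."""
    return Verdict.ALLOW if sha256_hex(data) in WHITELIST else Verdict.DENY


def layered_verdict(data: bytes) -> Verdict:
    """Both layers must allow; either may deny. The whitelist is the inner
    layer, so it still holds when the outer (blacklist) layer has no signature."""
    if blacklist_verdict(data) is Verdict.DENY:
        return Verdict.DENY
    return whitelist_verdict(data)


def evaluate_all(policy: Policy) -> Dict[str, str]:
    """Run one policy over every sample and report the verdict per path."""
    return {path: policy(data).value for path, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, policy in (("blacklist", blacklist_verdict),
                         ("whitelist", whitelist_verdict),
                         ("layered", layered_verdict)):
        print(name)
        for path, verdict in evaluate_all(policy).items():
            print(f"  {verdict:5}  {path}")
```

Running it shows the blacklist allowing `/tmp/dropped_payload` (no signature exists yet) while the whitelist and the layered policy deny it, and shows the tampered copy of an approved binary being denied even though it sits at a trusted-looking path.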
It's time to change the paradigm: we need a combination of whitelisting and blacklisting solutions.
Look for a solution that can cater to both your server and desktop environments and supports *nix and Windows operating systems.
For Lockheed Martin, there is a possibility that the breach is linked to the RSA token breach, or maybe not. Either way, we have to design our defenses in layers such that, while designing the inner layer, we assume the outer defense layer is already breached. Application whitelisting is definitely going to play a huge role in security architecture in the years to come! So next time you are designing a security architecture with VPN, firewall, two-factor authentication and antivirus, ask yourself a simple question: if there is a zero-day vulnerability, will it be prevented by any of these technologies?