Thursday, October 23, 2008

How to prevent cyber espionage


Security expert Gadi Evron has plenty of experience helping governments fight cyber attacks. In this column, he offers a roadmap companies can use to prevent computer espionage


This column is about computer-based espionage and how we can defend our organizations against it. But I'd like to start with a mood piece of sorts.

There has been too much noise about information warfare lately. Distributed denial of service and defacement attacks like what happened in Estonia and Georgia come to mind.

The following two stories give a better understanding of what it is really about, without resorting to more scary stories about what China is or isn't doing. We'll also touch on other interesting cases such as the Israeli Trojan horse case, when we talk about defensive measures against computer-based espionage and targeted attacks.

The first is a report (without much detail or proof) on North Korea being involved in operations against South Korea using Trojan horses for espionage. The second is a lesson from history called the Farewell Dossier - a collection of intelligence documents KGB defector Colonel Vladimir Vetrov (code-named Farewell) handed over to NATO during the Cold War.

This information led to a mass expulsion of Soviet technology spies. The CIA also mounted a counter-intelligence operation that transferred modified hardware and software designs over to the Soviets, resulting in the spectacular trans-Siberian incident of 1982, in which a huge explosion ripped apart a trans-Siberian pipeline. The resulting explosion was so big, it was supposedly confused for a nuclear explosion by American decision makers until the CIA said, "Oh, that's one of our operations."

It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former US Air Force secretary and National Security Council member.

What does this mean? While destructive attacks are certainly of significance and important to defend against as they impact us directly, regardless of who the attacked party is or where in the world they are (DDoS attacks harm the Internet and its users), smarter, quieter attacks are all around us. How do we defend against them?

I expect most information warfare acts to be targeted, quiet, and covert. Espionage, or spying if you like, is not relevant to us unless we are the target. The diplomats and the intelligence communities of different countries can figure it out for us. It is an old occupation, and well covered by international law. Computers are simply another tool, or capability, to be used by these same people. There is nothing new here as far as how the game is played.

And yet, what if you are a target?

Recognizing there is a threat

You may have to defend against computer-based espionage for your own employer. Recent case studies, as well as research, have shown industrial espionage is indeed a big deal, and here are two examples:

One famous case from a few years ago, which I had the unfortunate opportunity to study as the lead incident response guy for the government, is the Israeli Trojan horse case.

Leading IT companies (most of which were local Israeli branches of Fortune 100 companies) were spied on using a Trojan horse built by an incompetent programmer, leaving traces of itself everywhere on the affected systems. This went on for a long period of time, undetected by any of these companies.

The issue was only detected by chance when the creator of the Trojan horse used it for his own private purposes and was discovered during an investigation into a harassment incident. The stolen information was fed directly to their competitors, which was most of the rest of the Israeli IT industry. The services themselves were rendered by civilian intelligence and investigation firms.

In another Israeli case, the attackers broke into a local branch of the post office (which is also a small bank in Israel) and placed a wireless gateway connected to a switch inside. Through it they stole a few tens of thousands of Shekels in the few days they were in operation. This case was also broken by complete chance.

In other cases, intelligence agencies for various countries such as France have been spying on their own to make sure their own local companies have an edge competing with companies from other countries.

Here is an interesting quote from "The Industrious Spies, Industrial Espionage in the Digital Age":

"This transition fosters international tensions even among allies. 'Countries don't have friends, they have interests!' screamed a DOE poster in the mid-1990s. France has vigorously protested US spying on French economic and technological developments - until it was revealed to be doing the same."

Defending against computer-based espionage

For the purpose of defense, while I'd certainly hope for more resources (read: a larger budget) and would change where I focus them, there is no inherent difference between defending your organization against computer-based espionage and protecting it against any Joe Hacker.

In espionage, the attacker has more resources, both technical and operational.

Some of what I would do differently

I'd concentrate more of my resources on network behavior analysis (for which, unfortunately, not many tools exist, so good network security analysts are the main alternative), as well as on social engineering training and procedures.

Further, I'd prioritize cooperation with the physical security part of the organization, and HR (for personnel screening).

I'd also consider putting up a good deterrent as a cyber security policy, both to add to the attacker's risk and increase their cost.

First, I'd make myself too difficult of a target and let people know about it. Second, I'd invest anything I can spare on monitoring my network for anomalies and security incidents, starting with mapping what my network actually looks like. This might add to the risk factor for opponents that can't afford to be caught and scare them. Covertness is the name of the game, or they would have come through the front door.
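The two steps above, mapping what the network actually looks like and then watching it for anomalies, can be reduced to a small worked example. The following Python is an added illustration and is not code from the column or from any product the author mentions: it learns a baseline from constructed flow records (which internal host talks to which peer and port, and how much it normally sends), then flags later flows that talk to a new peer, send far more than usual, or occur outside business hours. The record format, host addresses, thresholds (size_factor, business_hours) and all log lines are constructed assumptions for illustration.

```python
# Added example (not from the column): a minimal network-behaviour baseline
# built from flow records, then used to flag deviations. The record format,
# hosts, thresholds and log lines below are all constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str        # internal host that opened the connection
    dst: str        # peer it talked to
    dport: int      # destination port
    bytes_out: int  # bytes sent by src


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-timestamp> <src> <dst> <dport> <bytes_out>'."""
    ts, src, dst, dport, bytes_out = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(bytes_out))


def build_baseline(flows):
    """Map the network: which peers each internal host normally talks to,
    and the largest single transfer seen from it during the learning period."""
    peers = defaultdict(set)
    max_bytes = defaultdict(int)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        max_bytes[f.src] = max(max_bytes[f.src], f.bytes_out)
    return dict(peers), dict(max_bytes)


def detect_anomalies(baseline, flows, size_factor=5, business_hours=(8, 19)):
    """Return (flow, reasons) for every flow that deviates from the baseline.
    A single reason is weak evidence; several on one flow deserve an analyst's eye."""
    peers, max_bytes = baseline
    findings = []
    for f in flows:
        reasons = []
        if f.src not in peers:
            reasons.append("unknown source host")
        elif (f.dst, f.dport) not in peers[f.src]:
            reasons.append("new destination")
        if f.src in max_bytes and f.bytes_out > size_factor * max_bytes[f.src]:
            reasons.append("large transfer")
        if not business_hours[0] <= f.ts.hour < business_hours[1]:
            reasons.append("off-hours")
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed learning-period records (the "map of what the network looks like").
BASELINE_LOG = """\
2008-10-13T09:12:00 10.1.2.3 203.0.113.10 443 18200
2008-10-13T11:40:00 10.1.2.3 203.0.113.10 443 22000
2008-10-14T14:03:00 10.1.2.3 10.1.0.5 445 4096
2008-10-14T10:00:00 10.1.2.4 203.0.113.10 443 15000
2008-10-15T16:30:00 10.1.2.4 10.1.0.5 445 8000
"""

# Constructed records from a later day, one of which looks like data leaving quietly.
NEW_LOG = """\
2008-10-21T10:15:00 10.1.2.3 203.0.113.10 443 19000
2008-10-21T02:40:00 10.1.2.3 198.51.100.77 443 950000
2008-10-21T15:00:00 10.1.2.4 10.1.0.5 445 8200
2008-10-21T12:00:00 10.1.2.9 198.51.100.77 22 1200
"""


def run_example():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    baseline = build_baseline(parse_flow(l) for l in BASELINE_LOG.splitlines())
    findings = detect_anomalies(baseline, [parse_flow(l) for l in NEW_LOG.splitlines()])
    return [(f.src, f.dst, f.dport, reasons) for f, reasons in findings]


if __name__ == "__main__":
    for src, dst, dport, reasons in run_example():
        print(f"{src} -> {dst}:{dport}  {', '.join(reasons)}")
```

The point of returning reasons rather than a yes/no is the one the column makes: a covert attacker avoids the front door, so a single "new destination" is rarely conclusive, but a new external peer, an unusually large transfer and an off-hours timestamp together on one flow are exactly what a network security analyst should be handed first.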

Entering an "industrial espionage defense" clause into your budget or creating a five-year plan to better protect your organization from organized industrial espionage may just get you a larger budget to cope with your organization's security needs.

Do you have something you'd do differently from (or in addition to) regular security practices when facing espionage from organized hackers? Any experience or thoughts are welcome.
