
Monitoring Tools and Logs Make All the Difference

It’s no longer a matter of “if” you get hacked, but when. In this special retrospective of recent news coverage, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape.

Analytics Alert
Analytics.InformationWeek.com
May 23, 2011
$99

Contents

2 Log Management Spurs Data Collection Debate
4 Verizon Data Breach Report: Bad Guys Target Low-Hanging Fruit
6 Tech Insight: Updating Your Security Toolbox
8 Searching for Security’s Yardstick
12 RSA Breach a Lesson in Detection and Mitigation
15 An Advanced Persistent Threat Reality Check

Presented in conjunction with


2 May 23, 2011 © 2011 InformationWeek, Reproduction Prohibited

May 3, 2011

Log Management Spurs Data Collection Debate
By Ericka Chickowski

As log management and security information and event management (SIEM) experts pore over the latest results from the annual SANS survey on log management, debate lingers over whether organizations really have mastered the art of useful data collection, or whether they need to adjust their log collection behaviors to better enable more analysis down the road.

At first blush, consensus from the SANS report seems to be that most organizations have mastered log data collection, so now it is time to worry about such things as log data search, categorization and correlation.

“We’ve got the collection down, and we’ve got the securing the logs and the chain of custody and those things that make the compliance auditors happy, but actually turning this information into something that is meaningful and actionable is the challenge,” says Michael Maloof, CTO at TriGeo Network Security.

However, when data comes in such an avalanche of information that the tools at hand are still not able to give organizations a consistent way to sift through it, then how much collection is too much?

Some might argue that the better a job organizations do with collection without improving their ability to categorize data and search through it, the more likely they are to have lots of meaningless information drown out the important data. This point brings up a long-raging debate about how much information organizations really should be collecting. Many experts believe that organizations need to temper and focus their collection efforts for a long while before they can catch up with analysis of all data sets.

“First of all, ask yourself, can your event collection be more focused?” says Scott Crawford, a research director with Enterprise Management Associates. “Do you necessarily have to pick up data from everywhere, or are there key points where you really do need insight or where insight would be more valuable, rather than collecting all of it?”

Analytics.InformationWeek.com
Security Monitoring
Analytics Alert


According to Andrew Hay, senior security analyst with The 451 Group, the issue of deciding which data to collect is a balancing act. “There are two schools of thought. One is that some organizations say, ‘I’m going to log absolutely everything and anything,’ and then that becomes a management nightmare. Logging everything for any sort of real-time analytics or security operations is going to be very difficult,” Hay says. “You really need to understand what those logs are before you log them. So the other camp says, ‘Only log what you need.’ But the challenge is, how many organizations really understand what they need?”

It is that question that makes Dr. Anton Chuvakin of Security Warrior Consulting lean toward amassing as much log data as possible at first, and then worrying more about how that data is reviewed.

“If you’re in doubt, just collect it,” he says. “The filter you apply is what you actually review and what you take action on. I would prefer to err on the side of too much data all of the time. Essentially you want to collect more data, but review less of it. That’s the magic trick.”

And, Chuvakin says, the only way to review more effectively is to practice.

“I would say if you can get daily, maybe weekly, log reviews in a consistent manner, then you can know better what to do with the data. You know when to scream and when to relax,” he says. “If you have a repeatable, consistent process for log review, then you will detect your intrusions and you’d save more time and eventually understand where you could automate in correlations and with real-time tracking. Log review processes help to figure out what’s normal, figure out what’s not, and take action. To me that is more important than how to tune correlation rules; you learn that later.”

Regardless of how many data feeds your organization depends on, the sheer volume of logs can actually be put to good use in and of itself, Crawford suggests.

“There are ways to take a different look at log data that might be indicative of an issue. Rather than looking at every single event and correlating individual events for possibility of high-risk activities, [look for] changes in log volume,” he says. “These are things I would consider ‘second-order’ indicators. Sometimes an attack might itself create a volume of log data, so you see spikes and changes in the average amount of data. Conversely, if log data really dried up from a given source, it would suggest someone is either covering their tracks, has interfered with a service, or created some other disruption we should be aware of.”
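Crawford’s second-order indicators take only a little bookkeeping to check: count events per source per time window, compare the latest window with each source’s own recent baseline, and flag both volume spikes and sources that have gone quiet. The Python below is an added example, not code from the article or from any vendor quoted in it; the syslog-style lines, host names, one-hour window and the 3x/0.25x thresholds are all constructed for the demonstration.

```python
# Second-order log indicators (per-source volume spikes and silences).
# Added example, not code from the article or any vendor it quotes; the log
# format, hosts, window size and thresholds below are constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed syslog-like sample, "<ISO timestamp> <host> <message>": three
# sources over four one-hour windows. fw01 emits nothing in the 12:00 window.
SAMPLE_LOGS = """\
2011-05-03T09:05:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DPT=23
2011-05-03T09:15:00 db01 mysqld: Connection from app01 user=app
2011-05-03T09:20:33 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5
2011-05-03T09:41:17 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DPT=445
2011-05-03T09:45:00 db01 mysqld: Slow query logged (2.3s)
2011-05-03T09:52:10 web01 httpd: GET /index.html 200
2011-05-03T10:12:44 fw01 kernel: DROP IN=eth0 SRC=203.0.113.4 DPT=23
2011-05-03T10:15:00 db01 mysqld: Connection from app01 user=app
2011-05-03T10:21:05 web01 httpd: GET /login 200
2011-05-03T10:45:00 db01 mysqld: Connection from app02 user=app
2011-05-03T10:55:03 fw01 kernel: ACCEPT IN=eth1 SRC=10.0.0.12 DPT=443
2011-05-03T10:58:47 web01 sshd[2310]: session closed for user deploy
2011-05-03T11:08:39 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DPT=22
2011-05-03T11:15:00 db01 mysqld: Slow query logged (1.9s)
2011-05-03T11:19:12 web01 httpd: GET /index.html 200
2011-05-03T11:45:00 db01 mysqld: Connection from app01 user=app
2011-05-03T11:47:20 fw01 kernel: DROP IN=eth0 SRC=203.0.113.8 DPT=3389
2011-05-03T11:50:02 web01 httpd: GET /about 200
this line is malformed and must be skipped, not crash the job
2011-05-03T12:02:01 web01 sshd[2555]: Failed password for root from 203.0.113.50
2011-05-03T12:02:03 web01 sshd[2556]: Failed password for root from 203.0.113.50
2011-05-03T12:02:04 web01 sshd[2557]: Failed password for admin from 203.0.113.50
2011-05-03T12:02:06 web01 sshd[2558]: Failed password for admin from 203.0.113.50
2011-05-03T12:02:07 web01 sshd[2559]: Failed password for oracle from 203.0.113.50
2011-05-03T12:02:09 web01 sshd[2560]: Failed password for test from 203.0.113.50
2011-05-03T12:02:10 web01 sshd[2561]: Failed password for guest from 203.0.113.50
2011-05-03T12:02:12 web01 sshd[2562]: Failed password for root from 203.0.113.50
2011-05-03T12:15:00 db01 mysqld: Connection from app01 user=app
2011-05-03T12:45:00 db01 mysqld: Backup completed
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse_line(line):
    """Return (timestamp, source, message) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)

def bucket_counts(lines, window_seconds=3600):
    """Count events per source per fixed time window: {source: {window_start: n}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input never aborts the sweep
        ts, source, _ = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        counts[source][window] += 1
    return counts

def volume_indicators(counts, spike_factor=3.0, silence_factor=0.25, min_history=3):
    """Judge each source's latest window against the mean of its earlier windows.

    Returns sorted (source, kind, latest_count, baseline_mean) tuples; kind is
    'spike' (a noisy attack can inflate volume), 'silence' (a source dried up:
    tampering, outage or disabled logging) or 'new_source' (no history yet).
    """
    windows = sorted({w for per_source in counts.values() for w in per_source})
    if len(windows) < min_history + 1:
        return []  # too little history to call anything a baseline
    latest, history = windows[-1], windows[:-1]
    findings = []
    for source, per_window in counts.items():
        past = [per_window.get(w, 0) for w in history]  # absent window: 0 events
        baseline = sum(past) / len(past)
        current = per_window.get(latest, 0)
        if baseline == 0:
            findings.append((source, "new_source", current, 0.0))
        elif current >= spike_factor * baseline:
            findings.append((source, "spike", current, baseline))
        elif current <= silence_factor * baseline:
            findings.append((source, "silence", current, baseline))
    return sorted(findings)

def analyze(log_text, **thresholds):
    """Convenience wrapper: raw log text in, volume findings out."""
    return volume_indicators(bucket_counts(log_text.splitlines()), **thresholds)

if __name__ == "__main__":
    for source, kind, current, baseline in analyze(SAMPLE_LOGS):
        print(f"{source}: {kind} (latest window {current} events, baseline {baseline:.1f})")
```

Run as a script it reports fw01 as silent and web01 as a spike while db01 stays quiet; in practice the window size and factors are tuned per source class and the baseline is drawn from far more than three windows.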


April 19, 2011

Verizon Data Breach Report: Bad Guys Target Low-Hanging Fruit
By Tim Wilson

Cybercriminals are making a leap from the big score to easy money, according to Verizon Business’ annual report on data breaches, which was published recently.

According to Verizon’s much-awaited 2011 Data Breach Investigations Report, the number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008.

But this year’s report covers approximately 760 data breaches, the largest caseload to date, according to the researchers. So while the number of breaches continues to go up, the number of records affected is going down.

“The seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals,” the report says. “They are engaging in small, opportunistic attacks, rather than large-scale, difficult attacks, and are using relatively unsophisticated methods to successfully penetrate organizations.”

“I think what we’re seeing is that there’s a big change in the type of data that criminals are going after,” says Dave Ostertag, global investigations manager at Verizon Business. “There’s a glut of personal data out there now, and there really isn’t a great market for it. The value of intellectual property, on the other hand, is much higher—criminals are finding that they can make as much money from stealing a smaller number of highly sensitive records as they can from stealing a big database of customer information.”

The report also found that outsiders are responsible for 92% of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16% vs. 49%), this is largely due to the huge increase in smaller external attacks, Verizon says. The total number of insider attacks actually remained relatively constant.

Hacking (50%) and malware (49%) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords, the report says. For the first time, physical attacks—such as compromising ATMs—appeared as one of the three most common ways to steal information, and constituted 29% of all cases investigated.

Large-scale breaches dropped dramatically last year, while attacks involving smaller numbers of records increased, Verizon says. “Small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets,” the report states.

“The guys responsible for a big breach are more likely to get caught than somebody who does a lot of little breaches,” Ostertag says. “The criminals are learning that they don’t need to do a large intrusion to make a steady business. They just follow supply and demand.”

Greater reliance on automated attacks means that there are more attempted intrusions than ever, but the level of sophistication has dropped, says Steve Dauber, vice president of marketing at RedSeal Systems, a maker of tools for measuring enterprise security risk and posture.

“If you look at the [Verizon report], you see that most attacks were not targeted at a specific company, but were designed to find the enterprises that were most vulnerable,” Dauber says. In fact, “97% of the breaches could have been avoided by using simple controls,” he adds.

“What this says to me is that we’re seeing more and more automated attacks, but most enterprises are responding with human defenses that can’t keep up,” Dauber says. “With so many automated attacks, companies are going to have to start looking harder at more automated defenses.”

Malware was a factor in about half of the 2010 caseload and was responsible for almost 80% of lost data, according to the report. The most common kinds of malware found were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.

Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security, according to Verizon. “Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries,” the report states.


Ostertag offered advice for enterprises that want to avoid the types of breaches that Verizon sees.

“Protect your data—only store data as long as you need it,” he advises. “Enable your logs and look at them—in 46% of our cases, the breach is discovered not by the victim, but by a third party. If you’re not sure what to look for, ask your security companies about it.”

Enterprises should also work hard to enforce the policies they already have in place, Ostertag advises. Companies should be aware of what their employees are using at home, and how personal systems are interacting with corporate systems.

“There’s a very high correlation between employees who frequently violate security policy and actual breaches and compromises,” Ostertag says. “Make sure your employees are following the protocol, and that they are only getting access to the resources they need to do their jobs.”

April 15, 2011

Tech Insight: Updating Your Security Toolbox
By Adam Ely

Every now and then, security departments should take a look at their “toolboxes” and ask whether they have all of the right tools to deal with the current range of threats. What open-source tools are available to help combat new exploits, analyze defenses or automate our jobs so we can work less and slack off more?

As threats change, new technologies are released and tools are updated, we occasionally must replace our old favorites with the new hotness. After digging through our applications folder, speaking to consultants and security teams, we’ve compiled a list of some trusty tools that you should think about keeping on hand. And here’s a bonus: These are all open-source products. No big corporate budgets required.

In no particular order, let’s look at some tools that we use regularly and can’t live without. We’ll start with a few oldies that we still love:


Burp and Paros proxies. Burp and Paros are client-side proxies used to intercept, modify, replay, and craft HTTP requests. They are very similar, so most people use whichever one they like best. I like Paros; when performing a Web application assessment, I use it to intercept and modify HTTP requests for a variety of reasons, from understanding what the application is doing to cookie manipulation. I even use Paros occasionally when I need to debug and test Web applications I’m developing.

Firebug and Tamper Data. Both Firebug and Tamper Data are Firefox plug-ins designed to help Web developers debug their code in the browser. Many security experts use these to understand Web applications, quickly examine code, and follow JavaScript logic in Ajax calls. Both are valuable tools for Web application assessments.

Metasploit. The one, the only, and a favorite of penetration teams. Metasploit is about as simple as it gets when trying to exploit a system and obtain pure ownage. In the good ol' days, we had to obtain, compile, and pray an exploit worked. Now Metasploit takes much of the work out of exploitation.

W3af. This Web application attack and audit framework has been called the Metasploit of Web application security. Its goal is simple: to make it easy to find and exploit Web application defects. This project is still much younger than many other tools, but shows promise and is sponsored by the owners of Metasploit, Rapid 7.

Skipfish. Skipfish is a Web application scanner developed by Google that is offered as an open-source tool and overcomes some problems that are common to other scanners. It works in a way that is similar to other scanners, crawling a Web application and testing for common vulnerabilities. Skipfish claims high-performance, ease-of-use and well-designed security checks.

Selenium. Selenium is a suite of tools used to automate Web application testing. While Selenium wasn’t developed for security teams, it is used by some security organizations to help automate testing of common Web application security problems in place of commercial testing suites.

EtherApe. EtherApe is a graphical network monitoring tool useful for inspecting network traffic and seeing what is coming and going on a host.

BackTrack. Technically, BackTrack is actually a collection of tools, but we couldn’t leave it out of this list. It’s a great place to start when building a toolkit and features some of the most common tools ready to work out of the box.

Nessus. While no longer officially an open-source product, Nessus is still the de facto free vulnerability scanning tool. Many network penetration tests start by using Nessus to sweep across infrastructure and identify services, hosts, and vulnerabilities.

There are more. Ophcrack, Kismet/Kismac and John the Ripper come to mind—but this small set of open-source tools is a great start for security departments that are just starting out or looking to update their arsenals. If you haven’t taken a look at these tools yet, then check them out—they might be just the ones you need for the next new threat.

March 30, 2011

Searching for Security’s Yardstick
By Tim Wilson

There’s an old saying in IT: You can’t manage what you can’t measure. If that’s true, however, security managers must be in a world of hurt.

Across this usually contentious security industry, there is violent agreement about two points: Security departments need better ways to prove that their organizations are safe, and there are no clear-cut numbers that definitively prove that point.

“So you’re in the management meeting, and the sales guy gives specific numbers about orders and gross revenue,” says Steve Dauber, vice president of marketing at RedSeal, which makes software designed to monitor security posture. “The networking guy gives numbers about uptime and throughput and response time. Then it comes around to the security guy, and he says, ‘Well, we didn’t get hacked today.’”

The basic problem, experts say, is that it’s tough to measure a negative. If security’s primary goal is to prevent outsiders from getting in—and insider data from getting out—what numbers are there to measure its success? The only clear metric is a negative: How many times has a compromise been discovered?

“The measure of success in security is that nothing bad happened,” says Mike Rothman, an analyst for Securosis, a security consulting firm. “Your best day is going to be that zero bad things occurred. There’s never going to be a measurement that shows that good things are happening.”

If security is about prevention of leaks and attacks, then what metrics should security departments show their bosses to prove that they are doing their jobs well?

“I think you have to start with things you can control,” says Scott Crawford, an analyst at Enterprise Management Associates, a consulting firm that focuses on systems and network management. “If you can’t change the controls, then metrics won’t do you any good.”

Setting a security policy—and the means to monitor it—is a good place to start, Crawford says. “If you set a policy, and there is a growing number of systems or users that are operating outside the policy, then that’s something you can act on, either through education or through greater controls,” he observes.

But security professionals should be wary of “dashboards” and artificial measures that don’t have meaning for the specific business that their enterprises are in, says Gary Hinson, CEO of security consulting firm iSecT in New Zealand.

“Some companies begin with a long list of ‘security things that can be measured’ and then try to shoehorn them into some sort of metrics system or dashboard. That, to me, is the wrong way to go about things,” Hinson says. “You don’t design an aircraft cockpit’s information systems with a list of things that can be readily measured on the aircraft. You start by asking what does the pilot need to know—altitude, azimuth/heading, etc.—and then prioritizing those things, organizing them into related groupings and finally filling the dashboard.

“Then you get lots and lots of feedback from pilots about what is missing, superfluous, misleading, wrongly positioned, too big/too small, too annoying/too discreet, etc.,” Hinson continues. “In other words, the metrics design process is very interactive, involving the system designers, instrumentation specialists, engineers and pilots all working together to define, design and refine the metrics system.”


But no matter how customized your measurement system, every company needs some basic metrics to start off with, notes Steven Piliero, who heads up the Benchmarks Division of the Center for Internet Security (CIS). The CIS Consensus Information Security Metrics benchmark is perhaps the closest thing the industry has to a set of standards for security metrics today.

“There are three kinds of metrics: those that are broad enough and understood well enough that they can be used across industries; those that are industry-sector specific; and those that are organization-specific,” Piliero says. “We’re helping to define that first category: the metrics that many industries can use.”

The CIS Consensus defines some basic metrics that organizations can measure frequently, as companies do with certain financial numbers, or as hospitals measure post-surgical infection rates, Piliero says. “They’re a starting point for building out your metrics—some unambiguous standards for measuring specific security functions.”

“It is possible to get some level of agreement on high-level metrics,” Rothman agrees. “CIS Consensus is a great resource to kick-start the metrics effort.”

The CIS Consensus offers standardized methods for tracking measurable activities, such as the frequency of incidents and the time/cost to mitigate them; scanning of vulnerabilities and the time/cost to repair them; and the frequency/time required to do patch management.

“You can measure things like the number of times you investigated potential indicators of anomalous activity,” says EMA’s Crawford. “You can track the number of cases of investigation and the number of cases that have had to be escalated to mitigation. You can measure the percent of unplanned IT work related to that escalation and the resulting security spend.”

However, experts warn against measuring aspects of security that may not be meaningful to the business—or worse, may cause the security department to focus its efforts on the wrong priorities.

“Tracking vulnerabilities, days to patch, [antivirus] performance—these might be useful at an operational level, but measuring these in order to show security effectiveness is a load of crap,” Rothman says.

And while tracking incident response or mitigation time might be useful in benchmarking the performance of the security department for upper management, these metrics still don’t provide enough meat to serve as a gauge for the organization’s security posture, experts advise.

“To measure security posture means arriving at compound and composite metrics—something like the cost of sales numbers that many companies track,” says CIS’ Piliero. “I’m not aware of any standard metrics that can measure that today.”

There is an emerging class of tools for security posture management (SPOM), such as those made by RedSeal, currently on the market. Such products harvest firewall configuration data and other information to show the potential for access to critical business data—a measure of both vulnerabilities and risk.

“Companies use us to do a risk analysis on a specific vulnerability—what’s the potential impact if it’s exploited?” Dauber explains. “They can use this data to help with prioritization of security actions—to help figure out what issues they should handle first.”

Rothman says the SPOM concept has merit for measuring security posture, but the market hasn’t taken off. “The big problem is the cost,” he says. “Executives have to see that it’s worth that much to be able to judge security posture, and that’s only going to happen in industries where that sort of data is critical to the business.”

Still, there is clearly a need for tools that can not only provide simple metrics for reporting to upper management, but can provide real insight into the company’s state of security, Rothman observes. Core Security’s new Core Insight tool—essentially a penetration-testing appliance—is one such emerging product, and nCircle’s Suite 360 Intelligence Hub offers a way to benchmark one company’s security against other, similar companies, he notes.

“One promising way to get some security metrics is to benchmark one organization’s state and processes relative to others,” Rothman says. “The problem with that is how do you attribute the data back without giving away too much about its source? Sharing between security companies is still the main constraint on this.”

Organizations such as the CIS and the new Open Security Intelligence forum are attempting to provide a basis for the definition and sharing of security data and metrics, but there is still a lot of work to be done, experts say. Part of the problem is that there are so many different functions and players in the security metrics game.


“There is still a big gap between operations people, compliance people, and security people,” says Joe Gottlieb, CEO of SenSage and founder of the Open Security Intelligence initiative. SenSage earlier this week published a study in which a majority of security people said they thought their security processes are less effective because data is not effectively shared among the various functional areas, such as compliance, incident response, and real-time monitoring.

“Most security metrics [initiatives] start because some enlightened executive up the chain asks for the numbers,” says CIS’ Piliero. “Once that happens, you see companies trying to get their own house in order, working together to pull together operational metrics before they start reporting up the chain.”

May 23, 2011

RSA Breach a Lesson in Detection and Mitigation
By Ericka Chickowski

While pundits say RSA, as a standards bearer in security, should be held to a higher measure of security than the average enterprise, some say the company’s recent breach is less a black mark on the company than a lesson to organizations at large about the scope of today’s threats. And as details emerge about how RSA dealt with its breach, it is clear that most organizations need to do a better job with not just real-time monitoring—but also real-time blocking—of threats.

According to those in the security information and event management (SIEM) space, the RSA breach should be a wake-up call for any enterprise that needs to protect its “special sauce” to maintain customer confidence and smooth operations.

“What we can take away from it is whether you’re making a widget for a car, an airplane, [or] software for the banking industry, you should really consider who might be targeting you and why would they target you, and you have to put protections in place,” says Brendan Hannigan, president and chief operating officer of SIEM firm Q1 Labs. “Targeted threats are serious and are coming from a variety of different sources, whether they be state actors or industrial espionage or criminals.”

And these determined crooks are not just seeking out the big dogs like RSA.

“We’ve increasingly been seeing within our own practice specifically targeted attacks, and I’m not talking great, big Fortune 500 companies,” says Bobby Kuzma, owner of managed security service provider Central Florida Technology Solutions. “I’m talking targeted, against 10-doctor medical practices.”

In order to detect sneaky multivector threats like the one that struck RSA, organizations need to count on a higher level of intelligence than is currently utilized today.

“You have a variety of different security controls in place, but in addition you need to have this blanket of security intelligence that’s overlaying this that’s looking for very sophisticated, low, slow, insidious, unusual behavior in your environment,” Hannigan says. “That’s the important layer we think customers haven’t focused on. They focus on the point products, [but] they haven’t focused on the security intelligence layer that takes all of these controls and puts them together.”

While the breach is a blow to RSA, many within the industry have said the security firm still did better than the average organization that probably wouldn’t have even known it had been struck.

“Instead of pointing fingers, I’d probably take a look at my house and wonder, ‘Do I have similar problems?’” says Philip Cox, principal consultant at IT security consulting firm Systems Experts. “If the ‘A’ team is getting broken into, that should cause some worries because other companies might also be suffering the same attack and not even know it.”

While SIEM tools may certainly go some ways toward detecting attacks, such as the one that struck RSA through a phishing email and a zero-day Flash exploit, they are hardly a panacea. According to the report that RSA made public recently via a company blog and an analyst briefing, the company did not depend solely on its own in-house tools to find the attack. It credits the tools from NetWitness with helping detect the attack, though when pressed it was not willing to divulge technical details about the way the product worked.


Interestingly, the NetWitness revelation came on the very day EMC and RSA insiders wereclosing a deal to acquire that firm and just a business day before it would publicly announcethe acquisition. While the disclosure of some limited details about the breach was seen bysome as a way to advertise the benefits of a product line that it was poised to acquire, RSAexecutives say the deal wasn’t precipitated by the breach.

“This [deal] was in the works before that,” says Tom Heiser, president of RSA. “Having saidall that, I don’t think it could have happened at a better time than it did right now.”

It’s clear that even before it was stung that RSA saw the need for more advanced means ofdetecting threats in real time. The real problem highlighted by this recent blow-up, though,is not so much about real-time detection of threats as it is about blocking threats before theydo damage. RSA claims it did, in fact, detect the attack on its systems in real time. But thefact remains it was unable to stop attackers from stealing some part of its SecurID intellectualproperty, details about which the firm still have not disclosed. Until the company divulgeshow much was or was not stolen, it is hard to show how effective real-time detection is inmitigating risk. Regardless, the lesson is that something was exfiltrated.

“You’ve got to be able to use monitoring tools intelligently, not just from a forensic viewpoint, but from a proactive viewpoint to stop the transactions,” says Avivah Litan, vice president and distinguished analyst at Gartner, who believes it doesn’t do a company much good to detect an attack but be unable to prevent it from doing damage.

She believes the current monitoring and SIEM tools need to evolve to offer better blocking capabilities. “Log management and SIEM are not going to get you there. All those compliance SIEM systems are not in line to the transactions; they score in real time, but their architectures aren’t made to be inline and interdict,” she says. “It wouldn’t be that difficult for the SIEM vendors to build that in, and they probably will when they start getting demand for it.”

In the meantime, she suggests organizations build APIs, or have their vendors build them, that sync the SIEM into fraud detection and prevention tools, which in turn call authentication or transaction verification systems that have blocking capabilities.
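The SIEM-to-blocking linkage described above, as an added Python sketch that is not part of the original article or any vendor’s product: a transaction gateway calls an interdiction hook that reads scored SIEM alerts and returns allow, step-up or block, with a freshness window so a stale alert cannot keep blocking a user. The alert fields, thresholds and sample users are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SiemAlert:
    """One scored alert as a SIEM might emit it (field names are assumptions)."""
    user: str
    score: int          # risk score, 0-100
    rule: str
    seen_at: datetime

@dataclass
class Decision:
    action: str         # "allow", "step_up" or "block"
    reason: str

class InterdictionHook:
    """Glue between a SIEM score feed and a transaction gateway: the gateway
    calls check() before committing, so the SIEM verdict is enforced inline."""

    def __init__(self, block_at=80, step_up_at=50, window=timedelta(minutes=30)):
        self.block_at, self.step_up_at, self.window = block_at, step_up_at, window
        self._alerts: dict[str, list[SiemAlert]] = {}

    def ingest(self, alert: SiemAlert) -> None:
        self._alerts.setdefault(alert.user, []).append(alert)

    def risk(self, user: str, now: datetime) -> tuple[int, list[str]]:
        # Only alerts inside the freshness window count, so a stale alert
        # cannot keep blocking a user indefinitely.
        fresh = [a for a in self._alerts.get(user, []) if now - a.seen_at <= self.window]
        score = max((a.score for a in fresh), default=0)
        return score, sorted({a.rule for a in fresh if a.score == score})

    def check(self, user: str, now: datetime) -> Decision:
        score, rules = self.risk(user, now)
        why = f"SIEM risk {score} ({', '.join(rules) or 'no fresh alerts'})"
        if score >= self.block_at:
            return Decision("block", why)
        if score >= self.step_up_at:
            return Decision("step_up", why + "; require second factor")
        return Decision("allow", why)

NOW = datetime(2011, 5, 23, 12, 0)   # fixed clock for the constructed sample

def demo() -> dict[str, Decision]:
    """Constructed sample alerts (not real data) run through the hook."""
    hook = InterdictionHook()
    hook.ingest(SiemAlert("alice", 90, "phishing-link-click", NOW - timedelta(minutes=5)))
    hook.ingest(SiemAlert("bob", 60, "new-device-login", NOW - timedelta(minutes=10)))
    hook.ingest(SiemAlert("carol", 95, "beacon-to-known-c2", NOW - timedelta(hours=3)))
    return {u: hook.check(u, NOW) for u in ("alice", "bob", "carol", "dave")}
```

In a deployment the gateway would call `check()` synchronously on the transaction path and fail closed if the SIEM feed is unreachable.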


Jan. 27, 2011

An Advanced Persistent Threat Reality Check
By Kelly Jackson Higgins

Most victims of targeted attacks that originate from so-called advanced persistent threat (APT) attackers have been under siege for so long by the time they discover it that forensics investigators can’t even trace the original machine that was infected.

The majority of the 120 victim organizations that enlisted the help of Mandiant in the past 18 months were first hit by the targeted attack two years before, according to Kevin Mandia, founder and CEO of Mandiant, which published its annual report on APT, “MTrends: When Prevention Fails.”

And there’s the danger of making it more difficult to track or contain the perpetrators if the victim organization shares its malware sample with its antivirus company too soon. “If you’re good at this, you don’t share with vendors, only with your industry brethren,” Mandia says, like the defense industry typically does. “Malware has a shelf life. If you share it [with too many parties], people take action and it changes the tools of the bad guy.”

That’s because once a signature is released for a piece of malware, the bad guys quickly reinvent it with a new variant via the backdoors they typically place in the victim organization that keep their foothold strong. “All you’ve done by sharing is change the fingerprint and made the problem worse,” Mandia says. Their response is just that fast, he says.

At one Fortune 50 company that Mandiant was working with in the wake of a targeted attack, around 100 people gathered to remediate the network. But the company’s antivirus vendor updated one piece of the malware, which then “destroyed” the remediation drill altogether, Mandia says. “The attackers were responding to the AV update,” he says.

Eddie Schwartz, chief security officer at NetWitness, concurs that you shouldn’t hand off malware samples until your breach investigation is completed. “Submitting to AV vendors early takes the control of the incident out of your hands because of how the APT operates, commonly activating secondary systems when primary ones are discovered,” Schwartz says. And a virus definition update would wipe out the malware you were analyzing, thus requiring you to start your investigation all over again.

It’s not about preventing a targeted attack from the APT adversary, which typically hails from various organized groups out of China who are hell-bent on snatching as much information as they can. It’s more like a game of chess, where businesses and government agencies have to assume the APT perpetrators are inside and focus on predicting, detecting and responding to their moves, according to Mandiant’s report.

The biggest shift during the past year is the volume of these attacks and the wider scope of industries being targeted. Mandia says he believes these attacks mostly go under the radar screen; his firm sees only about 2% of them. In the past 18 months, 42% of these victims were commercial firms, with law firms surprisingly representing 10% of that sector. “Law firms are getting absolutely hammered,” he says, but no one knows for sure why.

It’s possible these firms have become collateral damage from other hacks that resulted in access to the firm’s email addresses or other information, according to Mandia. “We haven’t seen a pattern” to explain it, he says.

And the initial attack vector in most of the cases Mandiant investigated was either email-borne or an improperly remediated earlier intrusion, where the attackers were still inside even though the victim thought it had eradicated them.

“We see a number of APT attacks in our work with customers,” NetWitness’ Schwartz says. “The volume of victims has gone up across the board, as well as the number of platform-independent vectors for exploitation, which is far more worrisome. The public hears about very few of the actual compromises of organizations.”

And even more disconcerting is that victim organizations aren’t likely to be able to discern everything that APT actors stole or accessed. “We don’t see them doing keyword searches, so we can’t tell that they are searching for this or that,” Mandia says. These attackers typically are cagier about what they are actually after: It appears they are rewarded by the volume of information they grab, he says.

“A real APT never really damages anything. They tweak a log file here and there... They are stealing stuff, but you still have your copy. You never see them taint it,” he says.

Mandiant has witnessed APT attackers stealing PKI credentials and even hacking smartcard readers to grab credentials to various systems.

“We have seen cybercriminals successfully bypass two-factor authentication in banking systems for years. Likewise, a common activity for Zeus is to steal any local PKI certs it finds,” NetWitness’ Schwartz says. “A great example [is] the Kneber Zeus botnet we reported on in 2010. There also have been multiple pieces of malware in the recent past that have been legitimately signed, which points to the theft and use of software certs: Stuxnet is a great example here.”


Want More Like This?

Making the right technology choices is a challenge for IT teams everywhere. Whether it’s sorting through vendor claims, justifying new projects or implementing new systems, there’s no substitute for experience. And that’s what InformationWeek Analytics provides—analysis and advice from IT professionals. Our subscription-based site houses more than 800 reports and briefs, and more than 100 new reports are slated for release in 2011. InformationWeek Analytics members have access to:

Research: 2011 Strategic Security Survey: Security professionals often feel that executives don’t prioritize information security and risk management, in terms of attention, budgets or both. But the 1,084 security pros responding to our InformationWeek Analytics 2011 Strategic Security Survey suggest that may be changing.

Research: Security Technologies: We’re pouring literally billions of dollars into products that are gaining us very little. So we pile on more layers, leading to increased complexity, expense and exposure.

Best Practices: The New Perimeter: Attackers want to sell your personal, financial and proprietary corporate information, and the traditional perimeter security model is next to useless for stopping them. What’s a CISO to do?

IT Pro Ranking: Web Security Gateways: IT pros give high marks to makers of Web security gateways for their ability to block malware. But when it comes to management, there’s room for improvement.

Strategy: IPv6 Security: IPv6 advocates have long touted the elimination of NAT and the return to a true peer-to-peer Internet. But IT pros who’ve come to see NAT as an essential network security element are worried, and they have some questions.

PLUS: Signature reports, such as the InformationWeek Salary Survey, InformationWeek 500 and the annual State of Security report; full issues; and much more.

For more information on our subscription plans, please visit Analytics.InformationWeek.com.
