Asymmetric warfare is hell. Sure, you may have night-vision goggles, body armor, and air support, but you're also working for a bureaucratic organization built to fight a war that doesn't look much like the one you're in. Your adversary, on the other hand, is poorly equipped, yet nimble, resourceful, and adept at spotting and exploiting the slightest weakness. So much so, you may not even know you're under attack.
Take the U.S. Department of Commerce's Bureau of Industry and Security, which just this month confirmed that intruders, traced to servers in China, had spread a massive rootkit infection that will result in the replacement of hundreds of desktop computers. The attack, first discovered in July, eventually forced the Department of Commerce to suspend employee Internet access. A Department of Commerce spokesman admitted that, at first, the Department didn't recognize the extent of the problem.
The Department of Commerce hack is just the latest in a string of attacks of U.S. government agencies, including the State Department and the Department of Defense. The attacks, about which the government has said little, use phishing e-mails to get employees to open e-mail attachments or visit Web sites that download Trojans targeting "zero-day" vulnerabilities in common apps such as Microsoft Word or Internet Explorer. After they gain access to one system inside the network, the hackers fan out across the entire network, harvesting sensitive information and planting rootkit and backdoor programs to ensure they keep their foothold.
And government agencies aren't alone. Security company WebSense reported this month that it recorded many instances of spear-phishing attacks on customers and employees of ISPs, e-commerce, and banking sites. The company also noted a 100 percent increase, in the first half of 2006, in the number of Web sites distributing "crimeware" such as keyloggers and screen scrapers, which capture images of victims' desktops.
Cybercriminals are "more creative, organized, and business savvy" than ever before, WebSense found, noting that true "companies" have emerged, producing and selling toolkits and developing business partner programs that enable less technical criminals to steal data and make money.
The new wave of attacks is challenging conventional wisdom about the effectiveness of signature-based security products. An unknown number of low-intensity attacks from inside networks are often being missed.
So what's an IT manager to do? Security experts say that there's no easy fix. Although traditional layered security is still the best defense, the coming years will demand investment in technologies and processes that might seem "out of the box" or that have often been overlooked, such as insider-threat detection and secure coding. For those on the front lines, new and more effective defenses can't arrive soon enough.
Developing an infiltration profile
In his work for the National Intelligence Research and Applications Group at BBN Technologies, Peiter Zatko -- aka Mudge -- sees parallels between the new generation of attacks and the asymmetric warfare of Vietnam, Afghanistan, and Iraq: Attackers use a high volume of separate, targeted assaults that often prevent victims from seeing the larger threat profile.
Neither government nor enterprise IT security defenses, says Mudge, are geared for such low-key incursions. "They have a fixed mind-set, which is border defense and standard kinds of probing and port scans. The idea that a foreign cyberforce could infiltrate over the period of a few years, then stand up and deny you the use of your own systems is foreign to them," he says. "But that's the scenario we have to start working on."
Alan Paller, research director at the SANS Institute, agrees. "With spear phishing and [zero-day] vulnerabilities there's really no perimeter. And once somebody's in, if nobody is watching, this stuff spreads like a metastasis."
Not to mention that the perpetrators may be very close to home. Cybertrust data shows that, in about 10 percent of all incidents it is asked to investigate, insiders are the source of the trouble. In another 30 percent, attacks come by way of connections with business partners and other trusted parties, says Kerry Bailey, senior vice president of global services at Cybertrust.
"The first problem is that these people didn't necessarily break in. They may already have access, so devices like firewalls and IDS aren't going to do anything. You've got to allow employees to have access to do their job," says network-defense expert Eric Cole, CTO of The Sytex Group and an adjunct professor at New York Institute of Technology and Georgetown University.
That means IT staff must understand how attacks play out within the network: how software vulnerabilities in programs can allow attackers to gain a foothold and how, from there, they can compromise other systems, access sensitive data, and "exfiltrate" it from your network, Mudge says.