Last year the South Carolina Department of Revenue found that a hacker had used a “spear-phishing” attack to install at least 33 unique pieces of malicious software and utilities on the department’s servers to steal financial data. A spear-phishing attack typically poses as an email from a known entity or person and asks users to click on a link, which deploys malware that steals data. More than 3 million Social Security numbers and 387,000 credit and debit card numbers were exposed. Of the credit card numbers, approximately 16,000 were unencrypted.
In another headline-grabbing security breach a year ago, hackers from Eastern Europe stole the Social Security numbers of as many as 280,000 people from Utah Department of Health databases, an incident that quickly forced state CIO Steve Fletcher’s resignation.
Historically, personal health information in state and local government databases hasn’t been as big a target for hackers as other sectors. But the South Carolina and Utah breaches could represent a shift in thinking. Cybercriminals may increasingly exploit personal health records for identity theft and insurance fraud, warned Daniel Berger, president of security consulting firm Redspin. The Utah attack, he noted, “may be the canary in the coal mine.”
To respond to its breach, South Carolina hired Mandiant, a fast-growing intrusion detection and response company founded in 2004. A November 2012 public incident response report from the state summarized the contractor’s actions: “Mandiant developed an immediate containment plan to deny the attacker access to the environment using the known methods of access. … Mandiant then developed a plan to implement intermediate and longer-term recommendations to enhance the Department of Revenue’s security against future compromise.”
Mandiant booked more than $100 million in revenue during 2012, up 76 percent from 2011, according to a February Bloomberg Businessweek profile. The Alexandria, Va.-based company is one of a new generation of network threat detection and response companies that have sprung up over the last few years to complement traditional anti-virus and data loss prevention approaches that — although still necessary — are inadequate to cope with new types of targeted attacks. Indeed, a post-breach investigation of Chinese hackers’ cyberattack last year on The New York Times’ computer systems uncovered that anti-virus software found only one of the 45 different pieces of malware planted on The Times’ systems during a three-month period.
Over the last decade, intrusion threats have evolved to encompass everything from teenagers in their basements trying to breach networks for fun, to professional criminals stealing credit card information. But today’s threats have escalated to theft of corporate and government intellectual capital, said Christopher Ling, senior vice president of Booz Allen Hamilton. “Advanced, persistent threats created by nation states have leaked out onto the black market, and bad actors can buy them,” Ling added. “It is a great concern, because traditional cybersecurity weapons are being outgunned.”
The conventional approach of perimeter defense involves making lists of suspicious signatures and then telling systems: “When you see this signature, stop it.” But that approach is failing in an era of zero-day attacks (a term that means anti-virus developers have had zero days to address and patch the vulnerability). The Stuxnet worm that damaged Iran’s nuclear complex is an example of an attack that wasn’t discovered until the damage was already done.
Local and state government offices that may not see themselves as prime targets for theft of intellectual property or financial information can be used as the weak link to get at financial institutions, Ling said. “Banks use government websites all the time for things like title searches. Attackers can spot a weakness in a county government website and attack the bank from there.”
The business models of large anti-virus vendors such as Symantec and McAfee incorporate everyone who has a computer, because perimeter defense is an important aspect of protection and is mandated by many federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA). “But that approach is not geared toward someone who is a specific target of an attack,” Ling said. “When that happens, you need specialized help. The vendors who are going after thousands of customers may not be the company you ask to help eradicate a particular piece of malware and do incident response. That is where these newer niche players are coming in.”
So who are these new players? Many are network security and Silicon Valley veterans who are exploring new ways to tackle malware. Government Technology asked executives from a few of these emerging companies to describe their approaches.