A new breed of information security firms helps defeat targeted attacks.
Last year the South Carolina Department of Revenue found that a hacker had used a “spear-phishing” attack to install at least 33 unique pieces of malicious software and utilities on the department’s servers to steal financial data. A spear-phishing attack typically poses as an email from a known entity or person and asks users to click on a link, which deploys malware that steals data. More than 3 million Social Security numbers and 387,000 credit and debit card numbers were exposed. Of the credit card numbers, approximately 16,000 were unencrypted.
In another headline-grabbing security breach a year ago, hackers from Eastern Europe stole the Social Security numbers of as many as 280,000 people from Utah Department of Health databases, an incident that quickly forced state CIO Steve Fletcher’s resignation.
Historically personal health information in state and local government databases hasn’t been as big a target for hackers as other sectors. But the South Carolina and Utah breaches could represent a shift in thinking. Cybercriminals may increasingly exploit personal health records for identity theft and insurance fraud, warned Daniel Berger, president of security consulting firm Redspin. The Utah attack, he noted, “may be the canary in the coal mine.”
To respond to its breach, South Carolina hired Mandiant, a fast-growing intrusion detection and response company founded in 2004. A November 2012 public incident response report from the state summarized the contractor’s actions: “Mandiant developed an immediate containment plan to deny the attacker access to the environment using the known methods of access. … Mandiant then developed a plan to implement intermediate and longer-term recommendations to enhance the Department of Revenue’s security against future compromise.”
Mandiant booked more than $100 million in revenue during 2012, up 76 percent from 2011, according to a February Bloomberg Businessweek profile. The Alexandria, Va.-based company is one of a new generation of network threat detection and response companies that have sprung up over the last few years to complement traditional anti-virus and data loss prevention approaches that — although still necessary — are inadequate to cope with new types of targeted attacks. Indeed, a post-breach investigation of Chinese hackers’ cyberattack last year on The New York Times’ computer systems uncovered that anti-virus software found only one of the 45 different pieces of malware planted on The Times’ systems during a three-month period.
Photo: Christopher Ling, senior vice president of Booz Allen Hamilton. Photo courtesy of of Booz Allen Hamilton
Over the last decade, intrusion threats have evolved to encompass everything from teenagers in their basements trying to breach networks for fun, to professional criminals stealing credit card information. But today’s threats have escalated to theft of corporate and government intellectual capital, said Christopher Ling, senior vice president of Booz Allen Hamilton. “Advanced, persistent threats created by nation states have leaked out onto the black market, and bad actors can buy them,” Ling added. “It is a great concern, because traditional cybersecurity weapons are being outgunned.”
The conventional approach of perimeter defense involves making lists of suspicious signatures and then telling systems: “When you see this signature, stop it.” But that approach is failing in an era of zero-day attacks (a term that means anti-virus developers have had zero days to address and patch the vulnerability). The Stuxnet worm that damaged Iran’s nuclear complex is an example of an attack that wasn’t discovered until the damage was already done.
Local and state government offices that may not see themselves as prime targets for theft of intellectual property or financial information can be used as the weak link to get at financial institutions, Ling said. “Banks use government websites all the time for things like title searches. Attackers can spot a weakness in a county government website and attack the bank from there.”
The business models of large anti-virus vendors such as Symantec and McAfee incorporate everyone who has a computer, because perimeter defense is an important aspect of protection and is mandated by many federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA). “But that approach is not geared toward someone who is a specific target of an attack,” Ling said. “When that happens, you need specialized help. The vendors who are going after thousands of customers may not be the company you ask to help eradicate a particular piece of malware and do incident response. That is where these newer niche players are coming in.”
So who are these new players? Many are network security and Silicon Valley veterans who are exploring new ways to tackle malware. Government Technology asked executives from a few of these emerging companies to describe their approaches.
Cupertino, Calif.-based Bromium, which was founded in 2011 by former Citrix executives, has venture capital backing from Silicon Valley heavy hitters.
Bromium takes a virtualization approach to protecting users from malware, explained Tal Klein, senior director of product management. “In the past, we just accepted that the amount of time it would take for malware to propagate would allow us to develop a vaccine in time — before it became massively destructive and became an epidemic,” he said.
Photo: Tal Klein, senior director of product management, Bromium. Photo by Jessica Mulholland
But Stuxnet was in the wild for two years before it was detected. “No security solution stopped it, because they were looking for things they already knew about,” Klein said.
Klein described what he calls the “Security Insanity Cycle:” You are attacked, you try to recover and patch, then you try to figure out how to stop it in the future. Each of these protection efforts creates friction in users’ lives because sensitivities are turned up too high, which makes protections — whether anti-virus or data loss prevention and whitelisting agents — a drag on productivity, Klein said. Employees end up circumventing IT to get their work done. “Our philosophy has a starting point,” Klein said, “that the solution must be user-centric so they are not trying to circumvent it.”
Bromium’s solution takes a different approach. It doesn’t try to identify and block the malware. Instead it uses virtualization technology to take a narrow bit of hardware and isolate each user task and apply a set of rules to it. So the “task” of visiting Facebook doesn’t have access to the company intranet. Everything is restricted into a virtual container. If a PDF file is loaded, it doesn’t have access to the network.
“If a customer is attacked by malware, [the task] is allowed to run. Once that session is gone, everything it did is gone,” Klein said. The session leaves behind a record of what it was attempting to do, such as trying to change registry settings. You can see the IP address it was launched from, so the detection becomes part of the forensics.
One of the fastest-growing companies in the sector is Milpitas, Calif.-based FireEye Inc., which reported more than $100 million in bookings last year. Founded in 2004 by Ashar Aziz, a former Sun Microsystems engineer, FireEye’s partner and customer base has grown to more than 1,000 organizations, with more than 25 percent of the Fortune 100 deploying its solutions. The company recently announced an additional $50 million in venture funding. In 2009, the investment arm of the U.S. intelligence services invested in FireEye, and the U.S. government is a lead user.
As with other vendors, FireEye’s starting point is that malware threats evolve so quickly that the traditional protection model is antiquated, explained Phillip Lin, director of product marketing. Signature-based techniques make it difficult to protect from zero-day attacks, he said.
“That is why every three or four years, the anti-virus community sort of collapses in on itself and tries to take a new approach. And now with all the mobile devices in use, the endpoint clients are inherently vulnerable,” Lin said.
Before 2009, most companies and government agencies weren’t being attacked in a targeted manner, Lin said. “After what became known as ‘Google Aurora’ — a cyberattack originating from China that sought the source code of several high-profile corporations — the focus on targeted threats really picked up,” Lin said.
Photo: Phillip Lin, director of product marketing, FireEye. Photo by Sam Willard
FireEye’s solution starts from a premise similar to Bromium’s. The FireEye model also uses virtualization to supplement signature-based firewalls and anti-virus software. Its Malware Protection System builds a 360-degree, stage-by-stage analysis of an advanced attack, from system exploitation to data exfiltration, in order to stop would-be attackers.
“We identify suspicious activity, re-create the endpoint in a virtual way, inspect it, do a virtual execution, detonate it to see what happens, analyze it and apply that analysis,” Lin said.
For email, the FireEye solution sits as one message transfer agent and analyzes the message and any attachment before it gets to the user. “The virtual execution engine provides for a real-time analysis so you don’t have to wait for days or weeks to do an off-premise analysis.”
The idea for CrowdStrike grew from efforts by former McAfee employees to do more than breach remediation. “When we were working for McAfee, we investigated large breaches such as Aurora,” recalled Dmitri Alperovitch, a CrowdStrike co-founder and former vice president of threat research at McAfee. “These companies said to us, ‘It’s great that you can help us recover; how about trying to stop it?’ So what we are doing is an alternative to anti-virus,” Alperovitch said. “Rather than spending millions on perimeter defense and still failing, there is a real hunger for a new approach.”
Photo: Dmitri Alperovitch, co-founder of CrowdStrike
Based in Orange County, Calif., CrowdStrike was founded in 2011 by George Kurtz, the former worldwide CTO of McAfee; Alperovitch; and Gregg Marston, who worked as chief financial officer of Foundstone Inc., a cybersecurity forensics firm that Kurtz sold to McAfee. CrowdStrike received initial funding of $26 million from Warburg Pincus.
The CrowdStrike brain trust believes the prevailing mentality about cybersecurity is ultimately counterproductive. As IT security has evolved, conventional wisdom has focused heavily on vulnerability mitigation: firewalls and intrusion detection. The thinking has been that hackers won’t bother cracking a “hard nut,” how Alperovitch refers to a computer system with hardened security. But that mindset is outdated, he says, especially when it comes to targeted attacks. In these instances, intruders might be most interested in proprietary data about a new jumbo jet or a revolutionary consumer product — information only available on the servers of one particular company. An adversary might spend hundreds of millions on a way to get at something that is worth billions to them if they can avoid that research and development cost.
CrowdStrike wants to shift the focus to threat deterrence and raise costs to the adversaries. “Our current approach is bankrupting ourselves and failing to deter,” Alperovitch said. Even focusing solely on malware is missing the larger point, he argues. “What we should focus on is who attacked us, what vulnerability they leveraged, what they are doing with that data and what we can do to mitigate it.”
The company’s approach is to attribute attacks to specific actors and go on the offensive. “There are not that many of them,” Alperovitch said. “For the last year and a half, we have been following about two dozen groups behind most targeted attacks on all our customers. They are targeting groups in financial, government, defense and energy sectors.”
“Knowing who the enemy is and why they are attacking is the first step in forming a defense and figuring out what you can do to them,” he added. For instance, deflection activities such as exposing misinformation raise attackers’ costs.
CrowdStrike’s Enterprise Adversary Assessment service reveals compromised systems and provides counterintelligence and recommendations to help prevent future targeted attacks. The company also gives strategic and tactical measures for combating an adversary on the client’s network.
Another strategy is to publicize cybercrimes. “We should name and shame them,” Alperovitch said. “In the West, people don’t do this, in part because their business would be crushed if it were publicized — if Pepsi did this to Coke, for instance. We need to detect and attribute attacks and share information.”
Mike Maxwell, director of Symantec’s state and local government organization, said anti-virus continues to be an important tool for containing and blocking malware, but other approaches are necessary to complement it. “In contrast to the past, today’s cyber bad guys are not distributing massive virus payloads of different malware types, but are simply creating variants of existing malware. This makes it difficult for traditional ‘signature-only’ anti-virus approaches to keep up with these evolving threats,” he explained in an email response to questions from Government Technology.
To counter this threat, the company’s anti-malware solutions couple traditional signature-based approaches with reputation- and behavioral-based detection, Maxwell said.
“To assess a file’s ‘reputation,’ we collect data from millions of protected endpoints across the globe to support a reputation engine we call ‘Symantec Insight.’ From over 2.4 billion files from this community, we can categorize a file’s reputation before a user downloads it,” he noted. For instance, if a file is only a couple of days old, that may show it to be unproven or malicious. Symantec also looks at the prevalence in terms of how many people have the file.
In addition, Symantec uses “behavior-based” detection in its endpoint anti-malware solutions. Behavioral-based detection analyzes installed programs for malicious behavior once installed and has the ability to block a suspicious process and notify the end user, Maxwell said. Behavior-based technology builds a database of the good stuff it has learned from the application, such as it has a help file as most legitimate applications should. But it also builds a list of bad stuff such as the application is communicating with a known bad IP address or it is attempting to insert files in other common load points, such as the registry, removable storage or file system, so this may be suspicious activity that would be blocked, logged or alerted based on configured policy.
Mandiant, Bromium, FireEye and CrowdStrike are just a few of the players in this burgeoning niche dealing with advanced, persistent threats. Other new names in the field include Bit9, Imperva and TaaSERA.
University researchers are also trying to solve the spear-phishing problem. A platform called Phalanx created at the Georgia Tech Research Institute (GTRI) looks at behavior patterns in the kinds of email users get and tries to give users warnings. “Rarely do these attacks target one person,” said Andrew Howard, a GTRI research scientist who heads up the malware unit. “Usually it is sent to several people. So we can give an email a ‘spam score’ on steroids.”
For instance, an email would get a suspicion score of 7 out of 10 based on an analysis of the URL and attachments, natural language processing, expert heuristics and several other factors. “Then we have an analysis engine on the back end that can put an attachment in a sandbox and launch it to see what it does,” Howard said.
He said all new niche players in this emerging field of targeted threat detection face a challenge in convincing organizations that they are under attack. “It is a hard sell,” he said. It’s not easy to convince organizations that they are targets, although that is changing. But the question is, what is the return on investment for protecting against that type of attack? There are few metrics a CIO or chief information security officer can use to make a case for spending on these types of new services. Yet Howard said he has seen real change during the past few years: More organizations are moving away from denying that they are under attack; instead they are trying to figure out how they can limit the damage.
Bromium’s Klein said one of his company’s challenges is changing the mindset of IT departments. “Our solution requires a user-centric perspective from the IT department, and they are still clinging to the idea of controlling what users do,” he said. “Plus, it is not cheap, so you have to be strategic about it.”
Booz Allen Hamilton’s Ling said that although these new companies may be good at what they do, it’s difficult to create a business model around any one aspect of protection, and a chief information security officer may not want to create a mix-and-match solution, because then the risk is assumed by the decision-maker, not the solution provider. In spite of the obstacles, Ling said this type of IT security service is worth exploring. “You need a security wrapper, something that can scale up to respond to a very significant incident,” Ling said. “And it has to be something that is economically viable, because this is a problem that is only going to get worse — and you can’t spend money asymmetrically.”
Main Photo: Tal Klein, senior director of product management, Bromium. Photo by Jessica Mulholland