May You Live in Interesting Times

Published on April 25, 2013

It’s not exactly news.  For years, the conventional wisdom has been that hackers out of Russia and Eastern Europe were criminals, intent on stealing money by way of fraud and extortion, and hackers out of mainland China were mostly focused on industrial espionage, stealing trade secrets and intellectual property on behalf of state-owned industry.  But it’s notoriously hard to pin down who the attackers actually are, and often impossible to identify their location with certainty.  With compromised systems all over the globe, the actual attackers can hide behind a complex chain of systems, networks, domains and IPs.

But over the last year or so, with the rise of so-called APTs (Advanced Persistent Attacks), it has become more acceptable to openly discuss the near-certainty of Chinese state-sponsored cyber espionage.  Companies in virtually every industry are coming to recognize that their most valuable asset was their data, and their data isn’t being effectively protected.  Then, in February, Mandiant released a report documenting six years of increasingly sophisticated penetrations and exploits from an organization they called APT1.  APT1, they had determined, was a special group under the auspices of the Chinese People’s Liberation Army with funding from the central government and technology from the state telecom entity.  Then, just last week, the US Congress passed an appropriations bill that included a provision limiting the ability of key American government agencies such as NSA, DOJ and NASA to purchase computer and telecom equipment from Chinese manufacturers.

So now we find ourselves in this new place, where we just know we are under sustained attacks from the most sophisticated, well funded organization of hackers in the world.  What does it mean?  We need to think about it at two levels. On the big picture level, the repercussions will be felt for years, in diplomacy, in trade regulation, in both government and business strategy, affecting everything from economic growth to matters of war and peace.  How long can US and European businesses continue to use China as a global manufacturing center while desperately fighting to keep their supposed “partners” from stealing their trade secrets?  What happens to those logistic relationships if the attacks continue?

The other level is the day-to-day reality of the struggle to secure our network infrastructure.  Can we protect our data in an environment where we know with a high level of certainty that we cannot prevent network penetration?  In essence, it comes down to a simple binary option.  We either find a way to harden the network so effectively as to keep these incredibly sophisticated attackers out 100% of the time, or we start to think about living in a world where the operative assumption is that the network is under attack and the challenge is protecting data and transactions in a compromised  environment.

If we accept the premise that we very likely have hackers in our networks right now, then the focus becomes one of detection and not just prevention, and the number of tools and solutions available in the marketplace plummets.  The idea that we must somehow develop the capability to detect an attacker using legitimate credentials and valid permissions, and differentiate his actions from those of thousands of other legitimate users is daunting.  It would require that we aggregate and integrate all our data, from user identities to permissions, from applications to transactions and apply some kind of big-data type intelligent analysis to all that data in real time so as to detect not the penetration, but the activities that give away the hackers actions.

Fortunately, some of the Securonix platforms most powerful capabilities are made for the fast detection of these very advanced and sophisticated threats .  We’re living in a brave new world, where the forces arrayed against us are more powerful and better funded than we are.  We need to confront this reality with intelligent solutions inside the network rather than continuing to believe that we can find a way to prevent the compromise in the first place.