Commercial networks are now victims of targeted cyberattacks

Published 20 April 2010

State-sponsored groups with deep technical skills and computing resources have long been directing targeted cyberattacks at government organizations and military targets; the Chinese intelligence services’ cyberattacks on Google are but the latest indication that cybercrooks are expanding their horizons and are starting to aim targeted attacks at commercial networks

Targeted cyberattacks of the sort that hit Google earlier this year are testing enterprise security models in new ways, and they represent an imminent threat to sensitive corporate data. State-sponsored groups with deep technical skills and computing resources have long been directing such attacks against government and military targets. Computerworld’s Jaikumar Vijayan writes that Google’s disclosure in January that its network was attacked by China-based hackers stoked long-standing fears that cybercrooks would expand their horizons and start aiming targeted attacks at commercial networks.

Some experts say it is likely that widespread attacks have already begun. “If you have not yet identified systems within your enterprise that have been compromised through these advanced attacks, you probably are very lucky — or you aren’t looking closely enough,” said Amit Yoran, former director of the DHS’s National Cyber Security Division and current CEO of security vendor NetWitness Corp.

Vijayan writes that unlike the e-mail- and network-borne worms and viruses that have been hitting corporate networks for years, targeted attacks are stealthier and virtually impossible to block fully. Hackers typically rely on sophisticated social engineering techniques to break into networks, maintain access to them without detection and continually snoop out and steal sensitive information.

Some security professionals suggest that IT managers are better off focusing on mitigating damage from targeted attacks instead of trying to prevent them. Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services, said traditional security measures, such as signature-based anti-malware tools, cannot prevent targeted attacks because the perpetrators often take advantage of zero-day threats for which there are no known defenses.

Instead, he said, companies should take steps to strengthen their ability to detect intrusions and to respond quickly. Arries noted that a gusher of data going out over the network, for example, is a sign that something’s amiss.
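Arries’s point about a surge of outbound data being a sign of trouble is the kind of check a SOC can automate from existing flow or proxy summaries. The following is an added example, not code from the Computerworld article or from Terremark: it takes a per-host history of daily outbound byte counts (hostnames and volumes are constructed for illustration), builds a robust baseline from the median and median absolute deviation so that a host’s own past spikes do not inflate its baseline, and flags hosts whose current egress is far outside that baseline. The threshold, the noise floor for flat histories and the minimum-bytes guard are assumptions tuned for the sample data, not figures from the article.

```python
"""Egress-volume anomaly check over constructed per-host flow summaries.

Added example; not from the Computerworld article or any vendor tool.
Hostnames, byte counts and thresholds are constructed/assumed for
illustration and would be replaced by real NetFlow/proxy aggregates.
"""
from __future__ import annotations

from statistics import median
from typing import Dict, List, Tuple

MB = 1_000_000

# Constructed sample data: outbound bytes per host for the previous 14 days.
HISTORY: Dict[str, List[int]] = {
    # Steady finance workstation, ~300 MB/day.
    "ws-finance-01": [v * MB for v in
                      [300, 310, 290, 305, 295, 315, 285, 300, 320, 310, 290, 300, 305, 295]],
    # Noisy engineering box: legitimately pushes 0.9-1.6 GB/day of builds.
    "ws-eng-07": [v * MB for v in
                  [1200, 1400, 900, 1600, 1100, 1300, 1500, 1000, 1250, 1350, 1150, 1450, 950, 1550]],
    # Nearly idle file server with a perfectly flat history (MAD == 0).
    "file-srv-02": [50 * MB] * 14,
}

# Constructed "today" values: finance box suddenly pushes 4.2 GB out.
TODAY: Dict[str, int] = {
    "ws-finance-01": 4_200 * MB,
    "ws-eng-07": 1_900 * MB,   # high, but within its usual noise
    "file-srv-02": 80 * MB,    # 60% jump, but only 30 MB in absolute terms
}


def robust_baseline(values: List[int]) -> Tuple[float, float]:
    """Return (median, median absolute deviation) of a host's history.

    Median/MAD are used instead of mean/stddev so that a prior exfiltration
    day or a one-off backup in the history does not mask today's spike.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def egress_score(history: List[int], today: int) -> float:
    """How many MADs today's egress sits above the host's median.

    A flat history gives MAD == 0; fall back to 5% of the median (or 1 byte)
    so the division is defined and tiny wobbles do not become huge scores.
    """
    med, mad = robust_baseline(history)
    scale = mad if mad > 0 else max(med * 0.05, 1.0)
    return (today - med) / scale


def flag_egress_anomalies(
    history: Dict[str, List[int]],
    today: Dict[str, int],
    threshold: float = 6.0,            # assumed: MADs above median to alert
    min_extra_bytes: int = 100 * MB,   # assumed: ignore spikes too small to matter
) -> List[Tuple[str, int, float]]:
    """Return (host, today_bytes, score) for hosts that breach both guards.

    The absolute-bytes guard stops an idle host from alerting on a change
    that is statistically large but operationally meaningless.
    """
    alerts = []
    for host, past in history.items():
        if host not in today:
            continue  # no flow record today; nothing to score
        score = egress_score(past, today[host])
        extra = today[host] - median(past)
        if score >= threshold and extra >= min_extra_bytes:
            alerts.append((host, today[host], round(score, 1)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, volume, score in flag_egress_anomalies(HISTORY, TODAY):
        print(f"ALERT {host}: {volume / MB:.0f} MB out today, {score} MADs above baseline")
```

Running the script flags only ws-finance-01: the noisy engineering host stays under the threshold because its own variability widens its baseline, and the file server’s proportionally large but tiny-in-bytes increase is suppressed by the absolute guard. In practice the same logic would be fed from a flow collector and paired with destination context (new external ASN, off-hours timing) before paging anyone.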

Paul Wood, a senior intelligence analyst at Symantec Corp.’s MessageLabs Intelligence unit, said that cloud-based security controls could help IT managers better detect targeted attacks. With a hosted security service, the provider sifts through large volumes of network traffic daily and therefore could spot suspicious activity sooner than internal IT operators who handle multiple jobs, he added.

Vijayan quotes Arries as saying that enabling remote logging capabilities is also crucial to detecting attacks. Those who break into a server tend to wipe out activity logs and any other evidence of their presence from the server, he said. One way to get around that is to make sure that all logs are created at and stored in a central location.

Read more in this article, which appeared on Computerworld.com as part of an in-depth look at cyberwar