
Cyber Attacks: Why are they attacking us?

The news sites are abuzz with reports on Chinese cyber attacks on Washington DC institutions, both government and NGOs. Are you a possible target? It depends. Attackers funded by nation states have specific objectives, and they pursue them. So if you are a dissident or enabling one, or have secrets that the attacker wants, then you may be a target. A law firm with access to intellectual property may be a target, but an individual has much more reason to fear cyber criminals who seek credit card details than a Chinese attack.

As Sun Tzu noted in the Art of War, “Know your enemy and know yourself, find naught in fear for 100 battles.”

So what are the Chinese after? Ezra Klein has a great piece in the Washington Post. He outlines three reasons:

1) Asymmetric warfare – the US defense budget is larger than the next 13 countries combined and has been that way for a long, long time. In any conventional or atomic war, no conceivable adversary has any chance. An attack on critical infrastructure may help level the playing field. Operators of critical infrastructure and of course US DoD locations are at risk and should shore up defenses.

2) Intellectual property theft – China and Russia want to steal the intellectual property (IP) of American companies, and much of that property now lies in the cloud or on an employee’s hard drive. Stealing those blueprints and plans and ideas is an easy way to cut the costs of product development. Law firms or employees with IP need protection.

3) Chinese intelligence services [are] eager to understand how Washington works. Hackers often are searching for the unseen forces that might explain how the administration approaches an issue, experts say, with many Chinese officials presuming that reports by think tanks or news organizations are secretly the work of government officials — much as they would be in Beijing. This is the most interesting explanation but the least relevant to the security practitioner.

If none of these apply to you, then you should be worried about cyber criminals who are out for financial gain: classic money-making targets like credit card numbers, used to defraud Visa/Mastercard, or Social Security numbers, used to perpetrate Medicare fraud. This is by far the most widespread type of hacking.

It turns out that many of the tools and tactics used by all these adversaries are the same, even though commodity attacks tend to be opportunistic and high volume while persistent attacks tend to be low-and-slow. This means that defenses built for the one apply to the other, and often the most basic approaches are also the most effective. Effective approaches require discipline and dedication most of all. Sadly, this is the hardest commitment for the small and medium enterprises that are most vulnerable. If this is you, then consider a service like SIEM Simplified as an alternative to doing nothing.
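To make the point about shared defenses concrete, here is an added example, not EventTracker code and not from the article: a small Python rule set run over constructed failed-logon lines. The line format, the IP addresses, the account names and the thresholds are all assumptions made for this example. A five-minute burst rule catches the high-volume commodity attacker but misses the low-and-slow one; a seven-day count rule, the kind of basic aggregation any SIEM can do, catches both, while the legitimate user who mistypes a password twice trips neither.

```python
# Added example (not EventTracker code). Contrasts a short-window "burst"
# rule, which catches commodity brute-force traffic, with a long-window
# count rule, which catches both the burst and a low-and-slow attacker.
# Every log line below is constructed for the example; the line format,
# addresses, user names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed simplified failed-logon format: timestamp, event id, user, source.
LINE_FMT = "{ts} EventID=4625 user={user} src={src}"


def build_sample_logs():
    """Construct one week of failed-logon lines (constructed data, not real)."""
    t0 = datetime(2013, 4, 1, 8, 0, 0)
    lines = []
    # Commodity attacker: 30 failures against one account in two minutes.
    for i in range(30):
        ts = (t0 + timedelta(seconds=4 * i)).isoformat()
        lines.append(LINE_FMT.format(ts=ts, user="admin", src="198.51.100.7"))
    # Persistent attacker: one failure every six hours for about five days,
    # rotating through accounts so a per-account threshold never trips.
    users = ["alice", "bob", "carol", "dave"]
    for i in range(20):
        ts = (t0 + timedelta(hours=6 * i)).isoformat()
        lines.append(LINE_FMT.format(ts=ts, user=users[i % 4], src="203.0.113.9"))
    # Legitimate user mistyping a password twice.
    for i in range(2):
        ts = (t0 + timedelta(days=2, minutes=i)).isoformat()
        lines.append(LINE_FMT.format(ts=ts, user="bob", src="192.0.2.44"))
    return sorted(lines)  # ISO timestamps sort correctly as strings


def parse(line):
    """Split one line into its who/what/when/where fields."""
    ts, _event, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def sources_over_threshold(events, window, threshold):
    """Return the sources with >= threshold failures inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[right] - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


# Assumed thresholds: a burst rule tuned for commodity noise, and a
# long-window rule cheap enough to run over a week of data.
BURST = (timedelta(minutes=5), 10)  # opportunistic, high volume
SLOW = (timedelta(days=7), 8)       # low-and-slow


def run_rules(lines):
    """Apply both rules and report which sources each one flags."""
    events = [parse(line) for line in lines]
    return {
        "burst": sources_over_threshold(events, *BURST),
        "slow": sources_over_threshold(events, *SLOW),
    }


if __name__ == "__main__":
    result = run_rules(build_sample_logs())
    print("burst rule flagged:", sorted(result["burst"]))
    print("slow rule flagged: ", sorted(result["slow"]))
```

The burst rule alone would leave 203.0.113.9 invisible for the whole week; the long-window count is the "basic approach" that covers both cases, at the cost of a retention window a SIEM has to keep.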

Detecting Persistent Attacks with SIEM

As you read this, attackers are working to infiltrate your network and exfiltrate valuable information like trade secrets and credit card numbers. In this newsletter featuring research from Gartner, we discuss advanced persistent threats and how SIEM can help detect such attacks. We also discuss how you can quickly get on the road to deflecting persistent attacks. Read the entire newsletter here.

Industry News:

Pentagon cancels divisive Distinguished Warfare Medal for cyber ops, drone strikes

Washington Post

The special medal for the Pentagon’s drone operators and cyberwarriors didn’t last long. Two months after the military rolled out the Distinguished Warfare Medal for troops who don’t set foot on the battlefield, Defense Secretary Chuck Hagel has concluded it was a bad idea. Some veterans and some lawmakers spoke out against the award, arguing that it was unfair to make the medal a higher honor than some issued for valor on the battlefield.

Be sure to read EventTracker’s blog post discussing the creation and withdrawal of the award.

DDoS: What to Expect from Next Attacks

BankInfo Security

U.S. banking institutions are now in the fifth week of distributed-denial-of-service attacks waged against them as part of Izz ad-Din al-Qassam’s third phase. What lessons has the industry learned, and what actions do security and DDoS experts anticipate next from the hacktivists?

IT security: Luxury or commodity in these uncertain times?

SC Magazine

Written by EventTracker CEO, A.N. Ananth

Those who attended the recent World Economic Forum in Davos, Switzerland reported that the prevailing mood was “circumspect.” Though there was relief that a global financial crisis may have been averted, both companies and countries continue to experience significant economic challenges. To be sure, there is a sense that the worst has passed, but uncertainty hovers as declining tax revenues are forcing many government agencies into spending cuts. In the United States, the threat of across-the-board cuts to agency budgets (called “sequestration”) looms in the air. Companies are hesitant to use cash on the balance sheet to fuel expansion, wondering if demand exists.

EventTracker News:

EventTracker Enterprise is the only “Recommended” Product of 2013 in SC Magazine SIEM Category

EventTracker, a leading provider of comprehensive SIEM solutions announced today that SC Magazine, the information security industry’s leading news and product evaluation publication, has named EventTracker Enterprise v7.3 its only “Recommended” product and awarded it a perfect 5-Star rating in the SIEM Group Test for 2013. The full product review appears in the April issue of SC Magazine and online.

EventTracker Enterprise Wins Certificate of Networthiness from the U.S. Army

EventTracker, a leading provider of comprehensive SIEM solutions announced today that its EventTracker Enterprise v7.3 security information and event management (SIEM) solution has been awarded a Certificate of Networthiness (CoN) by the U.S. Army Network Enterprise Technology Command (NETCOM). Previously, EventTracker’s Enterprise v7.0 also achieved this distinction.

Featured Webinar:

EventTracker Enterprise v7.3 – “A big leap forward in SIEM technology”

Tuesday, April 23 at 2:00 p.m. (EDT)

Dive into the latest features and capabilities of EventTracker Enterprise v7.3 and see why SC Magazine says EventTracker “hits all of the benchmarks for a top-tier SIEM and is money well spent.”

CEO, A.N. Ananth will also go over the features highlighted in EventTracker’s recent 5-star review by SC Magazine.

One lucky webinar attendee will win a Microsoft Surface tablet, so be sure to register!

Check out a recent EventTracker blog post: Interpreting logs, the Tesla story. You can read all of EventTracker’s blogs at http://www.eventtracker.com/resources/blog/.

The current version of EventTracker is 7.3 b59. Click here for release notes. 

Watch EventTracker’s latest video “SIEM Simplified” here. Or view some of our other new videos here.

Distinguished Warfare Medal for cyber warriors

In what probably was his last move as defense secretary, Leon E. Panetta announced on February 13, 2013 the creation of a new type of medal for troops engaged in cyber-operations and drone strikes, saying the move “recognizes the changing face of warfare.” The official description said that it, “may not be awarded for valor in combat under any circumstances,” which is unique. The idea was to recognize accomplishments that are exceptional and outstanding, but not bounded in any geographic or chronologic manner – that is, it’s not taking place in the combat zone. This recognized that people can now do extraordinary things because of the new technologies that are used in war.

On April 16, 2013, barely two months later, incoming Defense Secretary Chuck Hagel withdrew the medal. It had been the first combat-related award created since the Bronze Star in 1944.

Why was it thought to be necessary? Consider the mission that killed the leader of al-Qaida in Iraq, Abu Musab al-Zarqawi, in June 2006. Reporting showed that U.S. warplanes dropped two 500-pound bombs on a house in which Zarqawi was meeting with other insurgent leaders. A U.S. military spokesman said coalition forces pinpointed Zarqawi’s location after weeks of tracking the movements of his spiritual adviser, Sheik Abdul Rahman, who was also killed in the blast. A team of unmanned aerial system (drone) operators tracked him down; it took over 600 hours of mission work to finally pinpoint him. They put the laser target on the compound he was in, and then an F-16 pilot flew six minutes, facing no enemy fire, and dropped the bombs, computer-guided of course, on that laser. The pilot was awarded the Distinguished Flying Cross.

The idea behind the medal was that drone operators can be recognized as well. The Distinguished Warfare Medal was to rank just below the Distinguished Flying Cross. It was to have precedence over — and be worn on a uniform above — the Bronze Star with “V” device, a medal awarded to troops for specific heroic acts performed under fire in combat. It was intended to recognize the magnitude of the achievement, not the personal risk taken by the recipient.

The decision to cancel the medal reflects uneasiness about the extent to which UAVs are being used in war rather than any doubt about the skill and dedication of the operators. In announcing the move, Secretary Hagel said a “device” will be affixed to existing medals to recognize those who fly and operate drones, whom he described as “critical to our military’s mission of safeguarding the nation.” It also did not help that the medal ranked above the Purple Heart and the Bronze Star.

There is no getting away from it, warfare in the 21st Century is increasingly in the cyber domain.

Interpreting logs, the Tesla story

Did you see the NY Times review by John Broder, which was critical about the Tesla Model S? Tesla CEO Elon Musk was not pleased. They are not arguing over interpretations or anecdotal recollections of experiences, instead they are arguing over basic facts — things that are supposed to be indisputable in an environment with cameras, sensors and instantly searchable logs.

The conflicting accounts — both described in detail — carry a lesson for those of us involved in log interpretation. Data is supposed to be the authoritative alternative to memory, which is selective in its recollection. As Bianca Bosker said, “In Tesla-gate, Big Data hasn’t made good on its promise to deliver a Big Truth. It’s only fueled a Big Fight.”

This is a familiar scenario to anyone who has picked through logs as a forensic exercise. We can (within limitations) try to answer four of the five W questions, Who, What, When and Where, but the fifth, Why, is elusive and takes the analyst into the realm of guesswork.

The Tesla story is interesting because interested observers are trying to deduce why the reporter was driving around the parking lot – to find the charger receptacle or to deliberately drain the battery and make for a bad review. Alas the data alone cannot answer this question.

In other words, relying on data alone, big data included, to plumb human intention is fraught with difficulty. An analyst needs context.

What is your risk appetite?

In Jacobellis v. Ohio (1964), Justice Potter Stewart famously declined to define hard-core pornography, writing, “But I know it when I see it.” This is not dissimilar to the position from which many business leaders confront the concept of “risk”.

When a business leader can describe and identify the risk they are willing to accept, then the security team can put appropriate controls in place. Easy to say, but so very hard to do. It’s because the quantification and definition of risk varies widely depending on the person, the business unit, the enterprise and also the vertical industry segment.

What is the downside of not being able to define risk? It leaves the security team guessing about what controls are appropriate. Inadequate controls expose the business to leakage and loss, whereas onerous controls are expen$ive and even offensive to users.

What do you do about it? Communication between the security team and business stakeholders is essential. We find that scenarios that demonstrate and personalize the impact of risk resonate best. It’s also useful to have a common vocabulary as the language divide between the security team and business stakeholders is a consistent problem. Where possible, use terminology that is already in use in the business instead of something from a standard or framework.