Defending Against Advanced Cyber Attacks

Posted: August 13, 2013 in Computer Security, Cyber Security, Issues
Tags: , , , ,

To defend against today’s advanced cyber attacks we need to fully utilize existing solutions and technologies to address “standard threats” and develop more robust defenses to address the APT. As it is no longer possible to partition cyberspace into “secure” and “insecure” networks and systems, a new model is needed to replace the traditional model of access control. Since the impacts to the economy and national security are severe, government, industry, the general public, and academics should be working together in developing initiatives to mitigate APT’s. In this blog post we outline components of a comprehensive defense that should be undertaken by all four stakeholders in order to defend against the APT. It should be noted that we discuss aspects that we believe should be priorities in defending against today’s threats. This list is not exhaustive and may change with the development of new technologies, changes in policies, and the increasing capabilities of adversaries. Many of the techniques are drawn from measures already begun in the U.S. and EU nations. Both share the common characteristics of being vulnerable due to technology applications permeating all aspects of the economy, yet also demonstrating stronger resilience toward external cyber threats because of a continued effort to improve defenses.

Government
National cyber security strategy

A comprehensive cyber policy governing the nation’s cyber security should be at the centerpiece of a robust defense. This strategy should tie together all stakeholders because one weak component is all that is needed to bring the whole system down. An important component of this strategy is the identification of critical information infrastructure and assets and the design of defenses that reflect the asymmetrical nature of cyber warfare. In May 2009 Cyberspace Policy Review [25] identified cyber security as one of the most serious economic and national security challenges faced by the U.S. As a result President Obama ordered a National Cybersecurity Framework [26], building on the Comprehensive National Cybersecurity Initiative (CNCI), an effort to secure the United States in cyberspace that began under the previous administration.  The NATO Cooperative Cyber Defense Centre of Excellence issued a National Cyber Security Framework Manual in 2012 [27] intended to help academics and policy makers examine all the relevant factors of security cyber space in the national context.

 Centralized cyber defense command

In war, nothing slows down a response more than lack of a unified command. A centralized team is needed to coordinate efforts between different branches of the armed forces, company and national CSIRTs (Computer Security Incident Response Teams), government agencies, and law enforcement. This team would sort through all the data and be the single source of information providing fast and accurate reports to the relevant decision makers.

Public-private cooperation

In the past traditional targets of war included defense of infrastructure vital to the nation’s economic sustainability and sovereignty of a state e.g. utilities, border regions, centers of government, etc. Nowadays industry is often targeted for the same reasons with adversaries intent on damaging the economy or stealing intellectual property. Cooperation between government-industry is vital to a strong defense because both parties have unique sets of strengths and weaknesses that can be overcome with collaboration.

International law

Global critical information infrastructure or assets providing products and services to the public, for example Public Key Infrastructure, should be governed under international law. Governments do not run the internet, nevertheless an international legal framework could be effectively used to govern the management of global critical infrastructure and assets with sanctions for corporations, institutions, and governments that fail to meet a certain level of assurance. It should be understood that a successful attack against any of these assets constitute an attack on the safety of the internet user anywhere in the world. NATO has been developing a legal framework called the Tallinn Manual on the International Law Applicable to Cyber Warfare [28]. The manual addresses issues including sovereignty, responsibility of nations, the jus ad bellum, international humanitarian law, and the law of neutrality. Cyber warfare will be an important part of defense in the 21st century; therefore it must be addressed properly by the international community to prevent unnecessary casualties.

Domestic Laws

Many countries now have laws to deal with crime in cyberspace. Some have taken a step further by regulating information security of banks and other financial institutions. In countries that lack adequate consumer right protection laws, this top down approach may be the only way to ensure that companies deal with information security issues due to the reluctance of bearing the costs of developing secure human resources, policies, and infrastructure. Thoroughly written legislation can go far in forcing corporations to improve their security infrastructure and management practices in order to protect consumers and the economy in general. However, due care must be taken to prevent overregulation of cyber security, when legislation mandates the specific technologies to be used in securing public infrastructure instead of governing policies, management, and general best practices. Governments and lawmakers must not replace the role of IT experts as they are obviously less qualified to provide sound advice. Moreover, new technologies and vulnerabilities are being developed continuously, and if legislation were based on specific technology, everyone is put at risk when that technology becomes obsolete or found to be vulnerable. Overregulation would also interfere with the information security industry caused by unfair state-backed monopolies.

International cooperation

Since cyber threats transcend geo-political boundaries, oftentimes cooperation between countries is needed to deal with them. Investigations and responses to attacks may require cross-border access to information or internet traffic management. Training and practical joint cyber defense exercises are one way to simulate real-life situations and to practice dealing with communication and cooperation problems during an attack. NATO has been organizing such war-games in Europe through its Cooperative Cyber Defence Centre of Excellence since 2010.

National CSIRTs

Constant monitoring of networks and its flow of traffic with signatures and reporting capabilities is an essential part of collecting intelligence on attacks. National CSIRTs will take this intelligence and work with the relevant parties in order to mitigate attacks.

Vulnerability Management

The U.S. maintains a National Vulnerability Database. This database is publicly available thus enabling anyone to refer to it for updates on software vulnerabilities. The Security Content Automation Protocol (SCAP) drives updates to this database allows swift updating of this database, leading to faster detection time of compromises. With the information maintained in this database if an organization secures its infrastructure accordingly, its security level will be significantly increased, leaving only zero-days to deal with.

Cybersecurity workforce

There are estimates that North Korea has as many as 4000 trained cyber warfare specialists [29]. According to a recent report, China is estimated to have hundreds if not thousands of cyber warfare specialists in Unit 61398 of the People Liberations Army [30]. The most powerful APTs are nation states, and all of them are investing heavily in equipping their human resources with the skills needed to develop sophisticated malware. The U.S National Cybersecurity Workforce framework is a response to the need of highly skilled cyber security professionals working for the right side.  Following the 2007 attacks, the voluntary Estonia Defence League’s Cyber Unit (EDL CU) was established. This initiative allows talented cyber specialists to participate in national defense without needing to work full time for government or military, and provides an outlet for youth to positively contribute to cyber security.

Industry
Robust systems & software development

Most security holes are caused by poor programming practices. If nation states are to stand any chance against the APT, then security must be built into software by design, not as an afterthought. A clear message to the software industry can be sent if government agencies were required by law to use fulfilling a certain standard.  Standards could include software provision of security features such as control flow integrity, stringent input validation, or sandboxing.

Company CSIRTs

Have the same function as national CSIRTs, but cover the scope of company assets. Should have much more detailed detection capabilities because the networks monitored are limited in scope.

Regular penetration tests

Also known as red teaming, penetration testing is used to simulate a real world attack scenario to identify the most likely attack vectors. Most IT organizations would not be aware of their vulnerabilities until an external independent party conducted an audit or pentest.

Social engineering awareness

The majority of APT attacks exploit human vulnerabilities as their initial entry point, however not enough attention has been brought to seriously address this. It is just as important to consider the security level of employees, as it is to deploy the state of the art firewalls, antivirus, and IDS devices. Apart from ensuring awareness programs and compliance of security policies, social engineering tests should be regularly carried out in order to assess the security robustness of the human factor. Limitation of employee participation in social networks should also be considered as the information gained could be used in launching an attack against the organization. Since the beginning of warfare, people have been the first line of defense. Technology has not and never will replace the human factor.

End point security

From a management perspective, it is vital to document and control everything running on the company computers. Even if the IT security team is vigilant in monitoring vulnerability databases and patch releases, if the technical support team does not know which computers are vulnerable, tremendous effort would be required to ensure every machine is secured.

Public
Information

The public must be kept informed of current risks and how to protect themselves. The U.S. National Cyber Awareness System is an excellent example of how detailed information can be presented in a format that is easy to understand. The system provides up-to-date information about high-impact types of security activity affecting the community at large, timely information about current security issues, vulnerabilities, and exploits. Aside from information tailored for the IT professionals, the general public should also be made aware of social engineering attack scenarios and how to prevent them. The media plays a central role here, and balanced, informative reporting is absolutely necessary.

Protection of rights

Citizens of a country should have the legal right to privacy of personal information, to be notified and be able hold organizations accountable for misuse or failure to protect their data or finances, and to demand strong security measures from their government. These rights go hand in hand with the need to be informed of the latest risks stated earlier.

Research
Malware analysis and strain mapping

Security labs and CSIRTs should be working on understanding the threats before they’re made known to the bad guys. Continued antivirus and intrusion detection system upgrades should not only be reactive. Unknown malware detection by heuristics and other methods need to be researched and implemented widely. Databases of vulnerabilities and exploits exist so we can manage risk. In-depth analysis of malware is needed to find commonalities to define patterns. These patterns needed to accurately detect and defend against future attacks.

Strong protocol schemes

Secure communications depends on secure protocols. Schemes that have been widely used, such as SSL, have been proven to contain vulnerabilities. Online Identity Management: Today’s users have to manage tens or hundreds of accounts across a myriad of online applications and services. Several offerings exist to manage online identities [31]. A new approach to online identity management is the National Strategy for Trusted Identities in Cyberspace. Strong schemes can help to minimize harms if a website with weak security suffers a data breach as user account details are handled by a third party provider with stronger systems.

References:
[25] U.S.Cyberspace Policy Review. 2009
[26] S.M. Kerner, “Obama Orders National Cybersecurity Framework,” eSecurity Planet [online] 13 February 2013, Available: http://www.esecurityplanet.com/hackers/obama-orders-national-cybersecurity-framework.html (Accessed 18 April 2013)
[27] National Cyber Security Framework Manual
[28] Tallinn Manual on the International Law Applicable to Cyber Warfare
[29] Youkyung Lee, “North Korea Cyber Warfare: Hacking ‘Warriors’ Being Trained In Teams, Experts Say,” The Huffington Post [online] 24 March 2013, Available: http://www.huffingtonpost.com/2013/03/24/north-korea-cyber-warfare-warriors-trained-teams_n_2943907.html (Accessed: 18 April 2013)
[30] Mandiant M-Trends Report 2013
[31] K. Tracy. “Identity management systems,” IEEE Potentials, 27 (6), 2008, pp. 34–37

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s