Francis deSouza, President of Products and Services at Symantec, gives a keynote at RSA Conference US 2013 about the role of big data and security intelligence for protection against advanced persistent threats, breaches and sophisticated cyber attacks.
Good morning! A major international brand was recently breached by what was likely a nation state actor; and no, I’m not talking about the hack of Justin Bieber’s Twitter account last week.
I was talking to the Chief Information Security Officer of that organization, and as we were discussing the incident remediation plan, he looked at me and made two interesting observations.
First, he said that he’d been approached since his breach by many security vendors that all talked to him about the single offering they had that will protect him from advanced persistent threats.
Now, he was too smart to fall for that. But that breach had left him feeling very viscerally the asymmetry of the business we are in: the difference between the advantages that the attackers had vs. the advantages that his security team had. And he wondered out loud if it was ever going to be possible, even with his dozens and dozens of security products, for him to bridge that gap.
Now, we all know in the security business that it’s inherently an asymmetric business. The reality is: the attackers have to be right just once, whereas we on the defense have to be right every time. And that asymmetry, that difference in advantage, shows up in many ways.
A few minutes ago we had Symantec publish a white paper on our recent findings on Stuxnet. We now have evidence that Stuxnet actually had its command and control servers alive in 2005. That’s five full years before anyone had previously thought.
We also just published details of an earlier variant of Stuxnet that we’ve captured that we call Stuxnet 0.5. And Stuxnet 0.5 behaves very differently from Stuxnet 1.0 that was found in 2010.
Yes, they both targeted the Iranian uranium enrichment facilities, but the way they did it was very different. As you remember, what Stuxnet 1.0 did was it attacked the high-frequency centrifuge motors, and it disabled the plant by accelerating those motors from 1000 Hz to about 1400 Hz, so the plant went out of control.
Well, Stuxnet 0.5 a few years earlier tried a different attack. Instead of attacking the motors, what that malware did was it took over the valves that controlled the flow of uranium hexafluoride, the gas, into the centrifuges. Turns out, actually, that you can cause a lot of damage by messing with the high pressure in the centrifuge in a uranium enrichment facility.
Now, the other thing that this finding points out, though, is that we are now entering close to the end of the first decade of weaponized malware. And as the new malware variants that we see, things like Duqu and Flame, show, the research and the sophistication of these cyber weapons has continued to develop. And access to these cyber weapons has continued to get more and more democratized.
There are lots of other places this asymmetry of advantage shows up; it showed up for us last week, when we were running our annual internal cyber war games at Symantec. This is an internal contest we have, where we invite teams of our best and brightest from around the company to compete.
And this year for the finals that we held in Mountain View last week, we actually simulated the critical infrastructure of a country. And we brought in a lot of real components, including controllers that run industrial power plants and other industrial systems.
Now, as we were setting it up, our team discovered very quickly a number of critical security flaws in some of this equipment. Now, I’m not going to name any manufacturer, for obvious reasons, but I’ll tell you that in some of the equipment that we found the administrative password was hardwired into that system. And not only was it hardwired – now, it was an 8-character password, so I’ll give it that – but the password was 12345678, and that password was always sent in the clear.
Now, around the world across industries – airlines, power plants, banking systems, health care systems – security teams are charged and given the responsibility to defend systems that were never designed with security in mind. And on the other side of the attack they’re facing this customized, weaponized malware. That gap, that advantage, seems to get bigger and bigger.
So, what I’m going to do over the next few minutes and the rest of this talk is talk about what we are seeing from a threat landscape perspective: what have we seen as the big trends over the last year, and how are we thinking about addressing this advantage gap.
Now, we’ve talked for a couple of years about the five stages of a breach.
1. The first stage is where the attackers will do reconnaissance: they’ll do research on the organizations they are targeting, and in a lot of cases on the specific individuals within the organization they are targeting. We saw one attack where the attackers did social media research on the IT professional they were targeting. They found out that that person had four children, and they led a spear phishing attack on that individual, offering him discounted health insurance for families that had more than three children. So, first stage – reconnaissance.
2. Second stage is the incursion stage: how they actually get into an enterprise. We saw an attack over the last year where a businessman had his smartphone compromised as he was going through the security line in a foreign airport. The attackers then got his corporate credentials off his smartphone and used that to enter the corporate network. So, second stage – incursion.
3. Third stage is the discovery stage. Our analysis shows that this sometimes takes a few months within an organization, as the attackers will map out the network as well as the critical assets on that network.
4. The fourth stage is the capture stage, where they get the assets that they were after.
5. The fifth stage is the exfiltration stage, where they’ll take the data out of the company.