August 04, 2011
Security Threats, Statistics, Shady RATs, Hype and Hoaxes in the News
There's been a lot of buzz in the security blogosphere, and more than a little hyperbolic press coverage (including a screaming headline on the front page of this morning's Silicon Valley Mercury News), in the last 24 hours over a new whitepaper from McAfee, Revealed: Operation Shady RAT, released in conjunction with this week's Black Hat security conference.
That paper reveals some of the details of a wide-ranging and long-lived series of targeted intrusions affecting "70+ global companies, governments and non-profit organizations during the last 5 years."
The report describes how McAfee apparently gained access to a command and control server used in this series of attacks, exposing logs that revealed extensive information about the nature of the intrusions. According to McAfee, the campaign compromised systems at some 72 organizations worldwide, including US and other government agencies, enterprises in numerous industries, and non-profit organizations.
While a lot of the media coverage of this report has had a strong element of sensationalism ("Hacker Armageddon," anyone?) these sorts of reports can be extremely instructive in explaining the importance of IT security to those who don't spend their lives immersed in the security space.
McAfee's report doesn't specifically say what sort of systems were compromised, what data was actually exposed, or who is behind the intrusions themselves (I'm not unique in pointing this out; tip of the pen to Graham Cluley for his good insights). Even so, it sounds like many of these compromises were likely the result of rather basic lapses in security.
As we've seen in so many other recent attacks, the initial vector appears to have been email. Dmitri Alperovitch, VP of threat research for McAfee, writes in that report:
"The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware."
Furthermore, Alperovitch notes that McAfee's own products have detected the malware used in these intrusions "for years" under the "Generic Downloader.x" and "Generic BackDoor.t" heuristic signatures. In other words, the implant was not novel; it landed on machines that were unpatched and where the first-stage email was not stopped.
So it appears that highly effective email security and malware detection systems, timely patching, and a healthy dose of end-user education ("Don't click links in email, mmm-kay?") remain the front line of defense against hacker Armageddon, state-sponsored cyberterror, the good old "Advanced Persistent Threat," or whatever you want to call this.
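To make the "front line" concrete, here is an added example of the attachment-screening step that an email gateway would perform on the kind of message the report describes. This is illustrative code written for this post, not McAfee's or Proofpoint's code and not anything from the Shady RAT report; the sample message, the magic-byte table, the extension policy and the hash deny list are all constructed assumptions, and a real gateway would also sandbox the document rather than rely on these static checks alone.

```python
"""Inbound attachment triage (illustrative; constructed sample data)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Leading bytes of a few container types that exploit documents and
# droppers commonly arrive in. Partial, illustrative list (assumption).
MAGIC = {
    b"MZ": "executable",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy Office formats
    b"PK\x03\x04": "zip",                          # also OOXML documents
}

# Extensions a gateway should never deliver as raw attachments (assumed policy).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Constructed stand-in for a signature / known-bad hash feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}


def sniff(data: bytes) -> str:
    """Classify content by leading bytes, ignoring the declared filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons (possibly none) this attachment should be quarantined."""
    reasons = []
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    # Declared type vs. actual content: a "PDF" that starts with MZ is a dropper.
    if sniff(data) == "executable" and ext not in BLOCKED_EXT:
        reasons.append(f"executable content disguised as {ext or 'no extension'}")
    # Double extension such as report.pdf.exe
    parts = name.split(".")
    if len(parts) > 2 and "." + parts[-2] in {".pdf", ".doc", ".xls", ".jpg"}:
        reasons.append("double extension")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("matches known-bad hash")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse one RFC 5322 message and triage every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdicts[fname] = triage_attachment(fname, data)
    return verdicts


def build_sample() -> bytes:
    """Constructed spear-phish lookalike: one 'PDF' is really an MZ stub."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "finance-director@example.com"
    msg["Subject"] = "Updated compensation schedule"
    msg.set_content("Please review the attached schedule before Friday.")
    fake_pdf = b"MZ" + b"\x90" * 62 + b"\x00" * 20      # constructed, not real malware
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Schedule.pdf")
    real_pdf = b"%PDF-1.4\n% constructed benign sample\n"
    msg.add_attachment(real_pdf, maintype="application", subtype="pdf",
                       filename="Agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "QUARANTINE" if reasons else "deliver", reasons)
```

Running it quarantines Schedule.pdf (MZ header behind a .pdf name) and delivers Agenda.pdf. The useful design point is that the content check runs before the filename check is trusted: the report's attack chain depends on a recipient opening a document that looks legitimate, so the declared type is exactly the thing not to rely on.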
This is not to downplay what appears to be a general increase in these sorts of threats. It behooves security professionals to continually evaluate their current security posture and the effectiveness (both threat-effectiveness and cost-effectiveness) of the solutions they have deployed.
The Bloomberg "hacker Armageddon" article quoted earlier notes recent Gartner Dataquest research showing that bigger security players like McAfee and Symantec have actually been losing share in the security software market (share for the top five vendors is down from 60% in 2006 to 44% in 2010) because best-of-breed solutions from smaller vendors are continually being introduced. (And yes, Proofpoint is one of the companies that continues to benefit from this overall trend.)
One thing I wanted to leave you with: when presented with media coverage of any sort of statistics, it's extremely helpful to seek out the original source report rather than simply taking press interpretations at face value. You probably saw a great example of this earlier this week, when a report implying that Internet Explorer users had lower IQs than users of other web browsers was revealed to be a (fairly obvious) hoax.
Be safe out there, OK?