DOS Attacks Grab Headlines, But Stealthy Threats Are The Real Story
Widespread vulnerabilities, poorly configured systems and other weaknesses are enabling attackers to easily gain access to the network, in some cases maintaining a presence for months or years while pilfering sensitive data, said Ron Gula, a pen tester and CEO of Columbia, Md.-based Tenable Network Security.
Gula joined former Gartner analyst John Pescatore, now director of emerging security trends at the SANS Institute; Dov Yoran, a malware expert at New York-based startup ThreatGrid; and Peter Kuper, a partner at In-Q-Tel, the investment arm of the CIA, in a wide-ranging discussion on the threat landscape with reporters during a media event last week.
Pescatore has been an advocate of the Twenty Critical Controls for Effective Cyber Defense, a document created by a government-led consortium to outline steps organizations can take to improve their defensive posture and protect data and infrastructure from attacks. Organizations would be better able to defend against attacks if they conducted a thorough risk assessment and proactively addressed vulnerability and configuration weaknesses, Pescatore said. Distributed denial-of-service (DDoS) attacks can be used as a tool in a compounded attack to overwhelm and disable a network security system, but the biggest threat comes from smaller, focused attacks, he said.
"The one that makes the press is the biggest one ever, which is about as meaningful as the world's hottest cup of coffee," Pescatore said of the recent DoS attack aimed at Spamhaus. "You don't need 300-Gbps attacks; you just need a very focused attack at the things you are aiming at."
DoS attacks have gained attention following ongoing high-profile attacks targeting U.S. banks. Business-critical Internet connections require DoS filtering as a backup mechanism to ensure that systems aren't crippled by an attack, Pescatore said. Many organizations rely on their upstream service provider for protection.
Most of the high-profile DoS attacks are done by hacktivist groups to raise awareness about a cause and gain widespread attention, Gula said.
"If you are attacking someone and you don't want to be detected, the last thing you want to do is raise their awareness," he said. "When I was a pen tester for the NSA, every time we did a big vulnerability scan that made their [intrusion detection system] light up, we immediately raised their awareness. They're going to start looking around for an attacker. They're going to check everything."
The most sophisticated attacks and advanced malware don't need to hide behind a DoS attack to successfully penetrate an organization, said Yoran, who founded ThreatGrid to quickly analyze sophisticated malware and now works mainly with large banks and financial clients. Yoran said he suspects ulterior vendor motives around the attention given to DoS.
"There's nothing sophisticated or particularly sexy about it," Yoran said. "There are a lot more sophisticated things our clients are asking us to look deeper into and most are targeted toward generic vulnerabilities."
The panelists said the recent Mandiant report shed light on targeted attacks by providing evidence that many of the cyberespionage attacks are funded and coordinated by China. It raised awareness about the specter of intellectual property theft, the scale of attacks and the need to address the problem before it spirals out of control, said In-Q-Tel's Kuper. With spending projected to reach more than $60 billion globally on IT security, the U.S. needs to determine if money is being spent in the right places and on the right capabilities, Kuper said.
"You are seeing absolutely organized, structured smash-and-grabs where it's literally damaging to the United States economy," Kuper said. "They are stealing intellectual property that we would be minting for our benefit but is now going to be replicated over there."
The problem of intellectual property theft and targeted attacks still stems from widespread software vulnerabilities, the inability of businesses to keep systems updated with the latest security patches and poorly executed security programs, Pescatore said.
"If I am a company and broken into by China, by teenage kids in Staten Island or by cybercriminals in Russia, it doesn't matter where it came from," Pescatore said. "It's about detecting, stopping and preventing and ultimately protecting my business."
PUBLISHED APRIL 8, 2013