Cyber attacks are growing in frequency and sophistication. The 4-month attack on The New York Times is fascinating (to me, anyways) in how expansive it was.
- Multiple layers of security are required.
- Close monitoring and analysis of application behavior is required.
- Sandboxing and whitelisting — while often annoying for users — are effective in isolating / containing intrusions.
Emphasis in red added by me.
Brian Wood, VP Marketing
Why the Times let hackers stay awhile
Last week’s disclosure by The New York Times that Chinese hackers had infiltrated its computer systems offers a sharp lesson in cyber defense. Instead of kicking out the hackers when they were first discovered, the company kept an eye on them long enough to follow their trail, writes Antone Gonsalves at CSO magazine.
During a four-month attack, the hackers installed a great deal of malware on the Times’ computers, most of which went undetected by the company’s antivirus program. The hackers stole passwords of reporters and other employees as the paper was preparing to publish an investigative article on business deals that reaped China’s prime minister billions of dollars.
The Times learned in September that it could be the target of hackers, and asked its ISP to be on the look-out for strange activity in outbound traffic. When AT&T (NYSE: T) reported unusual activity, the paper opened an investigation. A spear-phishing attack is believed to have given the hackers their entree, after which they installed remote access tools to take data.
By monitoring the hackers’ activity before shutting them out, the paper was able to gather important information. For one, they could see whether they were infiltrating from more than one access point. Also, they were able to determine that the hackers’ main goal may have been to find out who was giving reporters information for the investigative article.
Lesson learned in cyberattack on The New York Times
The New York Times’ description of a cyberespionage campaign waged against the news media company by Chinese hackers demonstrates the importance of assuming criminals will eventually break into a computer system, and the best defense is to detect the intrusion as soon as possible.
On Wednesday, The Times disclosed that hackers had persistently attacked its computer systems for four months, and had stolen passwords for reporters and employees. Rather than boot the hackers immediately, The Times chose to study their movements in order to build better defenses against them.
The attacks coincided with an investigative piece the newspaper published Oct. 25 on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China’s prime minister.
The lessons learned from the attack apply to any organization targeted by hackers with a level of sophistication often financed by a nation-state. Potential victims typically include defense contractors, multinational corporations, the military, think tanks and government agencies.
Over the course of the attacks on The Times, the intruders installed 45 pieces of custom malware. With the exception of one instance, the Symantec antivirus software in use detected none of the malware.
One important step the company took in September, when it learned it might be targeted by hackers in China, was to notify its Internet service provider to watch for unusual activity in outbound traffic from the network, experts said Thursday. AT&T eventually did report seeing anomalies, which started The Times’ investigation and led to its hiring of security firm Mandiant to help it monitor and eventually remove the hackers.
The newspaper believes the hackers initially broke in Sept. 13 through a spear-phishing attack, which is when carefully crafted emails are sent to specific people within an organization to trick them into opening a malware-carrying attachment or visiting a malicious website. The break-in occurred while The Times was completing its reporting for the Wen family story.
Besides employee education, ways to combat spear phishing include technology on the laptop that only allows pre-approved applications to run. Called whitelisting, the technology is difficult to manage, because employees will constantly seek permission to run other software.
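To make the whitelisting trade-off concrete, here is an added example (not code from the article or from any product it names) of a hash-based application allowlist. It keeps a set of SHA-256 digests of approved executables and refuses anything else by default: an unknown binary such as a phishing attachment is blocked, but so is a legitimate update to an approved program until someone re-approves it, which is exactly the management overhead the article describes. The executables, labels and the `review` workflow are constructed for illustration.

```python
"""Hash-based application allowlisting, deny by default.

Added example; the binaries below are constructed byte strings standing in
for real executables, and the approval workflow is a hypothetical model of
the administrative review the article calls management overhead.
"""
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of an executable's bytes; the allowlist is keyed on this."""
    return hashlib.sha256(content).hexdigest()


class Allowlist:
    def __init__(self):
        self.approved = {}   # digest -> label of an approved executable
        self.pending = {}    # digest -> label awaiting administrator review

    def approve(self, content: bytes, label: str) -> None:
        self.approved[digest(content)] = label

    def check(self, content: bytes):
        """Return (allowed, reason). Anything not explicitly approved is blocked,
        including a modified copy of an approved program (its digest differs)."""
        d = digest(content)
        if d in self.approved:
            return True, "approved: " + self.approved[d]
        return False, "blocked: not on allowlist"

    def request_approval(self, content: bytes, label: str) -> int:
        """User asks for a blocked program; returns the size of the review queue."""
        d = digest(content)
        if d not in self.approved:
            self.pending[d] = label
        return len(self.pending)

    def review(self, label: str, accept: bool) -> bool:
        """Administrator resolves one pending request by label."""
        for d, pending_label in list(self.pending.items()):
            if pending_label == label:
                del self.pending[d]
                if accept:
                    self.approved[d] = label
                return True
        return False


# Constructed stand-ins for executables (hypothetical, not real binaries).
EDITOR_V1 = b"editor-app version 1"
EDITOR_V2 = b"editor-app version 2"        # a routine update, one byte changed
ATTACHMENT = b"invoice.pdf.exe payload"    # an unknown program from an email


def scenario():
    """Walk through the three cases and return their outcomes."""
    policy = Allowlist()
    policy.approve(EDITOR_V1, "editor 1.0")
    approved_ok = policy.check(EDITOR_V1)[0]
    attachment_ok = policy.check(ATTACHMENT)[0]
    update_ok_before = policy.check(EDITOR_V2)[0]
    # The update is blocked until someone approves it; that request is the
    # overhead the article warns about, and it recurs with every new version.
    queue = policy.request_approval(EDITOR_V2, "editor 2.0")
    policy.review("editor 2.0", accept=True)
    update_ok_after = policy.check(EDITOR_V2)[0]
    return {
        "approved": approved_ok,
        "attachment": attachment_ok,
        "update_before_review": update_ok_before,
        "queue_length": queue,
        "update_after_review": update_ok_after,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the digest, not the file name or path, is the identity: a renamed attachment gains nothing, and a tampered copy of an approved program is treated as unknown.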
“There’s a lot of management overhead with it, but I think from a security standpoint, it’s the right way to go,” George Tubin, senior security strategist for Trusteer, said.
Other technology to prevent infection from an employee laptop includes sandboxing that limits applications only to the network resources that they need. Another option is micro-virtualization, which isolates the laptop from business applications and data by running risky tasks within a micro virtual machine.
Other options include exploit detection technology that makes it difficult for hackers to take advantage of vulnerabilities in software. Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET) is an example of such technology, as well as products from Cyvera, Lawrence Pingree, analyst for Gartner, said.
Once The Times’ computers were compromised, the hackers installed remote access tools, known as RATs, in order to steal data. Once malware gets in computer systems, one of the better ways of catching it is through appliances that monitor application behavior and network traffic.
Another technology is a security information and event management (SIEM) system, which can capture and analyze logs from network hardware and software to flag abnormalities. Leading SIEM vendors include Hewlett-Packard, EMC-owned RSA, McAfee, Symantec, LogLogic and Q1 Labs, says Gartner.
In general, there is no one technology to combat a sophisticated attack like the one against The Times. Organizations that could become targets have to build layers of security that start with the employee laptop and build inward into the network behind the firewall.
“All of these strategies need to be used together,” Pingree said. “There’s no silver bullet for security solutions.”
For companies that have the resources, The Times’ strategy of monitoring the hackers’ movements can reveal important intelligence, said Wolfgang Kandek, chief technology officer for Qualys.
For example, hackers may build several openings into a network, so shutting them out too quickly could lead to missing one of those backdoors, Kandek said. “It makes sense to watch for awhile.”
The Times said it was able to close every backdoor in its network and to use the intelligence it gathered to determine the additional security technology needed to fend off future attacks.
The company also determined that the hackers seemed primarily interested in finding the names of people who might have provided information to the reporter of the Wen family story, Shanghai bureau chief David Barboza. No customer data was stolen.
The hackers infiltrated the computers of 53 employees, most of them outside the newsroom. The attackers tried to cover their tracks by first breaching computers at U.S. universities and then routing the attacks through them, Mandiant said.
Mandiant believes the hackers are members of a group the company calls “A.P.T. Number 12,” for Advanced Persistent Threat. The group is one of 20 tracked by Mandiant that are spying on organizations in the U.S. and around the globe.
China’s Ministry of National Defense denied it had anything to do with the cyberattacks.
The Times is not the first U.S. news media company to be targeted after reporting on Chinese leaders and corporations. Last year, Chinese hackers tried to penetrate the computers of Bloomberg News after it published a June 29 article on the wealth accumulated by relatives of then Vice President Xi Jinping, who became general secretary of the Communist Party in November and is expected to become president in March.
Also, The Wall Street Journal reported Thursday that its computer systems had been infiltrated by Chinese hackers bent on monitoring the newspaper’s China coverage. The break-ins at the three companies along with reports of breaches at other news outlets indicate a widespread campaign to spy on U.S. media, the Journal said.