Advanced persistent threats are a way of life for many defense contractors such as Northrop Grumman, which has been seeing regular attacks from various groups for several years.

Hackers have been attempting to breach aerospace and defense company Northrop
Grumman for years to steal sensitive information, according to a Northrop
Grumman senior executive at the Gartner security summit.

APTs (advanced persistent threats) are designed to infiltrate networks at
companies and government agencies to steal intellectual property or other
sensitive information. As one of the largest defense contractors in the
country, Northrop Grumman is a lucrative target.

"These advanced attacks have been going on for several years," said Timothy
McKnight, vice president and chief information security officer at Northrop
Grumman, during a panel discussion on APTs at the Gartner Security and Risk
Management Summit in Washington, D.C., June 21.

Northrop Grumman has created profiles of about a dozen distinct groups constantly
battering the company, based on the information collected by its monitoring,
detection and prevention systems, McKnight said. The cyber-intelligence group
keeps tabs on the attackers, including attack procedures used and the kind of

A typical attack method involves using zero-day vulnerabilities to compromise
end-user machines, according to McKnight. About 300 zero-day attack attempts
were recorded last year, and the pace has ramped up enormously to several
exploits coming in throughout the day.

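The profiling McKnight describes, grouping detection events by attacker group and watching the rate of zero-day attempts, can be illustrated with a small defender-side script. This is an added example, not Northrop Grumman's tooling or code from the article; the log format, the group labels (G3, G7), the host names and the "300 per year" baseline threshold are constructed assumptions used only to show the idea.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample detection events (not real telemetry): one line per
# observed attempt, with key=value fields emitted by a hypothetical sensor.
SAMPLE_LOG = """\
2011-05-02T09:14:00Z sensor=ids group=G3 technique=zero-day target=ws-14 outcome=blocked
2011-05-02T11:40:00Z sensor=mail group=G3 technique=spearphish target=ws-14 outcome=blocked
2011-05-03T08:02:00Z sensor=ids group=G7 technique=known-cve target=db-02 outcome=blocked
2011-05-04T10:30:00Z sensor=ids group=G3 technique=zero-day target=ws-21 outcome=blocked
2011-05-04T13:05:00Z sensor=ids group=G3 technique=zero-day target=ws-22 outcome=blocked
2011-05-04T16:48:00Z sensor=ids group=G7 technique=zero-day target=ws-09 outcome=blocked
2011-05-04T17:10:00Z sensor=edr group=G7 technique=zero-day target=ws-09 outcome=contained
"""


def parse_events(text):
    """Parse the constructed key=value log lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def build_profiles(events):
    """One profile per attacker group: attempt count, techniques, targets, activity window."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev["group"], {
            "attempts": 0,
            "techniques": set(),
            "targets": set(),
            "first_seen": ev["ts"],
            "last_seen": ev["ts"],
        })
        p["attempts"] += 1
        p["techniques"].add(ev["technique"])
        p["targets"].add(ev["target"])
        p["first_seen"] = min(p["first_seen"], ev["ts"])
        p["last_seen"] = max(p["last_seen"], ev["ts"])
    return profiles


def daily_counts(events, technique="zero-day"):
    """Count attempts of one technique per calendar day (ISO date -> count)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["technique"] == technique:
            counts[ev["ts"].date().isoformat()] += 1
    return dict(counts)


def ramp_up_days(counts, yearly_baseline=300, factor=3.0):
    """Days whose count is at least `factor` times the per-day rate implied by
    a yearly baseline (assumed here: 300 attempts/year, as in the article)."""
    baseline_per_day = yearly_baseline / 365.0
    return sorted(day for day, n in counts.items() if n >= factor * baseline_per_day)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for group, prof in sorted(build_profiles(evs).items()):
        print(group, prof["attempts"], sorted(prof["techniques"]), sorted(prof["targets"]))
    print("zero-day ramp-up days:", ramp_up_days(daily_counts(evs)))
```

The ramp-up check is the point: a yearly total of 300 is well under one attempt per day, so any day with several zero-day attempts stands out immediately once the rate is computed per day rather than per year.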
"An attack, in order to succeed, needs to exploit a vulnerability," John
Pescatore, a Gartner distinguished analyst, said during a separate discussion
at the summit.

APTs don't always target zero-days, but may exploit an existing vulnerability
that an organization might not think was applicable, Pescatore said. APTs
simply compromise an organization's security defense by taking advantage of a
threat it is not monitoring for, over an extended period of time, while
stealing data or causing some other type of damage, he said. For example, an
attack that was previously used to steal money may be redirected to target

Attackers tend to do a lot of research on a targeted company to identify beforehand the
kind of intellectual property they are interested in, and the employees who may
have access to it, Northrop Grumman's McKnight said.

Threats tend to evolve about every five years or so as technology changes,
Pescatore said. The current crop of attacks is different from previous attacks
in that they are usually financially motivated and supported by large
organizations. The organizations in question may be organized criminal rings or
nation-states, according to Pescatore.

Although nation-states may be behind APTs, these threats aren't symptoms of
systematic industrial espionage or state-to-state cyber-warfare yet, said
Pescatore, and likely won't be for at least the next four years or so.
Nation-states will still opt to bribe or blackmail key government personnel
into causing "cyber-damage" to another nation-state, rather than
launch long-lived cyber-attacks, Pescatore said.

Organizations should exercise due diligence, including having proper vulnerability, patch and
configuration management and intrusion prevention systems, and managing access
privileges to detect APTs, Pescatore recommended. Completely preventing an APT
is at best theoretical, he said.

IT departments should also harden networks and databases, such as by using
application whitelists and network access control. Finally, organizations
should increase their use of sandboxing, situational awareness and forensics
capabilities, Pescatore said.

Northrop Grumman shut down its network in May shortly after fellow contractor
Lockheed Martin detected attempts on its network. The Lockheed
breach has since been linked to the RSA breach
in March, in which attackers used the information stolen
from the earlier incident to create cloned tokens used in the later attack.
Although Northrop Grumman was hit around the same time, no such link has yet been