Organized hackers have been attempting to breach aerospace and defense company Northrop Grumman for years to steal sensitive information, according to a Northrop Grumman senior executive at the Gartner security summit.
The APTs (advanced persistent threats) are designed to infiltrate networks at companies and government agencies to steal intellectual property or other sensitive information. As one of the largest defense contractors in the country, Northrop Grumman is a lucrative target.
"These advanced attacks have been going on for several years," said Timothy McKnight, vice president and chief information security officer at Northrop Grumman, during a panel discussion on APTs at the Gartner Security and Risk Management Summit in Washington, D.C., June 21.
Northrop Grumman has created profiles of about a dozen distinct groups constantly battering the company, based on the information collected by its monitoring, detection and prevention systems, McKnight said. The cyber-intelligence group keeps tabs on the attackers, including the attack procedures they use and the kind of malware they develop.
A typical attack method involves using zero-day vulnerabilities to compromise end-user machines, according to McKnight. About 300 zero-day attack attempts were recorded last year, and the pace has since increased sharply, with several exploit attempts arriving over the course of a single day.
"Every attack, in order to succeed, needs to exploit a vulnerability," John Pescatore, a Gartner distinguished analyst, said during a separate discussion at the summit.
However, APTs don't always target zero-days; they may instead exploit an existing vulnerability that an organization did not think was applicable to it, Pescatore said. APTs compromise an organization's security defenses by taking advantage of a threat it is not monitoring for, and they do so over an extended period of time while stealing data or causing some other type of damage, he said. For example, an attack previously used to steal money may be redirected to target non-financial operations.
Attackers tend to do a lot of research on a targeted company to identify beforehand the kind of intellectual property they are interested in, and the employees who may have access to it, Northrop Grumman's McKnight said.
Security threats tend to evolve about every five years or so as technology changes, Pescatore said. The current crop of attacks is different from previous attacks in that they are usually financially motivated and supported by large organizations. The organizations in question may be organized criminal rings or nation-states, according to Pescatore.
Even though nation-states may be behind APTs, these threats aren't symptoms of systematic industrial espionage or state-to-state cyber-warfare yet, said Pescatore, and likely won't be for at least the next four years or so. Nation-states will still opt to bribe or blackmail key government personnel into causing "cyber-damage" to another nation-state, rather than launch long-lived cyber-attacks, Pescatore said.
Organizations should exercise due diligence, including having proper vulnerability, patch and configuration management and intrusion prevention systems, and managing access privileges, in order to detect APTs, Pescatore recommended. Completely preventing an APT is at best theoretical, he said.
IT departments should also harden networks and databases, for example by using application whitelists and network access control. Finally, organizations should increase their use of sandboxing, situational awareness and forensics capabilities, Pescatore said.
Northrop Grumman shut down its network in May, shortly after fellow contractor Lockheed Martin detected attempts on its network. The Lockheed Martin breach has since been linked to the March breach of RSA Security: attackers used information stolen in the earlier RSA incident to create cloned tokens that were then used in the later attack on Lockheed Martin.
Even though Northrop Grumman was hit around the same time, no such link has yet been announced.