Northrop Grumman Regularly Repels Advanced Attacks Seeking Sensitive Data

Advanced persistent threats are a way of life for many defense contractors such as Northrop Grumman, who has been seeing regular attacks from various groups for several years.

Organized hackers have been attempting to breach aerospace and defense company Northrop Grumman for years to steal sensitive information, according to a Northrop Grumman senior executive at the Gartner security summit.

The APTs (advanced persistent threats) are designed to infiltrate networks at companies and government agencies to steal intellectual property or other sensitive information. As one of the largest defense contractors in the country, Northrop Grumman is a lucrative target.

"These advanced attacks have been going on for several years," said Timothy McKnight, vice president and chief information security officer at Northrop Grumman, during a panel discussion on APTs at the Gartner Security and Risk Management Summit in Washington, D.C., June 21.

Northrop Grumman has created profiles of about a dozen distinct groups constantly battering the company based on the information collected by its monitoring, detection and prevention systems, McKnight said. The cyber-intelligence group keeps tabs on the attackers, including attack procedures used and the kind of malware designed.

A typical attack method involves using zero-day vulnerabilities to compromise end-user machines, according to McKnight. About 300 zero-day attack attempts were recorded last year, and the pace has ramped up enormously to several exploits coming in throughout the day.

"Every attack, in order to succeed, needs to exploit a vulnerability," John Pescatore, a Gartner distinguished analyst, said during a separate discussion at the summit.

However, APTs don't always target zero-days, but may exploit an existing vulnerability that an organization might not think was applicable, Pescatore said. APTs simply compromise an organization's security defense by taking advantage of a threat it is not monitoring for, over an extended period of time, while stealing data or causing some other type of damage, he said. For example, an attack that was previously used to steal money may be redirected to target non-financial operations.

Attackers tend to do a lot of research on a targeted company to identify beforehand the kind of intellectual property they are interested in, and the employees who may have access to it, Northrop Grumman's McKnight said.

Security threats tend to evolve about every five years or so as technology changes, Pescatore said. The current crop of attacks is different from previous attacks in that they are usually financially motivated and supported by large organizations. The organizations in question may be organized criminal rings or nation-states, according to Pescatore.

Even though nation-states may be behind APTs, these threats aren't symptoms of systematic industrial espionage or state-to-state cyber-warfare yet, said Pescatore, and likely won't be for at least the next four years or so. Nation-states will still opt to bribe or blackmail key government personnel into causing "cyber-damage" to another nation-state, rather than launch long-lived cyber-attacks, Pescatore said.

Organizations should exercise due diligence, including having proper vulnerability, patch and configuration management and intrusion prevention systems, and managing access privileges to detect APTs, Pescatore recommended. Completely preventing an APT is at best theoretical, he said.

IT departments should also harden networks and databases, such as using application whitelists and network access control. Finally, organizations should increase their use of sandboxing, situational awareness and forensics capabilities, Pescatore said.

Northrop Grumman shut down its network in May shortly after fellow contractor Lockheed Martin detected attempts on its network. The Lockheed Martin breach has since been linked to the RSA Security breach in March in which attackers used the information stolen from the earlier incident to create cloned tokens used in the later attack.

Even though Northrop Grumman was hit around the same time, no such link has yet been announced.