ITC Security Threat of the Week – The China Syndrome

ITC Security Threat of the Week – Week 4: The China Syndrome

This week’s research publication by Mandiant, complete with photographs of anonymous buildings in China, has raised awareness of the Advanced Persistent Threat, or APT. Mandiant’s research, if you were to swallow it whole, fingers China, the People’s Liberation Army and, more specifically, unit 61398 (Mwahahaha) for a large chunk of targeted malware.

The Mandiant report is very ‘focussed’ in that it does not report on the espionage activity of any nation other than China. Perhaps we should believe that there is none and that, like rubber ducks, all APTs are ‘Made In China’.

Reading around this report and the subject more broadly, it is clear that hacking is becoming more deterministic and less opportunistic. Hidden beneath the spamware botnet landfill are targeted attacks delivered via compromised websites that specific groups of individuals are likely to visit (for instance, websites offering accommodation near the target’s offices), spear phishing emails or the Stuxnet blunt instrument – USB drives.

The message is clear. Targeted infiltration is on the up. Everyone is a potential target provided they have information that can be used to someone else’s advantage. The ‘it’s far too big to be true’, head-in-the-sand denial no longer stands. How many individuals actually have data on mergers and acquisitions? How many individuals can manipulate the prices of commodities? How many individuals are on the boards of the FTSE 100 companies? These are very manageable numbers in terms of targets.

It is a fact that anti-virus does not detect a large swathe of malware: specifically, malware exploiting zero-day vulnerabilities (and this, it would appear, is where the Chinese excel, because unlike the West they do not have a market economy in zero-days, preferring to keep their weapons in their war chest) and, more mundanely, software which users actually elect to install and run when prompted, or just rotten, bug-ridden applications like popular document publishing and reading software (you know who you are). So what can be done?

It is imperative that CIOs and CISOs take it for granted that they are under attack, that the threat is real and needs to be hunted. You need to look for droppings to know you have a rat and you need to set a trap to get that rat (apologies to UB40).

ITC’s Netsure360° security platform analyses inbound traffic and compares it with known vulnerabilities; outbound traffic is analysed for connections to known bad destinations, and all downloaded content can be scanned and marked. Network devices can be assured before being allowed to join the network and barred instantly if they start exhibiting rat-like behaviour.

Of course, if you take the Mandiant report at face value and have no business with the Chinese, traffic to and from this geography can be banned. But we all know it’s not that simple. Don’t we?