The recent security breach at Lockheed Martin confirmed that the attacks we saw with Operation Aurora, identified by McAfee, and Stuxnet are just the beginning of a new era of targeted attacks. Cybercriminals are now executing the perfect plan to get closer to their target without raising any red flags. In the case of Operation Aurora, more than 30 U.S. companies experienced data breaches, including Google, which lost intellectual property (IP). We are very sure that this is not the end, but the beginning of a new era. A paradigm shift in the current model of security is required as soon as possible.
Sure enough, a series of attacks followed: Night Dragon, the attack on EMC, which put SecurID tokens at risk, Sony, and, most recently, Lockheed Martin.
Lockheed Martin is very important to the U.S. as a defense contractor. Some of the most critical information, such as the arsenal used in the Afghanistan war and future military technology, resides in the Lockheed Martin network. I don’t want to speculate on how the attackers were able to break in, but there are multiple theories, one being spear-phishing. Some blogs and reports are correlating the Lockheed Martin attack with the EMC breach, where the attacker entered the network via a VPN. Lockheed Martin has neither confirmed nor denied this, so we have to wait for the information to unfold.
At McAfee, we see 55,000 new pieces of malware each day. There are 2,000,000 (2 million) malicious websites detected each month. These numbers cannot be managed by patches or blacklisting technology alone. But before we talk about the solution, let’s look at the anatomy of an attack. Any attack involves three stages:
You should be able to dissect any attack (e.g. Operation Aurora, Night Dragon, Stuxnet and possibly other future attacks) into these three stages. Let me briefly explain the protection. For blacklisting solutions, we need to have a signature to stop the exploit of the vulnerability, or behavior-based detection to identify that something is wrong; but behavior-based detection is not 100% effective, and signatures for zero-day vulnerabilities are not always available. Therefore, the attackers will successfully be able to go to step 2 after exploiting the “zero-day” vulnerability. Don’t forget, Stuxnet used four “zero-day” vulnerabilities. This is not a story from the movie Mission Impossible or Swordfish. This is real. Once the vulnerability is exploited, the attacker can execute a payload and connect to a command and control center to download more malicious code, such as keyloggers and sniffers.
With a shift to application whitelisting solutions, you can protect against all stages of an attack. Memory protection will prevent the attacker from exploiting the vulnerability and, in case the attacker is successful in exploiting the vulnerability, the payload will not be able to execute from disk or from memory because the payload is not part of the whitelist.
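To make the difference between the two models concrete, here is an added example (not McAfee code or any product's logic) that models a signature blacklist and a path-plus-hash application whitelist over a few constructed execution events; the paths, file contents and signature set are all made up.

```python
import hashlib

# Constructed inventory of known-good binaries (bytes stand in for executable contents).
KNOWN_GOOD = {
    "/usr/bin/ssh": b"ssh-binary-v1",
    "/opt/app/server": b"server-binary-v1",
}
# A blacklist only knows malware that has already been seen and signatured.
MALWARE_SIGNATURES = {hashlib.sha256(b"old-keylogger").hexdigest()}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Whitelist: path -> expected hash, built from the known-good inventory at deploy time.
ALLOWLIST = {path: sha256(content) for path, content in KNOWN_GOOD.items()}

def blacklist_decision(content: bytes) -> str:
    """Signature-based: deny only if the hash matches a known malware sample."""
    return "deny" if sha256(content) in MALWARE_SIGNATURES else "allow"

def allowlist_decision(path: str, content: bytes) -> str:
    """Application whitelisting: execute only if BOTH path and hash are on the list."""
    expected = ALLOWLIST.get(path)
    if expected is None:
        return "deny"   # unknown binary, e.g. a payload dropped after an exploit
    if expected != sha256(content):
        return "deny"   # whitelisted path, but the contents were tampered with
    return "allow"

# Constructed execution events: (path, contents loaded for execution).
EVENTS = [
    ("/usr/bin/ssh", KNOWN_GOOD["/usr/bin/ssh"]),          # legitimate binary
    ("/tmp/.x/payload", b"never-seen-stage2-dropper"),     # zero-day payload, no signature
    ("/opt/app/server", b"server-binary-v1-backdoored"),   # trojanized whitelisted path
    ("/tmp/kl", b"old-keylogger"),                         # previously seen malware
]

def evaluate(events=EVENTS):
    """Return (path, blacklist verdict, whitelist verdict) for each event."""
    return [(p, blacklist_decision(c), allowlist_decision(p, c)) for p, c in events]

if __name__ == "__main__":
    for path, bl, al in evaluate():
        print(f"{path:20} blacklist={bl:5} whitelist={al}")
```

The never-seen payload and the tampered server binary pass the blacklist but are denied by the whitelist; only execution from disk is modelled here, so in-memory payloads need the memory protection discussed above.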
It is time to change the current structure of security – we need a combination of whitelisting and blacklisting solutions.
Look for a solution that can cater to both your server and desktop environments and supports Unix as well as Windows operating systems.
For Lockheed Martin, there is a possibility that the breach is linked to the RSA token breach. Regardless, it is a crucial reminder that we must design a layered defense. While designing the internal layer, we should assume that the outer defense layer has already been breached. Application whitelisting is going to play a huge role in security architecture in the years to come! Next time you are designing a security architecture with VPN, firewall, two-factor authentication or antivirus, ask yourself a simple question: If there is a zero-day vulnerability, will a security breach on my system be prevented by any of these technologies?