‘Nation-state sponsored cyber attacks’ – A powerful statement, and one that represented the majority of recent headlines in press articles about the Gauss malware. With the targeted nature of the attack, and its complexity cited as examples to support ‘Gauss-es’ of the attribution.
Whilst the speculation makes for excellent media stories and fuels alcohol induced debates at security conferences – for the beleaguered CISO faced with the threats it really becomes nothing more than an afterthought. Whether we are discussing, Flame, Gauss, Night Dragon, or any other attack; the first question asked will be;
Is my organisation impacted?
Of course, dependent on the answer, there is likely to be a whole host of additional answers sought by management; such as what information was leaked, how long was the threat on our network, and why didn’t you stop it? Some organisations may well rephrase the last question to ask why didn’t we stop it?
The key question that should be (and not always is) asked is how do we prevent from being compromised again? Threats of this nature are invariably difficult to detect, which explains why with Gauss the threat appeared to be active for 10 months. Authors will dedicate efforts with the explicit intention of remaining as stealthy as possible, a far cry from website defacements and declarations on social media of compromised organisations, or intended targets. The standard response is as expected to be ‘Defence in depth’, and quite rightly so. As was documented in the McAfee Advanced Persistent Threat, Solution brief; ‘There is no silver bullet for APTs because it’s more than firewall and IPS, more than anti-malware, and more than data loss prevention’.
Those tasked with building the defenses have to be well-funded and versed in information security. They also need to be patient in building an effective security management programme as developing security maturity does not happen overnight, and is a repetitive process. For example, initiating security awareness is a continuous process that demands constant reminders for employees on adopting best practices. When we consider the ‘modus operandi’ for many of these ‘APT’ types of attacks, they invariably utilise the inherent human propensity to click before they think!
Sharing information about the threats allows organizations to begin to answer that initial question. Although the answer may be painful, there is no benefit in burying one’s head in the sand, and without it building the defences to mitigate the risk of it happening again becomes almost impossible!
McAfee EMEA CTO