help – my thermostat is calling home to china -- pn 12-22-11


Help – My Thermostat is Calling Home to China! IBM/Q1 Labs Blog Post by Phil Neray (December 2011)

According to a report earlier this week in the Wall Street Journal, a group of hackers in China broke into the U.S. Chamber of Commerce’s network around November 2009 and were not discovered until more than a year later. The hackers likely used a spearphishing attack to install spyware on end-user machines. The spyware was used to steal employee administrative credentials, which were then used to install about a half dozen back doors which communicated with computers in China every week or two. The hackers stole sensitive Chamber data such as trade-policy documents, meeting notes, trip reports and schedules, and emails containing the names of companies and individuals in contact with the Chamber. They even used their own search tools to locate documents containing keywords related to financial and budget information, and stole all emails from four targeted employees – who worked on Asia policy – for approximately six weeks during one portion of the attack. And here’s an interesting twist – a thermostat at a Chamber town house on Capitol Hill was communicating with an Internet address in China, and a printer spontaneously started printing pages with Chinese characters. The Chamber represents the interests of U.S. companies in Washington and its members include most of the nation's largest corporations. As a result of this incident, the organization’s COO concluded that “It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in. It's the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again."

So how can next-generation SIEM and Security Intelligence help?

First, we should acknowledge that compliance mandates would probably not have helped this organization be better prepared for this attack. The attack targeted intellectual property (IP) – rather than cardholder data, financial data, PII or PHI – and there aren’t any compliance regulations that apply to IP. Although next-generation SIEM can certainly help in streamlining compliance processes – by centralizing and automating compliance reporting and addressing log retention requirements for regulations such as PCI, SOX, data privacy laws and HIPAA/HITECH – it provides significant added value by helping to proactively detect attacks such as this one.

Second, the fact that the hackers were in the network for more than a year before being detected is not unusual. According to the 2011 Data Breach Investigations Report, more than 60% of breaches remain undiscovered for a period of months or longer (versus days or weeks). And according to Kim Peretti, former senior counsel at the U.S. Department of Justice, “Our most formidable challenge is getting companies to detect they have been compromised.” Why? Because most organizations still rely on basic logs which are widely dispersed across their infrastructures – combined with manual, after-the-fact log analysis – making it virtually impossible to detect any intruder alarms because the information simply gets lost in the noise. Continuous real-time monitoring of all network and system activity – combined with real-time event correlation and automated behavior profiling – can help by rapidly identifying suspicious, anomalous or out-of-policy events, such as:

• A server (or thermostat) communicating with an IP address in China.
• An unusual Windows service starting up, such as a backdoor or spyware program.
• A spike in network activity, such as a high volume of downloads from a SharePoint server.
• A high number of failed logins to critical servers, which can indicate a brute-force password attack.
• A configuration change, such as an unauthorized port being enabled.
• An inappropriate use of protocols and applications, such as sensitive data being exfiltrated via P2P or social media applications; in this case, detection requires application-aware (Layer 7) monitoring with flow analysis and deep examination of packet content.

More information on how organizations can leverage a unified, continuous monitoring architecture to reduce risk can be found in this whitepaper, “Countering Advanced Threats.”

Courtesy of the Wall Street Journal.