help – my thermostat is calling home to china -- pn 12-22-11
TRANSCRIPT
Help – My Thermostat is Calling Home to China! IBM/Q1 Labs Blog Post by Phil Neray (December 2011)
According to a report earlier this week in the Wall Street Journal, a group of hackers in China broke into the U.S. Chamber of Commerce's network around November 2009 and were not discovered until more than a year later. The hackers likely used a spear-phishing attack to install spyware on end-user machines. The spyware was used to steal employee administrative credentials, which were then used to install about a half dozen backdoors that communicated with computers in China every week or two. The hackers stole sensitive Chamber data such as trade-policy documents, meeting notes, trip reports and schedules, and emails containing the names of companies and individuals in contact with the Chamber. They even used their own search tools to locate documents containing keywords related to financial and budget information, and stole all emails from four targeted employees – who worked on Asia policy – for approximately six weeks during one portion of the attack.

And here's an interesting twist – a thermostat at a Chamber townhouse on Capitol Hill was communicating with an Internet address in China, and a printer spontaneously started printing pages with Chinese characters.

The Chamber represents the interests of U.S. companies in Washington and its members include most of the nation's largest corporations. As a result of this incident, the organization's COO concluded that "It's nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in. It's the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again."

So how can next-generation SIEM and Security Intelligence help?

First, we should acknowledge that compliance mandates would probably not have helped this organization be better prepared for this attack. The attack targeted intellectual property (IP) – rather than cardholder data, financial data, PII or PHI – and, unlike those data types, IP is not the subject of any specific compliance regulation. Although next-generation SIEM can certainly help in streamlining compliance processes – by centralizing and automating compliance reporting and addressing log retention requirements for regulations such as PCI, SOX, data privacy laws and HIPAA/HITECH – it provides significant added value by helping to proactively detect attacks such as this one.

Second, the fact that the hackers were in the network for more than a year before being detected is not unusual. According to the 2011 Data Breach Investigations Report, more than 60% of breaches remain undiscovered for a period of months or longer (versus days or weeks). And according to Kim Peretti, former senior counsel at the U.S. Department of Justice, "Our most formidable challenge is getting companies to detect they have been compromised." Why? Because most organizations still rely on basic logs that are widely dispersed across their infrastructures – combined with manual, after-the-fact log analysis – so the signals of an intrusion are virtually impossible to pick out because they simply get lost in the noise.

Continuous real-time monitoring of all network and system activity – combined with real-time event correlation and automated behavior profiling – can help by rapidly identifying suspicious, anomalous or out-of-policy events, such as:
• A server (or thermostat) communicating with an IP address in China. Geolocation alone is a coarse signal; the stronger indicator here is an embedded device that has no business reason to talk outside the enterprise at all, doing so on a regular schedule.
• An unusual Windows service starting up, such as a backdoor or spyware program.
• A spike in network activity, such as a high volume of downloads from a SharePoint server.
• A high number of failed logins to critical servers, which can indicate a brute-force password attack.
• A configuration change, such as an unauthorized port being enabled.
• An inappropriate use of protocols and applications, such as sensitive data being exfiltrated via P2P or social media applications; in this case, detection requires application-aware (Layer 7) monitoring with flow analysis and deep examination of packet content.
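The following is an added example, written for this transcript and not code from Q1 Labs, QRadar or the original post. It shows what four of the correlation rules above look like when run over log records: an embedded device (the thermostat) talking outside the enterprise on a regular beacon interval and to a watch-listed country, a burst of failed logons to a domain controller, a newly installed Windows service, and a per-user download volume far above its learned baseline. The flow and event records, the internal address ranges, the asset classes, the per-user baselines and every threshold are constructed for the example; the GeoIP table maps the TEST-NET-3 documentation prefix 203.0.113.0/24 to "CN" purely so the rule has something to match, and is not a real country allocation. Windows System log event ID 7045 (Service Control Manager: a service was installed) is real.

```python
"""Toy SIEM-style correlation rules over constructed log records.

Added example, not Q1 Labs/QRadar code. Record shapes, address ranges,
asset classes, baselines and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed enterprise address space and asset inventory (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ASSET_CLASS = {"thermostat-1": "embedded", "sharepoint-1": "server", "dc-1": "server"}
# Constructed GeoIP table: TEST-NET-3 stands in for a watch-listed country.
GEO = {ip_network("203.0.113.0/24"): "CN"}
WATCHLIST_COUNTRIES = {"CN"}
FAILED_LOGIN_THRESHOLD = 5                  # failures within FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
DOWNLOAD_SPIKE_FACTOR = 10                  # bytes vs. the user's learned baseline
BEACON_TOLERANCE = timedelta(minutes=5)     # jitter allowed between beacon intervals


def is_internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL_NETS)


def country(ip):
    a = ip_address(ip)
    return next((c for n, c in GEO.items() if a in n), None)


def rule_external_beacon(flows):
    """Embedded devices egressing at all, watch-listed destinations, and
    regular (beacon-like) intervals from one source to one destination."""
    alerts, by_pair = set(), defaultdict(list)
    for f in flows:
        if is_internal(f["dst"]):
            continue
        by_pair[(f["src"], f["dst"])].append(f["ts"])
        if ASSET_CLASS.get(f["src"]) == "embedded":
            alerts.add(("EMBEDDED_EGRESS", f["src"], f["dst"]))
        if country(f["dst"]) in WATCHLIST_COUNTRIES:
            alerts.add(("WATCHLIST_COUNTRY", f["src"], f["dst"]))
    for (src, dst), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= BEACON_TOLERANCE:
            alerts.add(("PERIODIC_BEACON", src, dst))
    return sorted(alerts)


def rule_failed_logins(events):
    """Sliding-window count of logon failures per target host."""
    alerts, fails = set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "logon_failure":
            continue
        q = fails[e["host"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > FAILED_LOGIN_WINDOW:
            q.pop(0)
        if len(q) >= FAILED_LOGIN_THRESHOLD:
            alerts.add(("BRUTE_FORCE", e["host"]))
    return sorted(alerts)


def rule_new_service(events):
    """Event 7045 = a service was installed; anything outside the expected set is flagged."""
    known = {"Spooler", "wuauserv"}  # constructed allowlist of expected service names
    return sorted({("NEW_SERVICE", e["host"], e["service"])
                   for e in events if e.get("event_id") == 7045 and e["service"] not in known})


def rule_download_spike(flows, baseline):
    """Behaviour profiling: bytes served to a user vs. that user's learned baseline.
    Users with no baseline are not scored here; they need a profile first."""
    totals = defaultdict(int)
    for f in flows:
        if ASSET_CLASS.get(f["src"]) == "server" and f.get("user"):
            totals[(f["user"], f["src"])] += f["bytes"]
    return sorted(("DOWNLOAD_SPIKE", u, s) for (u, s), b in totals.items()
                  if b > DOWNLOAD_SPIKE_FACTOR * baseline.get(u, float("inf")))


# Constructed sample data: one beaconing thermostat, two SharePoint readers,
# six failed logons to the DC in six minutes, two service installs.
T0 = datetime(2011, 12, 20, 8, 0)
FLOWS = [
    {"ts": T0, "src": "thermostat-1", "dst": "203.0.113.7", "bytes": 1200},
    {"ts": T0 + timedelta(days=9), "src": "thermostat-1", "dst": "203.0.113.7", "bytes": 1300},
    {"ts": T0 + timedelta(days=18), "src": "thermostat-1", "dst": "203.0.113.7", "bytes": 1250},
    {"ts": T0, "src": "sharepoint-1", "dst": "10.0.5.20", "bytes": 45_000_000, "user": "alice"},
    {"ts": T0, "src": "sharepoint-1", "dst": "10.0.5.21", "bytes": 2_000_000, "user": "bob"},
]
EVENTS = [
    *({"ts": T0 + timedelta(minutes=i), "type": "logon_failure", "host": "dc-1"} for i in range(6)),
    {"ts": T0, "type": "service_install", "host": "ws-17", "event_id": 7045, "service": "WinUpdSvc"},
    {"ts": T0, "type": "service_install", "host": "ws-18", "event_id": 7045, "service": "Spooler"},
]
BASELINE = {"alice": 1_000_000, "bob": 1_000_000}  # constructed per-user daily byte baselines


def run_all():
    return (rule_external_beacon(FLOWS) + rule_failed_logins(EVENTS)
            + rule_new_service(EVENTS) + rule_download_spike(FLOWS, BASELINE))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The beacon rule deliberately fires on three independent grounds, because in practice the geographic match is the weakest of them: a device class that should never egress, and a destination contacted at a fixed interval, both survive the attacker simply moving the command-and-control host to another country.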
More information on how organizations can leverage a unified, continuous monitoring architecture to reduce risk can be found in this whitepaper, "Countering Advanced Threats."