How should U.S. businesses respond to allegations that the Chinese government has been waging cyber espionage using advanced persistent threat (APT) attacks since at least 2006?
Security firm Mandiant recently threw down the gauntlet about these types of attacks, tracing exploits of 141 businesses -- across 20 industries -- to a single group based in China, which it dubbed "APT1."
The existence of such groups isn't in dispute. Indeed, China-based APT gangs appear to have been operating for at least the past six years. Such groups often use spear-phishing emails and attractive-looking but malicious attachments to compromise targeted systems and install a remote-access Trojan (RAT). Attackers then gain a back door onto the targeted network, giving them a jumping-off point for further attacks and reconnaissance, including against a company's business partners.
What is in dispute, however, is how businesses should respond. One school of thought is that they should take a more offensive posture, and gather actionable intelligence for government agencies to carry forward.
Another camp, however, argues that businesses' time and energy would be better spent shoring up defenses and patching known vulnerabilities, to minimize the fallout of the next, inevitable data breach.
In our debate, Shawn Henry, president of CrowdStrike Services, calls for identifying your adversaries and providing this information to law enforcement agencies. John Pescatore, director of emerging security trends at the SANS Institute, says the attacks should drive businesses to focus on their defenses.
What's your view? Use the commenting tool below the article to challenge these experts and share your opinion.
President, CrowdStrike Services
We have spoken of the cyber threat for far too long. Foreign adversaries have targeted every major organization in this country, and have stolen untold billions of dollars of intellectual property, research and development and corporate strategies and secrets. The volume and sophistication of cyber espionage has increased dramatically during the past five years, and it will grow, unabated, because the financial reward is incalculably high and the risk of negative consequences is almost non-existent.
Our mistake is that we are using the same approach against targeted attack actors, who actually have specific targets in mind and are not going to stop until they have reached their goal. They are relentless. It's not enough to stop their attacks once or twice; they will keep trying until they get in. The problem with existing technologies and defensive tactics is they are too focused on adversary tools (malware and exploits) and not on who the adversary is and how they operate.
This requires us to stop relying solely on "defense." The current cybersecurity approach is "vulnerability reduction," and it has largely failed for the past 20 years. We focus on hardening our networks by "defense-in-depth," using firewalls, anti-virus software, patching vulnerabilities and employing intrusion prevention systems. This approach generally stops those opportunistic actors willing to rob "any data," but the sophisticated, targeted adversary practices crafty offense, and the offense outpaces the defense. While we certainly need to continue with robust defense, we cannot let our guard down. We need to be more proactive and strategic in our approach to the adversary.
Employing a threat mitigation strategy requires an increased ability to detect and identify our adversaries, and to penalize them. This is the identical strategy we employ in the physical world every single day to thwart criminals, spies, and terrorists. They don't refrain from stealing and killing because we're too secure -- hardly! We walk down the street everyday, play in parks, shop in malls and live in houses with glass windows. We're safer, physically, because law enforcement, the intelligence community and the Department of Defense constantly identifies, mitigates, disrupts, arrests and deters the adversary.
In the cyber environment, we must assume adversaries are already inside the perimeter, and we must constantly hunt them on our networks to identify and mitigate their actions. We cannot stand by and wait for them to trip an alarm as they shake the proverbial fence, because sophisticated adversaries jump over the fence, bypassing the intrusion detection "alarm" entirely. Hunting necessitates us acquiring a better site picture of the adversaries…what assets are they targeting, what techniques are they employing, why are they here and who, exactly, are they? This is where intelligence sharing is critical. Companies can use advanced analytical technology to share actionable intelligence, enabling them to correlate data, learn the human aspects of the attack, become more predictive and identify them early enough in the attack cycle to prevent serious consequences.
By no means do I advocate vigilantism, or "hacking back." While I think companies can employ certain "active defense" strategies on their networks to make things much more difficult for the adversary, such as denial and deception campaigns designed to fool them, the primary mitigation role rests with the federal government.
Success in the cyber environment will require unprecedented coordination between private industry -- which as a whole has the ownership and ability to achieve these goals -- and governments, which are primarily authorized to investigate and penalize.
Inevitably we must bring the private sector and the government together to achieve the goal of threat deterrence. The vast majority of the intelligence that will lead to identification of the adversaries resides on private sector networks; they are, in essence, "crime scenes," and the evidence and artifacts of the breach are resident on those networks. That threat intelligence, too, can't be shared periodically via e-mail at human-speed; it needs to be shared among all victims, in real-time, at network speed. The private sector, then, can fill tactical gaps to which the government is blind. This can be done while respecting privacy, a critical and absolutely necessary element of intelligence sharing.
When the adversary is identified, the government can use its resources and actions -- law enforcement, civil, diplomatic, financial, or otherwise -- to mitigate the threat posed by these sophisticated opponents. The consistent threat posed by adversaries will subside only when the cost to operate outweighs any potential gain.
We face significant challenges in our efforts to combat the cyber threat. We must start by opening the debate on the limitations of the existing defensive-only security model and the necessity for a threat deterrence model.
I am optimistic that by strengthening partnerships, effectively sharing actionable intelligence, and successfully identifying our adversaries, with continued defensive measures, we can best protect commercial and critical infrastructure from grave damage. By jointly working together to achieve a safer cyber environment, we can shine a light on our adversaries and stop them in their tracks, instead of constantly telling victims to "just do more."
Shawn Henry is the president of CrowdStrike Services, a security technology firm focused on helping enterprises protect their most sensitive information. He retired from the FBI in 2012 as Executive Assistant Director, where he had responsibility for, among other things, FBI cyber strategy and operations worldwide.
Director, Emerging Security Trends, SANS
Consider this common scenario: your CFO clicks on a phishing email. Her PC, lacking numerous patches, gets compromised and the attacker takes advantage of the CFO's over-privileged account to log into the engineering database and steal the crown jewels of your corporate intellectual property. Six weeks later, when the compromise is finally discovered, your CEO is stomping towards you, and the InfoSec magical genie appears before you and says: "I have a way back machine and will send you back in time to the day before the compromise. You can have one new piece of knowledge to prevent the attack. What do you choose?"
Whether the attack came from a PLA commander in Beijing, a hacktivist in Helsinki or a clever teenager in Toledo shouldn't even make the top 5 things you would wish to know beforehand -- it is the attack and the vulnerabilities exploited that matter, not who launched the attack.
You see, there is a major difference between physical attacks and cyber attacks. In physical attacks, size matters. No bank can protect itself against a tank or a jet aircraft. However, that is not the case in the cyber world. That scenario above has been launched for years by cybercriminals, hacktivists and vandals -- and in recent years received a lot of press because governments are now doing so, as well. Every one of those attacks exploits the same vulnerabilities or deficiencies in critical security controls. Fix those and it doesn't matter who launched the attack. The attack is prevented, avoided or mitigated.
Have you noticed that in this wave of press about advanced targeted attacks some companies have admitted having their entire business compromised, while others have said the first stage got in but the attack failed, and still others have not had to say anything? The companies that pay attention to the blocking and tackling of minimizing vulnerabilities, shielding the unavoidable and leaning forward to detect unusual events not only stay more secure, but also usually end up spending a smaller percentage of revenue to achieve a higher level of security -- without needing to know who actually launched those attacks.
There is also a major difference between what business can and should do about attacks, and what law enforcement and governments should do. Banks don't chase bank robbers. Police departments don't prevent retail shrinkage (shoplifting and employee theft). Defense contractors don't create phony factories to keep industrial spies busy. Fighting back against attackers may sound good but it never, ever makes good business sense.
The best business strategy is the security program that avoids vulnerabilities and risks wherever possible, and minimizes the damage of the inevitable successful attack. Entering into active defense-fueled mutually assured destruction scenarios may have merits at the national defense level but never makes sense at the business level.
Look, it isn't glamorous but the best information security programs are just like the best offensive lines in football. They are the most successful when no one hears about them at all. To keep the quarterback from being sacked, they don't need to know the names of the blitzing linebackers -- they need to know what tactics the attackers use, they need to plug the gaps and they need to jump on the ball when the "skill positions" fumble.
Governments should focus on national security issues, law enforcement on chasing and punishing criminals and businesses should focus on protecting their customers' data and their stakeholders' interests. Mixing those up inevitably ends up with the quarterback sacked and the other team running away with the game.
John Pescatore joined SANS in January 2013 after more than 13 years as Gartner's lead security analyst. Prior to Gartner he ran consulting groups at Trusted Information Systems and Entrust in the firewall and PKI areas and spent 11 years building secure systems for GTE. He began his career at the National Security Agency followed by the U.S. Secret Service.