Chasing What’s Already Gone – Cyberwar

Cyberwar is upon us.  Last month it was disclosed that the White House Military Office had been attacked.  Thousands of sensitive records have been stolen from the Pentagon.  Major banks have been compromised.

The administration has introduced legislation to address these threats.  Among the provisions of The Cybersecurity Act are data sharing rules.  In his Cyberwar Pearl Harbor speech, Secretary of Defense Panetta explained data sharing:

Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure and resilient global, digital infrastructure. Particularly those who operate the critical networks that we must help defend.  To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace. We’ve made real progress in sharing information with the private sector.  But very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive.  Companies should be able to share specific threat information with the government, without the prospect of lawsuits hanging over their head.  And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold.

Being unsatisfied with the progress of this legislation in Congress, the administration is now drafting an executive order.

The fundamental assumption of the legislation and the draft executive order is that prompt reporting of threats will be useful. The premise is that as an attack propagates over time, information gathered from early victims can be used to defend and protect subsequent victims. The flaw in this analysis is that highly targeted attacks do not propagate over time. The bad guys are using unique domains and unique malware to infiltrate systems.  FireEye has established that the most common threat profile is to use a single-use throw-away domain:

Microsoft research has demonstrated that unique attacks are the rule:

Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question “How many threat variants are there?” Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware’s ability to generate new variations of itself.

Finding the attack on Company A provides little useful information in protecting Company B.  By the time the attack on Company A has been discovered, the bad guy has created a new message, a new domain and new malware to attack Company B.  Sharing the information about the attack on Company A is chasing what’s already gone.  Mary Chapin Carpenter’s “Chasing What’s Already Gone” is a fine song, but chasing what’s already gone is a poor cybersecurity strategy.

What is common in spearphishing attacks?  While the attack will use a new domain and new malware and even the text of the email will change, the bad guy will masquerade as a trusted sender.  By unmasking the attacker, SP Guard from Iconix provides another layer of defense. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more. You can contact us at 408-727-6342, ext 3 or use our online form.
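As an added illustration of the argument above (this is not code from the original post or from Iconix, and every domain, hash and sender-directory entry in it is constructed): the indicators shared from the attack on Company A match nothing in the message that reaches Company B, while a check that the claimed sender's display name agrees with that sender's real domain still flags the masquerade.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed indicators "shared" after the attack on Company A (made-up values).
COMPANY_A_INDICATORS = {
    "domains": {"invoice-update-7f3a.example"},
    "attachment_sha256": {"0" * 64},
}

# Constructed directory of senders Company B trusts: display name -> real domain.
TRUSTED_SENDERS = {"Acme Payroll": "acme.example"}

# Constructed message that reaches Company B: same pretext, new domain, new payload.
COMPANY_B_EMAIL = """From: "Acme Payroll" <payroll@acme-notice.example>
Reply-To: billing@acme-notice.example
Subject: Updated direct deposit form
Content-Type: text/plain

Please review the updated form at http://deposit-forms-91c0.example/form
"""
COMPANY_B_ATTACHMENT_SHA256 = "1" * 64  # constructed, differs from Company A's

DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def indicator_hits(raw_email, attachment_sha256, indicators):
    """Return the shared indicators (domains or hashes) that match this message."""
    msg = message_from_string(raw_email)
    seen = set(DOMAIN_RE.findall(msg.get_payload()))
    seen.add(parseaddr(msg["From"])[1].split("@")[-1].lower())
    hits = seen & indicators["domains"]
    if attachment_sha256 in indicators["attachment_sha256"]:
        hits.add(attachment_sha256)
    return hits

def masquerade_check(raw_email, trusted):
    """Return (display name, expected domain, actual domain) when the From display
    name claims a trusted sender but the address domain is not that sender's;
    None when the name is not one we vouch for or the domain matches."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg["From"])
    domain = addr.split("@")[-1].lower()
    expected = trusted.get(name)
    if expected is None or domain == expected:
        return None
    return (name, expected, domain)
```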
