How did intrusions go on for five years without being noticed?
Dan Raywood, news editor, SC Magazine
The Shady RAT report published by McAfee this week found that some sensitive organisations had been under attack for up to five years.
Back in June last year, ArcSight president and CEO Tom Reilly told me that he had met with the CEO of a company who had suffered 'the largest breach in history', and said that while his technology could not have stopped the breach, it could have stopped it going on for '18 months'.
This led me to think: surely some sort of security information and event management (SIEM) technology would have detected this on the first intrusion and stopped the lengthy invasion? I spoke with Bill Roth, chief marketing officer at LogLogic, who said most people are under-protected and do not consider the reality of the advanced persistent threat (APT) or think that it will affect them.
He said: “There has been a major change in the way that black hat hacking is done; it is now about stealth and taking one's time. The trapdoors are laid slowly over time with one event a day or a week, it is among white noise.
“Now it is a case of you will get hacked, as the black hat only has to get it right once while you have to be protected all of the time. A system that is focused on storing large amounts of data needs to detect these things.”
Likewise Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “The way this attack was spotted is a lesson to all organisations about how they should approach IT security in future.
“By collecting and analysing log data it was possible to locate where traffic flow was coming from. In addition, using log data in this way meant data loss and the methods by which it was extracted could be identified.
“Unfortunately many firms are wasting this valuable resource. In order to spot vulnerabilities in real time it is essential that organisations have automated, centralised systems in place that collect and monitor 100 per cent of log data on an ongoing basis.”
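Roth's description of "one event a day or a week ... among white noise" and Brewer's point that analysing collected log data located the traffic flow describe a concrete detection difference: a rule that looks at one day's volume never sees a low-and-slow channel, while a rule computed across the whole retained log window does. The following Python is an added example, not code from the article, McAfee, LogLogic or LogRhythm. It builds a constructed proxy log (the log format, the internal hosts, the RFC 5737 documentation addresses and the beacon pair are all assumptions) and runs both rules over it.

```python
"""Low-and-slow beacon detection over a long log window (added example).

Not code from the article or from any vendor product. A synthetic proxy log
is constructed and two detection rules are compared:

  * a per-day volume threshold, which only fires on a burst;
  * a persistence score over the whole retained window, which flags a
    (source, destination) pair that is quiet every day but present on
    almost every day, i.e. "one event a day ... among white noise".
"""
from collections import defaultdict
from datetime import date, timedelta
import random

# Constructed identifiers: RFC 5737 documentation ranges for external
# addresses, a private range for internal hosts. None refers to a real incident.
BEACON_PAIR = ("10.1.4.22", "203.0.113.9")
INTERNAL_HOSTS = [f"10.1.4.{i}" for i in range(10, 20)]
EXTERNALS = [f"198.51.100.{i}" for i in range(1, 41)]


def build_sample_log(days=60, seed=7):
    """Return constructed log lines covering `days` consecutive days."""
    rng = random.Random(seed)
    start = date(2011, 6, 1)
    lines = []
    for d in range(days):
        day = (start + timedelta(days=d)).isoformat()
        # Legitimate bulk traffic: busy pairs with 4..40 events each per day.
        for src in rng.sample(INTERNAL_HOSTS, 6):
            for dst in rng.sample(EXTERNALS, 5):
                for _ in range(rng.randint(4, 40)):
                    hour = rng.randint(0, 23)
                    lines.append(f"{day}T{hour:02d}:00:00Z src={src} dst={dst} "
                                 f"bytes={rng.randint(200, 90000)}")
        # One-off low-volume visits: a destination seen on a single day only.
        for _ in range(3):
            src = rng.choice(INTERNAL_HOSTS)
            dst = f"192.0.2.{rng.randint(1, 254)}"
            for _ in range(rng.randint(1, 3)):
                lines.append(f"{day}T{rng.randint(0, 23):02d}:30:00Z src={src} "
                             f"dst={dst} bytes={rng.randint(200, 5000)}")
        # The beacon: exactly one small event per day, skipping every seventh day.
        if d % 7 != 6:
            src, dst = BEACON_PAIR
            lines.append(f"{day}T03:15:00Z src={src} dst={dst} bytes=412")
    rng.shuffle(lines)
    return lines


def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ src=... dst=... bytes=...' (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return date.fromisoformat(ts[:10]), fields["src"], fields["dst"], int(fields["bytes"])


def daily_counts(lines):
    """Map (src, dst) -> {day: event_count}; also return the window length in days."""
    counts = defaultdict(lambda: defaultdict(int))
    days = set()
    for line in lines:
        day, src, dst, _ = parse_line(line)
        counts[(src, dst)][day] += 1
        days.add(day)
    window = (max(days) - min(days)).days + 1
    return counts, window


def volume_threshold_alerts(lines, per_day_threshold=30):
    """Naive rule: alert on any pair that exceeds the threshold on a single day."""
    counts, _ = daily_counts(lines)
    return {pair for pair, per_day in counts.items()
            if max(per_day.values()) > per_day_threshold}


def persistence_alerts(lines, min_day_fraction=0.8, max_events_per_day=3):
    """Long-window rule: alert on pairs that never exceed a few events on any
    day but are present on at least `min_day_fraction` of the retained days."""
    counts, window = daily_counts(lines)
    return {pair for pair, per_day in counts.items()
            if len(per_day) >= min_day_fraction * window
            and max(per_day.values()) <= max_events_per_day}


if __name__ == "__main__":
    log = build_sample_log()
    print("per-day threshold alerts:", len(volume_threshold_alerts(log)),
          "pairs; beacon included:", BEACON_PAIR in volume_threshold_alerts(log))
    print("persistence alerts:", persistence_alerts(log))
```

The persistence rule only works if the whole window is retained and indexed as one data set; trimming the log to a few days, or alerting day by day without state, reduces it to the naive rule. The thresholds (80 per cent of days, three events per day) are illustrative choices and would need tuning against a real baseline, where legitimate daily services such as NTP or update checks would also score as persistent and must be allow-listed.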
Nathan McNeill, co-founder and chief strategy officer at remote working solutions specialist Bomgar, said that the 'not knowing' can go on for a very long time and that an effective security framework has to include means of detecting breaches when they happen, not just preventing them from happening.
He said: “A large enterprise is like an opera house. By necessity, you have an extensive network of secret remote access passageways that allow work to go on behind the scenes without disrupting the show.
“The problem with many enterprises is they've forgotten about half of the passageways and they don't have a way to audit the other half, leaving the door wide open for a phantom (or shady RAT) to take up residence and live comfortably, undetected for years.”
One person also speculated to me that the report could see Senate Bill 21 reinstated, saying that it had been sidelined by the national debt issues and was suspected to be dead, but following this report the US government may see this as something big.
There was some comment on our original story that this was a marketing wheeze to encourage people to invest further in stronger security software, but talking to McAfee made me aware that the number of companies affected was not the story, but the duration of the operation was.
Could this roll on to greater levels? Well, if those comments that a crucial piece of US legislation could put cyber security back to the fore do become true, then surely this has been a worthwhile exercise.