Defence Committee
Written evidence from Trend Micro

Developing Threats Facing UK Defence

Industry is discovering that it has been targeted for several years by attacks with a level of sophistication and stealth previously thought to be reserved for nation-on-nation conflict.

The real world and the cyber world are joining, which can catch out even the most security-savvy person: real-world contact gives credibility to an online approach.

The twin pressures of Consumerisation and Virtualisation are stretching traditional defences.

The latest commercial systems can help in ultra-secure environments by filtering noise: classifying and removing the “known bad” makes it easier to spot the ultra-stealthy unknown.

Techniques/products also exist for further segmenting networks and identifying internal attacks. The single ultra-strong perimeter is dead—perimeter fractalisation is here.

Many commercial vendors still believe they can offer adequate protection by doing what they have always done just a little better. They are fundamentally wrong and are adding to the severity of the problem.

The savvy organisation now assumes compromise, and works to minimise the impact of that by earlier detection and better containment.

1. Sleeper agents and long term under cover intelligence gathering are the lifeblood of spy novels but, as is rapidly becoming apparent, exist also within the cyber-attack space. Often masked by the daily noise of mass random attacks (looking to harvest passwords, credit card numbers and banking details for financial gain) there is growing use of what has been coined by the media as Advanced Persistent Threats.

2. Much of the malware used for these attacks is in fact anything but “advanced”. Often it is several years old and incapable of breaching a company perimeter on its own. However, using advanced social engineering techniques, increasingly linked to real-world contact, to gain control of a machine inside the company perimeter, the attacker gains a platform from which to launch their attack from within. Now, with all the guards facing outwards towards the perceived threat of the open internet, the adversary can use tried and tested techniques (available off the shelf for a few hundred dollars if you know where to look) to roam freely among the internal assets of an organisation over a long period.

3. Virtualisation and Cloud computing are removing barriers between systems in the name of efficiency. All too few organisations implement the security necessary to provide virtual separation within those environments and so return them to near-physical separation standards. It can be done, at least to Common Criteria EAL4+, but only with the right software and techniques.

4. Consumerisation is seeing smart devices walking in and out of the workplace, connecting to multiple networks, and providing a bridge between them that did not previously exist. Devices with cameras, microphones and similar sensors that could be remotely controlled or activated introduce a new security dimension.

5. Of course, in highly secure establishments such devices are banned, and proper network separation is still maintained. But increasingly the adversary is working back up the supply chain to compromise assets before they are shipped, or to compromise products used as part of the security infrastructure itself. The 2011 breach of RSA is probably the most public example of this, where the commonly held belief is that RSA was targeted merely as a security supplier to more interesting (defence industry) targets. By remaining dormant over a long period such attacks may escape detection until the damage is done.

So can anything be done to stop them?

6. We must remove our reliance on a single perimeter, however strong. But we should not abandon that perimeter. Thought leaders such as the Jericho Forum talk about de-perimeterisation to indicate that the age of the perimeter is dead; they could not be more wrong. The perimeter remains vital to filter noise. The earlier (further from the vital core systems) any attack can be blocked, the better. We now need not one perimeter but multiple repeating perimeters tightening around key groups, individual servers, particular applications and data. It is like a fractal, a mathematical shape that however much you zoom in looks identical, with ever-repeating copies of itself on a smaller scale. Each layer strips noise by blocking traffic that should not be heading that way.

7. On the inner layers anything you block also becomes vital intelligence, because that traffic must have originated inside the organisation. Track it back to its source and clean the host, or honeypot it and try to discover more about the adversary.

8. Ultimately you may get to a point where only a smart human, focused on the task, can spot something happening. But you make that person’s job a whole lot easier by removing the haystack and just leaving the needle on the bare ground.

9. Then plan for compromise. Do not just watch for traffic coming in (outside-in security) but also for traffic going out. Build a second series of layers watching and guarding inside-out. Encrypt data and switch the problem from “how do you stop the wrong people gaining access” to “how do you ensure the right people do have access”. Watch for data flowing out, particularly encrypted data. Where is it going, does that make sense, is it authorised?
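To make paragraphs 6 to 9 concrete, the following is an added illustration written for this page, not Trend Micro's code nor any product's logic. It runs a handful of constructed flow records (made-up addresses, segment names and an assumed policy) through two checks: an inner-perimeter check whose denies are reported as evidence of an internal host misbehaving, and an inside-out check that flags encrypted egress to a destination the organisation has not sanctioned.

```python
"""Inner-perimeter and inside-out triage over constructed flow records.
Added example only; segments, addresses and policy are assumptions for the demo."""

from dataclasses import dataclass
import ipaddress

# Assumed internal segmentation: each inner ring is a CIDR.
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),
    "crown_jewels": ipaddress.ip_network("10.30.0.0/24"),
}
# Assumed inner-ring policy: which segments may initiate connections into each ring.
ALLOWED_INBOUND = {
    "app_tier": {"user_lan"},
    "crown_jewels": {"app_tier"},
    "user_lan": set(),  # nothing initiates connections into the user LAN
}
# Assumed inside-out policy: external hosts sanctioned for encrypted sessions.
SANCTIONED_EGRESS = {"203.0.113.10"}  # e.g. an update or mail gateway (made up)
ENCRYPTED_PORTS = {443, 22, 465, 993}  # treated as "encrypted" for this demo


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "internal" (between segments) or "outbound" (to the internet)


def segment_of(addr):
    """Map an address to its segment name, or None if it is not in any ring."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def triage_internal(flow):
    """A flow crossing into a ring it is not allowed to enter is blocked, and because
    its source is inside the organisation the block is reported as intelligence."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None or src_seg == dst_seg:
        return None
    if src_seg in ALLOWED_INBOUND.get(dst_seg, set()):
        return None
    return (f"INTERNAL ORIGIN: {flow.src} ({src_seg}) tried {dst_seg} "
            f"{flow.dst}:{flow.dport}; trace back and clean")


def triage_outbound(flow):
    """Encrypted egress to a destination outside the sanctioned list is questioned."""
    if flow.dport not in ENCRYPTED_PORTS or flow.dst in SANCTIONED_EGRESS:
        return None
    return (f"UNSANCTIONED ENCRYPTED EGRESS: {flow.src} -> {flow.dst}:{flow.dport}; "
            f"is this authorised?")


def triage(flows):
    """Apply the inner-perimeter check to internal flows and the egress check to the rest."""
    alerts = []
    for f in flows:
        alert = triage_internal(f) if f.direction == "internal" else triage_outbound(f)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", 8443, "internal"),     # user -> app tier: allowed
    Flow("10.10.4.7", "10.30.0.9", 1433, "internal"),     # user -> crown jewels: blocked
    Flow("10.20.0.5", "10.30.0.9", 1433, "internal"),     # app tier -> crown jewels: allowed
    Flow("10.10.4.7", "203.0.113.10", 443, "outbound"),   # TLS to sanctioned gateway
    Flow("10.10.4.7", "198.51.100.23", 443, "outbound"),  # TLS to unknown host: questioned
    Flow("10.10.4.7", "198.51.100.23", 80, "outbound"),   # plain HTTP: outside this watch
]

if __name__ == "__main__":
    for line in triage(SAMPLE_FLOWS):
        print(line)
```

Only two of the six constructed flows surface, which is the point of paragraphs 7 and 8: the allowed traffic is stripped away and what remains is either a host already inside the organisation pushing against a ring it has no business reaching, or an encrypted session leaving for somewhere nobody sanctioned. Both are worth a human's attention, and the inner block also tells you which host to go and clean.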

10. The answer to the defence of ultra-secure systems is not exclusively off-the-shelf security. But without learning from the latest industry best practice we will focus on re-inventing what already exists rather than on the value-add required exclusively for such secure systems.

17 February 2012

Prepared 8th January 2013