Bit9

The National Nuclear Security Administration recently disclosed that its computer systems, charged with protecting nuclear secrets and the nukes themselves, undergo as many as 10 million cyber-attacks a day. Thomas D’Agostino, the NNSA’s department head, states that they receive constant probes from a variety of hackers in various countries (nation-states) who persistently bombard their network.

It may come as no surprise that nuclear assets are under constant fire from hackers hungry for the department’s intellectual property (IP), but the magnitude of the attacks falls in line with the growing trend in cyber-attacks. As these advanced attacks increase, so does the need to protect against them. Cyber-attacks are not exclusive to military infrastructure either; in fact, most cyber-attacks are targeted at corporate IP. It’s much easier for a country or opposing company to steal years of IP than to generate it on their own – and if you think this is difficult to do, you’re wrong.

Here at Bit9 we stress the importance of protecting against the advanced persistent threat, but we use the word “advanced” loosely. In fact, most attacks – even successful ones – are not advanced at all. They’re merely as advanced as they need to be to accomplish their objectives. In the recent NFL playoffs, the Patriots developed specific strategies to combat each opposing team. Within this process, there may have been plays they kept in their “back pocket” that were only chosen if needed. This kept more effective plays available for when they might actually be necessary. Now this strategy didn’t work as well as we would have hoped – at least here in New England (come on Welker!) – but the strategy is the same for malicious hackers: don’t throw the kitchen sink at the problem when you don’t need to.

Most antivirus solutions make claims that one solution, one product, and one strategy can stop these threats. They claim that no additional products are necessary to prevent these advanced threats, but when backed into a corner they admit that other solutions and strategies are necessary from themselves or other vendors. In a recent study we assessed these claims, and tried to look at the difference in strategy and approach to find out which ones were the most effective. Overwhelmingly we found that a solution focused on trust-based application control and whitelisting was the approach most effective in guarding against “advanced” threats.

Traditional legacy antivirus solutions rely on blacklisting approaches that can be easily bypassed by modifying the malware so the antivirus signatures do not recognize it. Given how un-advanced hackers need to be in order to bypass these products, it speaks volumes about how limited or un-advanced AV is. This approach just doesn’t make sense from a security perspective or a common-sense one. It’s as if a stranger broke into someone’s home by walking in through the front door, and the homeowner, in order to ensure the home’s future security, chose to lock only the front door without taking the other entrances into account. What’s to stop this stranger from entering through your window, back door or basement? Is it really reasonable to believe that they’ll try the front door and give up? Probably not.

This is where a whitelisting or proactive trust-based application control solution comes in, where you determine beforehand what is approved to run. So if that stranger comes up to your home at any entrance, they have to knock first. This gives you the option to decide who can come in and who should stay out by allowing the “known good” to run instead of attempting to identify the millions of “known bad” software products out there. It’s like trying to identify the “bad” needles in a stack of needles – just simplify your security by knowing what’s trusted. Locking down critical infrastructure like domain controllers (Active Directory servers), endpoints, servers, and remote users is essential in protecting not only nuclear warheads, but corporate IP as well, and this needs to be taken seriously.
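The contrast between the two approaches, as an added example that is not Bit9's code or product logic: the same constructed files are judged by a default-allow denylist and by a default-deny allowlist. It assumes a signature is an exact SHA-256 of the file, which is a simplification of real antivirus signatures, and `approve` is a hypothetical change-control step.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples: byte strings standing in for executables on disk.
APPROVED_TOOL = b"constructed-sample: approved payroll client v1"
UPDATED_TOOL = b"constructed-sample: approved payroll client v2"
KNOWN_BAD = b"constructed-sample: unwanted program, build A"
REPACKED_BAD = KNOWN_BAD + b"\x00"  # same program, one padding byte appended
NEVER_SEEN = b"constructed-sample: program nobody has catalogued"

DENYLIST = {sha256(KNOWN_BAD)}       # the "known bad" signature set
ALLOWLIST = {sha256(APPROVED_TOOL)}  # the pre-approved "known good" set

def denylist_decision(data: bytes) -> str:
    """Default-allow: anything without a matching signature runs."""
    return "block" if sha256(data) in DENYLIST else "allow"

def allowlist_decision(data: bytes) -> str:
    """Default-deny: only what was approved beforehand runs."""
    return "allow" if sha256(data) in ALLOWLIST else "block"

def approve(data: bytes) -> None:
    """Hypothetical change-control step: an admin trusts a new build."""
    ALLOWLIST.add(sha256(data))

SAMPLES = {
    "approved_tool": APPROVED_TOOL,
    "updated_tool": UPDATED_TOOL,
    "known_bad": KNOWN_BAD,
    "repacked_bad": REPACKED_BAD,
    "never_seen": NEVER_SEEN,
}

def compare(samples: dict) -> dict:
    """Return {name: (denylist verdict, allowlist verdict)} for each sample."""
    return {name: (denylist_decision(d), allowlist_decision(d))
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, (deny, allow) in compare(SAMPLES).items():
        print(f"{name:14} denylist={deny:5} allowlist={allow}")
```

The allowlist also blocks `updated_tool` until `approve` is called for it, which is the operational cost of default-deny: legitimate updates need a trusted approval path.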
