NATIONAL HARBOR, Md. -- About a dozen separate legions of organized hackers have been diligently attempting for years to break into aerospace and defense company Northrop Grumman to steal sensitive information, the company's chief information security officer (CISO) said at a Gartner security conference here.
"These advanced attacks have been going on for several years," said Timothy McKnight, vice president and CISO at Northrop Grumman, during a panel discussion on the topic of the "Advanced Persistent Threat," (APT) the term often used to describe attacks by hackers determined to break into companies and government agencies with the goal of stealing intellectual property or other sensitive information.
Northrop Grumman's monitoring, detection and prevention systems see so many traces of well-organized and determined hacker groups that the aerospace giant has actually managed to keep track of distinct profiles of about a dozen separate groups constantly trying their tricks to break in over the years.
The cyber-intelligence group at Northrop Grumman keeps a tally of forensics on attacks emanating from the groups that each work as a team "waking up each day to get into Northrop Grumman," McKnight said. "We can tell what their attack procedures are, how they write the malware."
The typical attack methods are attempts to compromise user machines through zero-day vulnerabilities. While about 300 zero-day attack attempts were recorded last year, the pace has ramped up enormously where it's not uncommon to see zero-day exploits coming in at 11-minute intervals.
Attackers will do as much background investigation on a company as they can to be able to pinpoint the intellectual property they want, and what employees are closest to it, McKnight said.
RSA, which organized the panel discussion, knows about the problem itself all too well.
In March, RSA acknowledged it was hit by an APT attack that resulted in the theft of undisclosed information about its SecurID product. The problems only seemed to grow. Lockheed Martin recently disclosed that it was hit by an attempted APT that in part made use of this stolen information related to RSA SecurID tokens. Lockheed does not believe that the attackers managed to steal sensitive information, however.
After the attack on Lockheed Martin linked in part to SecurID, RSA offered existing customers a free swap to new RSA SecurID tokens. Gartner analyst John Pescatore said his firm is advising clients to definitely take the swap-out if they use SecurID for authentication of any external, Web-facing purpose, though it's viewed as less imperative for internal use. Alternatively, they can move to a new token vendor, he said.
As for preventative measures, David Walter, senior director of products at RSA, said there's a need for companies to "get serious about user training" of employees to resist attack methods such as social engineering. RSA has divulged that the APT strike on it started with someone opening a malware-filled attachment.
However, Amit Yoran, senior vice president at RSA, formerly CEO of NetWitness, the threat-monitoring product vendor recently acquired by RSA, expressed a more pessimistic view about people somehow being able to learn defensive practices.
"People are pretty much useless or worse," he said, "working against you all the time. There's probably not an executive on the planet that wouldn't get spear-phished by a well-crafted attack." He added you could probably say the same thing about security staffs.
But the discussion about APT needs to go on in the enterprise, all on the panel agreed.
RSA this month created the new position of chief security officer, and Eddie Schwartz, that newly named RSA CSO (formerly CSO at NetWitness), yesterday said that was done in part because the RSA corporate security had been handled primarily by parent company EMC, and in the aftermath of the breach it was felt it would be better having certain responsibilities directly at the RSA division level.
While Schwartz said he couldn't discuss the specifics about the breach that hit RSA, he said, "Any organization that has valuable information is under constant attack from nation-states and cybercriminals. You've got to believe you're constantly under attack." He said RSA does intend to offer "additional revelations" in the future about the breach.
Read more about wide area network in Network World's Wide Area Network section.