Days without incident – the threat of zero day attacks5 June 2014
The world of cybersecurity is locked in a vicious circle: the latest protection suites hit the market, threat actors develop malware to bypass new defence features, and software vendors break them down to create more rigid systems. Any data of value is a target for criminals, from corporate technology patents to classified military documents. Chris Godfrey speaks to John Lyons, CEO of the International Cyber Security Protection Alliance (ICSPA), to discuss the incessant plague of “zero-day attacks” extracting sensitive information from governments, businesses and civilians worldwide.
In what could prove to be the landmark case in cyber-espionage, the US has charged five Chinese Army officers for significant breaches of private sector systems and the theft of sensitive information. Between 2006 and 2014, Unit 61398 of China's People's Liberation Army reportedly stole terabytes of corporate data and caused significant monetary losses. It's a poignant reminder of cyberwarfare's prevalence and potency.
The modern cybersecurity market is a smorgasbord of different suites tasked with countering the latest virtual pandemics - from next-generation firewalls to intrusion prevention systems and everything in between. They work on the premise of recognising malicious code upon entry and purging it before it breaches the system. It's a proven strategy against known threats, but it is the meteoric rise of the unknown that is rendering even the latest mechanisms impotent.
Most modern day defence packages are regularly updated to recognise the latest malicious signatures, but they only identify what they've been programmed to recognise. New strands can effortlessly bypass fortifications, hide, then replicate, making the infrastructure work against itself. These "zero-day attacks" pose the greatest threat to the bastions of cybersecurity, and are reshaping the way military warfare is conducted.
The objective is simple: information. Very few cyber-threat actors are saboteurs, the era of worms and destructive viruses has subsided; the majority wish to preserve the systems they've penetrated. Data extraction is most effective when networks are left undisturbed by intrusions and criminals have gotten very good at producing dynamic Trojans and stealth bots that leave miniscule footprints - if at all. John Lyons, CEO of the International Cyber Security Protection Alliance (ICSPA), cites a report that claims unidentified malicious codes infect systems for an average of 234 days - ample time to disable defences and route valuable information back to the perpetrators.
"The most common reasons for attack are financially motivated, such as the theft of intellectual property, sensitive data and personal information [often auctioned across the dark web]," says Lyons. "For years now, we've also seen a lot of espionage and counterintelligence conducted by hostile actors around the world, trying to access restricted government information."
Advanced patents and cutting-edge research programmes have seen universities earmarked by criminals, joining the list of primary targets made up of, unsurprisingly, government institutions, as well as financial, technology and energy companies. Considering the scale of these sectors in the UK and US, that they were among the most targeted countries is somewhat expected.
Governments and businesses have invested billions into cybersecurity, but as the old adage goes, a chain is only as strong as its weakest link - a maxim criminals are exploiting to great effect. Intentionally or not, it takes just one employee to download malicious code capable of infiltrating an entire network.
Before deciding where to strike, threat actors will amass intelligence and create organograms of the most prolific figures and vulnerable targets in a company, a task made easier with the advent of social media.
"Nowadays, sophisticated attacks are borne from email attachments and infected web pages. Criminals are experts at enticing employees to click on compromised links. The magic is in the way they present it," says Lyons.
"They'll often exploit current events. For example, with the recent flooding in the UK, they may have produced an attachment titled 'latest flooding information', making for very effective bait. Targeted phishing emails can be translated to the corporate world - who's not going to click on a link to the 'company redundancy programme'?"
The 234-day average is partially due to the significant time delay between identifying malicious code, mobilising the industry against it and releasing a software patch to eradicate it. The Conficker virus, the largest worm infection this decade, was first identified in November 2008. Though Microsoft was rapid at issuing fixes; by January, an estimated 30% of Windows PCs were left unpatched. Discovered in December that year, a more potent version of the bug was able to propagate through removable media, yet it took Microsoft a further two months to form an international industry collective capable of responding. By April 2009, five versions of Conficker had been discovered.
"When an attack is made, someone will eventually find it. A computer emergency response team will pick it up, dissect it, understand how it operates, name it and then pass the information around the world to organisations like FIRST (Forum of Incident Response and Security Team). Hardware and software manufacturers are then provided the data; sometimes they may even make their own discoveries. It's a virtuous circle," says Lyons.
Larger enterprises may have the resources to employ the most robust defences, but the scale of these systems make the duration of company-wide updates significantly longer. It is why decisive and rapid communication is critical, if a little idealistic, between firms, hardware manufacturers and software vendors, as well as organisations like the ICSPA.
Alongside China, Russia has long been considered one of the state front-runners in its capacity to wage cyberwar, and the escalating crisis in Ukraine has allowed it to, allegedly, demonstrate its technical prowess. The build up to the Crimean referendum saw Ukraine's Computer Emergency Response Team stave off a surge in "distributed denial of service" assaults, as well as attacks designed to impede military and government infrastructure. In March 2014, a Russian state arms group claimed that complex radio-electronic technology was used to compromise the connection between a US drone and the ground forces controlling it, bringing the UAV down.
Though a discernible reflection of how modern warfare is conducted, these orchestrated attacks pale in comparison with the potency of the SNAKE virus that targeted Ukrainian systems in early 2014. Lying dormant for days, the cyber-espionage tool can be extremely difficult to detect and has the potential to grant complete remote access to its architect. With the ability to extract sensitive information, take control of computer terminals and shut down defence programmes, it is believed to have been created by Russian experts, though with such sophisticated encryption it's hard to tell.
Many corporations have proved unforthcoming in revealing to competitors their exposure to malware, with pride, concerns over negligence and repercussions with authorities all playing their part. Creating an effective, virtuous sharing programme requires total anonymity. Lyons believes that the ICSPA can fill the vacuum and perform the role of "honest broker".
"If 400 banks, for example, are part of this group and one is attacked, we could log information they provide and rapidly distribute it to the other 399, without having to identify them," he says. "Years ago, when I was part of the law enforcement team in London's high-tech crime unit, I was involved in a case where 11 UK banks were attacked by the same malicious code. They weren't communicating this to each other though, and we only knew about it because we spoke with our contacts in each organisation. It emphasises the need for an independent body who can respond to these situations ASAP."
Conflicts of interest
Data providers already exist that offer a similar service, albeit at a premium. It's not in their interests for an NPO to exist in this area and Lyons feels these companies are blocking attempts to set up such an entity. Though governments have encouraged data sharing, managing a goliath programme like that envisaged by Lyons is not their function and presents a crucial conflict of interest.
The tension between corporations and law enforcement over obligations to comply with legislative requirements mitigates the likelihood that those affected by cybercriminals will come forward and share sensitive information. The data they share could highlight their own negligence, and leave them liable for prosecution.
"Company lawyers would advise the board and security staff against divulging certain information, particularly that which could have profound effects on share price," says Lyons. "Knowing the full extent of any given virus strand would convince companies to spend more money on defence mechanisms but they don't want to be legislated against while they try and plug the gap."
An NPO with the capacity to fulfil Lyons' vision would become an integral partner to SMEs. With relatively limited resources, many are unable to fund a team of security specialists, CISO or state-of-the-art technical equipment. As a fundamental part of supply chains, their vulnerabilities could compromise partners as well as themselves.
"For this to work, we would need to be at the centre of commerce, not just protecting national boards, large conglomerates and helping the likes of GCHQ," says Lyons. "At the moment, we're lucky to have the support of the UK Government, and we're in the process of opening an ICSPA Asia-Pacific office in Singapore, but the support has often been sporadic. We want to see a programme that is sustainable over years to come, without political motivations - one the industry trusts."
Whether it is the ICSPA or another organisation that takes the mantle of cybersecurity white knight remains to be seen. From nation states targeting classified government information to rival corporations engaging in espionage, the face of cyberwarfare is as pliant as the codes it is fought with. An endless stream of zero-day attacks shows no sign of abating, their very nature means they will continue to pervade and pilfer. Creating an independent body tasked with responding to new outbreaks may be the surest way of reducing the 234-day average in which they lie unnoticed. Stealing information is often the ultimate goal for cyber-threat actors; sharing it could be the key to stopping them.