Trapping Hackers

Arthur Piper

May 2, 2013

Hackers seem to be getting the upper hand in the battle for data, if news reports are anything to go by. Just after Christmas this year, for example, the New York Times reported that Chinese hackers had infiltrated its computer systems, stolen the passwords of key reporters and carried out a four-month-long spying mission against the newspaper.

The Times linked the attack to its reporting on the relatives of Wen Jiabao, China’s prime minister. And the ensuing public row over this and similar hacking operations against U.S. organizations has seen Mike Rogers, the chair of the country’s House Intelligence Committee, accuse the Chinese of using military personnel to carry out the strikes.

It is not just politically engaged organizations that are under attack. According to Verizon’s 2012 Data Breach Investigations Report, the last 12 months have seen a massive surge in such assaults. It estimated that hacking accounted for 81% of all data breaches, an increase of 31% from the previous year. From spying and corporate espionage to activism and plain criminality, all figures had increased. In addition, the researchers found that 69% of all breaches involved malware—software specifically designed to compromise data security.

Many organizations have only themselves to blame, Verizon said. They often failed to follow or implement the most basic security procedures. They did not set proper passwords, maintain firewalls or implement secure authentication checks. This is despite the fact that a typical data breach costs an organization about $5.5 million, according to a study by the internet security firm Symantec and the Ponemon Institute, an industry research body.

But even for the most well-defended businesses, disaster may be one inadvertent click away. Events at the Times are a case in point. The online security firm Mandiant, which eventually evicted the hackers from the paper’s network, said the attackers had probably used a so-called spear-phishing attack to gain initial access. In such a scheme, an email containing a link to a remote access tool is sent to an employee. When the unsuspecting user clicks the link, the program installs itself on the system and begins monitoring keystrokes, passwords and other information. This enables hackers to siphon sensitive data from the company and can create an opening for further, more serious attacks.

Developing defenses against the persistent use of such techniques is all but impossible. “Organizations are struggling with a range of threats that are escalating in scale,” said Kevin Skapinetz, program director, product strategy at IBM Security Systems. He thinks many businesses that use traditional defensive methods are not capable of identifying an attack until after it occurs, and they often find the breaches only by accident. While tools such as anti-virus software and firewalls are essential, he said, some security professionals are starting to fight back.

“Companies are beginning to think like their attackers,” said Skapinetz. “They are hunting for things that indicate sophisticated, or even non-sophisticated, attacks in their environments.”

Given the huge stores of data flowing through large organizations, so-called big data techniques are crucial to this approach. IBM, for example, purchased the security intelligence platform Q1 Labs in 2011. It has used the company’s expertise in defense of its own platform QRadar, a product that monitors corporate information in real time to search for possible attacks. That data can include email, traffic flows and file transmissions—information often excluded from regular security programs.

“Businesses can take something like a spear-phishing email and use it as a starting block to look through other data to find commonalities, such as email and web addresses,” said Skapinetz. “Or they might want to look at big volumes of corporate traffic going to a newly registered domain.” They can use this intelligence to identify attackers, block ongoing activity and alert the authorities if the assault is serious enough to warrant it.
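The two hunting pivots Skapinetz describes, starting from one phishing email to find related mail and web activity, and flagging large traffic volumes to newly registered domains, can be written as a few lines of log correlation. The following is an added example, not code from the article or from IBM's product; the log format, the phishing email, the registration dates and the thresholds are all constructed for illustration, and the registration dates stand in for a WHOIS lookup the hunter would normally have to make.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed spear-phishing email used as the pivot point (not a real message).
PHISHING_EMAIL = {
    "from": "hr-updates@example-payroll.test",
    "links": ["http://login.example-payroll.test/reset?id=7731"],
}

# Constructed mail-gateway and web-proxy events in an assumed
# "timestamp|user|kind|value|bytes" layout (not any real product's format).
LOG_LINES = """\
2013-04-02T09:01:12|alice|mail_from|hr-updates@example-payroll.test|0
2013-04-02T09:03:40|alice|web|http://login.example-payroll.test/reset?id=7731|812
2013-04-02T09:15:09|bob|mail_from|newsletter@example-news.test|0
2013-04-02T10:22:51|carol|web|http://login.example-payroll.test/reset?id=9002|790
2013-04-02T11:05:33|dave|web|https://cdn.example-static.test/app.js|204800
2013-04-02T11:06:01|dave|web|http://sync.example-payroll.test/upload|5242880
2013-04-02T11:07:19|erin|web|http://sync.example-payroll.test/upload|7340032
"""

# Constructed domain registration dates standing in for cached WHOIS data (assumption).
REGISTRATION_DATES = {
    "example-payroll.test": date(2013, 3, 28),
    "example-news.test": date(2004, 6, 11),
    "example-static.test": date(2009, 1, 20),
}

# The day the hunt is run, fixed so the example is reproducible.
TODAY = date(2013, 4, 2)


def registrable_domain(host):
    """Collapse a hostname to its last two labels (sufficient for the constructed data)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(value):
    """Return the host part of an email address or a URL."""
    if "@" in value and "://" not in value:
        return value.split("@", 1)[1]
    m = re.match(r"^[a-z]+://([^/:?#]+)", value, re.I)
    return m.group(1) if m else value


def extract_indicators(email):
    """Pull pivotable indicators from the phishing email: sender, sender domain, link domains."""
    sender = email["from"].lower()
    indicators = {sender, registrable_domain(host_of(sender))}
    for link in email["links"]:
        indicators.add(registrable_domain(host_of(link)))
    return indicators


def parse_logs(text):
    """Parse the pipe-separated log layout into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, kind, value, nbytes = line.split("|")
        rows.append({"ts": ts, "user": user, "kind": kind, "value": value, "bytes": int(nbytes)})
    return rows


def find_related_events(rows, indicators):
    """Return every event whose address or URL shares an indicator with the phishing email."""
    hits = []
    for r in rows:
        if r["value"].lower() in indicators or registrable_domain(host_of(r["value"])) in indicators:
            hits.append(r)
    return hits


def flag_new_domain_traffic(rows, reg_dates, today, max_age_days=30, min_bytes=1_000_000):
    """Sum outbound bytes per domain; flag recently registered domains above a volume threshold."""
    totals = defaultdict(int)
    for r in rows:
        if r["kind"] == "web":
            totals[registrable_domain(host_of(r["value"]))] += r["bytes"]
    flagged = {}
    for dom, total in totals.items():
        reg = reg_dates.get(dom)
        if reg is not None and (today - reg).days <= max_age_days and total >= min_bytes:
            flagged[dom] = total
    return flagged


if __name__ == "__main__":
    rows = parse_logs(LOG_LINES)
    indicators = extract_indicators(PHISHING_EMAIL)
    for hit in find_related_events(rows, indicators):
        print("related:", hit["ts"], hit["user"], hit["value"])
    for dom, total in flag_new_domain_traffic(rows, REGISTRATION_DATES, TODAY).items():
        print("new domain with heavy traffic:", dom, total, "bytes")
```

Run against the constructed data, the first pivot shows that three more users than the original recipient touched the phishing domain, and the second flags the five-day-old domain that received most of the outbound bytes; in a real hunt the same two functions would be pointed at the mail gateway and proxy exports, with the thresholds tuned to the organization's normal traffic.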

Other security professionals have gone even further. They have set up systems called “honeypots” that mimic the properties of their existing networks but contain false data. The technical team can lure hackers into the network, monitor their activity, learn their methods of attack and assess the vulnerabilities of their own systems.

“Honeypots can give organizations free security information or act as a decoy from the real system,” said Joseph Steinberg, chief executive of Green Armor Solutions, an online security firm. In addition, a business may plant data with unique identifying properties that can be traced back to the people who stole it.

While human hackers can often tell when they are being tricked, honeypots can be a useful tool against automated attacks. “They are not a fool-proof method,” said Steinberg, “but you’d be amazed at how often they do work.”
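The planted, traceable data Steinberg mentions is usually called a honeytoken: a decoy record that has no legitimate use, so any attempt to use it is an alert, and that is marked differently in each copy of the data, so the copy that leaked can be identified. The block below is an added example, not code from the article or from Green Armor Solutions; the signing key, the copy identifiers, the decoy account naming scheme and the authentication log layout are all constructed for illustration.

```python
import hmac
import hashlib

# Constructed signing key; in practice this would live in a secrets store (assumption).
SEED_KEY = b"constructed-demo-key-not-for-production"

# Each place a copy of the decoy data is planted gets its own identifier (constructed).
COPY_IDS = ["finance-share", "hr-share", "contractor-laptop"]


def make_honeytoken(key, copy_id):
    """Create a decoy credential whose username carries an HMAC tag unique to copy_id.

    The record looks like an ordinary service account, but the tag lets a
    defender later say which planted copy the attacker took it from."""
    tag = hmac.new(key, copy_id.encode(), hashlib.sha256).hexdigest()[:12]
    secret = hmac.new(key, b"password:" + copy_id.encode(), hashlib.sha256).hexdigest()[:20]
    return {"username": f"svc-backup-{tag}", "password": secret, "note": "backup service account"}


def plant_tokens(key, copy_ids):
    """Return one decoy record per planted copy, keyed by copy identifier."""
    return {cid: make_honeytoken(key, cid) for cid in copy_ids}


def trace_token(key, username, copy_ids):
    """Map an observed username back to the copy it was planted in, or None if it is not a decoy."""
    for cid in copy_ids:
        if hmac.compare_digest(make_honeytoken(key, cid)["username"], username):
            return cid
    return None


def detect_honeytoken_use(log_lines, key, copy_ids):
    """Alert on any login attempt, successful or not, that uses a planted username.

    Assumed log layout: timestamp|result|username|source_ip."""
    alerts = []
    for line in log_lines:
        ts, result, user, src = line.split("|")
        leaked_copy = trace_token(key, user, copy_ids)
        if leaked_copy is not None:
            alerts.append({"ts": ts, "result": result, "src_ip": src, "leaked_copy": leaked_copy})
    return alerts


TOKENS = plant_tokens(SEED_KEY, COPY_IDS)


def sample_auth_log():
    """Constructed authentication log: normal activity plus one attempt with the hr-share decoy."""
    decoy = TOKENS["hr-share"]["username"]
    return [
        "2013-04-03T02:14:07|FAIL|alice|10.0.4.21",
        f"2013-04-03T02:14:31|FAIL|{decoy}|203.0.113.45",
        "2013-04-03T02:15:02|OK|bob|10.0.4.30",
    ]


if __name__ == "__main__":
    for cid, token in TOKENS.items():
        print(f"planted in {cid}: {token['username']}")
    for alert in detect_honeytoken_use(sample_auth_log(), SEED_KEY, COPY_IDS):
        print("honeytoken used:", alert)
```

Because the decoy accounts are never provisioned anywhere, the login attempt itself is the signal, and the tag in the username tells the responder which share or machine the attacker copied the data from. The same tagging approach works for any planted artifact that an attacker is likely to try, such as a document URL or an API key, as long as every copy carries a distinct tag and the place where it would be used is logged.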

Such active defense methods can extend to attacking the attackers themselves. For example, if a technician detects a security breach happening in real time, any attempts to steal passwords from the system could be met by a defense that responds with fake data. Going further than that, though, could land corporations in trouble.

“It might not be wise to start having technology that launches a massive offensive against another system involved in a cyberattack,” said Steinberg, “as that may be a totally legitimate system that is being used by the hacker.”

Any computer network is protected by law—if not in reality—against hacking attacks, whatever their purpose. So criminals can effectively hide behind the very laws they flout. “This creates an imbalance—a Chinese hacker can attack me, but I cannot do anything against their infrastructure to defend myself,” said Rob Sloan, head of response at Context Information Security.

While that asymmetry in the online war may be frustrating, Sloan said that it is a fact of life that businesses are going to have to learn to live with, and take the protection of their data more seriously. In fact, he sounds a rare note of optimism on the subject. “It represents an amazing opportunity to move security back to the top of the agenda within your organization,” he said. “A chance to highlight the threat and prove the risk is real.”

Arthur Piper is a Nottingham, U.K.-based freelance writer and editor.