The defence industry would be best served by maintaining ‘simplicity’ when dealing with increasingly complex cyber threats, say security experts
When it comes to managing highly sensitive information, the defence industry undoubtedly sits in the top bracket of at-risk sectors.
From the leak of personal details and correspondence through private companies like Stratfor and Niteworks, to the hacking of intellectual property on major programmes run by Lockheed Martin and Boeing, there is no sign of respite from hackers seeking compromising data. This week’s headlines are even spilling details on attempts to break into US voting machine manufacturers.
In spite of these enormous risks, the defence industry is notorious for being – compared to other commercial industries – slow to meet the rapid developments in the digital world. The information security sector is, in contrast, fast-paced and ever-changing. So can defence firms close the gap in time or will the gulf eventually become too vast to bridge?
“In the defence sector, whatever sophistication, technology or skillsets you are using to defend yourself, the attackers are as skilled, organised and as well resourced,” said Piers Wilson, head of product management at information software company Huntsman Security.
“As a defender you have to cover everything all the time but as an attacker you have to find one weakness on one day. The resource constraints, the skills shortages and the fact that people have to go home at the end of the day are your realities. The adversary doesn’t have to worry about those things.”
The concept of the advanced persistent threat (APT) typically describes an adversary that will target a specific system and pull out all the stops to steal the data inside. In many cases, attacks on defence companies are APT attacks and are often led or financed by a nation state – meaning the opponent’s skills and technologies are cutting-edge.
One of the defensive tactics that cyber security firms are taking is to engineer platforms that use a multi-layered approach to protection, from basic email filters through to cloud sandboxes that vet untested programs within a safe environment before they reach the server.
As an example, the WannaCry ransomware attack combined a sophisticated infection tool with modern encryption, and attempted to evade sandboxes by playing dead if it detected that it was running within a virtual machine rather than on a physical server. But this tactic was not foolproof.
Chris Ross of Barracuda Networks, which has clients that were targeted by the worm, explained that the company’s sandbox is able to disguise itself as a full server – something many platforms do not do – and therefore WannaCry did not know it was being quarantined.
“When it subsequently tried to release its malware, we caught it,” said Ross.
“Aside from stopping the threat in the first instance, that action enabled our sandbox and APT cloud service to grow over 7,000 per cent during the weekend of the WannaCry outbreak. That meant we were able to block over 1.35 million of the same attacks on our customers.”
While technology is doing its best to get ahead of these threats, the human factor remains the weakest link, with many breaches caused by people clicking on bad links or simply failing to patch their systems regularly. This means IT managers must enact increasingly strict rules on who can access what.
“From an APT perspective, getting the segmentation policies right is vital,” said William Culbert, director of solutions engineering at Bomgar, which specialises in privileged access control.
“Once you have a credential, you have a foothold into the network. That account can be quickly elevated to a privileged account, at which point you have autonomy across the infrastructure. As APT attackers are frequently in place for just under a year before the actual attack happens, that allows plenty of time to undertake reconnaissance and find the protocols used for sharing files across the network and then exploit them.”
Most audits show there are typically three to four times as many privileged accounts as there are staff in an organisation, so the attack surface can be massive.
CyberArk, another security company that specialises in privilege controls and APT protection, revealed that it recently undertook a ‘red team exercise’ on a large corporation to test its resilience to these types of exploits.
Matt Middleton-Leal, the company’s UK and Ireland director, said: “It took our guy just eleven minutes to take complete control of the domain controller (the server that responds to security authentication requests). There was no way to stop him.”
Keeping it simple:
In an environment reluctant to change, many defence companies assume that a complex threat will require a complex solution – or will at least require big sums to introduce and manage new technology. But infosec experts suggest simplicity will in fact offer the best return.
“Defence firms have to find vendors with solutions that are easy to deploy and easy to manage,” said Ross.
“They should be thinking about finding one vendor rather than several to protect multiple threat vectors from email to firewalls. Managing things from one central platform reduces the resistance to change that firms may experience because taking that approach will greatly reduce management overhead costs.”
“The reality is that they have to change the approach they take as businesses,” added Middleton-Leal.
“If you build simple, intuitive security that doesn’t compromise usability, people stop trying to find ways around the controls, which is often where the problems first arise.”