Government Agencies Get Creative In APT Battle
Strapped for cash and feeling pinched by the increase in targeted attacks, some federal agencies are coming up with their own solutions for better protecting their information
October 3, 2012
SANS National Cybersecurity Conference -- BALTIMORE, MD. -- A handful of security professionals at the U.S. Department of Energy's laboratories were getting weary of trying to repel advanced persistent threat (APT)-type attacks and keep up with the latest threats. So they decided to roll their own tool to automate intelligence-sharing among the agency's national labs and scores of smaller labs.
"A couple of us were basically tired of losing [the race to keep up with new threat intelligence], so we decided we were going to do something about it. We were tired of getting together in little rooms" to share information, said Matt Myrick, senior cybersecurity engineer at DOE's Lawrence Livermore Laboratory, in a presentation here today. So Myrick and a handful of colleagues from Sandia Labs, Los Alamos Labs, and DOE's Pantex plant wrote a Python-based tool to block malicious websites, hashes, and spear-phishing attacks. The so-called Master Block List (MBL) runs on an Apache server and can be integrated with any application to share real-time threat data.
Myrick says the tool is simple -- not XML-based, like some open-source tools -- and has helped unite the various labs so they can share attack information quickly. "It's nothing fancy: It's less than 300 lines of code," he says. "Talking about indicators of compromise is hard, and so is parsing PDFs, Office, and XML, for most [people]," he said. The goal was to make it easy for anyone to use.
Federal agencies like Lawrence Livermore Labs are attractive targets for cyberespionage attackers looking for valuable research and other intelligence. But federal budgets are tight, so amid a constant battle to fight back APTs, some agencies are opting to build out their own solutions using existing tools and resources.
Debora Plunkett, information assurance director at the National Security Agency (NSA), in a keynote address here today pointed to the recent breaches of major financial institutions as an example of how even the most security-conscious organizations are getting hit. "We can all agree that all of these targeted companies are among the best at security, yet they were still vulnerable to attack," Plunkett said. Given the value of these organizations, the attacks are "truly highway robbery," she said.
"There is no person or business network that is immune," Plunkett said.
Some 10 DOE organizations in addition to Lawrence Livermore employ its MBL tool, which incorporates threats detected by the various agency sites, as well as from various threat intelligence sources.
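As an added illustration (not the labs' code), the sketch below shows how a plain-text, non-XML block list fed by several sites can be validated and merged before anything is blocked. The article does not describe the MBL's real format, so the line layout, site names, indicators and the never-block entry are all assumptions.

```python
import re
from collections import defaultdict

# Assumed line format (hypothetical, not the real MBL's): "<type> <value>  # note"
PATTERNS = {
    "domain": re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"),
    "md5":    re.compile(r"[0-9a-f]{32}"),
    "sha256": re.compile(r"[0-9a-f]{64}"),
    "sender": re.compile(r"[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}"),
}
# Domains a shared feed must never be able to block (constructed example).
NEVER_BLOCK = {"example.gov"}

def parse_feed(text):
    """Return (entries, rejects) for one site's feed; entries are (type, value)."""
    entries, rejects = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        if not line:
            continue
        parts = line.split()
        kind = parts[0].lower()
        # Normalize case and "defanged" dots so duplicates collapse.
        value = parts[1].lower().replace("[.]", ".") if len(parts) == 2 else ""
        pattern = PATTERNS.get(kind)
        if pattern is None or not pattern.fullmatch(value):
            rejects.append((lineno, raw))            # malformed: never propagate
        elif kind == "domain" and any(value == d or value.endswith("." + d) for d in NEVER_BLOCK):
            rejects.append((lineno, raw))            # would block our own services
        else:
            entries.append((kind, value))
    return entries, rejects

def merge_feeds(feeds):
    """Merge {site: feed_text} into {(type, value): set(sites)} plus per-site rejects."""
    merged, rejected = defaultdict(set), {}
    for site, text in feeds.items():
        entries, rejects = parse_feed(text)
        for entry in entries:
            merged[entry].add(site)
        if rejects:
            rejected[site] = rejects
    return dict(merged), rejected

# Constructed sample feeds; site names and indicators are made up.
FEEDS = {
    "lab-a": "domain bad-site[.]example\nmd5 " + "a" * 32 + "  # dropper\n",
    "lab-b": "domain BAD-SITE.example\ndomain mail.example.gov\nsha256 zz\n",
}

if __name__ == "__main__":
    merged, rejected = merge_feeds(FEEDS)
    for (kind, value), sites in sorted(merged.items()):
        print(kind, value, ",".join(sorted(sites)))
    print("rejected:", rejected)
```

Rejected lines are kept per contributing site so a malformed or over-broad entry can be traced back to its source instead of being silently dropped.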
"There have been a couple of cases where we've been protected against attack campaigns that others have fallen victim to because they are not" using the list, Myrick told Dark Reading. The breach suffered by Oak Ridge Laboratory last year that forced the lab to temporarily shut down Internet access originated from a convincing-looking spear-phishing email that Myrick says Lawrence Livermore had blocked later that day, after the East Coast-based Tennessee lab had gone home.
U.S. government agencies aren't the only ones with tight budgets. The Australian Defence Signals Directorate (DSD) in 2011 identified some 327 different APT-type attacks, more than 200 of which were not detected by traditional security controls. As part of an effort to roll out the agency's designated top mitigation strategies (including better patching, among other things), Australia's Department of Industry, Innovation, Science, Research and Tertiary Education (DIISRTE) employed a combination of existing tools to whitelist applications.
"We didn't have a budget for whitelisting, so we looked for existing" features in the agency's security products, said David Cottingham, who helped spearhead the project at DIISRTE. Cottingham and his team took the whitelisting feature in the agency's Symantec Endpoint Protection software and now block all new applications that aren't preapproved by the agency.
Cottingham, who is now with Foresight Consulting, says a combination of the agency's now-automated patching process and whitelisting has basically stopped most APT-type attacks from escalating. "We found 200 threats and passed them over to DSD," he said.
Those are the attacks that the agency sees, however. Cyberespionage attacks are often camouflaged to maintain their foothold in the victim's network.
"We know APTs are a danger to all organizations. And they are not actually that advanced at all: It's more like targeted, persistent threats," Cottingham said. "If you're lucky to detect them, you'll be continually battling them and cleaning them up."
Cottingham said whitelisting is the most effective tool for beating malware infections, but it's often the least-adopted method. Part of the reason: Whitelisting can be a fairly manual operation, he said. "But it's easy to maintain once it's up and running," he said.
His former agency whitelists .exe and .dll files, which are the main conduits for malicious programs, he said. The Australian agency's whitelisting system is mostly automated, with about 5 percent of it being manually verified for security reasons.
NASA Ames and U.S. Department of Health and Human Services, meanwhile, are each employing continuous monitoring to fight advanced attackers. NASA Ames, for instance, soon will offer to the open-source community a tool it built that scans and scores its servers and workstations for vulnerabilities and risks. The application, which is based on Nessus and an algorithm written by the U.S. State Department, includes a gaming theme that makes it more palatable to systems administrators who voluntarily participate in the program of regular scanning and scoring.
Matt Linton, security operations lead for NASA Ames, says the idea to offer a program for sys admins came out of internal scans and scoring his team had begun. "Eighty percent of our work is incident response. So when we looked at the hosts that were compromised, we'd say, 'Where have I seen that host before?'" Linton told Dark Reading. "[The scan data] seemed to be a pretty good predictor of what hosts were hacked."
It made sense to start sharing that with the system admins, preferably in a way they would be helped and not hounded. So the team came up with a gaming-type theme (think cred like "Mayor of Patchville") to go along with the scoring system results, which are presented to all of the participating sys admins. To date, about half of NASA's sys admins are using the system to gauge the security posture of their systems and remediate them as needed.
The weekly automated scans look for known software vulnerabilities, misconfigurations, weak passwords, and systems that leak information via Google searches, for instance.
Linton says upcoming features for the tool include an "assess on demand" button for the sys admins, where they can get a new scan and assessment once they fix the problems the initial scan found, as well as an "assess on connect" feature for new devices joining the network.