Sep 5, 2012

Network Monitoring Could Help Detect State-Sponsored Cyberattacks

Malware is created to be undetectable so attackers can launch cyberattacks without attribution, making them hard to source -- but a key difference in state-sponsored malware that makes it stand out, the topic of an Infosecurity and ESET webinar on Tuesday, is that it is often highly sophisticated and targeted.
Because it's impossible to stop all attacks, network monitoring can help make detection faster, experts say.
No matter how strong an organization’s defense, some attacks are going to get through, so monitoring networks is just as important as adding security software, said Tom Burton, Head of Cyber for Defence at BAE Systems Detica.
“The ability to identify attacks is critical…but by its nature, you don’t know what you’re looking for so you must be searching for concerning behavior,” Burton said during the online meeting. “These behaviors will be described by activity over time hidden in vast quantities of data.”
There is no real manual on what to look for so you have to understand your network, know how it works, and be able to identify abnormal activities, says Righard Zwienenberg, Senior Research Fellow at ESET.
Zwienenberg and Burton say the network monitoring they advocate could have had helped detect Stuxnet, which wasn’t discovered until an error in the malware allowed it to be released on the Internet.
“One of the ways Stuxnet was spreading was that infected nodes would look for open shares over the network. Where more and more systems in the network get infected, you would be able to notice the enumeration,” Zwienenberg said by e-mail Wednesday.
State-sponsored attacks manage to fly under the radar because the attackers often have inside information on what types of security tools their targets are using. Administrators should look for things like unusual login patterns or data going back forth from countries or servers they don’t usually do business with. It’s also suspicious when unauthorized systems connect to the network, 
Companies can try and limit which types get through by having data policies that restrict access to critical information and intellectual property. Zwienenberg said companies should consider strengthening Bring Your Own Device policies as well, noting that a flash drive was used to infect Iranian computers with Stuxnet.
If it seems like the advice for detecting state-sponsored attacks and other cyberthreats is the same, that’s because it is and they often use the same tactics. What makes an attack likely to be categorized as state-sponsored is intent. If the target of the attack is data or a facility that would be of particular interest to a non-friendly neighboring country, that’s a sign.
Last month, Google announced that it would be taking steps to warn users when their accounts were under attack by state-sponsored attackers. The company said it wouldn’t reveal how it’s able to determine the source of the attacks.
“That would be difficult,” Zwienenberg says of Google detecting state-sponsored attacks. “[But] storing lots of information-- forensic readiness--and correlating data is a good way to start.”