Cybersecurity Firms Ditch Defense, Learn To 'Hunt'
News > Technology
Tom Gjelten
Thursday, May 10, 2012 at 2:56 AM
Font size: A | A | A | A |

It's boom time for cybersecurity companies that specialize in going after Chinese hackers. The top competitors in the sector have been taking an nontraditional approach. Instead of focusing on protecting clients from malware, these firms are learning more about the attackers — and going after them.

   
Related Articles
Cyber Briefings 'Scare The Bejeezus' Out Of CEOs
"We can turn your computer into a brick," U.S. officials told executives at a classified briefing.
Bill Would Have Businesses Foot Cost Of Cyber War
Some fear regulations would force a "checklist mentality" rather than focus on real cyber threats.

The most challenging cyberattacks these days come from China and target Western firms' trade secrets and intellectual property. But a problem for some is a business opportunity for others: It's boom time for cybersecurity firms that specialize in going after Chinese hackers.

"It's the next big thing," says Richard Stiennon, an industry analyst who specializes in information security firms.

'An Adversary Problem'

One of the top competitors in this sector is Mandiant, a company founded in 2004 by Kevin Mandia, a former Air Force officer with a background in security consulting. The company distinguished itself early by helping companies learn more about who was attacking them, as opposed to protecting the companies from the malicious software, or malware, the attackers were using.

"We said, 'It's not a malware problem, it's an adversary problem,'" Mandia says. The adversary he and his colleagues focused on from the start was China, the source of the most costly attacks affecting his customers.

In contrast with what he calls "the protection guys" in other security firms, Mandia and his colleagues emphasized intelligence gathering. They studied actors responsible for what cybersecurity officials euphemistically called "advanced persistent threats," or APTs, a term that generally refers to cyberattacks emanating from China.

Such attacks are "advanced" because they employ especially sophisticated methods to penetrate a computer network, and they are "persistent" because the attackers have specific targets and will linger inside a network until they have found the information they are after and extracted it.

"The Russians have done that for a while, but not in the same way the Chinese have," says Richard Bejtlich, the chief security officer for Mandiant. "The Chinese are very loud and broad and aggressive."

Understanding The Enemy

Mandiant threat researchers will monitor cyber-intrusions at a company until they have identified the attackers' characteristic work patterns and what Bejtlich calls their operational "playbook." He says there are signs of an interplay between junior people and senior people in the process.

"You see them fumbling around, and they can't do whatever it is they need to do, and then there's a pause and someone else comes in," Bejtlich says. "You can tell someone else is there because they type at a different frequency. They're entering different commands, [with] no spelling mistakes, whatever. They will get that part of the playbook to work, and then it goes back to whoever the first guy was."

The Mandiant researchers have so far identified 20 distinct groups responsible for the "advanced persistent threats" affecting their clients. Mandia says if his security consultants can identify which APT group is attacking a company, they will be better able to help the company deal with the threat.

"We can [tell] a team that's going to some Fortune 500 company, 'All the evidence points to APT Group 1 or APT Group 5'," Mandia says. "[They will] immediately know the tools they use, the IP addresses they use, the pass phrases they use when they encrypt data, and where they store their files on the machine."

The Industry Expands

The surge in attacks from China has spurred other cybersecurity firms to follow the Mandiant lead, with services and products designed to deal with targeted threats.

"There are dozens, if not hundreds, of service providers doing things similar to Mandiant," says industry analyst Stiennon, "and product companies coming out of the woodwork."

A new entrant in the field is CrowdStrike, a company co-founded by Dmitri Alperovitch, the former chief of threat research at McAfee, where he led a team that uncovered several major cyber-espionage intrusions from China.

Like the researchers at Mandiant, Alperovitch says his company will focus on adversaries, not on the malware they use. "At the end of the day, you want to know what they are after," he says.

'More Fun To Fight'

For Alperovitch, the key element in the APT phenomenon is the persistence of the threat.

"There's really no organization, including government agencies, that can prevent this type of attack," Alperovitch says. "So you need to shift your mode into thinking that you are always in a state of compromise, and you need to start thinking about how to hunt on the network."

This is the new cybersecurity game: Hunting the cyber adversary, tracking him down wherever he goes on a computer network, and confronting him over and over.

Alperovitch and his Mandiant competitors are veterans in the cybersecurity field. They know each other, and their rivalry is friendly.

"[Alperovitch] learned it's a lot more fun to fight the adversary than to guard against him," Mandia says. [Copyright 2012 National Public Radio]



This article is filed in: Technology, U.S. News, News

Also in Technology  
From Science Fiction To Fact, Robots Are Coming To A Farm Near You
Some dairy farms use high-tech robot milking machines that also clean udders and monitor cow health.

Pizza Delicious Bought An Ad On Facebook. How'd They Do?
What happens when two guys who sell pizza out of a window in New Orleans buy an ad on Facebook?

Facebook's Growth And Reach At A Glance
Review key moments in its history, see where it's most popular and compare executive stock holdings.

Is Facebook Worth $100 Billion?
For Facebook to live up to its valuation, the company will need to redefine the ad industry.

LightSquared Files For Bankruptcy Protection
The company amassed more than $1 billion in assets and $1 billion in debts according to its filing.

Comments  
Post a Comment