NSA's Malware Infection Spree Leaves Network Managers Powerless
No one except the NSA knows which 50,000 networks it injected data-thieving malware into, so what's a cautious enterprise network manager to do? Pretty much business as usual, suggested Enterprise Management Associates' Jim Frey. However, what's "usual" these days is hypervigilance -- continuous monitoring and analysis to uncover unusual patterns and proactively respond.
The United States National Security Agency has seeded 50,000 networks worldwide with malware, according to a report published last week in Dutch newspaper NRC.
That malware was designed to steal sensitive information, NRC claimed, citing documents provided by NSA whistleblower Edward Snowden as proof.
The report -- the latest in a series of published disclosures based on documents released by Snowden -- is likely to fuel the controversy raging around cybersurveillance by the U.S. and its allies -- the UK, Australia, New Zealand and Canada -- also known as the "Five Eyes."
However, it's not likely to have much of an impact on network management.
"Organizations are looking to mitigate the risk to their network and information assets as a result of cyberattacks," noted Frank Dickson, network security industry principal at Frost & Sullivan.
Because the effect of the NSA's activities on businesses' revenues or profitability is not large, "there won't be a sizable response," he told the E-Commerce Times.
The TAO of the NSA
The NSA used "computer network exploitation" -- its term for the secret infiltration of computer systems through the installation of malware -- in more than 50,000 locations worldwide, according to NRC.
The attacks were conducted by Tailored Access Operations, its cyberwarfare intelligence gathering unit.
TAO custom-builds software attacks and has software templates to break into common brands of routers, switches and firewalls, according to The Washington Post.
Malware-planting operations are conducted under a US$652 million project code-named "GENIE," Le Monde has reported. That program uses the codename "US-3136" for attacks on targets in the U.S., and "US-3137" for targets elsewhere.
The NSA used cookies to spy on French diplomatic activities at the United Nations and in Washington, D.C., according to Le Monde.
The agency apparently used different code names for various exploits. Stealing information from computers through remotely delivered cookies was dubbed "Highlands"; capturing information from computer screens was termed "Vagrant"; and eavesdropping on conversations was called "PBX."
Tens of millions of computers were attacked by TAO in 2011, Le Monde alleged.
Just Friends and Brave Frenemies
"I think everyone's going to feel a little helpless until we understand what the NSA has injected," Jim Frey, research director for network management at Enterprise Management Associates, told the E-Commerce Times.
The planting of malware is "yet another mass-scale security incident, but this time from what would appear to be a friendly source, which is a very troubling development," Frey said. However, "it's in part a natural evolution of trying to define the line between defense and offense in security."
What Network Managers Can Do
Given that no one outside of the NSA knows which networks have been attacked, network managers should follow the standard procedures laid out for dealing with cyberattacks, Frey suggested. "Check your logs, look at unusual patterns ..., see if there has been a change in patterns in your network of application behavior or activity."
Behavior analysis has become very important in security analytics, Frey pointed out. However, "it's hard work to recognize [a change] and say this is different from what we normally see, because there are natural variations in usage and activity patterns, and I think most network managers are ill-equipped to do this properly for any attackers that come along."
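The advice above, to baseline what the network normally does and then look for departures from it, is easy to state and harder to operationalize, partly because of the natural day-to-day variation Frey mentions. The following is an added illustration, not code from the article or from any of the organizations quoted in it, of one simple way to do this in Python over constructed outbound-flow records (hosts, addresses and byte counts are invented). It builds a per-host baseline of daily outbound volume and known destinations, then flags a host on a new day when its volume sits far outside its own historical spread or it talks to a destination never seen before. A noisy host with wide normal variation is deliberately included so that the check tolerates it.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (hypothetical, not from the article): daily outbound
# flow summaries per internal host, as a NetFlow collector or SIEM might export.
# Fields: day, source host, destination IP, destination port, bytes sent.
BASELINE_FLOWS = [
    # host-a: steady web traffic to two known destinations
    ("d1", "host-a", "203.0.113.10", 443, 52000),
    ("d1", "host-a", "203.0.113.11", 443, 48000),
    ("d2", "host-a", "203.0.113.10", 443, 55000),
    ("d2", "host-a", "203.0.113.11", 443, 47000),
    ("d3", "host-a", "203.0.113.10", 443, 50000),
    ("d3", "host-a", "203.0.113.11", 443, 51000),
    ("d4", "host-a", "203.0.113.10", 443, 53000),
    ("d4", "host-a", "203.0.113.11", 443, 49000),
    # host-b: a mail relay with large and naturally noisy daily volumes
    ("d1", "host-b", "198.51.100.5", 25, 900000),
    ("d2", "host-b", "198.51.100.5", 25, 1200000),
    ("d3", "host-b", "198.51.100.5", 25, 700000),
    ("d4", "host-b", "198.51.100.5", 25, 1100000),
]

NEW_DAY_FLOWS = [
    # host-a: its usual destinations plus a large transfer to a never-seen peer
    ("d5", "host-a", "203.0.113.10", 443, 51000),
    ("d5", "host-a", "203.0.113.11", 443, 50000),
    ("d5", "host-a", "192.0.2.77", 8443, 350000),
    # host-b: a high day, but within its own normal spread
    ("d5", "host-b", "198.51.100.5", 25, 1300000),
]


def build_baseline(flows):
    """Per host: mean/stdev of daily outbound bytes and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    dests = defaultdict(set)                       # host -> {(ip, port)}
    for day, host, ip, port, nbytes in flows:
        daily[host][day] += nbytes
        dests[host].add((ip, port))
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        baseline[host] = {"mean": mean(totals), "stdev": pstdev(totals), "dests": dests[host]}
    return baseline


def detect_deviations(baseline, flows, z_threshold=3.0, min_stdev_ratio=0.05):
    """Return (host, reason) findings for hosts that depart from their baseline.

    Volume is judged by a z-score against the host's own history; the stdev is
    floored at a fraction of the mean so a very quiet host does not alert on
    trivial jitter. Any (ip, port) pair absent from the baseline is reported.
    """
    daily = defaultdict(int)
    new_dests = defaultdict(set)
    for day, host, ip, port, nbytes in flows:
        daily[host] += nbytes
        if host in baseline and (ip, port) not in baseline[host]["dests"]:
            new_dests[host].add((ip, port))
    findings = []
    for host, total in daily.items():
        if host not in baseline:
            findings.append((host, "no baseline for host"))
            continue
        b = baseline[host]
        sigma = max(b["stdev"], b["mean"] * min_stdev_ratio)
        z = (total - b["mean"]) / sigma if sigma else 0.0
        if z > z_threshold:
            findings.append((host, f"outbound volume z-score {z:.1f}"))
        for ip, port in sorted(new_dests[host]):
            findings.append((host, f"new destination {ip}:{port}"))
    return findings


def run_example():
    """Baseline on the first four days, then check the fifth."""
    return detect_deviations(build_baseline(BASELINE_FLOWS), NEW_DAY_FLOWS)


if __name__ == "__main__":
    for host, reason in run_example():
        print(f"{host}: {reason}")
```

Run as-is, it reports host-a twice (volume roughly 70 standard deviations above its floored baseline, and a new destination on 8443) and stays silent on host-b, whose 1.3 MB day is under two standard deviations from its mean. The same structure scales to whatever a real collector exports; the judgment calls are the window length, the threshold and the stdev floor, and those are exactly the parts that need tuning per network.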
Most importantly, network and security managers should change their approach to security, warns a report from the President's Council of Advisors on Science and Technology.
"It is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses," it recommends. "Static protective mechanisms are no longer adequate."
The private sector should leverage existing regulatory frameworks and focus on auditable processes of continuous improvement instead of depending on list-based mandates "that encourage a 'check-the-box' mentality and provide incentives for minimal compliance," advises PCAST.
Poorly applied security fundamentals were the cause of many network breaches, Frost's Dickson pointed out, citing IBM's 2013 mid-year trend and risk report.
"It's not the hard stuff that's tripping us up," Dickson said. "It's the easy stuff."