The archetypal hacker was given a new face a few months ago. On Feburary 20, 2013, leading cyber security consultancy Mandiant reported the existence of a unit inside the Chinese People’s Liberation Army that was deployed full-time to hacking into American companies and critical infrastructure systems. Their primary targets include water treatment plants, pipelines, and power grids, the purpose of which, according to Mandiant, is “to disrupt services.”
The department was identified only as 61398, the number of the building address in Shanghai in which the roughly 1,000 hackers operate. Just one of hundreds of corporate targets breached was Lockheed Martin, makers of the new F35 fighter. Not surprisingly, the Chinese recently “developed” their own version of the fighter, which exhibits characteristics of several highly classified U.S. technologies.
Like most corporations, the industrial control systems that run so many of America’s power plants, factories, pipelines, dams, water treatment plants and other infrastructure elements are fairly well-guarded from the outside, said Dale Peterson, Chief Executive of Digital Bond. But once a hacker is in the system, “there are very few safeguards.”
Not that long ago, you could count on your Security Information and Event Management (SIEM) vendor to protect your entire network. Most malware attacks could be categorized as vandalism created by individual hackers and let loose on the general public largely to gain notoriety. Provided you weren’t the first one hit, your SIEM would have identified the malware and updated your perimeter defenses before it reached you.
Today’s hackers are organized. They work for nation states, hacktivist organizations, criminal enterprises, and other groups with serious funding and a specific purpose. Just this year, they’ve targeted Delta Airlines, Porsche, The Coca-Cola Company, The Chicago Mercantile Exchange, as well as several members of Congress. If you’re targeted, it’s very likely being done in order to steal something, and it’s not likely through the use of any previously known malware.
Securing the perimeter is no longer an option. For a SIEM or tool to identify a breach, it has to be a known issue. When the target and the attack are unique, all security issues are unknown. Organizations must re-think their security strategies to deal with unknown and unpredictable attacks, or expect to suffer the consequences of a breach.
The security community is responding. A new spate of tools that combines pervasive monitoring with big data analytics on a massive scale to create an omniscient view of the enterprise and identify anomalous behavior is in the works. However, it could take years before a commercially viable solution hits the market.
But, if we can’t secure the perimeter, then what? We must assume the intruder is already in the building. Now the security playing field shifts from the perimeter to the heart of the organization — the internal network and the data center.
Performance monitoring offers a solution that while under-utilized, is quickly gaining prominence as a way to identify possible threats before it’s too late. Here are a few ways you can leverage your current performance monitoring efforts as an early warning system to catch breaches before the damage is done.
Keep an eye on performance timings.
Attacks can slow down applications, but they can also speed them up. Anomalies in application performance can be an early warning sign of an intruder. Conceptually, it’s simple. You establish a baseline and look for any deviation. Unlike SIEM approaches, you don’t need to know what’s actually happening – you just need to recognize that something’s not normal and alert your security team. It’s important to note that some of these changes may be subtle. While the goal of many cyber-thieves is to get in and out as quickly as possible, more sophisticated threats often aim to set up shop inside organizations for weeks or months and aggregate small amounts of data over a long period of time. The occurrence of regular variances from your baseline, no matter how minor, should be looked at – it could be the difference between discovering a breach before it’s too late.
Watch specifically for changes in browser response time.
Monitoring applications across multiple browsers (Firefox, Chrome, etc.) can be useful as well. Hackers often exploit browser specific vulnerabilities – which can often surface as performance issues that only occur when you access your Web application in a particular browser.
Compare application performance to traffic stats from Google Analytics.
Attacks can also cause a sudden dip in traffic. Once a site is infected, Google and other browsers may detect well-known infections and prevent the traffic from being delivered. In that case, overall traffic to a site can go flat. Any change in transaction processing time should be investigated. If the change can’t be explained by changes in traffic volume, you may be looking at a breach.
Organizations in finance, healthcare, defense, and other regulated industries are prime targets for cyber thieves and terrorists. Needless to say, the hackers are staying more than one step ahead. As a result, security professionals would do well not to wait on the raft of new security technologies in development. Instead, they should proactively employ effective, practical methods of combating today’s threats, beginning with performance monitoring.