This morning security company McAfee issued a white paper detailing cyber attacks from China on global energy companies, an effort it dubbed “Night Dragon.” The report chronicles highly determined, professional, and focused efforts to penetrate energy firms and steal proprietary information including “operations and project-financing information with regard to oil and gas field bids and operations.” You can download a copy of the white paper here.
Like anyone who’s been in the security business for a while, I’ve seen more than a few reports like this over the last 15 years. Beyond just being chilling though, “Night Dragon” is noteworthy for two reasons. First, it’s a stark reminder of just how professional the bad guys have become. Second, the attack mechanics suggest a hide-in-plain-sight component.
Per the figure below, McAfee chronicles a multi-phased, focused attack in which the perpetrators progressively penetrate the targets’ infrastructure to get at data on executives’ computers.
Targeted attacks aren’t new, but it’s rare that the public gets detailed (if aggregated and anonymized) information on how the bad guys got in and got the data out.
Also noteworthy is Night Dragon’s use of remote administration tools (RATs). The use of RATs is interesting not because they represent a new or sophisticated technique, but because of the implications for detection. RAT traffic complicates detection because it looks like standard host administration traffic, the likes of which you can find on most any enterprise network. McAfee and others now have signatures to detect this, but it represents another class of threat requiring signature creation – as if there weren’t enough already.
What does it all mean?
Night Dragon reminds security pros how important it is to: 1) identify what your most valuable data is and 2) determine who would like to get their hands on it. These questions need regular review distinct from tactical security technology projects. For example, is there a nation-state that would be particularly interested in your data? Then perhaps all traffic to and from it warrants special monitoring. Might activists like to make a statement about their cause at your expense – as happened to MasterCard, Visa, and others in the wake of Wikileaks? Then perhaps it’s time to investigate protection against denial of service attacks. Do you have an important product launch coming up later this year? Then perhaps the product manager’s e-mail warrants enhanced protection.
The lesson to ID your valuable data and top attackers is sadly obvious. But day-to-day discussions and breaches like this make clear that we lose sight of it regularly. And in the face of APTs, zero-day threats, and reactive security tools, it may be the best defense we have.