Recently it was reported in the media that Chinese hackers had stolen data on multiple U.S. weapon systems, including fighter aircraft and missile defense systems. This information came to light through a Defense Science Board report describing a wide array of breaches by Chinese cyber spies and the Department of Defense's inability to do anything about them.
While this report is disturbing, it is actually the hacking cases we don't hear about (the unknown unknowns) that are of most concern. For every headline event like this that compromises the confidentiality of information, there are many more covert intruders lurking. Advanced Persistent Threats (APTs) can lie low, undetected, for years. They are extremely difficult to find and can serve as pre-positioning nodes from which the enemy can later strike.
Tools alone will never discover information that is stolen covertly and in small quantities. So what do we do about the threat? Everyone knows some action needs to happen, but right now it is happening in a haphazard way. People and organizations want the easy solution, hoping that hooking a fancy new tool up to the network will solve everything. Things are more complicated than that. This is fundamentally a human problem, and the real solution lies in situational awareness of networks. An organization must be able to look at any communication within its network and search for anomalies. Analysts and operators need tools to cue them to anomalies, then they must apply analytical and investigative methods to determine what the tip or alert really means. This may require problem-solving techniques entirely different from those used in the past. It is not an easy solution; it is a constant fight that must be viewed almost as a cyber war, and in a war, intelligence and analysis must be brought together so that leaders understand the environment.
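To make the "cue tips, then investigate" idea concrete, here is an added example (not from the original post, and not a Praescient tool): it scans constructed outbound-connection summaries for one internal host contacting one external destination on a near-fixed interval, the check-in rhythm a dormant implant tends to show. It ranks each tip by how many internal hosts talk to that destination, so fleet-wide NTP and a lone beacon both surface but sort differently, and the analyst, not the tool, decides what each one means. The host names, addresses, ports and timestamps are all constructed sample data.

```python
# Added example, not code from the original post. Flags "beaconing": one
# internal host reaching one external destination on a near-fixed interval.
# Every host name, address and timestamp below is constructed sample data.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (timestamp_seconds, src_host, dst_ip, dst_port).
# ws-017 checks in with 203.0.113.10:443 about every 300 s (the planted beacon).
BEACON = [(t, "ws-017", "203.0.113.10", 443)
          for t in (0, 301, 599, 902, 1200, 1498, 1801, 2100)]
# Every workstation syncs time with 192.0.2.1:123 every 600 s (benign, periodic).
NTP = [(t, h, "192.0.2.1", 123)
       for h in ("ws-017", "ws-021", "ws-033") for t in range(0, 3600, 600)]
# Ordinary bursty web browsing to 198.51.100.5:443 (irregular gaps).
BROWSING = ([(t, "ws-021", "198.51.100.5", 443)
             for t in (10, 12, 15, 90, 95, 400, 405, 1900)]
            + [(t, "ws-033", "198.51.100.5", 443) for t in (50, 52, 700)])
SAMPLE_FLOWS = BEACON + NTP + BROWSING


def inter_arrivals(timestamps):
    """Gaps between consecutive timestamps, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def periodicity(timestamps):
    """Return (mean_gap, coefficient_of_variation) for a list of timestamps,
    or None when there are too few points. A CV near zero means the gaps are
    almost identical, i.e. machine-timed rather than human-driven traffic."""
    gaps = inter_arrivals(timestamps)
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, min_events=6, max_cv=0.2):
    """Cue tips: (src, dst, port) tuples seen at least min_events times whose
    gaps vary by no more than max_cv. Each tip records how many internal hosts
    talk to that destination so an analyst can separate a lone implant from
    something the whole fleet does, such as time sync."""
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
        hosts_per_dst[(dst, port)].add(src)

    tips = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stats = periodicity(stamps)
        if stats is None:
            continue
        period, cv = stats
        if cv <= max_cv:
            tips.append({
                "src": src, "dst": dst, "port": port,
                "events": len(stamps), "period": period, "cv": cv,
                "contacting_hosts": len(hosts_per_dst[(dst, port)]),
            })
    # Rarest destination first, then the most regular timing.
    tips.sort(key=lambda t: (t["contacting_hosts"], t["cv"]))
    return tips


if __name__ == "__main__":
    for tip in find_beacons(SAMPLE_FLOWS):
        print(f"{tip['src']} -> {tip['dst']}:{tip['port']}  "
              f"every {tip['period']:.0f}s (cv {tip['cv']:.3f}), "
              f"{tip['contacting_hosts']} host(s) use this destination")
```

Run as written, the first tip is ws-017 talking to a destination nobody else on the network uses, every 300 seconds; the NTP tips follow, each marked as shared by three hosts. The tool only cues; deciding that the first is an implant check-in and the rest are time sync is the analyst's job, which is the point of the paragraph above.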
Post by Bob Stasio, Praescient’s Director of Cyber Analytics