Malware continues to change at a rapid pace, as evidenced by new types of high-tech, military-grade malicious code grabbing headlines such as Stuxnet, Duqu and Flame.
Another category raising its ugly head is the malware developed specifically for industrial espionage, like ACAD/Medre.A, which we will be seeing more and more of in the future. Why these sudden spikes in the news? This isn't something new; these kinds of situations have happened before. But since people in general are becoming more security-aware due to the ongoing stream of information and related coverage in the media about state-sponsored malware, these anomalies are now noticed on a more regular basis and as a result of being detected more often.
You're most likely are asking yourself: "What can I do to protect my company against these targeted attacks?"
First off, the attacks that are targeted are usually invisible to current security measurements and undetectable by even the most up-to-date anti-malware solutions. This is, of course, not a reason to stop using anti-malware software, as it continues to be a line of defense that can still help you identify and remove threats. Also, anti-malware software is getting smarter and new(er) versions may be able to detect the threats purely based on behavioral detection, but even if it doesn't, when the signature database is updated with entries covering the threat, you may suddenly find that your network has been affected. Even though the system was compromised, and data may have been leaking, at least you now know you have a problem and you can start a proper damage assessment and begin issuing remediation protocols.
More often than not, these attacks have been built with information from the inside, which allows hackers to smoothen the point of entry into your environment. So, to properly protect your company and its assets in the best ways possible against these potential espionage attacks that are trying to steal your intellectual property, it is imperative that you will have to take additional actions and precautions.
- Data Policy: You need to look at who is allowed to access to critical information. In many cases the data holding the intellectual property is readily available on the network for many people and is easily accessible.
- Bring Your Own Device (BYOD): an entire topic by itself. BYOD may seem like an inexpensive solution, but in the end it may cause you more problems than it is worth. You do not know where the device has been, what kinds of software have been installed on it, if copied material has been downloaded to it, etc. If you do support BYOD, at the very least you need to enforce that management/maintenance software has to be installed. Also make sure that some kind of Device Control Mechanism is in place that will safeguard against data leakage. Not only can it only allow certain (USB) devices to be inserted, it will also encrypt the data. When the data is later used on another system inside the company's environment, the data will automatically be decrypted 7mdash; and thus usable - but when copied to a system that does not have the Device Control Mechanism installed, it will be useless.
- Protect your critical infrastructure: separate the network with the intellectual property from the corporate network and only allow access to that network to individuals who need to have access. But you will have to go further than that. Documenting and deciding who is allowed to work on that network and have physical access to locations that can reach that network needs to be determined. Even if you have security clearance screening for employees that can access to these areas, are you sure external companies do the same (e.g. employees of the company cleaning the office)? Or the mechanic of specialized hardware company you hired who is coming from the supplier to perform maintenance? And how about the laptop he connects to the hardware to monitor the proper working order of the hardware (getting back to BYOD)?
- Monitor for unexpected behavior. This is by far the most difficult one as you never know what to look for. In a recent case (ACAD/Medre.A) where industrial espionage is suspected, the malware was sending copies of blueprints via SMTP to an email address in China. There is no reason for ANY code to have mail-sending capabilities other than to the corporate Mail Transfer Agent. With the correct firewall settings (and alert-system), the transmissions should have been noted and prevented. Given the tens of thousands of leaked blueprints we can safely assume that implementation of basic monitoring measurements is not in place in many organizations. In other situations, frequent connections on weird ports to a single (or a small set of) IP address(es) again may indicate something is wrong.
There is no real manual on how to protect yourself from targeted attacks trying to steal your intellectual property. And where these attacks are small-scaled, they may go unnoticed for a long period of time, or go completely undetected. Staying educated, visiting your favorite security vendors' websites, reading how the new threats work and making sure you keep protecting yourself against them is a must if you want to stay properly protected and have all the proper measures in place to keep your intellectual property out of the hands of hackers.
Righard Zwienenberg is a 24 year veteran in the anti-malware industry and a Senior Research Fellow at ESET.