Operation "Aurora": A Revolution in the Threat Landscape

21 January 2010

On October 25th, 1917, a blank shot from the battleship Aurora's gun signaled the start of the assault on the Winter Palace, which was to be the last episode of the Russian October Revolution.

Is the recent attack on Google and “other major internet companies”, dubbed Operation “Aurora”, going to start a revolution in cyber security? George Kurtz, McAfee's CTO, seems to think so. Breaches like this have happened before, but the attention and press coverage usually went to counting how many user IDs and passwords were stolen (I have written about this previously in an article on ZDNet.com), not to the loss of intellectual property, which is what happened in this case.

Following this attack, each user has to be treated as a potential insider threat, since cyber-criminals and government proxies can take control of legitimate user accounts through targeted phishing and social engineering. The “Aurora” attack was not a direct breach of Google's networks. The attackers got in by compromising an endpoint first: they tricked a user into installing malware. After that, all bets are off. What follows is a stealthy insider attack carried out under a legitimate user's identity, and it is very difficult to detect. Some people call this an “advanced persistent threat”, or APT. Essentially, if you are important enough (Google is), someone will design an attack tailored specifically to your application and use every known vector to deliver it, and they will not stop trying until they get in. Conceding that adversaries will always find an attack vector the application designers' threat model has missed, let's see whether reasonable protection is still feasible.

No single technique or product will protect against an APT. Let's take a look at a few of the measures that are needed.

First, the regular cocktail of technical controls (anti-virus and anti-malware software, a consistent patching process, etc.) will neutralize some, if not most, of the APT attackers' weapons. Zero-day vulnerabilities remain, however, so sophisticated, especially government-sponsored, adversaries are likely to penetrate these defenses. Returning to the assumption that a legitimate user's computer has been taken over by an attacker: the application now sees requests that carry valid credentials and arrive from the expected machine, so it is difficult to distinguish legitimate access requests from fraudulent ones.

As a second line of defense, behavioral rules, restricting access to specific times of day and/or days of the week, and similar techniques make an attack harder to carry out, because the intruder now has to mimic not just the user's credentials but the user's habits. They do not guarantee protection, however: no control reliably stops a determined intruder.
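The following is an added example, not code from the original post or from Intralinks, of what such second-line rules look like when run over an access log. It is written in Go; the log format, the user name “alice”, the Eastern-time 08:00-18:00 weekday window and the three-opens-per-hour threshold are all constructed for the illustration, as is the sample log itself. Each open is checked against the user's permitted days and hours and against a rolling one-hour rate, and an account that has no policy at all is flagged too.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Policy is a user's permitted access window plus one behavioral threshold.
// The values in SamplePolicies are assumptions for this example.
type Policy struct {
	Home          *time.Location        // zone the window is expressed in
	StartHour     int                   // first permitted local hour (inclusive)
	EndHour       int                   // last permitted local hour (exclusive)
	Weekdays      map[time.Weekday]bool // permitted days
	MaxOpensPerHr int                   // document opens per rolling hour before flagging
}

// Finding is one rule violation; Rule is "weekday", "hours", "rate" or "no-policy".
type Finding struct {
	Rule, User string
	At         time.Time
}

// Evaluate applies the day, hour and rate rules to each log line of the form
// "<RFC3339 timestamp> <user> <document-id>" (a constructed format). Lines must be
// in chronological order because the rate rule keeps a rolling one-hour window.
func Evaluate(lines []string, policies map[string]Policy) ([]Finding, error) {
	var out []Finding
	history := map[string][]time.Time{} // per-user open times from the last hour
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		user := f[1]
		p, ok := policies[user]
		if !ok { // an account nobody wrote a policy for is itself worth a look
			out = append(out, Finding{"no-policy", user, when})
			continue
		}
		local := when.In(p.Home)
		if !p.Weekdays[local.Weekday()] {
			out = append(out, Finding{"weekday", user, when})
		}
		if h := local.Hour(); h < p.StartHour || h >= p.EndHour {
			out = append(out, Finding{"hours", user, when})
		}
		// Behavioral rule: discard opens older than an hour, then count what is left.
		cutoff := when.Add(-time.Hour)
		var recent []time.Time
		for _, t := range append(history[user], when) {
			if !t.Before(cutoff) {
				recent = append(recent, t)
			}
		}
		history[user] = recent
		if len(recent) > p.MaxOpensPerHr {
			out = append(out, Finding{"rate", user, when})
		}
	}
	return out, nil
}

// SampleLog is constructed data: alice's Tuesday morning (Eastern) with one burst of
// opens, a 02:30 local open, a Saturday open, and an account that has no policy at all.
var SampleLog = []string{
	"2010-01-12T14:05:00Z alice doc-001",
	"2010-01-12T14:06:00Z alice doc-002",
	"2010-01-12T14:07:00Z alice doc-003",
	"2010-01-12T14:08:00Z alice doc-004",
	"2010-01-13T07:30:00Z alice doc-001",
	"2010-01-16T15:00:00Z alice doc-002",
	"2010-01-18T14:05:00Z mallory doc-001",
}

// SamplePolicies: alice works 08:00-18:00 Eastern (UTC-5), Monday to Friday, and
// rarely opens more than three documents in an hour (assumed thresholds).
func SamplePolicies() map[string]Policy {
	days := map[time.Weekday]bool{}
	for d := time.Monday; d <= time.Friday; d++ {
		days[d] = true
	}
	return map[string]Policy{"alice": {
		Home: time.FixedZone("EST", -5*3600), StartHour: 8, EndHour: 18,
		Weekdays: days, MaxOpensPerHr: 3,
	}}
}
```

Running `Evaluate(SampleLog, SamplePolicies())` yields four findings in order: a rate violation on the fourth open within an hour, an out-of-hours open at 02:30 local, a Saturday open, and the unconfigured account mallory. The limitation the paragraph points at is visible here too: an attacker operating from alice's own compromised machine inherits her address and can pace the opens to stay within her normal hours and rate, so these rules raise the cost of the attack rather than preventing it.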

And third, try to make information unusable if it is stolen. Use technologies and services that protect information in use. The document content is always encrypted, which means that outside the legitimate user's computer, specifically a special viewer that knows how to retrieve the encryption key and render the content in human-readable form, it is just a sequence of random-looking bytes. As an added bonus, these products allow documents to be shredded remotely if credential compromise is suspected.
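To make the third measure concrete, here is an added example, written for this page and not taken from Intralinks' product or the original post, of the mechanism behind “always encrypted” content and remote shredding. The design is hypothetical: a key service holds the only copy of each document's AES-256-GCM key, the viewer must ask it for the key on every open, and “shredding” a document means destroying that key, so every copy of the ciphertext, including any already exfiltrated, becomes unrecoverable. The document ID “deal-42” and the user names in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Errors the key service returns to the viewer instead of a key.
var (
	ErrRevoked       = errors.New("user credential revoked")
	ErrNotAuthorized = errors.New("user not on document ACL")
	ErrShredded      = errors.New("document key destroyed")
)

// KeyServer stands in for the service a viewer contacts every time a document
// is opened. It holds the only copy of each document key. (Hypothetical design.)
type KeyServer struct {
	keys    map[string][]byte          // docID -> AES-256 key
	acl     map[string]map[string]bool // docID -> users allowed to open it
	revoked map[string]bool            // users whose credentials are suspect
}

func NewKeyServer() *KeyServer {
	return &KeyServer{keys: map[string][]byte{}, acl: map[string]map[string]bool{}, revoked: map[string]bool{}}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts a document under a fresh random key and records who may open it.
// The returned blob is nonce || ciphertext || tag; it is safe to store or copy anywhere.
func (s *KeyServer) Protect(docID string, users []string, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.keys[docID] = key
	s.acl[docID] = map[string]bool{}
	for _, u := range users {
		s.acl[docID][u] = true
	}
	// The docID as associated data binds the blob to its identity without hiding it.
	return aead.Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// ReleaseKey is the check the viewer cannot bypass: no key, no readable document.
func (s *KeyServer) ReleaseKey(user, docID string) ([]byte, error) {
	if s.revoked[user] {
		return nil, ErrRevoked
	}
	if !s.acl[docID][user] {
		return nil, ErrNotAuthorized
	}
	key, ok := s.keys[docID]
	if !ok {
		return nil, ErrShredded
	}
	return key, nil
}

// Open models the viewer: fetch the key, then decrypt and verify the blob.
func (s *KeyServer) Open(user, docID string, blob []byte) ([]byte, error) {
	key, err := s.ReleaseKey(user, docID)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(docID))
}

// Revoke cuts off one user, e.g. when their credentials are suspected stolen.
func (s *KeyServer) Revoke(user string) { s.revoked[user] = true }

// Shred destroys the only copy of the key. Every copy of the ciphertext, including
// ones already exfiltrated, is now indistinguishable from random bytes.
func (s *KeyServer) Shred(docID string) { delete(s.keys, docID) }
```

Two points a practitioner should keep in mind with this design. The key service becomes the choke point where every open is authorized and logged, which is what makes revocation and shredding take effect immediately rather than after the next sync. But the viewer on the endpoint necessarily holds the key and the plaintext in memory while the document is displayed, so an attacker who controls that endpoint can still capture whatever the user is looking at; what the scheme defeats is bulk copying and the long-term value of files that have already left the building.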

To conclude, the Aurora attack clearly indicates a significant change in the threat landscape: criminals are going after intellectual property (IP) more than ever. If there is one thing to learn from the Aurora incident (other than that it again confirmed the need for defense in depth), it is not to use free services to protect valuable intellectual property, or what we here at Intralinks call critical information. Luckily, there are commercial services available that are designed with security foremost in mind to help address risk and compliance requirements.



Mushegh Hakhinian

Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.