Human Frailty Lets Cyber Thieves Attack, Expert Says

As money becomes more mobile, the threat from cyberattackers is likely to increase, a top security expert told a U.S. Senate panel on Tuesday.

"I always believe wherever money goes, crime follows," Kevin Mandia, the founder and chief executive of digital security firm Mandiant, told an Armed Services subcommittee at a hearing on cyber threats. "Pretty soon we'll all be paying for things with our Android phones or iPhones and the minute we're doing all digital money, we're going to see more digital crime, and we're going to need more expertise."

Mandia, whose firm released a report in February that documents theft of intellectual property from more than a hundred U.S. companies by hackers backed by the Chinese military, stressed to senators that intruders' sending emails that induce victims to open them and other tactics that exploit behavior adds to both the sophistication of cyberattacks and the difficulty of defending against them.

"They're leveraging human weaknesses and human vulnerability and trust to break into these organizations," said Mandia, who added that the Chinese intruders his firm has witnessed have sought to steal corporate secrets, not to alter data or shut down networks. "Make no mistake, they're targeting our intellectual property," Mandia added.

Companies have little choice but to be on the lookout for electronic intrusions because trying to prevent them entirely can be futile. "Unless you are a top company that can hire top talent and scale those costs across the business, you can't afford defenses that will stop a Chinese unit or a Russian unit or anyone else," Richard Bejtlich, Mandiant's chief security office, told the panel.

Bejtlich added that in high-performing organizations, "people accept that you will be compromised, but you have to find it quickly, stop it quickly, and then contain it."

Mandiant's report shows "there is simply nothing left for the public to doubt about the magnitude or relentless character of China's theft of American technology and other valuable business information," Senator Kay Hagan (D-N.C.), the subcommittee chair who convened the hearing, said in prepared remarks.

"The issues are complex, technical and can at times seem very academic; but make no mistake, the consequences are real and potentially far-reaching," Senator Deb Fischer (R-Neb.), the subcommittee's top Republican, added.

For their part, Chinese officials have denied sponsoring the attacks, which the White House says underscores the need for a dialogue with China and other nations on what constitutes acceptable norms of behavior in cyberspace.

The hearing comes amid a wave of cyberattacks on some of the nation's biggest banks and a series of warnings about the threat that cyber intrusions pose to financial networks and other critical infrastructure. The Director of National Intelligence, James Clapper, recently told the Senate Intelligence Committee that cyberattacks present a growing threat to financial networks and other critical infrastructure.

Last week, roughly a half dozen banks weathered digital assaults on their websites that bogged down online banking and frustrated customers who were unable to log on to their accounts. The denial of service attacks continued an uptick in such attacks that started last year, when the number of such assaults rose 170% from a year earlier, according to Radware, a digital security firm.

Cyber intrusions are on the rise as well. Though the median time cyberattackers were present in the networks of companies and other victims dropped in 2012 to 243 days from 416 days in duration a year earlier, the downward trend was accompanied by a higher mean number of days of compromise, according to the latest threat report from Mandiant.

Financial firms were among those that have experienced a rise in advanced attacks. Electronic intrusions of financial firms rose to 11% of advanced threats last year, up from 7% a year earlier, placing the financial industry third, behind the aerospace and energy industries, among more than eight industries being targeted by intruders, Mandiant found.

Mandiant says it was hired by a bank late last year to investigate the theft of nearly $2 million via a fraudulent wire transfer. The bank learned of the incident after discovering a series of messages that had been sent using a cloud-based application both the bank and its customers used to process transactions.

Mandiant discovered that attackers had compromised a computer belonging to the bank by installing malicious software that exploited a weakness in Java when an employee of the bank used the computer to visit the website of a local news outlet, where they were redirected to a computer the intruders had infected with pernicious code.

The attackers later installed software via the compromised machine that enabled them to access the account management application, which they logged into using credentials the attackers stole from employees whom they targeted. After logging into the bank management applications, the attackers identified accounts with large balances, disabled the authentication, reset the passwords, logged back in as the targeted account owner and transferred money to an account owned by the attackers.

"We saw multiple instances of this type of attack throughout 2012," Mandiant wrote. "The attackers stole large sums of money in different ways, depending on the type of credentials they were able to obtain."

According to Mandiant, cyberattackers increasingly are tapping into the networks of outsourced service providers to gain access to victims, using more sophisticated reconnaissance to map victims' networks, and compromising websites the attackers know to be browsed by users at target companies.

Companies spent $134 billion on outsourcing business processes such as accounting, finance and human resources last year, along with another $252 billion to outsource information technology, according to Mandiant. The outsourcing "adds up to a lot of organizations allowing outside vendors unfettered access to large portions of their networks," the firm wrote.

Attackers can compromise outsourced service providers and gather information they need to compromise a second victim, while lying dormant at the first victim for months or even years.

Mandiant urges companies to ensure their organization knows the security practices of providers to whom they outsource functions, and to classify and secure information about their own networks and systems appropriately.

Companies also should treat detecting and responding to cyber intrusions as a consistent business practice, and more than something they do reactively, Mandiant says.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER