This past week several very prominent American news organizations publicly admitted having their computer systems hacked into, and explicitly blamed the Chinese government:
“Chinese hackers suspected in attack on The Post’s computers” – The Washington Post
“A Cyberattack From China” – The New York Times
“Chinese Hackers Hit U.S. Media” – The Wall Street Journal
There are several aspects of these events that seem to herald a change in this now familiar story of computer breaches reportedly being conducted by the Chinese. First is the public acknowledgement of the targeting of an apparent industry / sector – by that sector itself. (Obviously, the oil and financial services sectors have been explicitly targeted previously, but companies within those sectors did not openly discuss the issue of computer hacking / breaches, nor which nation was believed to have conducted the attacks.) Second is the prominence of the companies targeted within that sector. And third, multiple targeted companies blamed the Chinese concurrently with breach disclosure – not months or even years later.
What should also be glaringly obvious to information security practitioners by now is that traditional information security tools are almost useless in preventing or detecting these breaches in near real-time. The Washington Post admitted that the intruders gained (unauthorized) access to its computer systems in 2008 or 2009 – and were not discovered until 2011. So, for at least two years, intruders were inside the Post’s computer systems undetected. What is unusual here is not the period of time during which the intruders were undetected – only the public admission of such.
So, if your organization is still relying on a SIEM to help detect such intrusions, maybe you, the information security practitioner, should rethink that approach. Clearly, we have to do better than we are. The overused and overhyped APT acronym is not looking so advanced anymore – it is rapidly becoming routine.