The entire globe, or at least the entire IT security community, has seemingly found itself captivated this week by the recently reported wave of targeted IE zero-day attacks carried out against Google and a number of other major firms – a campaign that has been dubbed “Operation Aurora” and that many researchers have also identified as emanating from China.
Like many of the other high-profile attacks that have garnered similar attention in the IT industry and beyond in recent years, the widespread coverage being given to the Aurora campaign seems to be focused on the fact that companies with such deep, established security practices were reportedly infiltrated for a period of months without ever knowing about it or being able to prevent the activity.
But the reality is that within the context of the current state of widespread software vulnerabilities and the ability of advanced attackers to isolate those issues and exploit them stealthily, none of this should really come as a surprise to anyone, and most certainly not IT security experts.
Whether or not the Operation Aurora attacks were in fact conceived in China, and the inability of governments and the global law enforcement community to do anything to effectively thwart such action, are other extremely important and challenging issues. (I was interviewed about all of these topics in a recent podcast conducted by reporters with the ThreatPost security news service.)
However, the fact that cybercriminals were able to find a previously unreported “zero-day” vulnerability in a ubiquitous technology such as IE, and then use it as a means to infiltrate specific organizations, even those with stout security defenses, is truly a non-news item at this point. With many such vulnerabilities resident throughout some of the most popular applications used by organizations today – including those reported by our CoreLabs research group – the opportunity for advanced persistent threat campaigns like Aurora to be carried out is constantly present.
And targeted cyber-infiltration against these tech giants further ushers in a new era wherein attacks upon their own products and source code will increase – leading to significant systemic risk to our overall digital ecosystem.
That’s precisely why organizations have to stop sinking so much of their security resources into defensive tools that create barriers certain to eventually be circumvented, or invest all their time into vulnerability management efforts that only guess at which potential exposures may place them at greatest risk of compromise.
Penetration testing offers organizations a powerful alternative through which to understand precisely where they are vulnerable, and what the implications of those weak points may be in direct relation to cutting-edge threats – it’s time to recognize that this is the only way that we can hope to effectively level the playing field.
After known intrusions, organizations must have the capability to draw detailed attack graphs that show how intruders were able to maintain a persistent presence in their environments and move across chains of interconnected vulnerabilities and assets, in order to bolster their post-breach situational awareness.
On Jan. 18, Core Security shipped an exploit to all CORE IMPACT Pro customers that enables organizations to ensure that they are not exposed to the widespread attacks currently targeting the IE vulnerability used in Operation Aurora and detailed in Microsoft Security Advisory 979352.
In a Core-sponsored webcast tomorrow, my colleague Alex Horan will demonstrate specifically how the Aurora exploits worked and how IMPACT Pro allows you to assess your resiliency to such threats.
Patched, unpatched, or anywhere in between, the only way for you to truly be sure that your systems are not vulnerable to these types of attacks is to test whether flaws are exploitable in your environment and to validate that security defenses are functioning properly and that remediation efforts, including patching, have been successful.
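As an added illustration of the attack-graph idea above and of validating that remediation actually cut the chain, here is a small Python example written for this page; it is not CORE IMPACT code or any other Core Security code. The assets, the edges between them and the vulnerability ids are all constructed placeholders, not real advisories. Each edge records one way an intruder could move from one asset to the next; the example enumerates every path from the initial foothold to a target asset, re-runs the search after a proposed fix to check whether any path survives, and brute-forces the smallest sets of vulnerabilities whose remediation removes every path.

```python
import itertools

# Constructed sample environment (not from the post). Each edge records one
# way an intruder could move from one asset to another: (source, target,
# vulnerability). The vulnerability ids are placeholders invented for this
# example, not real advisories.
CONSTRUCTED_EDGES = [
    ("internet", "workstation-1", "BROWSER-ZERODAY"),
    ("internet", "vpn-gateway", "VPN-DEFAULT-CREDS"),
    ("workstation-1", "file-server", "SMB-WEAK-AUTH"),
    ("workstation-1", "jump-host", "REUSED-ADMIN-CREDS"),
    ("vpn-gateway", "jump-host", "REUSED-ADMIN-CREDS"),
    ("file-server", "source-repo", "UNPATCHED-WEBAPP"),
    ("jump-host", "source-repo", "REUSED-ADMIN-CREDS"),
]


def build_attack_graph(edges, remediated=frozenset()):
    """Adjacency map asset -> [(next_asset, vuln)], dropping any edge whose
    vulnerability is in `remediated` (patched or otherwise closed)."""
    graph = {}
    for src, dst, vuln in edges:
        graph.setdefault(src, [])
        graph.setdefault(dst, [])
        if vuln not in remediated:
            graph[src].append((dst, vuln))
    return graph


def attack_paths(graph, foothold, target):
    """All simple paths from the initial foothold to the target asset.
    Each path is a list of (asset_reached, vuln_used) hops."""
    paths = []

    def walk(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for nxt, vuln in graph.get(node, []):
            if nxt in visited:
                continue  # simple paths only: never revisit an asset
            visited.add(nxt)
            hops.append((nxt, vuln))
            walk(nxt, visited, hops)
            hops.pop()
            visited.discard(nxt)

    walk(foothold, {foothold}, [])
    return paths


def remaining_paths(edges, remediated, foothold, target):
    """Re-run the path search after a proposed or completed remediation.
    A non-empty result means the fix did not actually cut the chain."""
    return attack_paths(build_attack_graph(edges, set(remediated)), foothold, target)


def minimal_cut_sets(edges, foothold, target, max_size=2):
    """Smallest sets of vulnerabilities whose remediation removes every
    path from foothold to target (brute force; fine for a small graph)."""
    vulns = sorted({vuln for _, _, vuln in edges})
    found = []
    for size in range(1, max_size + 1):
        for combo in itertools.combinations(vulns, size):
            if any(set(smaller) <= set(combo) for smaller in found):
                continue  # contains a smaller cut set, so not minimal
            if not remaining_paths(edges, combo, foothold, target):
                found.append(combo)
    return found


if __name__ == "__main__":
    graph = build_attack_graph(CONSTRUCTED_EDGES)
    for path in attack_paths(graph, "internet", "source-repo"):
        print(" -> ".join(f"{asset} [{vuln}]" for asset, vuln in path))
    print("single fixes that cut every path:",
          minimal_cut_sets(CONSTRUCTED_EDGES, "internet", "source-repo", 1))
    print("minimal fix pairs:",
          minimal_cut_sets(CONSTRUCTED_EDGES, "internet", "source-repo", 2))
```

In the constructed graph no single fix is sufficient: closing the browser zero-day alone still leaves the VPN route to the jump host, and fixing only the file-server weakness leaves two routes through the reused admin credentials. That is the point of re-running the search after remediation rather than ticking off patches one at a time.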
The problem of zero-day attacks isn’t going away anytime soon. However, those who are best prepared ahead of time will be the organizations capable of enduring in the face of this onslaught.
-Tom Kellermann, VP of Security Awareness