At the same time that my RSA Research colleagues were uncovering the Boleto fraud in Brazil reported this week, Symantec released a Security Response describing a cyber-attack campaign against energy infrastructure in the United States and Europe, dubbed “Dragonfly”, whose energy-sector activity dates from 2013. (Kaspersky has researched the same group under the name “Energetic Bear”, and F-Secure has been tracking one of the malware families it used, called Havex.) The attackers used spear-phishing, watering-hole attacks and Remote Access Trojans to compromise a number of important organizations in the United States, Spain, France, Italy, Germany, Turkey and Poland. The targets included energy grid operators and electricity generation firms, as well as oil and gas infrastructure operators and manufacturers of industrial control systems equipment.
The Dragonfly attack is particularly important in helping everyone involved in the security of critical infrastructure understand the magnitude of the threat confronting us. Although the initial phases of the attack focused on data exfiltration, the attackers then turned their attention to trojanizing the software updates that control systems vendors distribute to their customers, effectively gaining a sabotage capability that could inflict significant damage or disruption on electricity supply. Because of this risk, the US ICS-CERT has issued a strong recommendation that “organizations check their network logs for activity associated with this campaign.”
So how should we respond to this attack? ICS-CERT suggests inspecting network logs. That is a necessary first step, but only a first step: a published indicator list catches the variant that has already been analyzed, not the next one. The Dragonfly attack shows the need for much richer information sources than network logs alone, for much broader and more agile analysis than log inspection, and for a response that goes beyond searching for the indicators of this particular compromise. It requires intelligence-driven security: a strategy that brings together technology, processes and people so that organizations can use big data capabilities to detect, investigate and respond to attacks quickly and effectively.
The heightened visibility provided by the big data capabilities of new security analytics platforms creates unprecedented opportunities to identify anomalies, uncover evidence of hidden threats or even anticipate specific, imminent attacks. We need to take advantage of those capabilities. More data creates a richer, more granular view: security-related details can be seen in sharper focus and irregularities, such as a host that contacts the same external server at fixed intervals, can be found faster. And because security analytics platforms integrate threat intelligence from outside sources, like the RSA fraud reports and the Symantec Security Responses, organizations see the threat landscape as a panorama, not just through the narrow aperture of their own internal IT environments.
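To make the two steps concrete, here is an added example, not code from the original post or from RSA, Symantec or ICS-CERT, that runs both kinds of check over a handful of constructed proxy-log lines. The indicator list and every hostname, address and timestamp in it are placeholders (the `.invalid` and example domains are reserved names, not Dragonfly indicators); in practice the indicator set would be loaded from the vendor and ICS-CERT advisories. The first function is the plain indicator match ICS-CERT asked for; the second flags any source/destination pair that talks at near-constant intervals, which catches the periodic beaconing of an implant whose command server is not yet on any list.

```python
"""Added example: indicator matching plus a behavioural beaconing check over
constructed proxy-log lines. Not the original post's code; all data below is
constructed placeholder data, not real campaign indicators."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list (assumption: placeholder names only).
# A real list would come from the Symantec / ICS-CERT advisories.
IOC_DOMAINS = {"update-mirror.example.invalid", "cdn-static.example.invalid"}

# Constructed proxy log, one event per line: timestamp src dst_host bytes
SAMPLE_LOG = """\
2014-06-30T08:00:01 10.1.5.23 www.example.com 5120
2014-06-30T08:00:05 10.1.5.23 update-mirror.example.invalid 342
2014-06-30T08:05:05 10.1.5.23 update-mirror.example.invalid 340
2014-06-30T08:10:05 10.1.5.23 update-mirror.example.invalid 344
2014-06-30T08:15:05 10.1.5.23 update-mirror.example.invalid 341
2014-06-30T08:02:17 10.1.5.40 vendor-portal.example.net 7788
2014-06-30T08:20:17 10.1.5.40 vendor-portal.example.net 9101
2014-06-30T08:03:00 10.1.5.77 unlisted-host.example.org 300
2014-06-30T08:13:00 10.1.5.77 unlisted-host.example.org 301
2014-06-30T08:23:00 10.1.5.77 unlisted-host.example.org 299
2014-06-30T08:33:00 10.1.5.77 unlisted-host.example.org 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(log):
    """Yield (timestamp, src, dst, bytes) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def ioc_hits(log, iocs=IOC_DOMAINS):
    """Step one: the indicator match ICS-CERT recommends.
    Returns the distinct (src, dst) pairs whose destination is on the list."""
    return sorted({(src, dst) for _, src, dst, _ in parse(log) if dst in iocs})


def beacon_candidates(log, min_events=4, max_jitter=0.1):
    """Step two: behavioural check independent of any indicator list.
    Flags (src, dst) pairs with at least min_events contacts whose inter-event
    gaps vary by no more than max_jitter (stdev / mean). Returns
    (src, dst, mean_gap_seconds) tuples."""
    times = defaultdict(list)
    for ts, src, dst, _ in parse(log):
        times[(src, dst)].append(ts)
    out = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((src, dst, round(avg)))
    return sorted(out)


if __name__ == "__main__":
    print("indicator hits:", ioc_hits(SAMPLE_LOG))
    print("beacon candidates:", beacon_candidates(SAMPLE_LOG))
```

On the constructed data the indicator match finds only the host talking to the listed domain, while the beaconing check finds that host and a second one contacting an unlisted server every ten minutes. The second finding is the kind of irregularity that indicator matching alone never surfaces, and it is also where a human investigator has to follow up, since legitimate software (update checkers, monitoring agents) beacons too.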
It is this strategy that is the key lesson from the Dragonfly attack. We need to embrace detection, not just prevention, if we are going to respond not just to Dragonfly but to the new attacks that are sure to keep coming.