The New York Times' description of a cyberespionage campaign waged against the news media company by Chinese hackers demonstrates the importance of assuming that criminals will eventually break into a computer system, and that the best defense is to detect the intrusion as soon as possible.
On Wednesday, The Times disclosed that hackers had persistently attacked its computer systems for four months, and had stolen passwords for reporters and employees. Rather than boot the hackers immediately, The Times chose to study their movements in order to build better defenses against them.
The attacks coincided with an investigative piece the newspaper published Oct. 25 on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China's prime minister.
The lessons learned from the attack apply to any organization targeted by hackers with a level of sophistication often financed by a nation-state. Potential victims typically include defense contractors, multinational corporations, the military, think tanks and government agencies.
Over the course of the attacks on The Times, the intruders installed 45 pieces of custom malware. The Symantec antivirus software in use detected only one of them.
One important step the company took in September, when it learned it might be targeted by hackers in China, was to notify its Internet service provider to watch for unusual activity in outbound traffic from the network, experts said Thursday. AT&T eventually did report seeing anomalies, which started The Times investigation and led to its hiring of security firm Mandiant to help it monitor and eventually remove the hackers.
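The kind of outbound anomaly an ISP or network team is asked to watch for usually takes one of two shapes: a host that calls out to the same external address at suspiciously regular intervals (beaconing to a command-and-control server), or a host that suddenly pushes far more data to one destination than it does to anything else. The following is an added illustration, not the tooling used by The Times, AT&T or Mandiant; it runs two such checks over a constructed set of outbound flow records (the timestamps, hosts and documentation-range IP addresses are all made up), and the thresholds (`beacon_cv`, `min_beacons`, `volume_ratio`) are assumptions that a real deployment would tune against its own baseline.

```python
"""
Flag anomalous outbound traffic in per-connection flow records.

Added example (not the Times' or its ISP's code). Each record is
"<ISO timestamp> <internal src> <external dst> <bytes out>". Two checks:
  1. beaconing: a src/dst pair contacted at near-constant intervals;
  2. volume: a destination receiving far more bytes from a host than the
     median of that host's other destinations.
A destination seen from only one internal host is marked as "rare", which
is extra evidence an analyst would want alongside either hit.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample flow log (dates, hosts and addresses are fictional).
SAMPLE_FLOWS = """\
2000-01-01T09:00:00 10.0.1.20 203.0.113.7 1200
2000-01-01T09:05:00 10.0.1.20 203.0.113.7 1180
2000-01-01T09:10:00 10.0.1.20 203.0.113.7 1210
2000-01-01T09:15:00 10.0.1.20 203.0.113.7 1195
2000-01-01T09:20:00 10.0.1.20 203.0.113.7 1205
2000-01-01T09:01:12 10.0.1.20 198.51.100.9 9000
2000-01-01T09:33:40 10.0.1.20 198.51.100.9 12000
2000-01-01T09:02:07 10.0.1.31 198.51.100.9 15000
2000-01-01T09:47:55 10.0.1.31 198.51.100.9 8000
2000-01-01T10:12:02 10.0.1.31 198.51.100.9 11000
2000-01-01T22:10:00 10.0.1.31 192.0.2.44 52000000
2000-01-01T09:04:30 10.0.1.42 198.51.100.9 7000
2000-01-01T11:18:21 10.0.1.42 198.51.100.9 6500
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between connections.

    0.0 means perfectly periodic. Returns None when there are fewer than
    three connections (two gaps) to judge from.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_anomalies(flows, beacon_cv=0.1, min_beacons=4, volume_ratio=10.0):
    """Return a list of dicts describing src/dst pairs that look anomalous."""
    by_pair = defaultdict(list)          # (src, dst) -> [(ts, bytes), ...]
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hosts_per_dst = defaultdict(set)     # dst -> set of internal hosts
    for src, dst in by_pair:
        hosts_per_dst[dst].add(src)

    anomalies = []

    # Check 1: beaconing. Enough connections, and gaps that barely vary.
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_beacons:
            continue
        cv = interval_regularity([t for t, _ in conns])
        if cv is not None and cv <= beacon_cv:
            anomalies.append({"src": src, "dst": dst, "reason": "beacon",
                              "rare_dst": len(hosts_per_dst[dst]) == 1,
                              "detail": f"{len(conns)} connections, cv={cv:.2f}"})

    # Check 2: volume. Compare each destination's total to the median of the
    # host's other destinations; a host with a single destination has no baseline.
    totals = defaultdict(dict)           # src -> {dst: total bytes}
    for (src, dst), conns in by_pair.items():
        totals[src][dst] = sum(b for _, b in conns)
    for src, per_dst in totals.items():
        if len(per_dst) < 2:
            continue
        for dst, total in per_dst.items():
            baseline = median(v for d, v in per_dst.items() if d != dst)
            if baseline > 0 and total / baseline >= volume_ratio:
                anomalies.append({"src": src, "dst": dst, "reason": "volume",
                                  "rare_dst": len(hosts_per_dst[dst]) == 1,
                                  "detail": f"{total} bytes vs baseline {baseline:.0f}"})
    return anomalies


if __name__ == "__main__":
    for hit in find_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

On the constructed data the periodic five-minute calls from 10.0.1.20 to 203.0.113.7 trip the beacon check and the single 52 MB transfer from 10.0.1.31 to 192.0.2.44 trips the volume check; the ordinary traffic to 198.51.100.9, which several hosts share and which arrives at irregular intervals, is left alone. The value of handing this sort of check to the ISP, as The Times did, is that an intruder who has already defeated the endpoint's antivirus still has to move traffic across a network link the attacker does not control.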
The newspaper believes the hackers initially broke in Sept. 13 through a spear-phishing attack, in which carefully crafted emails are sent to specific people within an organization to trick them into opening a malware-carrying attachment or visiting a malicious website. The break-in occurred while The Times was completing its reporting for the Wen family story.
Besides employee education, ways to combat spear phishing include technology on the laptop that allows only pre-approved applications to run. Called whitelisting, the technology is difficult to manage, because employees will constantly seek permission to run other software.
"There's a lot of management overhead with it, but I think from a security standpoint, it's the right way to go," George Tubin, senior security strategist for Trusteer, said.
Other technology to prevent infection from an employee laptop includes sandboxing that limits applications only to the network resources that they need. Another option is micro-virtualization, which isolates the laptop from business applications and data by running risky tasks within a micro virtual machine.
Other options include exploit detection technology that makes it difficult for hackers to take advantage of vulnerabilities in software. Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) is an example of such technology, as are products from Cyvera, said Lawrence Pingree, an analyst for Gartner.