Advanced Persistent Threat: Security Strategies from Ron Gula, CEO, Tenable Network Security
Ron Gula, CEO of Tenable Network Security, explains the threat and the challenges to mitigating it. In an exclusive interview, Gula discusses:
Gula is known in the global security community as a visionary, innovator and engineer of extraordinary talent. He traces his passion for his work in security to starting his career in information security at the National Security Agency, conducting penetration tests of government networks and performing advanced vulnerability research.
Since co-founding Tenable in 2002, Gula has been CEO and CTO at Tenable, maker of the world-renowned Nessus Vulnerability Scanner and Unified Security Monitoring enterprise solution. As CEO/CTO of Tenable, he is responsible for product strategy, research and development, and product design and development. Gula is also a leader in his community and a passionate advocate for education and scientific research.
TOM FIELD: The advanced persistent threat--what is it and how are organizations vulnerable to it? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Ron Gula, the CEO of Tenable Network Security. Ron, thanks so much for joining me again.
RON GULA: Glad to be here and talking about the advanced persistent threat.
FIELD: Well, let's tackle the question that I asked up front here. What is the threat exactly, and how are organizations today vulnerable to it?
GULA: Organizations have always been vulnerable to remote attackers or hackers exploiting software and technology issues to gain access to their information and their data and their system resources. What has changed is that with the rise of something called botnets, where hackers want to organize hundreds if not thousands of hosts at the same time to achieve access to them, it's that they want to maintain that access. So all of those systems are always vulnerable, and they are always being patched. What the advanced persistent threat is, is when an attacker is trying to exploit these vulnerabilities, but then keep their foothold. So maybe after a system is patched or after an organization is aware of a vulnerability and they have mitigated it, the hacker is still going to be able to persist in an automated and hidden fashion in a manner that is unaware to the organization and remain on that network.
FIELD: Ron, clearly this is a threat to all industries, but I am curious: Where are industries such as financial services, healthcare and even government especially vulnerable?
GULA: Well, industries like finance are going to respond to this a little bit differently. Of all those industries that you mentioned, the financial industry has the most controls for monitoring what goes on in the network; they have pretty good consistent desktop policy, server policies, and they have the infrastructure to monitor. So for them, the advanced persistent threat is the one that is targeting or evading those technologies. One of the qualities about today's advanced persistent threat is that they evade detection by antivirus and by intrusion detection systems. So for example, if you were able to get one of these systems infected in a financial network, then it may not be detected by your modern top-of-the-line antivirus software. And if that system started communicating to the rest of its botnet for command and control and other types of information, it might not be detected by your intrusion detection system. So in the financial industry, they are going to detect the basic attacks, but they might detect something that is custom designed to evade what is on their network.
Now when you move out of that industry into healthcare and to government, you get a wide variety of responses. A typical hospital does not have the auditing and technological staff that a typical bank would have. So there you have regular attacks, regular malware, regular viruses being spread, probably occurring alongside advanced persistent threat types of software that is maybe even more advanced. From the hospital's point of view, they might not know any different. They might be getting infected with a malicious software that is targeting their specific healthcare systems, or they might just be getting infected with the virus of the month. So outside of the financial industry, the awareness of this kind of stuff is not going to be as high.
FIELD: Now, you have talked about awareness a couple of times. What do you find generally to be the awareness level in organizations across industry to the advanced persistent threat?
GULA: Well, if you have an organization that is not well managed from a security or an IT governance point of view, they are not going to be very aware of it. In other words, if you have an organization that is always responding to the latest vulnerabilities, in other words they are surprised every Microsoft Tuesday with you know, 'We have got to respond to this and patch our systems,' or they are always running around and responding to the next system that got compromised. That type of organization is always in response mode. They are not going to have any time to look at anything that is specifically targeting them or maybe even going under the radar.
Whereas other organizations that do have the resources to have control over their system configurations, positive control over their network monitoring and access control and different things like that, not only are they going to have more time to do more investigations to look for anomalies and things that might be slightly out of place, but they are going to have more, more advanced detection just based on policy.
For example, an organization that forces all of their users to go through a proxy firewall to get access to the internet -- the first time the machine gets infected and starts making outbound calls to the internet and not going through the proxy there is going to be a red flag, and that type of organization is going to be able to find malicious software a lot easier than somebody who is always in a response mode.
FIELD: So once an organization becomes aware, Ron, what become the main challenges then to overcoming the threat?
GULA: Well, the main challenge of course is always detecting it. Now more and more botnets that are out there, more and more malicious software is getting again, more and more sophisticated, but a trend that has been occurring over the last couple of years is that malware and malicious software are being custom designed for your organization.
For example, you might have a website that is waiting for people to come to it with vulnerable Internet Explorer browsers, but maybe only users from a certain organization will actually be targeted. This type of thing -- there are a lot of different names for these kinds of tailored attacks for specific organizations -- but they are very difficult to detect if you are on the defender side because every particular day you might be getting attacks from hundreds if not thousands of different viruses, and it is very difficult to find the ones that are targeted just for you.
Now if you do detect something, a lot of time what happens is that you want to reach out to your antivirus vendor or some public resources where you can compare perhaps signatures and forensics evidence in these various files to see if it is something other people have seen. If you are faced with the fact that this hasn't been seen before you might really question is this really a threat or not. A lot of times, knowing that somebody else has got the same problem is somehow comforting, and you have indeed had some validation that you found something. So unless you have the resources to really do the reverse engineering to confirm that this is really malicious for you, you really don't have a whole lot of opportunity to confirm that you are being targeted. In that case, you have to fall back on the traditional security models, defense in depth, monitoring access control violations and so on.
FIELD: Well, you talked about a couple of things, sophistication for one, and of course the persistence. What do you find to be the types of strategies and solutions that are most effective against the advanced persistent threat?
GULA: Definitely the basics, so if your organization doesn't have firewalls, doesn't have people doing things like spyware, outbound web filtering, web proxies, different things like that, you don't have antivirus deployed on all of your desktops, all of those basics reduce the noise. They take away a lot of potential attack vectors. They take away a lot of potential infection vectors. You are still open to zero-day attacks that can invade your antivirus, but what you won't be dealing with on that day-to-day basis are all of the fire drills of responding to virus infections and compromised systems and so on.
Apart from that, the next best thing I have seen an organization do is basically do auditing. If they have a program that audits what their users are doing, that audits how their systems are configured, that audits what processes and software are installed on these systems -- a lot of times those types of programs will turn up systems that are running perhaps at high CPU utilization that aren't really running anything. And then, finally, organizations who do basic what I call blacklist or behavioral-based analysis of what is on their network also find a lot of systems that are infected. There are a lot of free systems out there, such as the SANS Internet Storm Center, there is Shadowserver.org, where your organization can basically join these projects, give their data to them and then when machines that have bad reputations start communicating with your network you can get alerts based on that.
FIELD: Ron, one last question for you: For somebody that might feel that their organization could be exposed to this threat, where do they need to begin to access and remediate the situation?
GULA: If they want to start looking at their networks to see if they have this kind of information, or this kind of potentially unwanted software on their network, they really need to review everything that is on their network. How did the software get there? How did the server get it? Who has been managing the servers? Do they connect to the internet? Have they been managed? Different things like that.
Now if you are in an organization where none of this information is known to you, your best chance of detecting something is to go with a traditional detection measure: antivirus software, network intrusion detection systems, different things like that. Now if you are on a managed network, very interesting things can be done there, such as looking at all of the file systems for all of your servers, doing an audit of what files and what versions are there, doing file integrity checking on certain system files. There are actually tools out there that can do comparisons across all of your servers and see which system files have been or are just different. It doesn't necessarily mean that a hacker has done something, but you can say, 'Hey, this machine over here is configured slightly different than this machine over here, and why is that?' That type of situational awareness can really allow you to find small slight differences between your systems that might indicate that you have got something running on there that is trying to hide and that is potentially doing bad things for your systems.
FIELD: Ron, that is great advice. As always, I appreciate your time and your insights today.
GULA: Thanks very much. Hopefully people will find this useful when they start analyzing their systems.
FIELD: We have been talking about the advanced persistent threat, and we have been talking with Ron Gula, CEO of Tenable Network Security. For Information Security Media Group, I'm Tom Field. Thank you very much.