FireEye throws virtual decoy at advanced persistent threats

In January 2010, in a blog post entitled ‘A new approach to China’, web giant Google revealed that it had suffered “a highly sophisticated and targeted attack on our corporate infrastructure”.

“It soon became clear that what at first appeared to be solely a security incident, albeit a significant one, was something quite different,” it explained. “First, this attack was not just on Google. As part of our investigation we have discovered that at least 20 other large companies… have been targeted.”

“Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.”

This attack was later dubbed Operation Aurora by the information security industry. According to Ashar Aziz, CEO and founder of malware protection supplier FireEye, it exemplified a new breed of information security threat that has since been implicated in cyber attacks on the French finance ministry, on both NASDAQ and the London Stock Exchange, and many more high-profile organisations.

This new breed of attack is sometimes described with the term “advanced persistent threat”. Aziz reports that this phrase is often used as a euphemism for attacks that appear to originate from Chinese foreign intelligence forces. (He also claims that in Google’s blog post, ‘Chinese human rights activists’ is a euphemism for the Dalai Lama.)

But that does not mean that only state actors use this kind of approach. “The same attack pattern is being used by Ukrainian cyber gangs to extract financial data,” he says.

What unites these attacks, he says, is that they exploit vulnerabilities that were previously unknown even to the security industry’s cutting edge. “These are unknown attacks, and there is no well-defined signature for them.”

This is why they have proven so effective, he adds. “If you look at enterprise security infrastructure, whether it is antivirus software or defences at the network perimeter, it is all fundamentally signature based. It is looking for known patterns in the wire.”

In the case of Operation Aurora, the back door was opened by a vulnerability in the Internet Explorer web browser of which even Microsoft itself was unaware. When an attack is undocumented, Aziz says, most organisations are entirely defenceless against it.

Aziz claims that FireEye has the solution. Its appliance-based technology analyses Internet traffic as it enters the corporate IT environment for signs of anything remotely suspicious. This suspicious traffic is duplicated and directed to numerous virtual server instances. The instances are running whatever software the customer uses, and the appliance analyses them to see if the suspicious network traffic has any effect.

The appliance, which sits in the customer’s data centre, is looking for a sign that a connection is being made to an external server, Aziz explains. This is how modern web-borne malware works – once an agent has made its way through the firewall, it connects to a remote server and downloads further material to complete the attack, usually without detection.
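As an added illustration (not FireEye's code or code from the article), here is the differential check the two paragraphs above describe, in Python: network events recorded while the suspicious traffic is replayed inside an analysis VM are compared with a clean baseline run of the same VM, and any outbound connection to a server outside the lab's own address ranges that appears only in the replay run is flagged. The event format, addresses, process names and the lab network list are all constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample events: one clean baseline run of the analysis VM and one
# run in which the suspicious traffic was replayed. The format is hypothetical.
BASELINE_RUN = [
    {"proto": "tcp", "dst": "10.0.5.20", "port": 445, "process": "explorer.exe"},
    {"proto": "udp", "dst": "10.0.5.1", "port": 53, "process": "svchost.exe"},
    {"proto": "tcp", "dst": "203.0.113.77", "port": 443, "process": "iexplore.exe"},
]
REPLAY_RUN = BASELINE_RUN + [
    {"proto": "tcp", "dst": "203.0.113.77", "port": 443, "process": "iexplore.exe"},
    {"proto": "tcp", "dst": "198.51.100.9", "port": 8080, "process": "svchost.exe"},
    {"proto": "tcp", "dst": "fe80::1", "port": 80, "process": "svchost.exe"},
]

# Address ranges that belong to the customer's own environment (constructed).
# Anything outside them is treated as an "external server" in the article's sense.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10",
)]

Callback = Tuple[str, str, int]  # (process, destination address, destination port)


def is_external(addr: str) -> bool:
    """True when the destination lies outside every lab-internal range."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False across IPv4/IPv6 versions, so mixed lists are safe.
    return not any(ip in net for net in LAB_NETWORKS)


def external_destinations(events: Iterable[Dict]) -> Set[Callback]:
    """Collapse raw events into the set of distinct external (process, dst, port)."""
    return {(e["process"], e["dst"], e["port"]) for e in events if is_external(e["dst"])}


def new_external_callbacks(baseline: List[Dict], replay: List[Dict]) -> List[Callback]:
    """External connections seen only after the suspicious traffic was replayed."""
    return sorted(external_destinations(replay) - external_destinations(baseline))


def verdict(baseline: List[Dict], replay: List[Dict]) -> str:
    """Mark the sample suspicious if replaying it caused a new outbound callback."""
    return "suspicious" if new_external_callbacks(baseline, replay) else "benign"


if __name__ == "__main__":
    for cb in new_external_callbacks(BASELINE_RUN, REPLAY_RUN):
        print("new external callback:", cb)
    print("verdict:", verdict(BASELINE_RUN, REPLAY_RUN))
```

The browser's own connection to 203.0.113.77 is present in both runs and is therefore not flagged; the fresh connection from svchost.exe to 198.51.100.9 is.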

Operation Aurora was the ultimate test of FireEye’s technology. One of its customers was targeted in the attack, and the appliance successfully detected and neutralised the threat, Aziz claims. Nearly all of the organisations that were targeted have since become customers, he says.

He adds, though, that the belief that an organisation will only suffer this kind of attack if it has been explicitly targeted is a misconception. In fact, this attack pattern is often used more opportunistically, with the malware launching a full attack once it successfully penetrates any organisation.

FireEye’s technology offers a glimpse of how virtualisation is poised to reshape security infrastructure, as it has already done for so many segments of the IT architecture.

Aziz, whose previous company was a virtualisation management start-up that he sold to Sun Microsystems, says that the likes of VMware have a point when they argue that the virtual layer is a good place to monitor the infrastructure for signs of security breaches.

However, he also warns that no software system is invulnerable. “Look at Java, which used to be seen as this secure runtime environment that was virus proof,” he says. “But this recent spate of attacks actually targets the Java runtime environment.”

Ben Rossi
