Government Agencies Get Creative In APT Battle

Published: 22/11/2024   Category: security




Strapped for cash and feeling pinched by the increase in targeted attacks, some federal agencies are coming up with their own solutions for better protecting their information



SANS National Cybersecurity Conference -- BALTIMORE, MD. -- A handful of security professionals at the U.S. Department of Energy's laboratories were getting weary of trying to repel advanced persistent threat (APT)-type attacks and keep up with the latest threats. So they decided to roll their own tool to automate intelligence-sharing among the agency's national labs and scores of smaller labs.
"A couple of us were basically tired of losing [the race to keep up with new threat intelligence], so we decided we were going to do something about it. We were tired of getting together in little rooms to share information," said Matt Myrick, senior cybersecurity engineer at DOE's Lawrence Livermore Laboratory, in a presentation here today. So Myrick and a handful of colleagues from Sandia Labs, Los Alamos Labs, and DOE's Pantex plant wrote a Python-based tool to block malicious websites, file hashes, and spear-phishing attacks. The so-called Master Block List (MBL) runs on an Apache server and can be integrated with any application to share real-time threat data.
Myrick says the tool is simple -- not XML-based, like some open-source tools -- and has helped unite the various labs so they can share attack information quickly. "It's nothing fancy: It's less than 300 lines of code," he says. "Talking about indicators of compromise is hard, and so is parsing PDFs, Office, and XML, for most [people]," he said. The goal was to make it easy for anyone to use.
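The article gives only the shape of the MBL: a flat, non-XML list of indicators contributed by many sites, merged centrally and served over HTTP for any application to consume. The Python below is an added illustration of that design, not the DOE tool's own code. The tab-separated record format, the indicator types (domain, url, md5, sha256, sender), the parent-domain matching rule and the two sample feeds are all assumptions constructed for this example.

```python
import hashlib
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Assumed record format (the article does not describe the real MBL's):
#   <type>TAB<value>TAB<source>TAB<date added>   ('#' lines are comments)
# Kept flat on purpose so a consumer splits a line instead of parsing XML.
HASH_RE = {"md5": re.compile(r"[0-9a-f]{32}"), "sha256": re.compile(r"[0-9a-f]{64}")}
Indicator = namedtuple("Indicator", "kind value sources added")


def normalize(kind, raw):
    """Canonicalize a value so the same indicator from two sites dedups."""
    kind, value = kind.strip().lower(), raw.strip()
    if kind in ("domain", "sender"):
        value = value.lower().rstrip(".")
    elif kind == "url":
        p = urlsplit(value)
        if not (p.scheme and p.netloc):
            raise ValueError(f"not an absolute URL: {raw!r}")
        value = p._replace(netloc=p.netloc.lower()).geturl()   # scheme is already lowercased
    elif kind in HASH_RE:
        value = value.lower()
        if not HASH_RE[kind].fullmatch(value):
            raise ValueError(f"bad {kind} digest: {raw!r}")
    else:
        raise ValueError(f"unknown indicator type {kind!r}")
    return kind, value


def parse_feed(text, default_source):
    """Parse one site's submission into (indicators, rejected (lineno, reason))."""
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            bad.append((lineno, "too few fields"))
            continue
        try:
            kind, value = normalize(parts[0], parts[1])
        except ValueError as err:
            bad.append((lineno, str(err)))
            continue
        source = parts[2] if len(parts) > 2 and parts[2] else default_source
        good.append(Indicator(kind, value, (source,), parts[3] if len(parts) > 3 else ""))
    return good, bad


def merge(*feeds):
    """Union of all feeds keyed by (kind, value); sources combined, earliest date kept."""
    master = {}
    for ind in (i for feed in feeds for i in feed):
        cur = master.get((ind.kind, ind.value))
        if cur is None:
            master[(ind.kind, ind.value)] = ind
            continue
        dates = [d for d in (cur.added, ind.added) if d]
        master[(ind.kind, ind.value)] = cur._replace(
            sources=tuple(dict.fromkeys(cur.sources + ind.sources)),
            added=min(dates) if dates else "")
    return master


def serialize(master):
    """Render the master list in the same flat format, ready for the web server."""
    rows = [f"{k}\t{v}\t{','.join(i.sources)}\t{i.added}" for (k, v), i in sorted(master.items())]
    return "# type\tvalue\tsources\tadded\n" + "\n".join(rows) + "\n"


def check_url(master, url):
    """Indicator that blocks this URL (exact URL, host, or a parent domain), else None."""
    _, canon = normalize("url", url)
    if hit := master.get(("url", canon)):
        return hit
    labels = (urlsplit(canon).hostname or "").split(".")
    for i in range(len(labels) - 1):            # stop before the bare TLD
        if hit := master.get(("domain", ".".join(labels[i:]))):
            return hit


def check_file(master, data):
    """Indicator whose digest matches the file contents, else None."""
    for kind in HASH_RE:
        if hit := master.get((kind, hashlib.new(kind, data).hexdigest())):
            return hit


# Constructed sample feeds standing in for two sites' submissions (not real data).
SAMPLE_MALWARE = b"MZ constructed stand-in for a dropped executable"
FEED_SITE_A = (
    "domain\tEvil.Example.COM\tsiteA\t2012-03-02\n"
    "url\tHTTP://Drop.Example.net/update.exe\tsiteA\t2012-03-02\n"
    f"md5\t{hashlib.md5(SAMPLE_MALWARE).hexdigest().upper()}\tsiteA\t2012-03-03\n")
FEED_SITE_B = (
    "domain\tevil.example.com.\tsiteB\t2012-03-01\n"    # same domain, trailing dot
    "sender\tHR-Benefits@example.org\tsiteB\t2012-03-04\n"
    "sha256\tnot-a-digest\tsiteB\t2012-03-04\n"         # rejected: bad digest
    "just-one-field\n")                                  # rejected: too few fields


def build_master():
    a, bad_a = parse_feed(FEED_SITE_A, "siteA")
    b, bad_b = parse_feed(FEED_SITE_B, "siteB")
    return merge(a, b), bad_a + bad_b
```

Publishing the list is then a matter of writing `serialize(master)` to a file under the web root; each site fetches it on a schedule and calls the `check_*` functions from its proxy, mail gateway or host agent. The normalization step is what makes sharing across sites work: without it, `Evil.Example.COM` from one lab and `evil.example.com.` from another would be two entries, and a consumer comparing raw strings would miss one of them.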
Federal facilities such as Lawrence Livermore are attractive targets for cyberespionage attackers looking for valuable research and other intelligence. But federal budgets are tight, so amid a constant battle to fend off APTs, some agencies are opting to build their own solutions out of existing tools and resources.
Debora Plunkett, information assurance director at the National Security Agency (NSA), in a keynote address here today pointed to the recent breaches of major financial institutions as an example of how even the most security-conscious organizations are getting hit. "We can all agree that all of these targeted companies are among the best at security, yet they were still vulnerable to attack," Plunkett said. Given the value of these organizations, the attacks are "truly highway robbery," she said.
"There is no person or business network that is immune," Plunkett said.
Some 10 DOE organizations in addition to Lawrence Livermore now use the MBL tool, which incorporates threats detected at the various agency sites as well as indicators from outside threat intelligence sources.
"There have been a couple of cases where we've been protected against attack campaigns that others have fallen victim to because they are not using the list," Myrick told Dark Reading. The breach suffered by Oak Ridge National Laboratory last year, which forced the lab to temporarily shut down Internet access, originated from a convincing-looking spear-phishing email that Myrick says Lawrence Livermore had blocked later that same day, after staff at the East Coast-based Tennessee lab had gone home.
U.S. government agencies aren't the only ones with tight budgets. The Australian Defence Signals Directorate (DSD) in 2011 identified some 327 different APT-type attacks, more than 200 of which were not detected by traditional security controls. As part of an effort to roll out the agency's designated top mitigation strategies (better patching among them), Australia's Department of Industry, Innovation, Science, Research and Tertiary Education (DIISRTE) used a combination of existing tools to whitelist applications.
"We didn't have a budget for whitelisting, so we looked for existing features in our security products," said David Cottingham, who helped spearhead the project at DIISRTE. Cottingham and his team turned on the whitelisting feature in the agency's Symantec Endpoint Protection software and now block all new applications that aren't preapproved by the agency.
Cottingham, who is now with Foresight Consulting, says the combination of the agency's now-automated patching process and whitelisting has basically stopped most APT-type attacks from escalating. "We found 200 threats and passed them over to DSD," he said.
Those are only the attacks that the agency sees, however. Cyberespionage attacks are often camouflaged so the attackers can maintain their foothold in the victim's network.
"We know APTs are a danger to all organizations. And they are not actually that advanced at all: It's more like targeted, persistent threats," Cottingham said. "If you're lucky enough to detect them, you'll be continually battling them and cleaning them up."
Cottingham said whitelisting is the most effective tool for beating malware infections, but it's often the least-adopted method. Part of the reason: Whitelisting can be a fairly manual operation, he said. But it's easy to maintain once it's up and running, he said.
His former agency whitelists .exe and .dll files, which are the main conduits for malicious programs, he said. The Australian agency's whitelisting system is mostly automated, with about 5 percent of it manually verified for security reasons.
NASA Ames and the U.S. Department of Health and Human Services, meanwhile, are each employing continuous monitoring to fight advanced attackers. NASA Ames, for instance, soon will offer to the open-source community a tool it built that scans and scores its servers and workstations for vulnerabilities and risks. The application, which is based on Nessus and a scoring algorithm written by the U.S. State Department, includes a gaming theme that makes it more palatable to the systems administrators who voluntarily take part in the program of regular scanning and scoring.
Matt Linton, security operations lead for NASA Ames, says the idea to offer a program for sys admins came out of internal scans and scoring his team had begun. "Eighty percent of our work is incident response. So when we looked at the hosts that were compromised, we'd say, 'Where have I seen that host before?'" Linton told Dark Reading. "[The scan data] seemed to be a pretty good predictor of what hosts were hacked."
It made sense to start sharing that with the system admins, preferably in a way that would help them rather than hound them. So the team came up with a gaming-type theme (think cred like "Mayor of Patchville") to go along with the scoring results, which are presented to all of the participating sys admins. To date, about half of NASA's sys admins are using the system to gauge the security posture of their systems and remediate them as needed.
The weekly automated scans look for known software vulnerabilities, misconfigurations, weak passwords, and systems that leak information via Google searches, for instance.
Linton says upcoming features for the tool include an "assess on demand" button for the sys admins, which gives them a new scan and assessment once they fix the problems the initial scan found, as well as an "assess on connect" feature for new devices joining the network.
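The article does not describe the State Department scoring algorithm or how the NASA Ames tool ranks administrators, so the Python below is an added model of the idea rather than that tool's code: each finding carries a severity weight, costs more the longer it stays open, hosts sum their findings, and admins are ranked by average risk per host they own, with an on-demand rescore for a host whose admin reports fixes. The severity weights, the weekly escalation, the per-admin averaging and the scan results are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Assumed weights: the article does not describe the State Department
# algorithm NASA Ames uses, so these numbers are illustrative choices.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
WEEKLY_ESCALATION = 0.25   # cost grows 25% for each full week a finding stays open


def finding_cost(severity, first_seen, today):
    """Risk contributed by one open finding; the longer it sits, the more it costs."""
    weeks_open = max(0, (today - first_seen).days) // 7
    return SEVERITY_WEIGHT[severity] * (1 + WEEKLY_ESCALATION * weeks_open)


def score_host(findings, today):
    """Host score = sum of its open findings' costs; 0.0 is a clean host."""
    return sum(finding_cost(sev, seen, today) for sev, _category, seen in findings)


def leaderboard(hosts, today):
    """Admins ranked by average risk per host they own, lowest (best) first.

    Averaging rather than summing keeps an admin with forty boxes from
    ranking below one with two, so the board rewards hygiene, not fleet size.
    """
    total, count = defaultdict(float), defaultdict(int)
    for info in hosts.values():
        total[info["admin"]] += score_host(info["findings"], today)
        count[info["admin"]] += 1
    rows = [(admin, round(total[admin] / count[admin], 2)) for admin in total]
    return sorted(rows, key=lambda row: (row[1], row[0]))


def reassess(hosts, hostname, fixed_categories, today):
    """'Assess on demand': rescore one host as if the listed findings were fixed."""
    remaining = [f for f in hosts[hostname]["findings"] if f[1] not in fixed_categories]
    return score_host(remaining, today)


# Constructed scan results (not NASA data). Each finding is
# (severity, category, date the weekly scan first saw it).
TODAY = date(2012, 3, 26)
HOSTS = {
    "web01": {"admin": "alice", "findings": [
        ("critical", "vuln:outdated-apache", date(2012, 3, 5)),
        ("medium", "misconfig:anonymous-ftp", date(2012, 3, 12)),
    ]},
    "db01": {"admin": "alice", "findings": []},
    "ws17": {"admin": "bob", "findings": [
        ("high", "weak-password:local-admin", date(2012, 2, 6)),
        ("low", "info-leak:google-indexed-dir", date(2012, 3, 26)),
    ]},
}

if __name__ == "__main__":
    for admin, risk in leaderboard(HOSTS, TODAY):
        print(f"{admin:8s} {risk:6.2f}")
```

The escalation term is the part worth arguing about in a real deployment: a flat severity sum lets a host with one ancient critical finding look as healthy as one patched last week, whereas age-weighting is what turns a scan score into the kind of predictor of compromise Linton describes.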
