Cyber War!

interview: amit yoran

He is vice president of Managed Security Services Operations for Symantec and was director of the Vulnerability Assessment and Assistance Program (VAAP) for the U.S. Department of Defense Computer Emergency Response Team (DoD/CERT). He discusses how his Security Operations Center observed in real time the Slammer worm and its propagation around the world and he outlines its significance. He also talks about the overall level of sophisticated attacks they're observing, what the monitoring reveals about the threat level, and how the U.S. can create better security for its infrastructure. He says the country needs to create a culture where security is a requirement to do business. "If we create the culture and the environment where security weaknesses will not be tolerated, and it's top-down driven, and it's supported, it will be supported from the bottom up." This interview was conducted on March 19, 2003.

The Slammer attack. Why was that attack significant?

There really weren't a whole lot of aspects to Slammer which were unique or overly impressive. It was not very creative as an attack. There were a number of characteristics to it which helped it propagate itself much more rapidly than we had seen in previous worms or previous blended threats, to the extent that there was almost a mistake in how rapidly it was propagating itself. It actually caused systems to get overloaded and to get run down. Then it was much easier to detect, and to find than other perhaps more stealthy worms would have been.

But why was that scary to a lot of people -- the fact that it moved as quickly as it did, propagated as quickly as it did?

Because the time from the release of a worm to the time you can expect to be hit by that worm has decreased dramatically. So whereas before you might expect months before you might be hit by a virus, or weeks, or even days, certainly hours in the case of automated worms, in Slammer's case it was something that happened very rapidly, literally within a matter of minutes. Most people had already been poked or prodded by this thing.

What were your impressions of the event?

We've seen a number of stories of things like ATMs going down, inaccessibility of systems. But the repercussions in terms of damage were really minimal. The worm itself didn't have any payload, so it didn't destroy data once it compromised a system.

What did you see here that night when it took place? Take me back to that and describe what was seen.

Sure. In the Managed Security Services Practice in the Security Operation Center here at Symantec, we monitor thousands of points in many different countries around the world, some 40-odd countries. We detected a very rapid rise in the probing, the UDP probes for this particular port, so we knew right away something out in the wild had broken loose and was attempting to attack and infect our customers. We saw a large number of unique attackers. Therefore, we thought it was an automated technique, as opposed to a particular hacker launching multiple attacks.

So what does that mean? Eventually it was an assumption that it comes from one hacker who just propagated it to many, many computer systems. Is that what we assumed?

Ultimately, the code was written by one person. But once it had been released, it spread itself using automated techniques to other computers, and then used those computers as launching platforms going after yet another set of computers. So, yes, it was initiated by a single person. But ultimately it was computer systems propagating this. It was not human interaction.

Do we know where it came from at this point? Has the post-mortem been done?

I'm unaware that we've traced and tracked it down, or that anybody has been identified as the source.

In a situation like this, with an attack like that, is it normal to be able to figure out eventually where it came from? Or how difficult would that be?

It's a fairly complex process. It takes a lot of time. We have seen the FBI and other organizations successful in cases like Love Letter and Melissa and things of that nature, tracking it down to a specific individual. Then, if they have the jurisdiction, they hold them accountable.

How much damage did it do? Bottom line on what we know at this point -- what was the damage?

There was some significant damage, again, mostly in terms of system downtime when you're talking about a transaction processing system, or ATM, or online e-commerce system. Downtime costs money. I'm unaware of what the tangible impact is in terms of financial loss.

Some people say it was a warning. What do they mean by that?

Many people look at Slammer, and some of the things that we saw before and after Slammer as really indicators of things which we can expect in the future. Certainly, some of the malicious aspects which could have been part of Slammer were not there -- things like a very destructive payload. So once Slammer had broken into your system, it could have destroyed the data, but it didn't. It could have modified certain records in your databases, but it didn't. It just simply used that system to attack other systems.

So going forward, we can reasonably expect that people will release code which has the same type of effective propagation and is potentially much more damaging.

Tell me about your control room downstairs. It's a very high tech, very impressive room. What do you guys do there? What's your role, and what's being done in that room?

Symantec's Security Operations Centers -- around the world, we monitor hundreds of companies, and thousands of monitoring points in different countries, in different industries, different types of security products and technologies. We collect all of this information, and we data mine through it, trying to help our clients identify and pinpoint the attacks that are occurring against them, and how best to respond to those attacks. What that provides us is a global view of what's happening across the security landscape, that, I don't think, any other organization can match in terms of breadth of view or depth.

The role you play for government officials, government clients as well as the private sector -- what's your slice?

At Symantec, we provide security products which many government agencies are using. But in the managed security services side, we do perform security monitoring for a number of government agencies. Then we also provide data. We provide information. So the government may ask us, "Are you seeing a rise in this particular type of attack?" Again, because we've got such a broad monitoring base -- and while protecting the confidentiality of our clients -- we're able to tell them, "The following types of attacks are on the rise." Or, "Attacks originating from a particular source are on the rise."

Is there a sort of overall view of the Internet? You have a good view of it. But when the government is looking for an overview of it, or when there's an attack and one really wants to get a good perspective on what might be going on, is there an existence, at this point, of an overall sort of portal into the Internet to see the true health of the system?

There's not, unfortunately. Now, there's a number of areas like Symantec, like the forum of incident response support teams, like Carnegie Mellon's Computer Emergency Response Team Coordination Center. There's a couple of key points and key organizations, which seem to act as focal points during times of crisis. But there's really not a single portal, or a single view of the entire infrastructure to determine how secure or insecure its security posture is.

Is that something that might be necessary in the future?

It would be interesting. It's an interesting concept. It will be an immense undertaking because of the complexity of the network, because it crosses both public and private sector infrastructures. It crosses transnational boundaries and so many different jurisdictions. So while the concept is interesting from a technical perspective, it would be an incredible effort to undertake.

How sophisticated is the intrusion detection system that you guys have?

Historically, intrusion detection systems have been signature-based. So when we see an attack, we take a snapshot of the attack, what the crime looks like, and we develop a signature for intrusion detection systems that say, "In the future, if you see this type of activity, send out an alert, because it may be an attack."

Symantec has been doing a lot of research, and actually provides the world's leading anomaly-based intrusion detection system. Rather than defining what attacks look like, we define how protocols work. Anything that violates that protocol -- any anomaly, if you will -- could be considered malicious. It's a very interesting change, a paradigm shift. What happens is, attacks which we don't know about, we can actually detect.

You put out a report every year, Data Net Security Report. How useful is this report when it comes to analyzing the threat out there?

Symantec's Internet Security Threat Report is one useful tool. Certainly the FBI and CSI put out an important survey every year among chief security officers. "What are you detecting? What do you think is happening on your network?" There's a number of other data points.

But in terms of looking at empirical data and performing analysis on empirical data to find out what's actually happening, I believe we have the broadest coverage, the most consistent analysis and interpretation and detection capabilities, so that we can provide an unbiased view across the landscape. I believe it's the best data source for this type of analysis. But above and beyond the data sources, there are surveys and other pieces of information which should be taken into account.

How has the threat evolved, increased over the years? Give me sort of the guts of the report.

Over the years, it is interesting. Over the years, we have seen some pretty dramatic rises in the level of attacks and the severity of different types of attacks. But over, really, the past six-month period, we've seen it start to level off. In fact, just this past six months we saw a decrease of about 6 percent. So it's not all bad news. There is some light at the end of the tunnel.

At the same time, we saw other factors which weren't as positive. We saw a dramatic rise in the number of new severities, the new vulnerabilities being discovered. So it's really a combination. It's not easy to say at this point whether things are getting better, or things are getting worse. I think things are just changing.

Where are we, when it comes to the level of sophisticated attacks?

The number of sophisticated attacks remains high. A vast majority of what we see is stupid in nature -- it's just automated scans looking for vulnerable systems. About 15 percent of the malicious activity is much more targeted at particular systems. That sophisticated targeting and attack technique has remained fairly high.

On average, you have multiple clients that you watch. In a week, how often are their systems sort of probed or attacked?

Almost each of our clients is probed or attacked, or looked at, almost on a daily basis. So in any given week it may be 30-some-odd probes into our customers looking for vulnerabilities. If you are relying on the Internet for your business transactions, or if you're relying on it to interact with your clients or suppliers, or for the delivery of services, you need to protect your systems. You need to take the threat very, very seriously.

What does that mean that they're being attacked, that they're being probed that often?

There's a large number of automated techniques to look for vulnerable systems. People run these sweeps, and then come back a few days later to look at what the results were. Who is not protecting their system adequately? Usually those systems are the first ones to be attacked, and to be compromised.

Then as far as significant attacks, sophisticated attacks -- how often are you seeing your clients hit by that level of attack?

The incidence of sophisticated or severe attacks is far lower. If you include all of the worms, or if you include all of the automated sweeps, the actual percentage of sophisticated attacks is extremely low; somewhere really hovering around the 1 percent range.

Let's go [on a] real basis. How does a worm affect a system?

Many people are familiar with viruses. You run a virus, it infects your computer, and then it goes off and tries to infect another program. Unlike viruses, worms actually propagate themselves through computer systems or networks. So once they're released, they compromise a system, they infect it, and then they move on to the next target, or they may move on to five targets simultaneously. So they're much more efficient methods of propagating malicious code.

What's a blended threat?

A blended threat is an attack technique which has characteristics or multiple ways of entering a network or a system. It may have worm-like characteristics, it may have virus-like characteristics. It may have other network-based attack characteristics. So it is looking for the easiest point of entry to your system to deploy its payload.

So it's a more sophisticated--

It's a more sophisticated attack, and it's one that's more difficult to defend against.

Everybody talks about the sophisticated attacks that are taking place, the sophisticated attacks that seem to focus on electrical power companies, water utilities. What's going on?

Certainly those are the attacks that people are focused on, because they're the ones that concern all of us. The defense of those critical infrastructures needs to be prioritized. Their electronic defense is one component of their defense. We actually see that certain infrastructures, like the utilities, like the financial services sector, do receive more attacks than, say, the healthcare industry, or the non-profits of the world. I don't know if it's a statistical anomaly, or if it's one where there are actually more attacks targeting those organizations.

Do we know who's probing the systems, or do we know the reason why they're probing the system?

It's extremely difficult to provide insight into the causality of these attacks. We look at one hop back -- where did the attack come from? But even that might be a hopping point along a series of computer systems used to get to the target. Certainly who's launching the attacks and why are more difficult questions to answer.

People have talked about this in terms of we're being targeted, that this country is being targeted for some reason; we don't quite know why. Why is it that we're not tracing it back to try to figure out who these opponents or criminals or terrorists or other countries are? Why can't we figure out indeed who is involved with it?

The technology and the expertise required to trace these things back exists, but it's an extremely intensive process. There's a limited number of these resources. So while certain key incidents and events are traced back, a vast majority of them are detected, shut off, and said, "OK, we've broken off access for this attack. We need to get on with business." It wouldn't make sense to invest these critical resources to tracking back every attack.

Some of the people have talked about this probing as being a precursor to serious attacks, looking at it as the first step towards a real attack coming. How do you view what we're seeing?

Reconnaissance activity, which is how I would characterize a vast majority of the attacks that we see, is the first step before launching a more sophisticated attack. Now, what number of these reconnaissance activities are going to be followed up by actual attacks? We don't have a whole lot of hard data about that. In our experience, if vulnerabilities are not discovered on the initial pass, these attackers tend to move on to the next series of targets. So providing insight into how likely this reconnaissance activity is going to be followed up by some very significant attack is very difficult to determine with any degree of accuracy.

The bottom line, is we don't know?

We just don't know.

But it's worrisome.

It's cause for reflection. Is it worrisome? I think we could do a better job of protecting a lot of our systems, and spend our efforts and our worry on better protecting our systems from any potential malicious activity.

Symantec reports that you detected no verifiable cases of cyber terrorism during the past six months. How do we know that?

We certainly can't say with any certainty that cyber terrorism doesn't exist, and we can't say that it didn't occur. Those very well may be the case. But what we can say with certainty is that none of the attacks which we saw, and none of the systems which we monitor, appear to have been cyber terrorist related. There just didn't appear to be the right combination of compromise and source to indicate a cyber terrorist activity. So does it exist? It may. We simply weren't able to determine conclusively that we saw it.

So this is separating out the probes or whoever is doing that -- this is specifically an attack that would have been considered a terrorist attack?

Exactly. This separates out the probes. This also looks at the potential sources for attacks, potential targets for attacks, types of attacks being used. Again, in our data set, we didn't find any verifiable cases of cyber terrorism.

Has the overall view out there changed when it comes to the idea of the cyber world being used as an attack method?

It's almost like the adoption of air power. There are some very forward-thinking people that understand the capabilities and what might be able to occur down the road, but they're very few and far between. Different countries and different infrastructures have increasing or decreasing levels of vulnerability, depending on what their infrastructure looks like.

So there's little doubt in my mind that, years from now, this will be a primary method of attack, a primary theater of operations, if you will. But I don't think we're there yet.

The 1 percent or whatever that people really worry about is the real sophisticated folk. Is that sophisticated group out there something that also would come out of your radar screen, where you wouldn't see it?

No security solution is absolute. So is it possible that someone could fly below our radar screens? In theory, it's possible. I have a high degree of confidence that we have a very strong security monitoring solution. So while it's theoretically possible, I feel great confidence that it's impractical.

Going back to the Slammer event. One of the things that was happening the night we were here, when Slammer was released, is so many people said that there had, in fact, been a significant increase in activity, but it wasn't related to Slammer. It was actually that since Slammer was sort of getting all the focus, people were trying to slip it under the radar screen.

When you see a worm, or see a tremendous volume of attack, you of course have to divert your time and attention to that attack, to those vulnerabilities to protect yourself. And if you aren't paying attention, it's quite possible that all that noise being made is actually just a diversion. So while we certainly focus our resources around these key vulnerability points, and around areas where there's a lot of activity, we also tune up our sensitivity to what else might be going on.

So what happened on the night that Slammer hit, in regards to this?

There's a little bit of lawlessness. The police were on the other side of town responding to a situation, and there's an opportunity to create mischief elsewhere. So I think people were just trying to take advantage of that window of opportunity.

How much real damage could be done to infrastructures through these systems? How worried are clients out there that not only somebody is going to paint a mustache on the president's face on their Internet site, but that real damage, physical damage, could be the goal of some of the people coming through the--

It's difficult to provide a whole lot of conjecture about what people's motives are, how difficult it could be. But certainly any system which is electronic in nature, which is connected to the Internet or connected to systems connected to the Internet, or phone networks, for that matter, might be susceptible to attack.

Now, it might be compromised. They could do all sorts of things once they have access to the system. But people take it seriously; certainly in the financial services community. There's focus on it in the power and utility industry, and other critical infrastructures. There's a lot of discussion, and in some cases, a lot of resources being spent to protect our infrastructures.

Where are we, though? How far has the pendulum swung? Do people get it out there? Do people in the private sector who really control 90 percent of the critical infrastructure of this country -- you are dealing with companies all the time -- does it seem to you in recent times, post-9/11, people are getting it and understand their position?

I think the concept of security and the concepts of critical infrastructures have raised their visibility to the point where our chief executives and boards now want to understand what their risk is, what their exposure is. They want to appropriately protect their assets; they're part of the infrastructure. So there's greater awareness, and I think people are being more proactive in protecting themselves.

They're not, though?

It's a risk mitigation business decision. You know, what are the assets? What does the threat environment look like? How many resources should we dedicate to the protection of those assets?

Why are the vulnerabilities 81 percent higher than the year before? What does that mean, the fact that we found that many more vulnerabilities?

We found a lot more vulnerabilities in software, because software's increasingly complex. A lot of code is being developed that doesn't have a security assurance process as part of its development. There's an increased focus on finding vulnerabilities by security companies, by clients, and by hackers, and there's an increased reporting of vulnerabilities once they're discovered. So the word is getting out there.

Explain to me some terms. A lot of people talk about the immense amount of vulnerabilities, and the millions and millions of lines of code within systems. What is a vulnerability, and why is it something we need to talk about?

Vulnerabilities are either flaws in computer software, like a bug, or flaws in the design. It was written properly, but it was designed poorly, so that someone can use the software or the computer in a way that it was not intended for use. They may be able to take control of the computer. They may be able to get access to resources they were not supposed to have access to. All sorts of unintended consequences can occur.

Why does this happen? There's such a thing, I guess, as code review?

The code review process and the entire software development process does not have an appropriate level of emphasis on security. The consumers and clients of most software companies are so demanding of new features and capabilities that those features take priority over better software development practices and techniques. Our demand for new features essentially fuels the fire of increased vulnerabilities in software.

How does this put us at risk?

If you're operating software that has vulnerabilities in it, there's a likelihood that someone else can take advantage of those vulnerabilities to gain access to the system to do any sort of activity they want.

The trick is, I guess, to hit as many systems as you can when these hackers are out there trying to do this. How do software vulnerabilities play into this?

Certainly, hackers or people on the attack want to touch a large number of systems, if all they're doing is looking for a vulnerability. On the other hand, if they're more targeted against a particular client, or against a particular company, then they'll want to use whichever vulnerabilities exist on that particular system to go after the company, even if it isn't a particularly easy one to discover.

The greater number of vulnerabilities which people know about, which hackers know about, the greater the likelihood they'll find a flaw, or a vulnerability on your particular computer, or computer network. So it's almost like finding new doors or new windows on a house long after you thought you had already protected it.

New doors or windows that the owner doesn't know about?

That the owner doesn't know about, and that the owner hasn't protected against.

How do you safeguard malicious code from being inserted in software?

There's a number of techniques to make sure malicious code doesn't get inserted into your software. There's code-tampering tools. There's code protection tools. Our belief in Symantec is that you really have to have a layered approach. You can't rely on any one particular solution to protect you. It has to be a combination of network-based tools, of specific computer system-based tools, and also application-level tools, which work hand-in-hand to provide a multi-layered approach to security.

It sounds like a very complicated way to protect a system. Why is it so complex?

The defense of computer systems is complex, because we are constantly discovering new vulnerabilities in software that we thought was secure. So it's a constant game of cat and mouse, where hackers are finding new vulnerabilities, and then security professionals are trying to make sure that either patches are available, or that the systems are protected using some other technique. That's why these layered types of approaches seem to offer enough protection: If there is a flaw discovered, there's enough other layers to protect you.

Could the software developers do a better job? Or is this just part of how this has to take place because of the complexity?

Clearly, software developers need to emphasize, or need to place greater emphasis on the security of the code they develop. But the market has to force them in that direction. Instead of constantly pulling them down the new features road -- as we've been accustomed to, as consumers, as we continue to demand new features, new capabilities -- by voting with our dollars, we don't emphasize security.

The last aspect of that is you've heard a lot of open source applications were trojanized with back doors last year for future attacks. Why did this happen?

There's a number of instances where sites which offer software for download were compromised. Hackers were able to remove the software which the developers provided, and were able to put trojanized software with back doors. They did other sorts of malicious things, and users would download that instead of the actual source code, the intended source code.

We're talking to a lot of people about SCADA systems. You protect a lot of companies, but there's an aspect of some companies, an infrastructure, which is their SCADA systems. Are you involved in the overseeing and the protection of systems like that?

We are involved in both the assessment of the security of SCADA systems, as well as trying to help improve their security, and monitor their security.

Tell me the special vulnerabilities that come into play when one is dealing with SCADA systems, or control systems.

SCADA systems have migrated over time. There was a point where most of these networks were considered to be stand-alone, where the protocols and the applications that they used were considered to be proprietary. What's happened over the last 20 years is a migration of stand-alone proprietary systems to interconnected systems which now cannot rely on their stand-alone nature to protect them. Even if they're running proprietary applications, they have vulnerabilities in them. If they're not running proprietary applications, in many cases, they have well-known and well-publicized vulnerabilities in them.

So it is an area where, again, we have to invest the appropriate level of resources to protect these assets.

Why is it a special problem? I mean, why more so than other operations, offices and such?

SCADA systems are a cause for a concern, because of the sensitivity of their operation. They control power, creation, distribution, any number of different infrastructures. So, again, an appropriate level of protection needs to be provided to these networks.

Is there enough protection being provided at this point? Or can it, technically, because of the systems themselves, really be protected to the level that one believes it should be?

I believe good risk mitigation decisions can be made for SCADA systems. I think an appropriate level of protection can be applied.

People out there are saying, "These systems are so vulnerable that they could be taken down. I think someone could take down a grid in America." From your point of view here, does something like that seem in the realm of belief?

I don't know that a catastrophic system-wide type of event can occur. Certainly, there are areas of vulnerability in the infrastructure. So can the entire system be brought down or destroyed? I wouldn't have insight into that. But I believe there are key vulnerability points, but it may be more limited than some people would imply.

Lastly, where do we go from here, in terms of security? Where do you see the next few years going in this direction?

I think we have to simplify security. We know that software is going to have flaws. It's not a problem that we're going to be able to solve in the next year, or probably even in the next 10 years. So how do we live, and how do we design solutions which work successfully in an environment that has a large number of potentially unknown vulnerabilities?

It's through a number of things, like anomaly-based intrusion detection systems, we can find attacks that we don't even know exist, things like integrated security. Simplifying how easy it is to manage and monitor your security infrastructure today requires far too much expertise. It needs to be simplified, and it needs to be something that organizations can do more effectively.

To make more secure infrastructures, if there's one thing that you would stand up and shout about, what would it be?

I think that the emphasis for better security really comes from creating a culture. It's not a technical solution. I believe creating a culture where security is a requirement to do business would probably do more for us than any one piece of technology innovation. If we create the culture and the environment where security weaknesses will not be tolerated, and it's top-down driven, and it's supported, it will be supported from the bottom up. And we will be more successful.

Why is that called for in this post-9/11 world?

I think we've seen -- not through cyber attack -- but we've seen how devastating an attack can be on our infrastructure. We've seen what the ramifications of these types of attacks are, and we're being proactive in applying some of the lessons learned to the cyber realm.

Are we living in a dangerous world?

The Internet is an extremely hostile environment.

What does that mean? What should we do about it?

That means we should apply the appropriate level of protections for our computer systems -- the same way we do on our streets, and around our buildings, or we do at home.


published apr. 24, 2003

web site copyright WGBH educational foundation