24 January 2015

"Active Defense - in Cyberspace, too"


Exclusive: Amir Rapaport visited the cyber warfare operations center of the Lockheed Martin Corporation in Maryland and spoke with the chief cyber analyst of the giant corporation about cyber defense in the new era
The first thing that catches the eye, once the appropriate passwords have been entered and the large metal doors at the entrance to Lockheed Martin’s cyber warfare operations center have opened, is the massive array of display screens mounted on the walls. 

The screens display an endless sequence of green code lines, in a never-ending cybernetic motion. 
Only after a few long seconds of initial wonder does one begin to notice the other details: the operations center is arranged as a single, endless open space. Dozens of cyber warfare specialists, both “good guys” and “bad guys”, fill the space, along with figures that represent the “bad guys” in the cybernetic war: large, fully dressed dummies, just like comic book characters. The screens constantly display examples of deceptions and information about particularly threatening malware. 

The operations center, located at Lockheed Martin’s IT HQ in Gaithersburg, Maryland, is very close to the capital, Washington DC. From here, Lockheed Martin defends itself, first and foremost. A similar operations center operates in Denver, Colorado. 

According to various reports, Lockheed Martin is one of the prime targets for cyber warfare attacks from all around the world. In the last decade, Chinese hackers stole blueprints associated with the development of the F-35 future fighter from the Company. Today, Lockheed Martin is a major supplier of integrated cyber warfare solutions. 

The rare visit to Lockheed Martin’s cyber operations center was held in late 2014 with Eric Hutchins, the analyst who heads the cyber defense effort of the giant corporation, considered the largest IT company in the US defense and government sector and one of the largest global corporations with operations in Israel. 

According to Eric Hutchins, the cybernetic world has changed dramatically in recent years. Cyber defense is no longer what it used to be. It has become much more active, in view of the threats that continue to develop. 

“What we have found is that traditional cyber defense is no longer suitable for organizations in the present era,” says Eric Hutchins. “If you persist with it, the bad guys will win and that’s frustrating. For years, security has focused on a list of missions, a check list, and if you change the approach, defense will become much more effective and economical. In order to do it, you must, first and foremost, understand the nature of the threat. This understanding is based on intelligence, and on the knowledge that in cyberspace you can be anywhere.” 

How do you define cyber? 

“For us, cyber is Information Technology, IT, a world of Big Data with not less than 2 million incidents every day.” 

Short Cycles 

Lockheed Martin’s concept is based on short cycles between the identification of the threat and the response, with mixed teams of analysts dealing with the various disciplines of the cyber world, and on the breaking down of the “Cyber Kill Chain” into seven elements, from the stage of collecting the E-Mail addresses and data of the attacking party, to the actual attack. 

Intervention and countermeasures may be initiated during any stage of the chain. The defense effort does not consist of stationary defenses deployed at the gateways to the organization’s computers. 

Does the active defense approach include counterattacks against the party attacking the organization? 

“No. Active defense, as far as we are concerned, is identifying the attacker in the most thorough manner possible, but we do not strike back. If necessary, we will submit the relevant information we collected to the enforcement authorities. Generally, we are less interested in the people standing behind the attacks against the organization, namely – what they look like and what their names are. We focus on the question of how they operate and where from.” 

According to Lockheed Martin’s chief cyber analyst, “The most important and least known stage in the Cyber Attack Kill Chain is understanding how the attacker builds the malware he uses. It is very simple to develop a malware and it normally operates automatically. I always try to not only understand where the malware had been launched from, but also how it had been assembled. 

“So, every time you identify an incident, you have to understand it from the very beginning. If we blocked a certain attack, it does not mean that we will be able to block it the next time, but every such blocking is an opportunity to learn many things about the attacker, so as to better prepare for the next attack. Intelligence and understanding of the manner in which the malware had been built are very important at this stage.” 

Is this approach equally suitable for both large and small organizations? 

“Yes. That’s how Facebook and other organizations of all sizes and types are currently defended. Cyber defense has changed fundamentally.”  

Eric Hutchins is a Lockheed Martin Fellow and the Chief Intelligence Analyst for the LM Computer Incident Response Team (LM-CIRT)
