Tuesday, September 20, 2011

7 Lessons: Surviving A Zero-Day Attack

Via Information Week -

When Pacific Northwest National Laboratory detected a cyber attack--actually two of them--against its tech infrastructure in July, the lab acted quickly to root out the exploits and secure its network. PNNL then did something few other cyber attack victims have been willing to do. It decided to talk openly about what happened.

The lab's CIO, Jerry Johnson, last week provided a detailed accounting of the cyber attacks. Speaking at the IW500 Conference in Dana Point, Calif., Johnson described how intruders took advantage of a vulnerability in one of the lab's public-facing web servers to plant a "drive-by" exploit on the PCs of site visitors, lab employees among them. For weeks, the hackers then surreptitiously scouted PNNL's network from the compromised workstations.

Simultaneously, a spear-phishing attack hit one of the lab's major business partners, with which it shared network resources. This second group of hackers was able to obtain a privileged account and compromise a root domain controller that was shared by the lab and its partner. When the intruders tried to recreate and elevate account privileges, this action triggered an alarm, alerting the lab's cybersecurity team.

Within hours, the lab made the decision to disconnect its network in order to sever the hackers' communications paths and contain any further damage.

[...]

Johnson agreed to talk about it as a way of helping other organizations bolster their defenses. For that, he deserves a tremendous amount of credit. Secrecy is the norm in the wake of a cyber attack, but openness will lead to better preparedness.

----------------------------------------------------------

In case you need some background on the attack...
http://djtechnocrat.blogspot.com/search?q=PNNL

As Johnson outlines, the attackers didn't put all their eggs in one basket.

The attacker planted zero-day exploits on their public web servers (in hopes of catching some visiting employees) while simultaneously conducting spear-phishing attacks against business partners with network access to PNNL.

No comments:

Post a Comment