Operation Aurora – Post Mortem

Sophisticated, multi-vector attacks like Operation Aurora are now more pervasive and more difficult to detect than ever before, thanks in part to the emergence of Web 2.0 and the rapid growth of the internet. Already, in the weeks that have followed Operation Aurora, McAfee Labs has identified a number of derivative attacks based on publicly available Aurora exploit code.

McAfee’s ability to detect and respond to Operation Aurora before any other security vendor illuminates some very significant advantages of our security model, particularly in the area of network security.

To understand the role that network security can and should play in defense of coordinated attacks like Aurora, it makes sense to explore three common shortcomings of today’s security approach:

1) Most solutions don’t protect against threats that haven’t yet been detected.

2) Most solutions lack the levels of analysis automation and global intelligence necessary for timely identification and propagation of threat information.

3) Most solutions act in isolation, lacking the ability to collect and share threat information across security infrastructure. This situation reminds me of the federal government’s review of 9/11. Many of the pieces of information existed, but they just couldn’t put it all together and disseminate it.

‘Pre-detection’ defenses

The notion of disarming a threat before it is detected is challenging to say the least. Yet McAfee has a number of tools that do just that. The following is a short list of McAfee’s notable ‘pre-detection’ defenses:

1) Tightly controlled communications channels. Aurora, for example, used a non-RFC compliant SSL control channel for outbound communication that would have been blocked by McAfee Firewall’s SSL proxy (see McAfee Firewall Enterprise).

2) Heuristics that use a combination of real-time inputs, rules-based logic and intuitive judgments regarding whether a file, communication or site is a potential threat. McAfee TrustedSource, for example, is a behavior and reputation correlation engine that feeds into several McAfee network defense products. In the case of Aurora, McAfee engines leveraging TrustedSource technology would have prevented the attack by preventing the distribution of the malware (see Network Threat Response, McAfee Web Gateway, TrustedSource).

3) Whitelisting techniques that permit only known communications from known applications, allowing security infrastructure to block threats long before they appear on a blacklist, simply because they aren’t on the ‘guest list’ (see McAfee Application Control).

Pre-detection methods aren’t a replacement for signature-based protection against known threats, but organizations should consider heuristic and control-based security tools as being central to their security plan if they wish to disarm Aurora-like attacks at the onset.

Automated intelligence through McAfee GTI

While heuristics and reputation based security measures help fend off attacks prior to detection, the most certain way to block an attack is to know exactly what it is and how it works in order to put concrete prevention measures in place. For some time now McAfee has been the leader in threat detection and identification. It’s no coincidence –automating the collection and analysis of global threats has been the key to McAfee’s rapid and accurate detection of the latest attacks. McAfee Labs Global Threat Intelligence (GTI) is an automated cloud-based system for analyzing threat information collected by Artemis, a collection of hundreds of servers around the globe that continually captures information on potential threats from millions of sensors and end-points. By automating the process of collecting and analyzing threat information, GTI has dramatically sped the process of trending global threats in order to confirm them as legitimate attacks. The comprehensive, automated coverage McAfee has with GTI is proving to be the only way to deliver the speed and accuracy required to combat and shut down attacks like Aurora.

Security infrastructure whose sum is greater than its parts

One of the biggest differentiators in McAfee’s security model is that our solutions span the entire security infrastructure… and work together. You must have security devices working in concert to achieve maximum security effectiveness. Relying on cross-pollination of threat intelligence through GTI across multiple security mediums has allowed McAfee to do what no other vendor can match. The intelligence that allowed McAfee Network Security Platform, for example, to block Operation Aurora attacks from taking advantage of the IE vulnerability was the same intelligence used to update antivirus packages, firewalls, network threat analysis, web defenses, email security and more. Not only did GTI allow McAfee to be a first mover in the response to Operation Aurora, it allowed us to reach all possible threat entry and exit points in the organization.

Operation Aurora was one of the most visible attacks we’ve seen in years. It wasn’t the first of its kind, nor will it be the last. The sophistication levels and frequency of attacks will likely continue to increase. Fortunately, I am confident that McAfee remains in a very unique position to stay ahead of the threat landscape.

Tags: global threat intelligence, GTI, Heuristics, Operation Aurora, Pre-detection, Whitelisting