Laying traps a better way to nab hackers

Youkyung Lee
Associated Press

Seoul, South Korea — Ever since the Internet blossomed in the 1990s, cybersecurity was built on the idea that computers could be protected by a digital quarantine. Now, as hackers routinely overwhelm such defenses, experts say cybersecurity is beyond due an overhaul.

Their message: Neutralize attackers once they’re inside networks rather than fixating on trying to keep them out.

First they need to convince a conservative business world to gamble on a different approach. And having sold generations of defensive systems that consistently lagged the capabilities of the most advanced hackers, the industry itself must overcome skepticism it’s flogging another illusion of security.

According to U.S. cybersecurity company FireEye, 229 days is the median length of time attackers lurk inside their victim’s computers before being detected or revealing themselves, underscoring the weakness of conventional tools in identifying sophisticated intruders.

The traditional defenses must “have a description of the bad guys before they can help you find them,” said Dave Merkel, chief technology officer at FireEye Inc. “That’s just old and outmoded. And just doesn’t work anymore,” he said.

“There’s no way to guarantee that you never are the victim of cyberattack.”

Merkel said in the worst case he knows of, attackers hid themselves for years.

Experts aren’t recommending organizations stop deploying perimeter defenses such as antivirus software or firewalls that weed out vanilla threats. But they say a strategy that could be likened to laying traps is needed to counter the sophisticated hacks that can cause huge losses.

The weakness of relying on a firewall is that it’s like building a fence around a housing complex but not hiring a guard to patrol the interior streets, said Ed Amoroso, chief security officer at AT&T.

The hackers who targeted Anthem, the second biggest U.S. health insurer, and accessed personal information of 80 million customers, may have been inside its system for more than a month before being detected, according to the company.

Kwon Seok-chul, CEO at South Korean computer security firm Cuvepia Inc., said it has been tough to convince executives that it’s more effective to catch bad guys after they’ve infiltrated a network instead of trying to keep them out, which he believes is impossible anyway.

Kwon said his company’s latest monitoring product keeps a log of all activity, dividing it into authorized users and possible attackers. When certain conditions are met, the program sounds an alarm. A response team, he said, can sit back and watch what hackers copy and respond before damage is done. The security team can cut the hacker’s connection or trick the intruder into stealing empty files.

In one case, the security team at one of Kwon’s clients “enjoyed” watching for about an hour as a hacker scanned its network and installed tools to unlock passwords and counter antivirus programs.

Eventually, the security team severed the hacker’s connection to the victim’s computer based on the unique ID of the program that Cuvepia’s software showed the hacker was using.