Northrop Grumman Fends Off Advanced Attacks

Northrop Grumman says it has been repelling advanced threats seeking sensitive data for several years

Organised hackers have been attempting to breach aerospace and defense company Northrop Grumman for years to steal sensitive information, according to a senior executive at the Gartner security summit.

The advanced persistent threats are designed to infiltrate networks at companies and government agencies to steal intellectual property or other sensitive information. As one of the largest defense contractors in the country, Northrop Grumman is a lucrative target.

Advanced attacks

“These advanced attacks have been going on for several years,” said Timothy McKnight, vice-president and chief information security officer at Northrop Grumman, during a panel discussion on APTs at the Gartner Security and Risk Management Summit in Washington, DC on 21 June.

Northrop Grumman has created profiles of about a dozen distinct groups constantly battering the company, based on the information collected by its monitoring, detection and prevention systems, McKnight said. The cyber-intelligence group keeps tabs on the attackers, including the attack procedures they use and the kind of malware they build.

A typical attack method involves using zero-day vulnerabilities to compromise end-user machines, according to McKnight. About 300 zero-day attack attempts were recorded last year, and the pace has since ramped up enormously, with several exploit attempts arriving throughout each day.

“Every attack, in order to succeed, needs to exploit a vulnerability,” John Pescatore, a Gartner distinguished analyst, said during a separate discussion at the summit.

However, APTs don’t always rely on zero-days; they may exploit an existing vulnerability that an organisation did not think was applicable to it, Pescatore said. APTs compromise an organisation’s security defences by taking advantage of a threat it is not monitoring for, over an extended period of time, while stealing data or causing some other type of damage, he said. For example, an attack that was previously used to steal money may be redirected to target non-financial operations.

Attackers tend to do a lot of research on the targeted company to be able to identify beforehand the kind of intellectual property they are interested in, and the employees that may have access to it, Northrop Grumman’s McKnight said.

Evolution

Security threats tend to evolve about every five years or so as technology changes, Pescatore said. The current crop of attacks is different from previous attacks in that they are usually financially motivated and supported by large organisations. The organisations in question may be organised criminal rings or nation-states, according to Pescatore.

Even though nation-states may be behind APTs, these threats aren’t symptoms of systematic industrial espionage or state-to-state cyber-warfare yet, said Pescatore, and likely won’t be for at least the next four years or so. Nation-states will still opt to bribe or blackmail key government personnel into causing “cyber-damage” to another nation-state, rather than launch long-lived cyber-attacks, Pescatore said.

Organisations should exercise due diligence, including proper vulnerability, patch and configuration management, intrusion prevention systems, and management of access privileges, in order to detect APTs, Pescatore recommended. Completely preventing an APT is at best theoretical, he said.

IT departments should also harden networks and databases, for example by using application whitelists and network access control. Finally, organisations should increase their use of sandboxing, situational awareness and forensics capabilities, Pescatore said.

Northrop Grumman shut down its network in May, shortly after fellow contractor Lockheed Martin detected intrusion attempts on its own network. The Lockheed Martin breach has since been linked to the RSA Security breach in March: attackers used information stolen in the earlier incident to create cloned tokens for use in the later attack.

Even though Northrop Grumman was hit around the same time, no such link has yet been announced.