Chain of Attacks: From Nations to Hackers

Monday, September 26, 2011 @ 11:09 AM gHale

Because Adobe’s software runs across the full spectrum of business and consumer systems, the company has a big target on its back from attackers who search out and find bugs in Reader, Flash and Acrobat.

The catch is that it is not just everyday bad guys making Adobe a priority; it is also nation states, the company’s top security official said.

Adobe, like many other large software companies, has contacts in the big defense contractors, government agencies and other organizations that are targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product.

Since the company began its software security program several years ago, the sophistication level of the people finding and exploiting new bugs in Flash or Reader has gone up significantly.

It is now at a point where the company’s main adversaries are state-sponsored actors, said Brad Arkin, senior director of product security and privacy at Adobe.

“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in his keynote speech at the United Security Summit in San Francisco, CA, last week. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”

When a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations, Arkin said. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.

From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit.

It’s the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.

“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it’s a very different cost.”
