White Paper

How High-Tech Companies Can Fight Cyber Attacks

Bromium Offers a New Model of Security to Prevent Breaches

Executive Summary

Headline-generating breaches at companies within the high-technology sector have made it clear that even the most tech-savvy industry is at risk from cyber attacks. Intellectual property is an attractive target in an industry renowned for its innovation, as is the data of the billions of customers served by Facebook, Google, eBay and other tech firms. The industry is under attack from many fronts; in addition to cybercriminals and pranksters, nation-states are also perpetrating attacks, often using high-tech firms to gain access to government agencies, defense contractors and other national security-related organizations.

These attackers are well organized, well trained and highly motivated, employing focused and constantly evolving attacks. Cybercriminals and nation-states target endpoint devices using a variety of customized techniques; for example, the vast majority of samples are unique to a single organization and what the malware does is also distinct. Today’s cyber attacks are also updated regularly, giving them a high success rate but low detection rate. For example, the malware associated with Operation Aurora was uniquely compiled or created for each of the 30+ companies known to be compromised by that attack.

Unfortunately, the high-tech industry attracts more directed and tenacious criminal attention than many other industries. Phishing attacks against tech companies are highly customized, often targeting large numbers of employees in order to gain control of the internal network; for example, eBay acknowledged that more than 100 of its employees were involved in a data breach that compromised employee log-in credentials.

IT staff is having a hard time keeping up with the proliferation of endpoints, rapidly evolving threats and an endless workload of system remediation and patching. The only surefire way to protect users and safeguard intellectual property and customer data, both on and off the network, is to defend the endpoint itself. However, old-school detection and blocking defenses are incapable of defeating these targeted attacks.

Bromium’s revolutionary approach using advanced isolation technology has been embraced by leading high-technology companies worldwide for its ability to prevent breaches, protect data and intellectual property, and streamline security. Bromium defends the endpoint by isolating all content for each task—including threats—through breakthrough micro-virtualization technology, in which micro-virtual machines are created and destroyed automatically in milliseconds, discarding malware and ensuring that the system is unaffected.

Users benefit from uninterrupted workflow, greater productivity and the ability to click on anything, anytime. You benefit by eliminating endpoint breaches, greater uptime and lower operations costs thanks to reduced remediation, reimaging and urgent security-related patching.

The Challenge for High-Tech Companies: Everybody’s After You

It’s become clear in the past few years that not even the most technologically savvy industry is immune from cyber attacks. One of the first big wake-up calls for high-technology companies came with Operation Aurora. This advanced persistent threat (APT) attack was launched against a wide range of tech firms—including Google, Adobe, Juniper Networks, Rackspace, Symantec and Yahoo—covering the gamut from search, social media and online marketplaces to makers of software and hardware.

More recent attacks against high-tech giants Apple and Facebook and security firms, including Kaspersky Lab, as well as major breaches of customer data at eBay, Twitter, Evernote and Living Social demonstrate that all companies are vulnerable. Perhaps most troubling is that the attacks keep coming, are increasing in sophistication and the stakes keep getting higher; not just cybercriminals and pranksters are going after tech companies, but nation-states as well.

The technology sector is renowned for its innovation, which is part of what makes it attractive to cybercriminals. Research, intellectual property and proprietary technologies such as source code are key targets of attackers. Intelligence gathering is another motivator for perpetrators. Nation-states are strongly suspected of being behind major attacks like Operation Aurora and those against security firms. It was widely reported, for example, that counter-espionage was behind the attack on Google, and that a database was breached that contained several years’ worth of information about US surveillance targets, including emails belonging to diplomats, suspected spies and terrorists.

In some cases, attackers are using high-tech firms as a springboard to gain access to national security-related government agencies, military defense contractors and other sensitive targets. After VeriSign was breached repeatedly, concern arose that .com, .net, and .gov websites could be imitated, making it easy for attackers to direct people to fake websites and to intercept email from federal employees or corporate executives using the .gov addresses.1

At the same time, breaches of customer data, including names, email addresses, physical addresses, phone numbers, birth dates and encrypted passwords, have made headlines like “eBay Database Breached, Forced Password Changes Loom”2 all too common. eBay’s data breach hit 145 million customers, while the breaches at LivingSocial, another online marketplace, and at note-taking service Evernote each affected some 50 million customers.

Unfortunately, having to change passwords isn’t the only negative impact on customers whose sensitive information was stolen. The millions of people whose email addresses were compromised can become the targets for phishing attacks of various kinds as well as identity theft. In addition, attackers can create automated tools that enter breached username and password combinations into popular online services in an attempt to compromise accounts on those sites as well.3 Companies that experience customer data breaches also suffer repercussions, including hits to their brand and a loss of trust by customers that can hurt revenues.

A New Generation of Cyber Attacks

Cybercrime is big business today and cyber attacks are constantly evolving. Attackers are well organized, well trained, and highly motivated. And, in many cases, they’re extremely well funded. For example, Kaspersky estimates that the attack that hit the company, which they labeled Duqu 2.0, cost $50 million to build. Kaspersky describes Duqu 2.0 as a highly sophisticated, stealthy attack platform that exploited several zero-day vulnerabilities and featured unique capabilities previously unseen.4

High-tech companies face a constant barrage of rapidly multiplying and morphing APTs and stealthy advanced evasion techniques. Over the past half-decade, we have witnessed a paradigm shift in the way attackers penetrate organizations’ networks. Rather than targeting servers of interest directly, they have shifted to attacking primarily Microsoft Windows endpoint devices. Once a worker’s PC or laptop is compromised, these devices can serve as a launch pad for APT campaigns, enabling attackers to spread laterally through the network until servers of interest are identified and exploited and targeted data is exfiltrated.

The only surefire way to safeguard intellectual property and customer data both on and off the network is to defend the endpoint itself. Old-school detection and blocking defenses are incapable of defeating these targeted attacks—detection rates for antivirus, for example, range from only 25% to 50%.5

Today, attackers target endpoint devices using a variety of highly targeted and customized techniques, including:

• Spear phishing
• Whaling
• Water holing
• Baiting
• Drive-by downloads

High-tech companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats. Let’s explore the reasons why.

Why Current Cybersecurity Efforts Fail

No matter how much money high-tech organizations invest in security, the bad guys always seem to find a way in. Unfortunately, malware is extremely difficult to detect. For example, during a four-month long cyber attack by Chinese cybercriminals on the New York Times, the company’s antivirus software missed 44 of the 45 pieces of malware installed on the network.6

Threats are highly customized

Unlike your everyday viruses, Trojans and worms—which are intended to infect large numbers of organizations—modern threats are highly customized for each attack. All cybercriminals need to do to bypass most signature-based defenses (for example, intrusion prevention systems, antivirus and secure gateways) is change a single byte of code. Doing so alters the threat’s fingerprint. And until signature-based defenses are updated, they don’t stand a chance at catching them.

According to Verizon, 70% to 90% of malware samples are unique to a single organization, and what the malware does is also distinct.7 As recent attacks have shown, attacks against high-tech organizations are highly customized and are updated regularly, which gives them an alarmingly high success rate but a relatively low detection rate. For example, researchers who analyzed the malware associated with Operation Aurora say it was uniquely compiled or created for each of the several dozen companies that were known to be compromised.

These customized attacks often target large numbers of employees with the goal of gaining control of sensitive information, such as administrative credentials. For example, it’s been reported that more than 100 eBay employees were unknowingly involved in the company’s data breach,8 and eBay officials acknowledged that attackers compromised a number of employee log-in credentials, allowing unauthorized access to the corporate network.9

It’s suspected that phishing was behind the eBay breach.10 Phishing is on the rise, and often incorporates installation of malware as the second stage of the attack, according to Verizon. Their research has found that a campaign of just 10 emails yields a greater than 90% chance that at least one person will bite, and nearly 50% of users open emails and click on phishing links within the first hour.11 In many cases, the user interaction is not about eliciting information, but for attackers to establish persistence on user devices and gain access to the network. Phishing attacks have become quite sophisticated, interwoven in email as well as other channels such as social media and mobile app stores.

In the case of Operation Aurora, for example, the initial attack occurred when company employees visited a malicious website, which researchers believe occurred either as a result of employees receiving a URL in an email or instant message or through some other method, such as Facebook or other social networking sites. Once the user visited the malicious site, the Microsoft Internet Explorer browser was exploited to download an array of malware to their computer. Another method attackers used to gain access to some of the dozens of breached companies was to send email to targeted employees that carried malicious PDF attachments, exploiting Adobe Reader and Acrobat to download an array of malware to users’ computers.12

The attacks on Kaspersky, Evernote and RSA have also been tied to phishing. Kaspersky believes the initial attack against it began when an employee in one of its smaller offices was snagged by spear-phishing emails. According to the company, phishing is strongly suspected because “one of the patients zero we identified had their mailbox and Web browser history wiped to hide traces of the attack.”13

In RSA’s case, the attacker reportedly sent two different phishing emails over a two-day period to two small groups of employees. The email subject line read “2011 Recruitment Plan” and had an attached Microsoft Excel spreadsheet file that contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability.14

Phishing is hard to control because it often involves social engineering of human behavior. For example, an attacker might initially use email to make contact with an employee and then follow up with a phone call to persuade the employee to click on the link, which installs malware.

Water holing, another common attack method, involves infecting legitimate websites used by employees at the target company. In addition to being one attack method used in Operation Aurora, water holing was also used to target Apple, Facebook and Twitter. The companies were attacked through malicious websites that exploited a security flaw in Java, which resulted in malicious code infecting the computers of people who visited those sites. At least one website related to iPhone app development was compromised, reinforcing the fact that even well-known sites can be susceptible to attack. Both Apple and Facebook said several employees’ computers were infected, while Twitter acknowledged the attack resulted in a data breach affecting some 250,000 user accounts.15

BYOD is risky business

Perhaps even more than other industries, high-tech organizations are embracing the efficiencies and cost savings of the cloud, mobility and BYOD. This is no surprise; high-tech companies are often fond of saying they “eat their own dog food,” so it’s natural for many companies to use the technologies they helped invent and commercialize.

Unfortunately, BYOD and other new technologies and trends are dissolving network perimeters—and IT control, creating new security concerns.

IT can’t keep up

Remaining competitive in a dynamic industry like high-tech makes security a challenge. One area that IT organizations often can’t keep up with is system patching. For example, a recent data breach at security firm Bitdefender, in which a small number of customer usernames and passwords were compromised, was reportedly caused by human error and outdated software.16

Regardless of how sophisticated and targeted the cyber attack, it’s destined to fail if the vulnerability on the host it’s targeting has been patched. When patching occurs infrequently, it opens the door to attackers who design malware to exploit recently disclosed vulnerabilities. A full 99.9% of exploited vulnerabilities were compromised more than a year after the associated Common Vulnerabilities and Exposures (CVE) data was made public.17

Bromium—a Revolutionary Approach to Prevent Data Breaches

Given how vulnerable high-tech companies are, how targeted and sophisticated cyber attacks are today, and how traditional security defenses don’t do an adequate detection job, there has to be a better way to defend endpoints and networks. What if there was a way to render threats harmless and make them irrelevant?

There is. Enter the revolutionary isolation approach from Bromium® which prevents data breaches. Bromium protects data and IP, enables users to click on anything, anywhere without risk, and streamlines security by eliminating false alerts, urgent patching and costly remediation.

Protect data and IP

High-tech companies have substantial intellectual property, including source code, proprietary technologies, product specifications and patent applications, as well as other highly confidential information. In addition, many tech companies, including Google, eBay and Facebook, maintain sensitive personal information about their users, such as email addresses and phone numbers. Safeguarding all of this IP and data is paramount.

More than 70% of breaches which expose data and IP start at the endpoint. Bromium eliminates this attack surface, ensuring your data, IP and brand are protected. Bromium’s approach far exceeds the capabilities of detection and blocking technologies like antivirus, whitelisting, Web gateways and sandboxes. Bromium defends the endpoint by isolating all content for each task—including threats such as advanced malware, APTs, spear phishing and zero-day exploits—through breakthrough micro-virtualization technology that leverages CPU hardware technology. Our unique isolation technology creates a lightweight, disposable micro-virtual machine for vulnerable operations, like Web browsing and opening untrusted documents. These operations are isolated from the host operating system, eliminating the need for any type of detection or behavioral analysis—or the possibility of compromise.

Even if malware finds its way into a micro-virtual machine, the system still protects the enterprise network, the endpoint and the user. Micro-virtual machines are created and destroyed in milliseconds, discarding malware and ensuring that the system is unaffected. All of this occurs automatically, with minimal impact on the user experience.

Click on anything

Users in the high-tech industry want the flexibility to use the latest available tools, freely access the Web, and work anywhere, whether at home, branch offices, hotels or airports. Restrictive policies and security solutions can get in their way and slow them down. With Bromium, you can give users the freedom to do their jobs anywhere and access anything—websites, downloads, email attachments, even USB drives—without ever worrying about the security of intellectual property or the privacy of customer records. They can click on anything, anywhere without risk of compromise.

Streamline security

Even in the most tech-savvy companies, IT professionals face a constant flood of alerts from every system. It’s a challenge to find the critical threats in a sea of false alerts or insignificant events. Bromium’s isolation approach reduces and even eliminates compromises on endpoints and streamlines security by eliminating false alerts, urgent patching and remediation.

Users benefit from uninterrupted workflow and greater productivity. You benefit from greater uptime for the business and lower operations expenses, saving on costly remediation, reimaging and deployment of spare systems, as well as the need for urgent security-related patching. Rather than waste time and effort sorting through the noise of security alerts and chasing false positives, IT can direct its resources to more mission-critical activities.

Why Bromium and why now?

Traditional network and endpoint security solutions are only as good as their threat signatures. But with tens of thousands of new threats emerging every day, traditional security defenses simply can’t keep up. Newer threat emulation solutions, such as sandboxing, help detect threats at the perimeter that bypass traditional defenses, but they’re not foolproof, and they only protect hosts while they’re connected to the network. If a tech employee takes their laptop to the café down the street, their laptop and your organization are no longer protected.

The new cyber-attack landscape requires a new way of thinking. Trying to keep up with the bad guys is an exercise in futility. Instead of focusing on detecting and blocking threats, consider investing in solutions that make attackers and their exploits irrelevant, solutions that stop advanced threats by eliminating the attack surface they’re designed to exploit, and prevent data breaches at your organization.

Bromium pays for itself in just a matter of months. Its powerful and effective endpoint security technology helps you virtually eliminate the risk of a data breach and the losses associated with such an event. With Bromium users can click on anything, anywhere without risk of compromise. Bromium streamlines security by eliminating false alerts, urgent patching and remediation.

Conclusion

We now live in a world where the question is no longer if your network or endpoints will be compromised, but when. We know from research studies that the most common and effective way for cybercriminals to target intellectual property, customer records and other sensitive resources is to compromise vulnerable endpoints and use them as launch pads as part of an advanced threat campaign.

To stand a chance of defeating highly sophisticated and well-funded cybercriminals and even nation-states, high-tech firms have to think differently. It’s apparent that traditional network and endpoint security defenses simply can’t keep up with today’s sophisticated threats.

Bromium offers a fresh new approach to tackling a very serious dilemma facing IT security teams. That’s why many of the world’s leading high-tech companies have deployed Bromium’s endpoint solution. These customers have been able to protect vulnerable devices such as executives’ laptops and targeted employees such as developers, researchers and finance personnel, reducing disruptions to the daily workflow and the need for regular endpoint reimaging.

By eradicating the vulnerabilities that advanced threats are designed to exploit after each Internet-facing computing task is completed, Bromium is effectively eliminating the attack surface of endpoints, which are almost always the initial target of APT attacks and other advanced threat campaigns. You benefit from fewer breaches, greater uptime and lower opex.

For more information

For more information on Bromium vSentry® and Bromium Live Attack Visualization and Analysis (LAVA™) security solutions, contact your Bromium sales representative or Bromium channel partner. Visit us at www.bromium.com.

ABOUT BROMIUM

Bromium has transformed endpoint security with its revolutionary isolation technology to defeat cyber attacks. Unlike antivirus or other detection-based defenses, which can’t stop modern attacks, Bromium uses micro-virtualization to keep users secure while delivering significant cost savings by reducing and even eliminating false alerts, urgent patching, and remediation—transforming the traditional security life cycle.

1. DataBreaches.net. http://www.databreaches.net/
2. Donohue, Brian, “eBay Database Breached, Forced Password Changes Loom”, Kaspersky Lab Daily, May 21, 2014. https://blog.kaspersky.com/ebay-data-breach-exposes-passwords/4824
3. Donohue, Brian, “eBay Database Breached, Forced Password Changes Loom”, Kaspersky Lab Daily, May 21, 2014. https://blog.kaspersky.com/ebay-data-breach-exposes-passwords/4824
4. Kaspersky Lab, “Duqu 2.0: Frequently Asked Questions”. http://media.kaspersky.com/en/Duqu-2-0-Frequently-Asked-Questions.pdf
5. Kirda, Engin, “Most Antivirus Software Is Lousy At Detecting Advanced Malware”, Forbes, May 21, 2014. http://www.forbes.com/sites/ciocentral/2014/05/21/duck-test-antivirus-software-wont-detect-advanced-malware/
6. Goldman, David, “Your antivirus software probably won’t prevent a cyberattack”, CNN Money, January 31, 2013. http://money.cnn.com/2013/01/31/technology/security/antivirus/
7. Verizon, “2015 Data Breach Investigations Report”, 2015.
8. Coty, Stephen, “The eBay breach explained”, SC Magazine, July 17, 2014. http://www.scmagazine.com/the-ebay-breach-explained/article/360998/
9. Donohue, Brian, “eBay Database Breached, Forced Password Changes Loom”, Kaspersky Lab Daily, May 21, 2014. https://blog.kaspersky.com/ebay-data-breach-exposes-passwords/4824
10. Coty, Stephen, “The eBay breach explained”, SC Magazine, July 17, 2014. http://www.scmagazine.com/the-ebay-breach-explained/article/360998/
11. Verizon, “2015 Data Breach Investigations Report”, 2015.
12. Zetter, Kim, “Google Hack Was Ultra Sophisticated, New Details Show”, January 14, 2010. http://www.wired.com/2010/01/operation-aurora/
13. Kaspersky, “The Duqu 2.0 Technical Details”, June 11, 2015. https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
14. Leyden, John, “RSA explains how attackers breached its systems”, The Register, April 4, 2011. http://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/
15. Newman, Jared, “Apple and Other Tech Companies Hacked: Here’s What You Need to Know”, Time, February 20, 2013. http://techland.time.com/2013/02/20/apple-and-other-tech-companies-hacked-heres-what-you-need-to-know/
16. Marquette Poremba, Sue, “Even Security Companies Get Breached”, IT Business Edge, August 10, 2015. http://www.itbusinessedge.com/blogs/data-security/even-security-companies-get-breached.html
17. Verizon, “2015 Data Breach Investigations Report”, 2015.

Bromium, Inc., 20813 Stevens Creek Blvd, Cupertino, CA 95014, +1.408.213.5668
Bromium UK Ltd., Lockton House, 2nd Floor, Clarendon Road, Cambridge CB2 8FH, +44.1223.314914
For more information go to www.bromium.com or contact [email protected]
Copyright ©2015 Bromium, Inc. All rights reserved. WP.High-Tech.US-EN.1510