Flaming Hack: What does 'Flame' mean for the rest of us?

The good news is that all of the anti-virus companies either are including, or have already included, Flame detection in their systems – and BitDefender has produced a free removal tool for what its chief security researcher, Catalin Cosoi, calls “the scariest cyber espionage tool we’ve yet seen.” So, if the anti-virus companies have already got it covered, what is all the fuss?

The ‘fuss’ is down to two things in particular. Firstly, there is the almost unanimous belief that this malware is produced by a nation state. That means it is a government-backed cyberweapon. And if one nation is doing it, we can confidently expect that other nations are also doing it.

The second issue is that last week we knew nothing about Flame (although Iran certainly knew about it since the beginning of May). The general consensus, however, is that Flame (or Flamer or Skywiper) has been around for at least two years and possibly for seven or eight. It is when you put these two things together that you see how Flame should change our attitude towards security: other governments are likely to have similar ‘products’; and they can go undetected for years. In short, any one of us could right now be infected with sophisticated nation-state malware that we know nothing about (not likely, perhaps, but certainly possible); and we need to consider that in our security response. “The Worst Hack?” asks ICSA’s Roger Thompson. “Remember, the worst hack is the one you don’t know about.”

Clearly, anti-malware isn’t enough; and the anti-malware industry doesn’t suggest it should be. But don’t dismiss anti-malware – it remains our best shot at getting rid of malware if we do get infected. Bit9 and other whitelist companies believe we should reverse the traditional barrier defense: only allow the known good rather than attempt to stop the known bad. But there is no guarantee that this will prevent infection either. Indeed, most security experts believe that it is best to assume we are already infected with something. “While most now recognize that breaches are a matter of when and not if,” comments James Todd of FireEye, “what they don’t realize is that the ‘when’ might have already happened, as evidenced by the failure to discover Flame until now.”

Adam Bosnian, EVP at Cyber-Ark, believes we need to change our mindset – to detect the existing infection rather than simply prevent a future infection. “Organizations need to quickly change their mindset and focus on protection from the inside out,” he says. “Security has to start with the assumption that the attackers are already on the inside.” It’s like the traditional High Street shop. We lock the door at night to keep burglars out (perimeter defense); but we are advised to keep some lights on so that if anyone does get in, they are clearly visible. That needs to be the new security stance – shining a light on the burglars that have already got into the shop.

Ross Brewer, MD and VP at LogRhythm, believes that advanced log management can shine that light. “The continuous monitoring and advanced correlation of IT log data,” he suggests, “can offer the insight required to piece together seemingly isolated events, ultimately facilitating deep forensic analysis into increasingly sophisticated cyber attacks.” This is the territory of SIM and SIEM and data analytics. BAE Systems Detica offers such products, but its technical director Henry Harrison believes that Flame may be just the tip of the iceberg. “Targeted data-stealing attacks are a common phenomenon,” he says, “but in most cases they don't get reported. That's either because the companies affected didn't report the attacks, for fear of reputational damage, or – most of the time – because the attacks are so successful that the targets don't even realize that their data has been stolen. What is newsworthy here is not so much the attack, but the very fact that it has been reported.”

So, going back to the original question (what does Flame mean for the rest of us?), it means that the security threat is far more complex than we thought; it means that we need to stop relying on barrier defenses alone and put in place the means to discover the infection we already have.
