Comments on Israeli Intellectual Property Theft Stories
Thanks to Jason Anderson of Lancope for making me aware of a large case of intellectual property theft in Israel. This 29 May story explains how Israeli programmer Michael Haephrati was hired to create Trojan Horses for private investigation companies. Those PI firms then deployed the programs to target companies via "email attachments." The PIs sold what they found to competitors of the targets. For more details, I recommend Richard Steinnon's blog.
I found a detail in this story very interesting:
"The Trojan sent images and documents to FTP servers in Israel, Germany and the US, court documents reveal."
Regular blog readers know what that means. Any victim company practicing Network Security Monitoring could have complete records of the FTP traffic that carried documents or files stolen by the Trojan Horses. NSM practitioners would know when the activity started, what systems were victims, and when the last outbound connection took place. Depending on the form of the FTP transfers and the capture of full content data, NSM pros might even know exactly what was stolen.
Those running a defensible network might have deployed FTP proxies that carry all outbound FTP traffic. That outbound FTP proxy would have logged all of the files that were carried outbound. Of course the file names might have nothing to do with the documents stolen from hard drives, but a record of illegal activity would still exist.
I consider watching outbound activity to be practicing extrusion detection. Supposedly stopping outbound activity is called extrusion prevention, and I already see vendors using these terms. Richard Steinnon prefers the term "intellectual property protection" (IPP). I think IPP is a form of extrusion something, but the idea of IPP assumes that what is being sent outbound has any IP value. For example, I would like to see outbound bot net command and control traffic, even if the bot net owner never touches any sensitive files on my internal victim systems.
I found a detail in this story very interesting:
"The Trojan sent images and documents to FTP servers in Israel, Germany and the US, court documents reveal."
Regular blog readers know what that means. Any victim company practicing Network Security Monitoring could have complete records of the FTP traffic that carried documents or files stolen by the Trojan Horses. NSM practitioners would know when the activity started, what systems were victims, and when the last outbound connection took place. Depending on the form of the FTP transfers and the capture of full content data, NSM pros might even know exactly what was stolen.
Those running a defensible network might have deployed FTP proxies that carry all outbound FTP traffic. That outbound FTP proxy would have logged all of the files that were carried outbound. Of course the file names might have nothing to do with the documents stolen from hard drives, but a record of illegal activity would still exist.
I consider watching outbound activity to be practicing extrusion detection. Supposedly stopping outbound activity is called extrusion prevention, and I already see vendors using these terms. Richard Steinnon prefers the term "intellectual property protection" (IPP). I think IPP is a form of extrusion something, but the idea of IPP assumes that what is being sent outbound has any IP value. For example, I would like to see outbound bot net command and control traffic, even if the bot net owner never touches any sensitive files on my internal victim systems.
Comments
Since we initially connected to the Internet, we have required authentication to pass through the firewall and even then we only allow http and https. With additional authorization we also will allow FTP.
It is truly amazing how much crap gets stopped by this. Yes, the firewall log is full of entries about crap trying to get out. We use this info to track down the worst offenders but best of all most of the adware, spyware, and other crap never leaves our network.
We haven't done anything about the root subject of your post, intellectual property being sent out, yet. The bots you refer to shouldn't be able to get out. Our worry is employees sending it out, on purpose or by accident, via email. We feel we have done more than most to keep the bad stuff from spreading to the Internet when we do get hit by welchia etc.