Expert Opinion: The Stuxnet legacy
03 Oct 2012
Every company can learn important IT security lessons from this highly sophisticated attack and its successors, says Harry Sverdlove, CTO at Bit9.
When Stuxnet attacked Iran's nuclear infrastructure just over two years ago, alarm bells started ringing over this new type of cyber threat. Nation-state sponsored attacks had happened before, but what made Stuxnet unique was its ability to cause physical damage to an infrastructure.
The worm was specifically designed to target an air-gapped network (a set of computers disconnected from the Internet) and used the largest set of unknown vulnerabilities (zero-days) ever seen in a single attack. Stuxnet was quickly and aptly dubbed a cyber ‘superweapon’. And its appearance may well have marked the beginning of a new era of cyberwarfare.
Since the highly sophisticated worm’s discovery in June 2010, there has been a significant increase in awareness and exposure to complex and targeted cyber attacks. Earlier in 2010, Google publicly disclosed details about an advanced cyber-espionage campaign dubbed Operation Aurora, which Google said originated within China. The attack targeted dozens of companies including Google, Adobe, Juniper Networks and Dow Chemical. The disclosure by a renowned public company, coupled with attribution to a nation-state, immediately sent shockwaves around the world. The message was clear: cyber espionage is real and no nation or company is too big or too small to be a victim.
Whether it is intellectual property and proprietary information used for economic and social gain, or intelligence used for political or military advantage, every computer system is a prospective target. And traditional computer security is ineffective at stopping the myriad threats.
Stuxnet was followed by Duqu, then Flame, and most recently Gauss. In the last couple of years, we have seen dozens of high-profile cyber-espionage attacks – targeting companies in almost every vertical market, large and small, both private and public, and across every major country. Some companies have been targeted solely as a stepping stone to their customers or contacts.
What’s more, in the world of cyber espionage, copying other people’s work requires just a browser and search engine, so we’ve also seen copycat attacks like the recent Shamoon. While ordinary malware – password-stealing software, botnets, viruses – still accounts for the majority of overall attacks, targeted and increasingly complex malware now represents the most serious threat because it leads to loss of data, reputation damage and high remediation costs.
So what can companies learn from Stuxnet? They should learn that they must put a new strategy in place to defend their information and electronic borders. Many organisations have started investing in their own security operations centres (SOCs) to track and respond to unidentified threats. They recognise that, given the rise and success of targeted attacks, the enemy is likely already within their borders. Knowing whether your company is already under attack is as important as defending against future attacks. Sadly, too many companies have been slow to respond, perhaps ignoring the obvious fact that they might well be the next victim.
Advanced Persistent Threats (APTs) cannot be ignored. The reality is that every company is now on the cyber battlefield. The question is, are you an armed combatant or a reluctant participant?