Operation Aurora: Tips for thwarting zero-day attacks, unknown malware

In December 2009, Google, Adobe and other companies were the victims of a damaging cyberattack called Operation Aurora. In this tip, expert Nick Lewis outlines the lessons learned from this attack, and how companies can avoid falling victim to similar attacks.

In December 2009, Google and other notable companies were victims of a cyberattack believed to have originated in China. This incident, dubbed Operation Aurora, was ultimately a zero-day attack targeting a then-unpatched Internet Explorer vulnerability.

The most sobering takeaway from the Operation Aurora attacks is that even organizations with significant security resources can still be victimized. If some of the most sophisticated and potentially well-funded IT security organizations can be hacked, smaller organizations with fewer resources will have an even tougher time protecting against such attacks. However, there were some important lessons to be learned from Operation Aurora, and in this tip we'll cover what enterprises need to know about the attacks and how to best defend against similar attacks in the future.

Operation Aurora: The background
Let's review some of the technical details that have been reported about the Aurora attacks and how an organization could have stopped them. Google reported that it, along with at least 20 other large companies, was targeted in the Operation Aurora attacks in mid-December 2009. Google believed the attacks, which resulted in the theft of intellectual property, were targeting Gmail accounts of Chinese human rights activists.

According to reports released after the Operation Aurora attacks, a zero-day Internet Explorer vulnerability and exploit were used along with unknown malware. These attacks were considered successful on the part of the hackers because of the high-profile nature of the targets and because of the wide reporting that followed. They were also successful because of the sophisticated techniques used alongside the more common zero-day attacks and unknown malware. The attackers, later determined to be from China, used multiple layers of encryption on network traffic to successfully hide their attacks from detection.

Operation Aurora attack vectors
While a zero-day Internet Explorer vulnerability and exploit by itself is not the most sophisticated attack, it can (and did, in Operation Aurora) allow attackers to completely take over computer systems. However, for an attacker to successfully do so, the logged-in user would need to have elevated access privileges, or the attacker would need to take advantage of an exploit to get elevated access. Some malware will infect a system when the logged-in user only has regular user access, but this makes it much more difficult to take over a system. Many organizations needlessly allow all users administrator-level privileges, which let them install applications, make configuration changes and otherwise operate without any restriction. Yet when an attacker finds his or her way onto a system with elevated privileges, there's nothing preventing the hacker from misusing these privileges. By giving users just the necessary access, it becomes more difficult for a successful exploit to cause widespread damage.

Never-before-seen malware is a fairly common attack vector, often used to do something that will immediately be monetized by a common criminal. In the case of the Operation Aurora attacks, hackers gained access to high-profile accounts. The immediate profit motive from the Aurora attacks is unknown, but long-term the access to sensitive data could be valuable, at the very least as a surveillance tactic.

Defending against Operation Aurora-like attacks
Although these attack methods are certainly troublesome, there are many ways to defend against them to ensure that a similar attack would not be successful. For starters, an alternative Web browser or operating system can be used to avoid Internet Explorer zero-day attacks, depending on the level of risk deemed tolerable for your environment, how many defense-in-depth security controls are implemented, and the value of the target. However, non-Microsoft software can be more complex and time-consuming (and ultimately more expensive) to manage, a significant drawback depending on the size of your environment and application patching and support infrastructure.

Another possibility is to run Internet Explorer with reduced privileges while ensuring that Data Execution Prevention (DEP) is in use, even though it was reportedly bypassed by this exploit. DEP is intended to stop attacks from executing code from non-executable memory locations, which (in theory) should make it significantly harder for attackers to succeed with attacks like Operation Aurora. Internet Explorer 8 also offers additional protections against these types of attacks.

Multiple layers of encryption or proxy servers can be used to hide the network communications of the compromised computers and the source of the communications from detection. To detect and stop the communication, network connections should be monitored, particularly those that go outside of the company network. It's possible that this monitoring could be fairly ineffective because of the variety of external connections, but monitoring specifically for a higher-than-normal volume of data going out from a computer is one way to identify a compromised computer. A sophisticated organization may also want to compartmentalize its network using firewalls to limit the risk of attackers hopping from one part of the network to another.
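The egress-volume check described above, as an added example that is not part of the original tip: it sums the bytes each internal host sends to destinations outside the company network and flags hosts whose total exceeds a multiple of their usual baseline. Because it looks only at flow volume, it works regardless of how many layers of encryption the attackers wrap around the traffic. The flow records, the per-host baselines, the RFC 1918 definition of "internal" and the 3x threshold are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Address ranges treated as "inside the company network" (assumption: RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow summaries (not real traffic), one per line:
# timestamp src_ip dst_ip dst_port bytes_sent
SAMPLE_FLOWS = """\
2009-12-14T09:01:02 10.1.5.21 10.1.9.40 445 20480
2009-12-14T09:03:10 10.1.5.21 203.0.113.7 443 1024
2009-12-14T09:05:44 10.1.5.22 198.51.100.9 443 2048
2009-12-14T09:10:00 10.1.5.22 10.1.9.40 445 4096
2009-12-14T09:12:30 10.1.5.23 203.0.113.7 443 52428800
2009-12-14T09:15:00 10.1.5.23 203.0.113.7 443 62914560
2009-12-14T09:20:00 10.1.5.24 198.51.100.9 80 3072
2009-12-14T09:25:00 10.1.5.25 198.51.100.9 443 1536
"""

# Constructed per-host baselines: typical daily bytes sent outside the network,
# as a real deployment would learn them from prior observation.
BASELINE = {
    "10.1.5.21": 5_000_000,
    "10.1.5.22": 6_000_000,
    "10.1.5.23": 4_000_000,
    "10.1.5.24": 3_000_000,
}


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated flow summaries into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records


def external_egress(records):
    """Sum bytes each internal host sent to destinations outside the network."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in records:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_hosts(totals, baseline, factor=3.0):
    """Return hosts whose external egress exceeds factor x their baseline.

    A host with no baseline is compared against the median baseline of the
    hosts that have one, so a newly seen machine is not silently skipped.
    Each entry is (host, bytes_sent, expected_bytes, ratio), highest ratio first.
    """
    fallback = median(baseline.values()) if baseline else 0
    flagged = []
    for host, sent in totals.items():
        expected = baseline.get(host, fallback)
        if expected and sent > factor * expected:
            flagged.append((host, sent, expected, round(sent / expected, 1)))
    return sorted(flagged, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    totals = external_egress(parse_flows(SAMPLE_FLOWS))
    for host, sent, expected, ratio in flag_hosts(totals, BASELINE):
        print(f"{host}: {sent} bytes out vs baseline {expected} ({ratio}x)")
```

In the sample data only 10.1.5.23 is flagged: its two HTTPS sessions to an outside address add up to far more than its baseline, while the other hosts' small external transfers and all internal SMB traffic are ignored. In practice the baseline should be learned per host and per time window, and the flagged host is a lead for investigation rather than a verdict.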

Steps that organizations need to take to ensure that an Aurora-type of attack does not happen again lead back to the basics of information security. Companies should evaluate their networks and decide where the highest risks are and then use appropriate safeguards to manage those risks. For example, in its initial announcement, Google recommended that enterprises use reputable antimalware software, patch diligently and update Web browsers on a regular basis.

Not all of the recommendations in this article are necessary for all organizations, and an organization should first get the basics in place before trying to defend against sophisticated attackers. By using a defense-in-depth strategy, an organization can minimize the impact of similar attacks by better preventing a zero-day attack from completely taking over a target computer and from effectively hiding from detection.

About the author
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunication from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.

This was last published in April 2010


Source: https://www.techtarget.com/searchsecurity/tip/Operation-Aurora-Tips-for-thwarting-zero-day-attacks-unknown-malware
