
Operation Aurora: Tips for thwarting zero-day attacks, unknown malware

In December 2009, Google and other notable companies were victims of a cyberattack believed to have originated in China. This incident, dubbed Operation Aurora, was ultimately a zero-day attack targeting a then-unpatched Internet Explorer vulnerability.

The most sobering takeaway from the Operation Aurora attacks is that even organizations with significant security resources can still be victimized. If some of the most sophisticated and potentially well-funded IT security organizations can be hacked, smaller organizations with fewer resources will have an even tougher time protecting against such attacks. However, there were some important lessons to be learned from Operation Aurora, and in this tip we'll cover what enterprises need to know about the attacks and how to best defend against similar attacks in the future.

Operation Aurora: The background
Let's review some of the technical details that have been reported about the Aurora attacks and how an organization could have stopped them. Google reported that it, along with at least 20 other large companies, was targeted in the Operation Aurora attacks in mid-December 2009. Google believed the attacks, which resulted in the theft of intellectual property, were targeting Gmail accounts of Chinese human rights activists.

According to reports released after the Operation Aurora attacks, a zero-day Internet Explorer vulnerability and exploit were used along with unknown malware. These attacks were considered successful on the part of the hackers because of the high-profile nature of the targets and because of the wide reporting that followed. They were also successful because of the sophisticated techniques used alongside the more common zero-day attacks and unknown malware. The attackers, later determined to be from China, used multiple layers of encryption on network traffic to successfully hide their attacks from detection.

Operation Aurora attack vectors
While a zero-day Internet Explorer vulnerability and exploit by itself is not the most sophisticated attack, it can (and did, in Operation Aurora) allow attackers to completely take over computer systems. However, for an attacker to successfully do so, the logged-in user would need to have elevated access privileges, or the attacker would need to take advantage of an exploit to get elevated access. Some malware will infect a system when the logged-in user only has regular user access, but this makes it much more difficult to take over a system. Many organizations needlessly allow all users administrator-level privileges, which allow them to install applications, make configuration changes and otherwise operate without any restriction. Yet when an attacker finds his or her way onto a system with elevated privileges, there's nothing preventing the hacker from misusing these privileges. By giving users only the necessary access, it becomes more difficult for a successful exploit to cause widespread damage.

Never-before-seen malware is a fairly common attack vector, often used to do something that will immediately be monetized by a common criminal. In the case of the Operation Aurora attacks, hackers gained access to high-profile accounts. The immediate profit motive from the Aurora attacks is unknown, but long-term the access to sensitive data could be valuable, at the very least as a surveillance tactic.

Defending against Operation Aurora-like attacks
Although these attack methods are certainly troublesome, there are many ways to defend against them to ensure that a similar attack would not be successful. For starters, an alternative Web browser or operating system can be used to avoid Internet Explorer zero-day attacks, depending on the level of risk deemed tolerable for your environment, how many defense-in-depth security controls are implemented, and the value of the target. However, non-Microsoft software can be more complex and time-consuming (and ultimately more expensive) to manage, a significant drawback depending on the size of your environment and application patching and support infrastructure.

Another possibility is to run Internet Explorer with reduced privileges while ensuring that Data Execution Prevention (DEP) is in use, even though it was reportedly bypassed by this exploit. DEP is intended to stop attacks from executing code from non-executable memory locations, which (in theory) should make it significantly harder for attackers to succeed with attacks like Operation Aurora. Internet Explorer 8 also offers additional protections against these types of attacks.

Multiple layers of encryption or proxy servers can be used to hide the network communications of the compromised computers and the source of the communications from detection. To detect and stop the communication, network connections should be monitored, particularly those that go outside of the company network. It's possible that this monitoring could be fairly ineffective because of the variety of external connections, but monitoring specifically for a higher-than-normal volume of data going out from a computer is one way to identify a compromised computer. A sophisticated organization may also want to compartmentalize its network using firewalls to limit the risk of attackers hopping from one part of the network to another.

Steps that organizations need to take to ensure that an Aurora-type attack does not happen again lead back to the basics of information security. Companies should evaluate their networks, determine where the highest risks are and then use appropriate safeguards to manage those risks. For example, in its initial announcement, Google recommended that enterprises use reputable antimalware software, patch diligently and update Web browsers on a regular basis.

Not all of the recommendations in this article are necessary for every organization, and an organization should first get the basics in place before trying to defend against sophisticated attackers. By using a defense-in-depth strategy, an organization can minimize the impact of similar attacks by making it harder for a zero-day attack to completely take over a target computer and to hide from detection.

About the author
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwestern university, where he is responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.


This was first published in April 2010
