Lockheed Martin "almost missed" hacker intrusion
"We almost missed it," said Steve Adegbite, Lockheed Martin's director for cybersecurity, of May 2011's hacker attack. Adegbite, speaking at the recent Kaspersky Security Analyst Summit in San Juan, Puerto Rico, noted that at first the attack looked like a new person in the department.
In this case the attackers had prepared well: they had acquired the credentials of one of Lockheed's business partners, including that user's RSA SecurID token, which let them pass the two-factor authentication protecting the network. Because the password and the second factor were both valid, the logins themselves raised nothing; what became apparent to Lockheed's security team was that the account was not behaving like its owner. It tripped a lot of alarms by going after data unrelated to the job of the user the attackers were impersonating. Lockheed's answer to such attacks is its "Cyber Kill Chain" framework, a process that tracks what accounts are doing against the stages of an intrusion and places obstacles in the way of any attempt to extract data from the network. "No information was lost. If not for this framework, we would have had issues," said Adegbite.
Adegbite says attackers work in seven steps: reconnaissance, weaponisation, delivery, exploitation, installation of malware, command and control, and exfiltration. He adds: "The goal of the Kill Chain is to make sure they don't get to step 7 and exfiltrate", using an intelligence-led strategy rather than attempting to provision heavy manned defences at every entry point into the network.
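The two ideas above, spotting an account that behaves unlike its owner even though its login was legitimate, and tracking an intrusion against the seven steps so that step 7 can be stopped, can be sketched as detection logic over a few log lines. The following is an added example and is not Lockheed Martin's code or tooling: the phase names are the article's seven steps, but the rule names, the per-account baselines and the log lines are constructed for illustration, and the block-or-alert policy is one possible "obstacle", not the one Lockheed uses.

```python
"""Behaviour-based detection phased against a seven-step kill chain.

Added example, not Lockheed Martin's code. Rule names, baselines and the
log below are constructed; only the phase names come from the article."""

# The seven steps as listed in the article, in attack order.
KILL_CHAIN = [
    "reconnaissance", "weaponisation", "delivery", "exploitation",
    "installation", "command_control", "exfiltration",
]

# Hypothetical detection-rule names mapped onto the phase each evidences.
RULE_PHASE = {
    "port_scan": "reconnaissance",
    "phishing_attachment": "delivery",
    "exploit_signature": "exploitation",
    "new_service_installed": "installation",
    "beacon_to_unknown_host": "command_control",
    "bulk_outbound_transfer": "exfiltration",
}

# Constructed baseline: the resources each account normally touches.
BASELINE = {
    "partner.jdoe": {"fs01/supplier-invoices"},
    "alice": {"fs07/engineering-drawings"},
}

# Constructed log: a partner account logs in with a valid password and a
# valid second factor, then starts reading data its owner never touches.
LOG = """\
ts=2011-05-21T09:02:11 user=partner.jdoe rule=auth_success src=10.8.4.17 resource=vpn
ts=2011-05-21T09:05:40 user=partner.jdoe rule=file_access src=10.8.4.17 resource=fs01/supplier-invoices
ts=2011-05-21T09:07:03 user=partner.jdoe rule=file_access src=10.8.4.17 resource=fs07/engineering-drawings
ts=2011-05-21T09:09:55 user=partner.jdoe rule=file_access src=10.8.4.17 resource=fs09/program-schedules
ts=2011-05-21T09:12:30 user=partner.jdoe rule=beacon_to_unknown_host src=10.8.4.17 resource=203.0.113.45:443
ts=2011-05-21T09:15:02 user=partner.jdoe rule=bulk_outbound_transfer src=10.8.4.17 resource=203.0.113.45:443
ts=2011-05-21T09:16:10 user=alice rule=file_access src=10.8.2.5 resource=fs07/engineering-drawings
"""


def parse_log(text):
    """Turn key=value log lines into a list of dicts, in log order."""
    return [dict(field.split("=", 1) for field in line.split())
            for line in text.splitlines() if line.strip()]


def baseline_violations(events, baseline=BASELINE):
    """(user, resource) for file accesses outside the account's normal set.
    The login passed, so this behavioural deviation is the signal."""
    return [(e["user"], e["resource"]) for e in events
            if e["rule"] == "file_access"
            and e["resource"] not in baseline.get(e["user"], set())]


def phases_by_user(events):
    """Which kill-chain phases each account has produced evidence for."""
    seen = {}
    for e in events:
        phase = RULE_PHASE.get(e["rule"])
        if phase:
            seen.setdefault(e["user"], set()).add(phase)
    return seen


def furthest_phase(phases):
    """The latest kill-chain step among a set of phases (None if empty)."""
    positions = [KILL_CHAIN.index(p) for p in phases]
    return KILL_CHAIN[max(positions)] if positions else None


def evaluate(events, baseline=BASELINE):
    """Walk the log in order and decide what to do about step-7 attempts.
    An account is flagged once it reads outside its baseline or reaches
    command and control; an exfiltration attempt by a flagged account is
    blocked, otherwise only alerted on. Returns (ts, user, action) tuples."""
    flagged, decisions = set(), []
    for e in events:
        phase = RULE_PHASE.get(e["rule"])
        outside = (e["rule"] == "file_access"
                   and e["resource"] not in baseline.get(e["user"], set()))
        if outside or phase == "command_control":
            flagged.add(e["user"])
        if phase == "exfiltration":
            decisions.append((e["ts"], e["user"],
                              "block" if e["user"] in flagged else "alert"))
    return decisions


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("outside baseline:", baseline_violations(evs))
    for user, phases in phases_by_user(evs).items():
        print(user, "furthest phase attempted:", furthest_phase(phases))
    print("decisions:", evaluate(evs))
```

Note what the authentication events contribute: nothing. The partner account's login is indistinguishable from a real one, which is exactly the situation a stolen token creates; the first evidence is the account reading shares its owner never uses, and the phase mapping then shows how far along the chain it has got before the outbound transfer is refused.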
The attack described came in the wake of the intrusion into RSA, which saw the SecurID maker offer replacement tokens to its customers. Adegbite was, however, careful to note that Lockheed has never said that this attack, or at least one other that took place around the same time, was related to the RSA breach.