Northrop Grumman constantly under attack by cyber-gangs

NATIONAL HARBOR, Md. -- About a dozen separate legions of organized hackers have been diligently attempting for years to break into aerospace and defense company Northrop Grumman to steal sensitive information, the company's chief information security officer (CISO) said at a Gartner security conference here.

"These advanced attacks have been going on for several years," said Timothy McKnight, vice president and CISO at Northrop Grumman, during a panel discussion on the "Advanced Persistent Threat" (APT), the term often used to describe attacks by hackers determined to break into companies and government agencies with the goal of stealing intellectual property or other sensitive information.

BACKGROUND: Lockheed Martin acknowledges 'significant' cyberattack

Northrop Grumman's monitoring, detection and prevention systems see so many traces of well-organized and determined hacker groups that the aerospace giant has actually managed to keep track of distinct profiles of about a dozen separate groups constantly trying their tricks to break in over the years.

The cyber-intelligence group at Northrop Grumman keeps a tally of forensics on attacks emanating from the groups that each work as a team "waking up each day to get into Northrop Grumman," McKnight said. "We can tell what their attack procedures are, how they write the malware."

The typical attack method is an attempt to compromise user machines through zero-day vulnerabilities. While about 300 zero-day attack attempts were recorded last year, the pace has ramped up enormously, to the point where it is not uncommon to see zero-day exploits arriving at 11-minute intervals.

Attackers will do as much background investigation on a company as they can to be able to pinpoint the intellectual property they want, and what employees are closest to it, McKnight said.

RSA, which organized the panel discussion, knows about the problem itself all too well.

In March, RSA acknowledged it was hit by an APT attack that resulted in the theft of undisclosed information about its SecurID product. The problems only seemed to grow. Lockheed Martin recently disclosed that it was hit by an attempted APT that in part made use of this stolen information related to RSA SecurID tokens. Lockheed does not believe that the attackers managed to steal sensitive information, however.

After the attack on Lockheed Martin linked in part to SecurID, RSA offered existing customers a free swap to new RSA SecurID tokens. Gartner analyst John Pescatore said his firm is advising clients to definitely take the swap-out if they use SecurID for authentication of any external, Web-facing purpose, though it's viewed as less imperative for internal use. Alternatively, they can move to a new token vendor, he said.

As for preventative measures, David Walter, senior director of products at RSA, said there's a need for companies to "get serious about user training" of employees to resist attack methods such as social engineering. RSA has divulged that the APT strike on it started with someone opening a malware-filled attachment.

However, Amit Yoran, senior vice president at RSA and formerly CEO of NetWitness, the threat-monitoring product vendor recently acquired by RSA, expressed a more pessimistic view about whether people can be taught defensive practices at all.

"People are pretty much useless or worse," he said, "working against you all the time. There's probably not an executive on the planet that wouldn't get spear-phished by a well-crafted attack." He added you could probably say the same thing about security staffs.

But the discussion about APT needs to go on in the enterprise, all on the panel agreed.

RSA this month created the new position of chief security officer. Eddie Schwartz, the newly named RSA CSO (formerly CSO at NetWitness), said yesterday that this was done in part because RSA's corporate security had been handled primarily by parent company EMC, and in the aftermath of the breach it was felt better to have certain responsibilities sit directly at the RSA division level.

While Schwartz said he couldn't discuss the specifics about the breach that hit RSA, he said, "Any organization that has valuable information is under constant attack from nation-states and cybercriminals. You've got to believe you're constantly under attack." He said RSA does intend to offer "additional revelations" in the future about the breach.
