Raytheon's cyber chief describes 'Come to Jesus' moment

A rash of attacks following missile sales to Taiwan prompted a major cybersecurity review

After Raytheon began selling missiles to Taiwan in 2006, the defense company's computer network came under a torrent of cyberattacks.

"We truly had the 'come to Jesus moment' five years ago because we decided ... to sell missiles to Taiwan," said Vincent Blake, head of cyber security at Raytheon U.K., during a panel session at the RSA security conference in London on Wednesday.

"For some reason, a country next door to Taiwan didn't really like that so they got very interested in our IPR [intellectual property rights]," he said. "We've had to very, very rapidly catch up with our own internal networks."

Blake described a "huge leap in attacks" that prompted the company to make cybersecurity one of its top five priorities, and eye security companies for acquisition. Since that time, Raytheon has continued to be an attractive target for hackers, given its breadth of defense technologies that supply militaries around the world.

Now, the company sees an incredible 1.2 billion -- that's billion -- attacks on its network per day, Blake said. About 4 million spam messages target Raytheon's users, and the company sees some 30,000 samples per day of so-called Advanced Persistent Threats, or stealthy malware that seeks to stay long-term on infected computers and slowly withdraw sensitive information.

"We are the most targeted industry in the world," Blake said.

So how does Raytheon defend itself?

Raytheon uses sophisticated analysis engines that can sort through network alerts, Blake said. Some decisions are automated, while other alerts are assigned to a dedicated analyst for investigation.

Zero-day exploits, or attacks actively being used on the Internet against vulnerabilities that do not have a patch, are a big problem, said Blake, speaking to the IDG News Service after the panel. Last year, Raytheon detected 138 zero-day attacks against some 5,000 employees, he said.

The zero-day attacks were detected through RShield, a Raytheon product that examines e-mail attachments and embedded URLs. If an e-mail attachment comes through Raytheon's system, it is first scanned through commercial antivirus software and then through RShield, which scans the attachment in a hypervisor, Blake said.

The hypervisor is custom-built and not VMware, Blake said. Many hackers engineer their malware to not execute within VMware. The behavior of the attachment is observed, and if it does something suspicious, it is blocked. Blake said it's the only way these days to detect advanced malware.

"That's where the future is," Blake said. "If you haven't seen it [the malware] before, you're not going to find it."

Last week, Blake said Raytheon saw its first cloud-based attack on its network: 20 Raytheon employees received a targeted e-mail with a link to an application hosted with a cloud service provider. The style of attack -- a malicious email -- is a typical social engineering technique known as spear phishing that can give hackers an easy foothold in an organization. Unfortunately, two people clicked on the link, Blake said.

Blake said his team was able to detect the attack once the affected Raytheon computers started "beaconing" to the cloud service provider, or trying to make a network connection.
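As an added illustration (not from the article or from Raytheon, and the article does not say how the beaconing was spotted), one common way to surface beaconing in proxy logs is to flag host/destination pairs whose connection intervals are nearly constant. The host names, log format and thresholds below are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not real data): connection times in epoch seconds,
# keyed by (internal host, external destination).
_SAMPLE = {
    ("ws-014", "app.cloud-host.example"): [1000, 1300, 1601, 1899, 2200, 2500],
    ("ws-022", "app.cloud-host.example"): [1050, 1352, 1650, 1951, 2249, 2551],
    ("ws-031", "news.example"): [1000, 1010, 1500, 1520, 2900, 2950],
    ("ws-031", "app.cloud-host.example"): [1200, 4000],
}
# Flattened into "timestamp source destination" lines, like a proxy log.
SAMPLE_LOG = "\n".join(
    f"{t} {src} {dst}" for (src, dst), ts in _SAMPLE.items() for t in ts
)

def find_beacons(log_text, min_events=5, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose gaps between
    connections are nearly constant (stdev / mean <= max_jitter)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            times[(parts[1], parts[2])].append(float(parts[0]))
        except ValueError:
            continue  # skip lines with a non-numeric timestamp
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Human browsing is bursty; implant check-ins tend to be evenly spaced.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{interval}s")
```

Malware that randomizes its check-in interval will exceed a tight jitter threshold, so this check is normally combined with other signals such as destination rarity.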

Raytheon only lets an attacker sit on its network for two hours or less, a response time that Blake said the company hopes to cut down to 10 minutes.

"You will be attacked," Blake said. "You will be exploited. It's not a matter of whether something will get in your system, but more how long you will continue to have them in your system."

Blake said Raytheon mounted a "companywide response" when RSA revealed in March that part of its SecurID system had been compromised. Passwords were changed. Raytheon still uses SecurID but has since added other layers of security in its authentication systems.

Due to the breach, "we had to significantly change our attitude to not being so reliant on RSA," he said.

Send news tips and comments to jeremy_kirk@idg.com
