Obviously there has been a lot of discussion in the news, on blog posts, even tweets, on the issue of the Aurora attacks and what they mean. This is certainly not a new threat. Evidence of this threat can be seen back to at least 2008 if not earlier (if you consider Titan Rain or other operations), but until now no one wanted to talk about it publicly. But in the background work has been in progress to discover techniques to stop the threat.

Enter the 20 Critical Controls…

In 2009 the Consensus Audit Guidelines / 20 Critical Controls were released to prioritize the information security controls that need to be implemented in order to combat known attacks (ie. think Aurora or APT). US federal government and commercial systems were being compromised by this threat and others and something had to change. But what was the tipping point? Why were these controls introduced in 2009? The tipping points were these advanced, directed attacks against US federal systems by foreign entities. That’s what tipped the scales and precipitated the release of these controls.

So let me say what a lot of us have been dancing around for the last two years – there are dedicated, focused, well-funded attackers who are successfully breaking into government and commercial network systems and the 20 Critical Controls were introduced to stop this threat. It’s real, many of us have seen it first hand, and it’s hard to get out of your systems. Call it APT, Aurora, whatever, the 20 Critical Controls were put in place to stop these hacks.

Sales pitch time – so why should you care about the 20 Critical Controls? Why should you learn more? Because this is a real threat and it seems to be getting worse. The controls are meant to prioritize your resources and encourage you to automate an effective response. They’re more than just a list of good things to do, the purpose behind the controls is to change our way of thinking about how we protect our systems. One great place to start the education is here:


There have been a lot of good people commenting and posting information on the topic as well. If you aren’t following this information already, here are a couple other sources you might look into as you’re learning more about these attacks:

Mandiant M-Trends & Blog (http://blog.mandiant.com/)
Enclave Security Blogs (http://enclavesecurity.com/blogs/)
TaoSecurity Blogs (http://taosecurity.blogspot.com/)

But my biggest complaint however, and I’m sure I’ll rant more about this later, is that we are simply not sharing enough information as a community on this subject. We have to share more. We all have reasons why we’re not sharing the attack signatures we’ve seen – some reasons are commercial, some are because of fear of retribution, some are due to contractual restraints. I get it. But if we’re going to be successful at combating this threat, we have to share signatures and methodologies. But I’ll leave the rest of this rant for another day…

Some people are already sharing, here are two of the few postings I’ve found publicly on the subject. Take advantage of these when you find them, there aren’t many people sharing. Or if you are sharing signatures or indicators of compromise, drop me a note at james.tarala (a) enclavesecurity.com and I’d be happy to link to you as well. Here are a couple:

Mandiant Blogs (http://blog.mandiant.com/archives/730)
McAfee (http://www.mcafee.com/us/local_content/reports/how_can_u_tell_v5.pdf) (Old Link Removed)

More to come…