In September 2011, around 20 employees at builders merchant Travis Perkins began receiving emails obstensibly from an Australian T-shirt company, asking them to click on a link to see their latest order.
Despite the fact that the company does not do business with any Australian T-shirt company, and that the text of the email referred to prices in dollars, not pounds, some of the employees clicked on the link.
Fortunately, Travis Perkins’s web filtering system, from Websense, identified the URL as a known source of malware, and blocked the site from the employees’ browsers.
Curious as to the nature of the threat, the company’s information security specialist Simon Gray followed the link on an isolated machine and, unsurprisingly, a virus was downloaded.
Interesting Links
He found that the virus attempted to connect to a remote server, apparently located in China. Most worryingly, he found that the virus was not detected by Travis Perkins’ anti-virus software. This meant that had Websense not known about the malicious URL in advance, Travis Perkins’ network would now have been comprimised.
"Had it been run in our environment, it could have potentially taken over part of our network," Gray says.
Given that the emails were sent to 20 employees of the company, Gray believes that the attack was specifically targeted at Travis Perkins. "We suspect that either we were being used as a guinea pig for testing out some new technology, or perhaps they were trying to find out more about our organisation," he explains. "We do have a sourcing site in China, so it could be that someone was trying to find out where we source materials, or financial or customer information."
This, and the fact that Travis Perkins’ anti-virus defences would have failed to pick up the attack, prompted Gray to take action.
He persuaded the board of directors that investment was required, on the grounds that a data breach in which customer records were stolen could be hugely damaging. "If we did suffer an attack like that, the amount of money we’d lose off our share price overnight would be millions and millions of pounds."
Gray already knew of FireEye, a US-based company whose technology is designed to address ‘advanced persistent threats’, as targeted attacks of this kind are known. It works by creating a virtual machine behind the firewall, in which all URLs are automatically followed and attachments opened, and the results analysed for signs of attack.
He invited the company to run a proof of concept, which showed that the September attack was not an isolated issue. "During the proof of concept, we found some other things that our other security systems weren’t picking up," Gray said. "One piece of malware had come through on to an endpoint and was trying to ‘phone home’, and only FireEye picked it up."
Earlier this year, Gray installed FireEye appliances in each of its data centres to filter web traffic and analyse email messages. Even in that time, he says, there has been a marked increase in the number of seemingly targeted attacks on the company.
Interesting Links
"We’ve seen an increase in things like the zeus botnet," he explains. "A lot of them are based on malicious URLs, so FireEye is stopping them before they get into our environment."
Now Gray is looking to extend the scope of the FireEye deployment beyond web and email security. "We have a lot of partners, and if they send us a file over FTP, I want to be able to put it into quarantine, where its subjected to anti-virus and FireEye, and then if it is malicious, it’s not let through."
"My goal is to cover any way information is coming in and out of the organisation," Gray says.
He is of the view that while traditional security software vendors are "doing a great job", the model of issuing anti-virus signatures for threats as they arise is failing to keep pace with the evolution of malware.
"Some of the AV vendors claim to be seeing tens of thousands of [malware] samples every day," he says. "I don’t think they can keep up with that.
"For every person trying to protect you, there are five or ten trying to break in."