Nine Years After: From Aurora to Zero Trust
2019-02-20
How the first documented nation-state cyberattack is changing security today.
It's January 12, 2010. In a blog post, Google publicly discloses that it has been the victims of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn't stop with Google — they targeted at least 20 different organizations across the globe, in an attack that would later become known as Operation Aurora.
Operation Aurora was a shock for many organizations because it made everyone face a new kind of threat, one that previously was only whispered about around the watercooler. A government-backed adversary, with near-unlimited resources and time, had struck the world's largest Internet company — and almost got away with it.
No one wanted to be the first to call Operation Aurora a nation-state attack. The possibility was certainly there, but the fear was that by rushing to attribution and getting it wrong could mean the first person to speak would be viewed as Chicken Little for the rest of his or her career.
Later, leaked diplomatic cables would show this attack was "part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government." With confirmation from several sources all reaching the same conclusion — that Aurora was in fact government sanctioned and sponsored — our beliefs about what constituted reasonable choices for the state of security within the enterprise would never be the same.
Here at Akamai, one of the companies targeted by Aurora, the attacks became a primary driver for change.
Target: Domain Admins Akamai was affected by the Aurora attacks because a domain administrator account was compromised. From there, the attackers were able to enter any system they wanted, including the system they targeted. Fortunately, while systems were compromised, the specific data the attackers were seeking didn't exist. So, in a way, Akamai was lucky. Still, there was an incident, and the underlying hazards needed to be addressed.
All across the industry, we talk about trust, but the systems and processes used to establish trust have been broken or abused time and time again. Our journey for addressing this trust challenge began by examining how Akamai managed systems administration.
We started by replacing accounts that could log in to anything with narrow, tailored accounts that were not the principal account for the user. Doing this created a situation where a single error couldn't lead to the fall of the company, but rather a situation where a series of errors and failures would be required before that can happen.
When people think of blocking and tackling of security, getting domain administration right and implementing the right tools and policies are where you start. But — while not minimizing this task and sweeping change — this was only the beginning. Over the next several years, we migrated further and further away from passwords to point authentication. This was essentially an in-house SSO, but even that was altered to focus on X509 certificates and, later still, push-based authentication.
Lessons Learned It's been a nine-year journey. Nine years since Aurora, and we're still not done changing. We went from a place to where, if you were on the network, you had access to everything to now, when you're not even on the network. Today, services and applications are only available to those who need access to them. It's no longer about trusting where you are; it's about trusting that you're you. So when you're compromised, the adversary can access only the tools and services available to you, and nothing else.
Over the last decade, a new concept has started to take hold in the security industry. We call it a number of things — zero trust, BeyondCorp, nano-segmentation, micro-segmentation — but the goal of this idea is to move away from location-based trust on the network. We followed a parallel path, breaking new ground along the way.
We got it right in a lot of places, but there were plenty of lessons to learn. Don't be afraid to realize that you've chased down the wrong path. 802.1x for our corporate network, in the grand scheme of things, was the wrong path. We learned a lot by doing it, and if we hadn't done that, we'd be in a worse place today. But we're going to basically throw out all of that hard work in the next few years as we move to an ISP-like model for our physical buildings, and that's OK.
Change is a constant in the security industry, and being willing to change as needed is one of the key growth factors in any business — large or small. It's taken nine years to figure out what we wanted and to get to where we are. And we've taken this journey so that others can do it more seamlessly going forward.
This post was originally published at Dark Reading.
It's January 12, 2010. In a blog post, Google publicly discloses that it has been the victims of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn't stop with Google — they targeted at least 20 different organizations across the globe, in an attack that would later become known as Operation Aurora.
Operation Aurora was a shock for many organizations because it made everyone face a new kind of threat, one that previously was only whispered about around the watercooler. A government-backed adversary, with near-unlimited resources and time, had struck the world's largest Internet company — and almost got away with it.
No one wanted to be the first to call Operation Aurora a nation-state attack. The possibility was certainly there, but the fear was that by rushing to attribution and getting it wrong could mean the first person to speak would be viewed as Chicken Little for the rest of his or her career.
Later, leaked diplomatic cables would show this attack was "part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government." With confirmation from several sources all reaching the same conclusion — that Aurora was in fact government sanctioned and sponsored — our beliefs about what constituted reasonable choices for the state of security within the enterprise would never be the same.
Here at Akamai, one of the companies targeted by Aurora, the attacks became a primary driver for change.
Target: Domain Admins Akamai was affected by the Aurora attacks because a domain administrator account was compromised. From there, the attackers were able to enter any system they wanted, including the system they targeted. Fortunately, while systems were compromised, the specific data the attackers were seeking didn't exist. So, in a way, Akamai was lucky. Still, there was an incident, and the underlying hazards needed to be addressed.
All across the industry, we talk about trust, but the systems and processes used to establish trust have been broken or abused time and time again. Our journey for addressing this trust challenge began by examining how Akamai managed systems administration.
We started by replacing accounts that could log in to anything with narrow, tailored accounts that were not the principal account for the user. Doing this created a situation where a single error couldn't lead to the fall of the company, but rather a situation where a series of errors and failures would be required before that can happen.
When people think of blocking and tackling of security, getting domain administration right and implementing the right tools and policies are where you start. But — while not minimizing this task and sweeping change — this was only the beginning. Over the next several years, we migrated further and further away from passwords to point authentication. This was essentially an in-house SSO, but even that was altered to focus on X509 certificates and, later still, push-based authentication.
Lessons Learned It's been a nine-year journey. Nine years since Aurora, and we're still not done changing. We went from a place to where, if you were on the network, you had access to everything to now, when you're not even on the network. Today, services and applications are only available to those who need access to them. It's no longer about trusting where you are; it's about trusting that you're you. So when you're compromised, the adversary can access only the tools and services available to you, and nothing else.
Over the last decade, a new concept has started to take hold in the security industry. We call it a number of things — zero trust, BeyondCorp, nano-segmentation, micro-segmentation — but the goal of this idea is to move away from location-based trust on the network. We followed a parallel path, breaking new ground along the way.
We got it right in a lot of places, but there were plenty of lessons to learn. Don't be afraid to realize that you've chased down the wrong path. 802.1x for our corporate network, in the grand scheme of things, was the wrong path. We learned a lot by doing it, and if we hadn't done that, we'd be in a worse place today. But we're going to basically throw out all of that hard work in the next few years as we move to an ISP-like model for our physical buildings, and that's OK.
Change is a constant in the security industry, and being willing to change as needed is one of the key growth factors in any business — large or small. It's taken nine years to figure out what we wanted and to get to where we are. And we've taken this journey so that others can do it more seamlessly going forward.
This post was originally published at Dark Reading.