Could Identity Management + DLP Have Prevented Stuxnet?
Posted by Ash Motiwala on Thu, Oct 28, 2010
This past summer was filled with news stories about the Stuxnet malware, a newly detected cyber worm with 'search and destroy' capabilities aimed at destroying real-world physical targets. Stuxnet is the stuff cyber-nightmares are made of. Here's a little blurb from Wikipedia regarding Stuxnet that might keep you up at night:
Russian digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world." Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60 percent of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyberwarfare.
So the question I've been noodling for the past few weeks is: Could this have been prevented? Specifically, could an IAM system have been helpful here?
Disclaimer: This short article is simply musings and brainstorming regarding the subject, and does not pretend to present a solution to this very large, very complex problem.
Could Identity Management alone have helped?
In short, probably not much. According to Symantec's Stuxnet Dossier (51 action-packed pages of info on Stuxnet), Stuxnet enters the infrastructure through an infected USB stick and replicates through the environment by exploiting Microsoft vulnerabilities (the Stuxnet code actually has an installation segment that exits if it's not a Windows machine!) and by infecting other USB sticks that move from computer to computer. Once in, it utilizes one of two escalation-of-privilege attacks to get Admin rights. The rest is history.
Could Identity Management + Data Loss Prevention (DLP) have helped?
Now here is where things get interesting. We've been writing recently about how a more holistic approach to security is emerging, and one of the ways it manifests is by having different security systems collaborate and converge. Alone, each platform does its job well. Together, they make music. For example, IAM systems collaborate with SIEM systems to deliver "Identity Activity Monitoring", an emerging and effective control to gain unprecedented visibility into what users are actually doing, and to be able to detect threats in near real-time. DLP is another approach that when combined with IAM delivers a powerful preventive control. Here's a little background about how it works.
DLP Background
A DLP system (whether network based or host based) can detect and prevent the loss of critical data from your infrastructure by actually looking into the contents of that data, as well as looking at the transaction in context (where the data is going, who's sending it, data objects/file formats, etc.). Mix that with an IAM solution, and now identity data can drive policies regarding how the DLP system works, based on the person's role within the organization. Furthermore, suspicious activity can result in the DLP solution telling the IAM solution to suspend the user's access. Here's a simple use case to make it real:
A contractor finds some interesting Corporate IP on one of your servers in a folder labeled "Trade Secrets" (real discreet, eh?). Understanding its sensitivity, this contractor decides to copy the valuable data onto his USB storage device and plugs it into the system. The DLP system recognizes that this user is a Contractor, and can either send the user a warning message or prevent the USB device from mounting altogether. Assuming only a warning was passed, the user may then attempt to copy the folder to the USB key, at which point the DLP can once again warn or prevent. Finally, the user decides to email it out, or FTP it out... each time, the DLP system can prevent the activity, and potentially suspend the user's access immediately. Each attempt by the user is recorded in the DLP system, along with the actual files that the user attempted to transfer. Talk about visibility!
So the question still remains, would this converged solution have helped against Stuxnet? One obvious scenario is that DLP + IAM could have prevented contractors from plugging in USB keys (it is speculated that Russian contractors from Bushehr may have been involved in the initial infection). Another scenario where it could have helped is if the DLP solution had a policy for tracking files transferred from USB drives onto the local machine for certain types or for all internal users. In this situation, a red flag could have been raised by the same files (Stuxnet transfers the same 6 files each time) repeatedly being transferred by many contractors to various machines.
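As an added illustration (not code from the original post, and not the code of any DLP or IAM product), the following Python sketch models the two scenarios just described: a role-aware USB policy with warn-or-block behaviour that escalates to the DLP engine telling IAM to suspend the account, and the cross-host correlation that raises a flag when the same set of files arrives from USB on many machines via many users. The user names, host names, file hashes, role table and the threshold of three violations are all constructed for the example.

```python
"""Toy DLP + IAM policy engine (added example; all names and hashes are constructed)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Role data would come from the IAM system; this table stands in for it.
IAM_ROLES = {"alice": "employee", "bob": "contractor",
             "carol": "contractor", "dave": "contractor"}

# Content hashes the DLP engine treats as sensitive (constructed placeholders).
SENSITIVE = frozenset({"sha256:constructed_trade_secrets"})

# The same six files every time, as the post notes for Stuxnet (placeholders).
PAYLOAD = frozenset(f"sha256:constructed_payload_{i}" for i in range(6))


@dataclass
class Event:
    user: str
    host: str
    action: str                            # usb_mount, copy_to_usb, copy_from_usb, email, ftp
    file_hashes: frozenset = frozenset()   # content hashes of the files involved


@dataclass
class Engine:
    roles: dict
    usb_mode: str = "warn"                 # "warn" or "block" for contractor USB mounts
    suspend_after: int = 3                 # violations before DLP asks IAM to suspend
    violations: dict = field(default_factory=lambda: defaultdict(int))
    suspended: set = field(default_factory=set)
    usb_imports: dict = field(default_factory=lambda: defaultdict(set))  # hashes -> {(user, host)}
    log: list = field(default_factory=list)

    def decide(self, ev: Event) -> str:
        """Apply policy to one event and record the verdict."""
        verdict = "blocked (suspended)" if ev.user in self.suspended else self._policy(ev)
        self.log.append((ev.user, ev.host, ev.action, verdict))
        return verdict

    def _policy(self, ev: Event) -> str:
        role = self.roles.get(ev.user, "unknown")
        if ev.action == "usb_mount":
            # Policy 1: identity drives the USB decision; contractors are warned or blocked.
            if role == "contractor":
                return self._violation(ev, "warned" if self.usb_mode == "warn" else "blocked")
            return "allowed"
        if ev.action in ("copy_to_usb", "email", "ftp"):
            # Policy 2: content inspection; outbound transfer of sensitive files is blocked.
            return self._violation(ev, "blocked") if ev.file_hashes & SENSITIVE else "allowed"
        if ev.action == "copy_from_usb":
            # Policy 3: record inbound USB imports for cross-host correlation.
            self.usb_imports[ev.file_hashes].add((ev.user, ev.host))
            return "allowed"
        return "allowed"

    def _violation(self, ev: Event, verdict: str) -> str:
        self.violations[ev.user] += 1
        if self.violations[ev.user] >= self.suspend_after:
            self.suspended.add(ev.user)    # DLP tells IAM to suspend the account
            return verdict + "; user suspended"
        return verdict

    def repeated_import_alerts(self, min_users: int = 2, min_hosts: int = 2) -> list:
        """Flag any file set imported from USB by several users onto several hosts."""
        alerts = []
        for hashes, pairs in self.usb_imports.items():
            users = {u for u, _ in pairs}
            hosts = {h for _, h in pairs}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                alerts.append((sorted(hashes), sorted(users), sorted(hosts)))
        return alerts


def run_exfil_scenario() -> list:
    """The contractor use case: mount, copy to USB, email, then FTP."""
    eng = Engine(IAM_ROLES, usb_mode="warn")
    steps = [Event("bob", "fs-01", "usb_mount"),
             Event("bob", "fs-01", "copy_to_usb", SENSITIVE),
             Event("bob", "fs-01", "email", SENSITIVE),
             Event("bob", "fs-01", "ftp", SENSITIVE)]
    return [eng.decide(e) for e in steps]


def run_usb_import_scenario() -> list:
    """Three contractors import the same six files onto three hosts; one employee imports something else."""
    eng = Engine(IAM_ROLES, usb_mode="warn")
    for user, host in [("bob", "eng-01"), ("carol", "eng-02"), ("dave", "eng-03")]:
        eng.decide(Event(user, host, "usb_mount"))
        eng.decide(Event(user, host, "copy_from_usb", PAYLOAD))
    eng.decide(Event("alice", "hr-01", "usb_mount"))
    eng.decide(Event("alice", "hr-01", "copy_from_usb", frozenset({"sha256:constructed_budget"})))
    return eng.repeated_import_alerts()


if __name__ == "__main__":
    print(run_exfil_scenario())
    print(run_usb_import_scenario())
```

In warn mode the first scenario yields warned, blocked, blocked with suspension, and a final block because the account is already suspended; the second scenario returns a single alert naming the three contractors and three hosts, while the lone employee import raises nothing. Switching `usb_mode` to `"block"` is the variant in which the contractor's USB device never mounts at all.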
Either way, we see tremendous potential in the ongoing trend towards a more holistic security model, where organizations will get more out of their IAM solution by integrating it with other security platforms. We predict that these converged approaches will become mainstream as the nature of the threats and attacks continues to evolve and become more sophisticated. In a way, the evolution of this trend will once again prove that 1 + 1 > 2.