By Geoff Fein
While many of the cyber defense systems available today look to block intrusions from getting into networks, Raytheon [RTN] is developing new technologies to keep hackers and others who manage to work around those defenses from leaving with valuable data.
“No matter how good your defenses are, one way or another, through social [networks] or e-mail attachments or whatever, there is going to be some way for something to get into your system,” Steven Hawkins, vice president of information security solutions, told Defense Daily recently.
“The real question is, when it gets in there does it find a place to bury itself and cause harm without being detected? And for how long can it stay in your network to do that?” he said.
Raytheon has been using these new efforts to battle Advanced Persistent Threat on its own internal networks, Hawkins noted.
When company officials first started looking at intrusions that made it into the company’s networks, they noticed the intruder would be in there for days, Hawkins said.
So one of the metrics the company began to monitor was the dwell time of an intruder in Raytheon’s network.
“There is not a lot of commercially available technology that will go out there and hunt around your network at data at rest or look for activities within your networks, assuming something has already gotten in,” Hawkins said. “That’s an area we have specialized in some technology that we have created to be able to do that.”
Hawkins acknowledges that commercially available technologies will keep improving. What Raytheon is trying to do with its own technology is close the gap between what is available commercially and the actual threat.
“What we do is monitor several things. We look at data at rest, for things that have gotten [into networks], and malware characteristics. And that’s after you have done all the defense techniques you know,” he said.
Raytheon has also worked to detect the command-and-control link of malware that is already inside a network, Hawkins explained.
“It doesn’t do any good to get [into the network] if someone isn’t trying to control [the malware] in some way to get data out or intellectual property out,” he said. “By seeing the command and control link you can eradicate it out of your system. What we always do is block the outbound channel.”
If an intruder is trying to get into a company’s network to access and remove data, Hawkins said, don’t spend all your effort disrupting and protecting [the network] against what is coming in. “Look at what is going out of your network and what makes sense and have tools and techniques available to detect that…and basically block it going out so you are not losing anything.”
It might also be an easier method, Hawkins noted, because cyber attacks are not as sophisticated going out as they are coming in.
“We think we have been quite effective in doing that and disrupting the command and control channel,” he said.
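As an added example, not Raytheon’s technology or code, the following Python sketches the defender-side approach described above: scan egress-log lines for the near-periodic outbound connections typical of a command-and-control channel, measure the dwell time from the first beacon to the moment it was spotted, and emit an outbound-only block rule. The log format, hostnames, TEST-NET addresses and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-proxy log, format "<ISO ts> <src_host> <dst_ip> <bytes_out>" (TEST-NET IPs):
SAMPLE_LOG = """\
2024-03-04T08:00:00 ws-17 203.0.113.9 512
2024-03-04T08:01:12 ws-17 198.51.100.20 40210
2024-03-04T08:10:02 ws-17 203.0.113.9 498
2024-03-04T08:20:01 ws-17 203.0.113.9 530
2024-03-04T08:27:45 ws-17 198.51.100.20 1201
2024-03-04T08:30:03 ws-17 203.0.113.9 501
2024-03-04T08:40:00 ws-17 203.0.113.9 515
2024-03-04T08:41:30 ws-22 192.0.2.5 300
"""

def parse_egress_log(text):
    """Return (timestamp, host, dst_ip) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records

def find_beacons(records, min_events=4, max_jitter=0.1):
    """Flag (host, dst) pairs whose connection gaps are near-constant.
    Jitter = stdev/mean of the gaps; interactive user traffic is bursty and scores high."""
    times = defaultdict(list)
    for ts, host, dst in records:
        times[(host, dst)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            beacons[key] = {"first_seen": stamps[0], "period_s": round(mean(gaps)), "jitter": jitter}
    return beacons

def dwell_time_hours(first_seen, detected_at):
    """Dwell time: how long the channel was live before the defender caught it."""
    return (detected_at - first_seen).total_seconds() / 3600

def egress_block_rules(beacons):
    """Outbound-only block, as the article describes: cut the channel, leave ingress rules alone."""
    return sorted({f"iptables -A OUTPUT -d {dst} -j DROP" for (_, dst) in beacons})
```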
While Raytheon’s information technology (IT) group has been implementing these techniques across the company and consulting with a lot of other people on this effort, Hawkins would also like to make a proposal to the government.
If Raytheon can perform that kind of detection and identify which Internet Protocol (IP) addresses are a problem, and if the company were to provide that data to the Department of Homeland Security, for example, which could in turn pass it to network router companies, it might be possible to block those particular IP addresses for everybody, Hawkins said.
“It might be a very efficient way for protecting medium- and small-sized businesses that can’t afford to have all the protection technologies a company our size can have,” he added. “We’d like to [take] the next step so that those [technologies] are available to others, so they know that is a bad [IP] address and they should block it too.”