
Stopping threats like Operation Shady RAT

Earlier this week, McAfee (s mfe) published information about a new cyber security threat it dubbed Operation Shady RAT. Operation Shady RAT, and others like it that have emerged over the past months, represent a new kind of cyber crime called advanced persistent threats. These threats are a step up in computer crime: they are massive, they target specific high-value data and they lie dormant, undetected within computer systems, until remotely activated. The high-value data they target is not just credit cards and customer account data but often records pertaining to IP and trade secrets, in the form of email, legal contracts, design schematics, operational plans and images.

In the specific case of Shady RAT, spear phishing emails were sent to the target containing links to a web page that, when clicked, automatically loaded a malicious remote access tool (RAT) onto the computer, giving the attackers access to the network and its high-value information.

The new security threats

In the “old” days, it was fairly straightforward to imagine boundaries around your business data. Today, it’s fair to say, with the rapid adoption of cloud and mobile computing and the overall consumerization of IT, traditional boundaries have become fluid and, in most cases, nonexistent. In today’s world, hackers have figured out how to target the data when it is most exposed, whether it’s on a corporate server, an iPhone or in the cloud.

In this new IT world without boundaries, the traditional “layered” approach to enterprise data security becomes ineffective. Instead of assuming that data perimeter protection (protecting the networks and data “containers”) will keep data safe, we need to assume the bad guys are smart enough to not care about the containers and to instead attack the data. As the continued severity of data breaches shows, bad guys are interested in the data itself, wherever it might be, and whenever they decide the time is right to strike.

What do we do in this new world? How do we protect data so that it is locked down and unusable by the bad guys while it is still accessible to those who need to use it for business purposes? While we can’t ignore the old approaches and steps for data protection, such as protecting IT infrastructure and putting in place effective monitoring approaches, we need a new step. Encryption, and not the traditional public key encryption, is the only way to keep sensitive data protected while at the same time keeping it usable.

Secure the data, not the perimeter

Protecting private and sensitive data in a cloud/mobile world is difficult, expensive and increasingly mandatory to comply with federal and state regulations as well as to protect brand and business reputations. Thus, we need to think about data protection from a data-centric point of view, where the data itself is protected. When you start thinking about how to protect your data in a world without boundaries, think about these four things:

  • Monitoring matters. Monitoring is an essential component of your overall security; network monitoring and database monitoring solutions help identify the kinds of attacks that are all around, such as script kiddies. They are also very useful for identifying internal threats such as unauthorized access to the database. These approaches give you a lot of information about what has happened, but they don’t actually stop an attacker from getting high-value data.
  • Keep data safe when it’s on the move. Of course, not all encryption is created equal. Many encryption solutions are like bank vaults — they protect the money, but as soon as the money is moved, or thieves break in and steal the money, the money is out in the open and can be used. So now, many banks use dye protection packs, which make the cash useless if it is stolen: as soon as the cash is removed from the vault the dye packs explode, making it clear the cash has been stolen. A data-centric encryption approach renders stolen data useless to the attacker.
  • Protect your keys. Encryption and other types of protection mean there are keys or tables involved that can give you access to the original data. These must be protected too. The best security solutions have keys that are never stored, so they can’t be stolen. The keys are computed only as needed. The recent RSA SecurID breach illustrates that hackers are getting more sophisticated and are going after keys.
  • Make yourself less of a target. The price for credit card data has dropped from $500 per “gold” card to less than $50, driving attackers to plan and execute more-sophisticated attacks designed to pull out more valuable data. This includes trade secrets, legal documents, more complete customer records that can be mined for high-net-worth individuals, etc. Hackers look for the highest reward, profits or publicity, with the lowest protections in place. If they hack you and all they get is encrypted data, they will move on.

We can win

We can beat the bad guys. We have the technology to stop these new advanced persistent threats. Data-centric protection focuses on encrypting the digital assets, emails, documents, database records, in a way that they remain encrypted wherever they go. If they are stolen, those assets cannot be used, credit cards will not validate, emails will show up garbled and documents will not reveal their contents.

Format Preserving Encryption (FPE/FFX), which is the encryption technology underlying data-centric encryption, is being standardized by NIST and is backed by several solution providers like Voltage, Verifone (s pay) and Ingenico. With Shady RAT, data-centric encryption would not have stopped the programs from taking the data, but it would have prevented the attackers from using it. Data-centric encryption turns gold into straw, making the data useless.
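To make concrete what “format preserving” means for the card numbers and records discussed above, here is an added illustration (not code from this post, from Voltage, or from the NIST FF1/FF3 modes): a simplified FFX-style Feistel network over decimal digits that turns a 16-digit card number into another 16-digit string, so it still fits existing database columns and applications, while a stolen copy maps to no real account. It assumes HMAC-SHA256 as the round function, ten rounds, and a constructed demo key and test card number; it is meant to show the mechanism, not to serve as a vetted cipher.

```python
import hashlib
import hmac

# Constructed demo key and sample PAN (4111... is a well-known test card
# number, not a real account). Real keys come from a key-management service.
DEMO_KEY = b"demo-key-not-for-production"
SAMPLE_PAN = "4111111111111111"


def _round_fn(key, round_no, tweak, half, width):
    """One Feistel round function: HMAC-SHA256 reduced to an integer of `width` digits."""
    msg = bytes([round_no]) + tweak + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt(digits, key=DEMO_KEY, tweak=b"", rounds=10):
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal digit string of at least 2 digits")
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        if i % 2 == 0:  # even rounds modify the left half using the right half
            a = str((int(a) + _round_fn(key, i, tweak, b, u)) % 10 ** u).zfill(u)
        else:           # odd rounds modify the right half using the left half
            b = str((int(b) + _round_fn(key, i, tweak, a, n - u)) % 10 ** (n - u)).zfill(n - u)
    return a + b


def fpe_decrypt(digits, key=DEMO_KEY, tweak=b"", rounds=10):
    """Invert fpe_encrypt by running the rounds backwards with subtraction."""
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        if i % 2 == 0:
            a = str((int(a) - _round_fn(key, i, tweak, b, u)) % 10 ** u).zfill(u)
        else:
            b = str((int(b) - _round_fn(key, i, tweak, a, n - u)) % 10 ** (n - u)).zfill(n - u)
    return a + b


def luhn_valid(digits):
    """Luhn checksum used by card numbers; an encrypted PAN usually fails it."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    ct = fpe_encrypt(SAMPLE_PAN, tweak=b"customer-42")
    print(SAMPLE_PAN, "->", ct, "| 16 digits:", ct.isdigit() and len(ct) == 16,
          "| Luhn valid:", luhn_valid(ct),
          "| round trip:", fpe_decrypt(ct, tweak=b"customer-42") == SAMPLE_PAN)
```

The tweak binds the ciphertext to context (here a customer record), so the same card number stored in two records encrypts differently, and decryption anywhere still requires the key, which is why the stolen copy is worthless.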

Matt Pauker is the co-founder of Voltage Security.

4 Responses to “Stopping threats like Operation Shady RAT”

  1. Hi Matt, great article – timely at that! Been a while since we last caught up. There are some great points here you mention – thanks from our community. As information is traveling in and out of the network more often, securing data at the file-level has become crucial to protecting assets. Along with encryption, knowing where your files are traveling and who is accessing them can become a big help in preventing sensitive information from falling into the wrong hands. This allows for immediate action should a file be accessed by an unauthorized or malicious user and addresses the new threats mentioned in your piece. Question remains, what if the “bad guy” turns out to be a good guy that has legitimate access to that encrypted file, then takes a snapshot of the secret file and posts it to WikiLeaks or PasteBin via The answer to that would be to track the actual information no matter where it goes. Give me a call – we can chat on how we solve that in an automated, transparent way! Keep up the great work at Voltage, and together we the ISV community will make the Internet a much safer and secure environment to confidently conduct business.

  2. The war on hackers and the front lines of cyber security is like the war on drugs; you really can’t look at it in a win/lose sense. It’s a constant arms race in which the ones who put the most time into research and creativity will be rewarded. Unfortunately, when the attacker is 16 and lives with his/her parents, they have all the time in the world to try and poke into your systems.

    Look at Comex. Young guy, a ton of time, and he hacked the iPhone. 3+ times. And released it to the public. The really crazy part is he wasn’t doing it for gain, he was just having fun.

  3. Not that encryption will solve everything (or even most things) but why isn’t it the base-line? Why does HTTP even exist anymore? We have the bandwidth, let’s ditch the open channel and force them to work that much harder for the data.