We’re still waiting for details on how the hack against the health care company Anthem occurred.
But there’s a classic approach behind many of the cyberattacks that make the news: An employee in the company gets an email with an attachment … opens it … malicious software in the message injects itself into the corporate network … and bam! The hackers are in — and can remotely control your servers, exfiltrate documents and more.
Across the cybersecurity industry, startups are trying to figure out how to solve this problem — and they’re developing some very different approaches.
Here, we take three companies working on the issue in different ways. To help dramatize those differences, it might be helpful to compare each to a movie or show you may have seen on TV.
Take 1: Virtual Machines
First, the company Bromium.
“It’s become obviously too easy for the hackers,” says Rahul Kashyap, its chief security architect. “All it takes is one user in a large organization making one single mistake, and they’re in.”
Malware is like an infection. To stop it from spreading, Bromium contains it. The company builds something called a “virtual machine” at the micro level — that is, around anything and everything you might open — an email, a new tab on your Web browser, a Word document, a PDF.
Essentially, Kashyap says, “we assume that the attackers are going to attack you no matter what you do.”
The virtual machine is a protective layer — like putting thick latex gloves on doctors and nurses. “And once you’re done,” Kashyap says, “we throw them away. So that in case you got infected, you don’t have to worry about it. It’s automatically discarded.”
Right now, Kashyap says, some of the most popular software on earth doesn’t bother to contain or contains poorly. For example, Internet Explorer, he says, is “barely a glove. I don’t know — you have those gloves where your fingers are coming out. Those cycling gloves.”
Bromium’s digital hygiene approach reminds me of the hospital drama ER — like the episode when a staph infection runs rampant through the ward, knocking out patients and staff. The culprit, it turns out, was a janitor who didn’t wash his hands.
Take 2: Honeypots
But contain as you may, says Doron Kolton, founder of TopSpin Security, the good hackers will always break in. So when they do, you’ve got to trick them.
“We are setting, embedding, [a] decoy system inside the organization, and the decoy system [is] luring the attackers and the malware to get into those systems,” he says.
Kolton takes advantage of the fact that once hackers are in a network, they don’t know where to go. It’s a maze. So you can leave some fake keys around, some breadcrumbs. Lure them into fake rooms with fake data — and observe.
“I am seeing whether he wants to steal my watch, or he’s looking in the drawers for money or anything else. I am looking over his shoulder,” Kolton explains.
When you do that, you not only pinpoint where the hackers are. You also learn how they behave — their strategy — and toy with it. That sounds just like Home Alone, that old 1990 comedy with the boy hero who creates havoc for the robbers who try, and fail, to get into his house.
Take 3: Intelligence
But decoys are a response after someone has already struck. To block an attack — even predict one — you need to study who might be after you.
“You’re going out there, looking for bears, looking for pandas, who are Chinese adversaries or Russian adversaries or whomever,” says Dmitri Alperovitch, co-founder of CrowdStrike. “You’re thinking like they’re thinking.”
CrowdStrike assumes there are a handful of organized hacker groups that can cause real damage to a Fortune 500 company, that they’re backed by nation-states and that they’re persistent.
“They don’t say, ‘Oh, we’re done, we’re going to pack up and go home.’ They say, ‘We got kicked out, but we have a mission to do.’ ”
The way they accomplish that mission, Alperovitch says, will vary group to group. Take Hurricane Panda, a ring allegedly based in China. Unlike other hackers, Panda doesn’t cripple a system by throwing a bunch of malware at it. Its hackers get in quick and act like insiders.
“After that, they’re moving around, using traditional administrative tools that a true administrator would also use, making them very difficult to detect,” Alperovitch says.
CrowdStrike says it’s building stockpiles of intelligence, kind of like a superspy. Think Jason Bourne of the Bourne movie franchise, who really gets inside his enemy’s head.
This year, spending on cybersecurity will hit nearly $77 billion, according to a study by the research firm Gartner. Silicon Valley investors, much like Hollywood producers, are trying to pick the winning story line. It’s unclear if it’ll be about stopping an epidemic, catching robbers, high-end espionage — or something else.