Could NAC Have Stopped Operation Aurora Attacks On Google?

In January 2010, Google disclosed that sophisticated cyber attacks on its computer systems had resulted in the theft of Google intellectual property. According to sources such as NetworkWorld, the attack, referred to as “Operation Aurora”, originated in China and was directed at some 100 companies or entities.

The attackers entered via Instant Messenger (IM) and leveraged a vulnerability in Internet Explorer to upload a malicious payload. The malware was then used to try to steal intellectual property and gain access to customer data.

It may seem, at first, that corporations looking to protect themselves from an attack of this type have limited options. Experts such as Gartner, as well as some vendors, have gone as far as to recommend disruptive measures such as uninstalling Internet Explorer company-wide or the use of application white listing. While these approaches may solve the problem, they come at a great cost. Application white listing in particular is disruptive to business productivity.

Could an integrated security appliance which includes network access control (NAC), network threat protection and endpoint security enforcement stop such an attack? It is quite possible.

In a New York Times article, “Cyberattack on Google Said to Hit Password System,” John Markoff explains how the Google attack started with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program. By clicking on a link, the employee unintentionally provided access to his personal computer and then to Google’s network.

Some NAC products available today allow a corporation to gain control of its endpoints and enforce security policies – and can prevent the use of IM and Peer-to-Peer applications. If Google had a corporate policy against external instant messaging – and a way to enforce it — perhaps the threat would have never penetrated their network.

If the attack did not enter via IM but came in another way, could NAC have stopped it? As many have pointed out, in persistent threats such as Operation Aurora, the sole purpose is to get around firewalls, antivirus software, intrusion detection systems and other controls.

Before this can happen, an attack such as this must gather information about potential vulnerability and configuration information through scanning and probing the network. Some NAC products are designed to detect attackers’ reconnaissance and respond to them with counterfeit information. If an intruder attempts to use this information to attack the network, he has proven his malicious intent and can be blocked before the network is compromised.

The details surrounding the attack and theft of the software from Google have been a closely guarded secret by the company. It is difficult to tell if a solution like NAC could have protected the network without more specifics on the attack. We do know, however, that sophisticated threats such as this are becoming more common.

Traditional network security solutions, which are designed to protect against external attack, have become insufficient. Integrated security appliances which include network access control (NAC), network threat protection and endpoint security enforcement offer a number of ways to protect an organisation’s internal network without disrupting business productivity.

Jack Marsal, Director of Marketing at ForeScout, has 20 years of marketing experience in IT security and enterprise infrastructure. Prior to joining ForeScout in 2009, he was Director of Marketing for McAfee where he introduced a new marketing strategy to broaden the portfolio of security products, helping to generate over $300 million in annual revenue. Previously, Jack held senior marketing positions at Trend Micro, Lotus Development, and CenterBeam. Jack holds an MBA from Freeman School of Business and a Bachelor degree in Engineering from Tulane University.