Dmitri Alperovitch, co-founder of the cybersecurity startup CrowdStrike, says his company is building stockpiles of intelligence about potential hacking groups.

Dmitri Alperovitch, co-founder of the cybersecurity startup CrowdStrike, says his company is building stockpiles of intelligence about potential hacking groups.

Keith Bedford/Reuters/Landov

We're still waiting for details on how the hack against the health care company Anthem occurred.

But there's a classic approach behind many of the cyberattacks that make the news: An employee in the company gets an email with an attachment ... opens it ... malicious software in the message injects itself into the corporate network ... and bam! The hackers are in — and can remotely control your servers, exfiltrate documents and more.

Across the cybersecurity industry, startups are trying to figure out how to solve this problem — and they're developing some very different approaches.

Here, we take three companies working on the issue in different ways. To help dramatize those differences, it might be helpful to compare each to a movie or show you may have seen on TV.

Take 1: Virtual Machines

First, the company Bromium.

"It's become obviously too easy for the hackers," says Rahul Kashyap, its chief security architect. "All it takes is one user in a large organization making one single mistake, and they're in."

Malware is like an infection. To stop it from spreading, Bromium contains it. The company builds something called a "virtual machine" at the micro level — that is, around anything and everything you might open — an email, a new tab on your Web browser, a Word document, a PDF.

Essentially, Kashyap says, "we assume that the attackers are going to attack you no matter what you do."

The virtual machine is a protective layer — like putting thick latex gloves on doctors and nurses. "And once you're done," Kashyap says, "we throw them away. So that in case you got infected, you don't have to worry about it. It's automatically discarded."

Right now, Kashyap says, some of the most popular software on earth doesn't bother to contain or contains poorly. For example, Internet Explorer, he says, is "barely a glove. I don't know — you have those gloves where your fingers are coming out. Those cycling gloves."

Bromium's digital hygiene approach reminds me of the hospital drama ERlike the episode when a staph infection runs rampant through the ward, knocking out patients and staff. The culprit, it turns out, was a janitor who didn't wash his hands.

Take 2: Honeypots

But contain as you may, says Doron Kolton, founder of TopSpin Security, the good hackers will always break in. So when they do, you've got to trick them.

"We are setting, embedding, [a] decoy system inside the organization, and the decoy system [is] luring the attackers and the malware to get into those systems," he says.

Kolton takes advantage of the fact that once hackers are in a network, they don't know where to go. It's a maze. So you can leave some fake keys around, some breadcrumbs. Lure them into fake rooms with fake data — and observe.

"I am seeing whether he wants to steal my watch, or he's looking in the drawers for money or anything else. I am looking over his shoulder," Kolton explains.

When you do that, you not only pinpoint where the hackers are. You also learn how they behave — their strategy — and toy with it. That sounds just like Home Alone, that old 1990 comedy with the boy hero who creates havoc for the robbers who try, and fail, to get into his house.

Take 3: Intelligence

But decoys are a response after someone has already struck. To block an attack — even predict one — you need to study who might be after you.

"You're going out there, looking for bears, looking for pandas, who are Chinese adversaries or Russian adversaries or whomever," says Dmitri Alperovitch, co-founder of CrowdStrike. "You're thinking like they're thinking."

CrowdStrike assumes there are a handful of organized hacker groups that can cause real damage to a Fortune 500 company, that they're backed by nation-states and that they're persistent.

"They don't say, 'Oh, we're done, we're going to pack up and go home.' They say, 'We got kicked out, but we have a mission to do.' "

The way they accomplish that mission, Alperovitch says, will vary group to group. Take Hurricane Panda, a ring allegedly based in China. Unlike other hackers, Panda doesn't cripple a system by throwing a bunch of malware at it. Its hackers get in quick and act like insiders.

"After that, they're moving around, using traditional administrative tools that a true administrator would also use, making them very difficult to detect," Alperovitch says.

CrowdStrike says it's building stockpiles of intelligence, kind of like a superspy. Think Jason Bourne of the Bourne movie franchise, who really gets inside his enemy's head.

This year, spending on cybersecurity will hit nearly $77 billion, according to a study by the research firm Gartner. Silicon Valley investors, much like Hollywood producers, are trying to pick the winning story line. It's unclear if it'll be about stopping an epidemic, catching robbers, high-end espionage — or something else.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

KELLY MCEVERS, HOST:

Now to All Tech Considered, and we start with cybersecurity. The Russian security firm Kaspersky says a computer hacking ring has stolen up to a billion dollars from banks around the world.

AUDIE CORNISH, HOST:

That just adds to an ever-growing list of massive corporate security breaches. The health care company Anthem is now offering identity theft protection to its customers after hackers gained access to their records in recent weeks. That hack exposed the Social Security numbers and other personal information for some 80 million people.

MCEVERS: We've heard about other security breaches - Sony, Target, Home Depot - so how does this happen?

CORNISH: In most cyberattacks, an employee in the company gets an email with an attachment and opens it. Malicious software in the message enters the corporate network and - bam - the hackers are in.

MCEVERS: NPR tech reporter Aarti Shahani will have several reports on cybersecurity in the coming days. She starts by telling us how cybersecurity startups are trying to solve that classic hack.

AARTI SHAHANI, BYLINE: Let's look at three startups. Each one handles the problem differently, and to dramatize those differences, let's compare each to a movie or show that you may have seen on TV. We'll start with the company Bromium.

RAHUL KASHYAP: It's become, obviously, too easy for the hackers.

SHAHANI: That's Rahul Kashyap, chief security architect.

KASHYAP: All it takes is, you know, one user in a large organization making one single mistake and they are in.

SHAHANI: Malware is like an infection. To stop it from spreading, Bromium contains it. They built something called a virtual machine around anything and everything you might open - an email, a new tab on your web browser, a Word document, a PDF.

KASHYAP: We assume that the hackers are going to attack you no matter what you do.

SHAHANI: The virtual machine is a protective layer - like putting thick latex gloves on doctors and nurses.

KASHYAP: And once you're done, we throw them away. So that in case you got infected, you don't have to worry about it. It's automatically discarded. You (unintelligible) self-remediate.

SHAHANI: The Bromium approach - it's all about digital hygiene - it reminds me of that hospital show "ER" - like the episode when a staph infection runs rampant through the ward, knocking out patients and staff. And the problem was a janitor who didn't wash his hands.

(SOUNDBITE OF TELEVISION SHOW, "ER")

ABRAHAM BENRUBI: (As Jerry Markovic) Ah, this is ridiculous. I do not need handwashing lessons.

HARRY LENNIX: (As Dr. Greg Fischer) Scrub hard, Jerry, to scrape off the bacteria.

GLORIA REUBEN: (As Jeanie Boulet) But the most important thing is to wash your hands after you go to the bathroom.

BENRUBI: (As Jerry Markovic) What, every time?

SHAHANI: But contain as you may, Doron Kolton, founder of Topspin Security, says the good hackers will always break in. So when they do, you've got to trick them.

DORON KOLTON: We are setting, embedding decoy system inside the organization. And the decoy system are luring the attackers and the malware to get into those systems.

SHAHANI: Kolton takes advantage of the fact that once hackers are in a network, they don't know where to go. It's a maze. So leave some fake keys around, some breadcrumbs. Lure them into fake rooms with fake data - and observe.

KOLTON: I'm seeing whether he wants to steal my watch, or he's looking in the drawers for money or anything else. I'm looking over his shoulder.

SHAHANI: When you do that, you not only pinpoint where the hackers are, you also learn how they behave - their strategy - and toy with it.

This sounds just like "Home Alone," that old 90s comedy where the boy hero creates havoc for the robbers who try, and fail, to break into his house.

(SOUNDBITE OF FILM, "HOME ALONE")

DANIEL STERN: (As Marv Merchants) I'm gonna kill this kid.

SHAHANI: But decoys are a response after someone has already struck. To block an attack - even predict one - you need to study who might be after you.

DMITRI ALPEROVITCH: You're going out there, looking for bears, looking for pandas, who are Chinese adversaries or Russian adversaries or whomever...

SHAHANI: Dmitri Alperovitch with CrowdStrike.

ALPEROVITCH: ...Trying to find them because you're thinking like they're thinking.

SHAHANI: CrowdStrike assumes there are a handful of organized hacker groups that can cause real damage to a Fortune 500 company, they're backed by nation-states and they're persistent.

ALPEROVITCH: They don't say, oh, we're done, we're going to pack up and go home. They say, we got kicked out, but we still have a mission to do.

SHAHANI: And he says the way they accomplish that mission will vary group to group. Take Hurricane Panda, a ring allegedly based in China. Unlike other hackers, Panda doesn't cripple a system by throwing a bunch of malware at it. They get in quick and act like insiders.

ALPEROVITCH: And after that, they're moving around, using traditional administrative tools that a true administrator within that network would also use, making them very, very difficult to detect.

SHAHANI: CrowdStrike says it's building stockpiles of intelligence, kind of like a superspy.

(SOUNDBITE OF FILM, "THE BOURNE ULTIMATUM")

MATT DAMON: (As Jason Bourne) They can't stop me.

SHAHANI: Think Jason Bourne, who really gets inside his enemy's head.

(SOUNDBITE OF FILM, "THE BOURNE ULTIMATUM")

DAVID STRATHAIRN: (As Noah Vosen) I'm sitting in my office.

DAMON: (As Jason Bourne) I doubt that.

STRATHAIRN: (As Noah Vosen) Why would you doubt that?

DAMON: (As Jason Bourne) If you were in your office right now we'd be having this conversation face to face.

SHAHANI: This year, spending on cybersecurity will hit $77 billion, according to a study by Gartner. That's bigger than Hollywood. Silicon Valley investors, much like Hollywood producers, are trying to pick the winning story line. It's not clear if it'll be about stopping an epidemic, catching robbers, high-end espionage - or something else. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate