Thursday, January 21, 2010

Could you have used Qosmos to detect the Operation Aurora cyber attack?

The short answer is: yes!

Let me explain.

A lot has been written about Operation Aurora, so as a reminder, let me just point you to the summary posted on Wikipedia: “Operation Aurora was a cyber attack, conducted in mid-December 2009 and originating in China, against Google and more than 20 other companies, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical”

How to protect sensitive assets against cyber threats

Governments and companies that hold sensitive assets all use commercial off-the-shelf (COTS) products such as anti-virus, anti-spyware and intrusion detection systems. These products provide effective protection against known threats, for which a signature already exists, but are much weaker against new, unknown ones: so-called zero-day attacks. Operation Aurora is a perfect illustration of this.

My experience shows that organizations that need advanced cyber protection must use two layers of defense:
-    The first layer is built from COTS products; its main purpose is to filter out known threats
-    The second layer of defense is a custom-built solution, developed by trusted cyber security teams, to identify advanced, Aurora-type threats. Qosmos technology plays a key role here by feeding this solution with full visibility over network traffic.


How Qosmos technology could have been used to detect and mitigate Aurora

On the McAfee Labs Blog, I found a good description of the custom backdoor protocol used during Operation Aurora. Technically, the principle of the attack was simple: 1) malware was installed on a PC by a Trojan exploiting a vulnerability in Internet Explorer, and 2) the malware then opened a covert connection to its controller on TCP port 443 using a custom encrypted protocol, instead of standard HTTPS (HTTP encrypted with SSL). Port 443 was chosen because encrypted traffic on that port is expected and usually passes firewalls unchallenged.

In this case, a custom development based on Qosmos could have detected that the traffic flowing through port 443 was not SSL at all, flagged it as abnormal, and instructed a firewall or inline device to block the connection. This would not have undone the initial infection, but it would have cut the backdoor off from its controller, which is what stops the attack from progressing.
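The check described above, as an added example that is not Qosmos code and is not taken from the McAfee post: a small port-independent classifier that looks at the first client bytes of each TCP/443 flow and asks whether they form a well-formed SSL3/TLS ClientHello. Anything else on 443 (plaintext HTTP, a custom binary handshake, or too little data to judge) is reported as a candidate for blocking. The `Flow` type, the function names and all sample payloads are constructed for this example; the "custom C2" bytes are made up and are not the real Aurora handshake.

```python
"""Second-layer check: is the traffic on TCP/443 really TLS?

Added example (not Qosmos code). The TLS record and handshake headers are
parsed directly, so the verdict does not depend on the port number.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

TLS_HANDSHAKE = 0x16   # record-layer content type: handshake
CLIENT_HELLO = 0x01    # handshake message type
TLS_MAJOR = 0x03       # SSL 3.0 and TLS 1.x all use major version 3


@dataclass
class Flow:                # hypothetical flow record, as a DPI engine would hand it over
    src: str
    dst: str
    dport: int
    first_payload: bytes   # first client-to-server bytes of the reassembled stream


def looks_like_client_hello(payload: bytes) -> bool:
    """True if payload opens with a well-formed SSL3/TLS ClientHello.

    Record header:    type(1) version(2) length(2)
    Handshake header: type(1) length(3) client_version(2) ...
    """
    if len(payload) < 11:                       # not enough bytes to judge
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != TLS_HANDSHAKE or major != TLS_MAJOR or minor > 0x03:
        return False
    if rec_len < 4 or rec_len > (1 << 14) + 2048:   # record size limit
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # A ClientHello may span several records (hs_len + 4 > rec_len), but it can
    # never be shorter than the record that carries its header.
    if hs_type != CLIENT_HELLO or hs_len + 4 < rec_len:
        return False
    return payload[9] == TLS_MAJOR               # client_version major byte


def classify(flow: Flow) -> str:
    if flow.dport != 443:
        return "other-port"
    return "tls" if looks_like_client_hello(flow.first_payload) else "non-tls-on-443"


def find_anomalies(flows: Iterable[Flow]) -> List[Tuple[str, str]]:
    """(src, dst) pairs whose port-443 traffic is not TLS: candidates for blocking."""
    return [(f.src, f.dst) for f in flows if classify(f) == "non-tls-on-443"]


# Constructed samples (not captured traffic): a minimal TLS 1.0 ClientHello
# prefix, plaintext HTTP on 443, a made-up binary handshake standing in for a
# custom C2 protocol (not Aurora's real bytes), a truncated flow, and port-80 HTTP.
CLIENT_HELLO_PREFIX = bytes.fromhex("16030100a1" "01" "00009d" "0301") + b"\x00" * 155
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, CLIENT_HELLO_PREFIX),
    Flow("10.0.0.6", "203.0.113.7", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.9", 443, b"\xff\xff\xff\xff\x00\x00\x00\x14" + b"\x07" * 12),
    Flow("10.0.0.8", "203.0.113.9", 443, b"\x16\x03"),   # too short to be a ClientHello yet
    Flow("10.0.0.9", "198.51.100.11", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {classify(f)}")
    print("block:", find_anomalies(SAMPLE_FLOWS))
```

Two caveats for anyone turning this into a production rule. First, a real implementation buffers until the handshake header is complete rather than judging a two-byte flow, so the truncated sample above would be held, not blocked outright. Second, this check only catches the specific case the post describes, a non-SSL protocol on port 443; a backdoor that wraps its traffic in genuine TLS passes it, and needs other signals (certificate anomalies, beaconing patterns, destination reputation) from the same traffic visibility.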


Jerome
