At the end of September, President Obama announced that China and the United States had reached an agreement: neither country would support or participate in cyberespionage that results in the loss of intellectual property. While the effectiveness of the agreement between the U.S. and China is still in question (James Clapper, director of national intelligence, said he is “inherently skeptical”), it’s essential that the cybersecurity community continues to secure computer networks from the tactics that were successfully used by nation-state actors, such as spear phishing. Research and advancements within technology are showing that fully homomorphic encryption can substantially limit the infiltration of secure networks, combat the offensive techniques used by nation-states and usher in a new generation of cloud computing technologies.
The style of cyberattacks
Numerous nation-state groups are leading cyberattacks linked to various types of espionage, including economic espionage. These activities are discussed in depth in a report from Mandiant, which calls these groups and their attacks advanced persistent threats (APTs). The organizations leading these attacks are made up of real individuals rather than automated programs, and they employ relatively simple tactics to infiltrate networks and exfiltrate terabytes of sensitive data. For example, the Mandiant report describes a group “stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.”
Spear phishing, the most common technique used by the APTs, is a process in which an email is sent to a recipient with access to a targeted computer network. A malicious file is usually embedded within an attachment or a hyperlink, and the recipient is baited into clicking on the link or opening the attachment because the sender is using names the recipient would recognize.
Many of the spear phishing attacks described by Mandiant resulted in someone downloading a malicious zip drive and installing a custom backdoor into the network. After the intruder created a backdoor, they began the process of obtaining legitimate credentials to move around the network and steal the data. So how were these attacks not noticed, especially since terabytes of data were taken over a long period of time?
The challenges of encrypted data monitoring
Of the aspects of APT-style attacks that can be broadly defended against, the risks of malware infiltration and data exfiltration are particularly relevant. Defending against these attacks requires both monitoring and encryption to secure today’s computer networks against malware infiltrating a network. However, monitoring requires visibility of data, while encryption restricts visibility. Without visibility, a security analyst cannot monitor the data to protect against a breach.
The easy solution is to decrypt the data so the analyst can look for malicious signatures entering a network. However, an important feature of APT defenses is that the signatures of malware that should be prevented from entering a cloud, and the signatures or data that should be protected from exfiltration, may themselves be sensitive. Releasing these signatures on a possibly compromised host could leak information to an adversary.
Fully homomorphic encryption
Up to now, there have been few feasible methods to monitor for and detect infiltration or exfiltration without releasing sensitive signatures or permitting visibility of the data, which has prevented secure monitoring for sensitive signatures in host-based systems. One approach to monitoring encrypted sensitive network traffic while still using sensitive signatures is an encrypted data guard built on recent advances in practical fully homomorphic encryption (FHE). FHE would allow computations to be run on encrypted data. The success of this technology would enable broader use of cloud computing technologies, and it would make existing host-based monitoring capabilities more effective by permitting the secure use of sensitive signatures.
Our approach uses homomorphic encryption to compare encrypted data flowing across a guard against encrypted signatures in text files and more complicated signals such as audio files. Initial results show the feasibility of testing encrypted text data in under a minute. This run-time enables practical application for usable email and file transfer systems. We are proposing to research and design novel FHE signature evaluation algorithms, cloud data guard architectures and system integration issues to maximize quality of service.
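The comparison described above can be sketched as follows. This is an added example, not the authors' system: it swaps in Paillier, which is only additively homomorphic, as a stand-in for FHE, and uses a constructed toy key far too small for real use. All function names are hypothetical; the guard handles only ciphertexts, and the key holder learns only whether a window matched.

```python
import hashlib, math, secrets

# Toy Paillier key (constructed, insecure size): two Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # private key part
MU = pow(LAM, -1, N)                                 # private key part

def _unit():
    """Random element of Z_n^* (used for encryption and blinding)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def encode(chunk: bytes) -> int:
    """Map a byte string to a 128-bit integer (< N) via SHA-256."""
    return int.from_bytes(hashlib.sha256(chunk).digest()[:16], "big")

def encrypt(m: int) -> int:
    """Public-key operation: Enc(m) = (1 + m*N) * r^N mod N^2."""
    return (1 + m * N) * pow(_unit(), N, N2) % N2

def decrypt(c: int) -> int:
    """Private-key operation, run only by the key holder."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def guard_compare(enc_data: int, enc_sig: int) -> int:
    """Guard side: Enc(r * (data - sig)) computed from ciphertexts only."""
    diff = enc_data * pow(enc_sig, -1, N2) % N2      # Enc(data - sig)
    return pow(diff, _unit(), N2)                    # blind by random r

def scan(data: bytes, signature: bytes) -> list:
    """Offsets where an encrypted window equals the encrypted signature."""
    k = len(signature)
    enc_sig = encrypt(encode(signature))             # signature owner
    hits = []
    for i in range(len(data) - k + 1):
        enc_win = encrypt(encode(data[i:i + k]))     # sender
        verdict = guard_compare(enc_win, enc_sig)    # guard, holds no key
        if decrypt(verdict) == 0:                    # key holder: 0 = match
            hits.append(i)
    return hits
```

A non-matching window decrypts to a random-looking nonzero value, so the verdict reveals nothing about how close the data was to the signature.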
Fully homomorphic encryption would make it possible to use sensitive signatures in a host-based system. Our research would enable networks to operate as an advanced data guard to monitor flows of encrypted data, which could greatly reduce the need to decrypt sensitive data before it can be permitted to enter or leave an information domain, such as a cloud-computing environment. FHE enables the more secure use of cloud technologies to host sensitive government data and reduces the risk of malware infiltration into the cloud.
This article is published as part of the IDG Contributor Network.