Hacking Google: Lessons From the Security Team, Part One

Cybersecurity is a battle that all organizations must fight, and there is really no point in doing it alone. Sharing information – the latest attack vectors, shifts in tactics, new-found defenses – helps everyone. Increasing interconnectedness and the expanding software supply chain mean that an attack stopped in one location can keep that same attack from spreading to many other companies.

Google is taking that step with its Hacking Google series. The multi-episode series takes a deep dive into different security areas: The Threat Analysis Group (TAG), Detection and Response, Red Team, Bug Hunters and Project Zero. The first episode covers Operation Aurora, a series of APTs coming from China. First revealed by Google in early 2010, Operation Aurora took place in 2009 and targeted a number of major technology, finance and defense companies.

During a recent webinar, members of the Hacking Google team shared their insights about what they’ve learned about cybersecurity, how to improve the approach and how to tackle the threats facing organizations today.

Operation Aurora

After Operation Aurora was discovered, its disclosure by Google was a big deal. It was a simpler time in 2009, at least in terms of cybersecurity, and this was one of the first prominent nation-state attacks against private industry. That Google was willing to talk about it was a major show of transparency.

“I think what we did by coming forward and being public, being open, we allowed [other companies that would also suffer major attacks] to come forward,” said Heather Adkins, VP, security engineering with Google. It was important to show that breaches like this weren’t ordinary but [were] serious attacks by nation-state adversaries.

Another lesson learned, according to Adkins, is that we need to think about security as a long-term solution, rather than a quick fix. In Google’s case, the Google Security Team came to fruition after Operation Aurora as a way to solve problems by building a collaborative foundation.

The Changing Threat Landscape

Shane Huntley, senior director of TAG, said he doesn’t think the threat landscape is changing fast enough—and that’s not a take you hear every day.

“I’m disappointed that some threats are still around, like people getting phished,” said Huntley.

But there are changes, some of them subtle, such as in the threat coming from nation-state attacks. China and Russia are the big players out there, but their successes have empowered smaller countries to launch their own attacks. These smaller nation-states add to the proliferation of threat actors, and TAG is currently tracking more than 270 government-backed groups.

The other big change in the threat landscape is the evolution of cybercrime. There is a shift occurring, moving away from using cybercrime for just financial gain. We must pay closer attention to the risk to the critical infrastructure and health care systems coming from commercial cybercrime groups, he said.

The State of Spyware

One of the biggest spyware companies, NSO Group, is in turmoil. It declared bankruptcy and is blacklisted in the U.S. While that’s good news for the journalists, activists and other citizens who are regularly tracked via spyware, there are other companies out there eager to take NSO’s place.

Pegasus, NSO’s software used to hack mobile phones, is still active, Huntley said, “but it warms my heart to see them under such pressure.”

But you can’t ignore the entire spyware industry just because its top player has fallen. Threat actors don’t simply stop operations when they face a setback. Instead, they move on to new endeavors, work with other cybercrime rings, build new platforms. As long as they can make money, they will find a way to exist, the Google team said.

In part two, we’ll learn more about what the Google Security Team has learned about the future of passwords and recovering from cyberattacks.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
