What SMBs Can Learn from Operation Shady RAT

Paul Mah

You may have read about Operation Shady RAT, which was initially reported at the beginning of the month in an article published in Vanity Fair and covered in detail in a McAfee blog here. Operation Shady RAT is a big deal, says McAfee, pointing out how the sole Command & Control (C&C) server that it gained access to has been used to pilfer sensitive data, email messages, and government or trade secrets from more than 70 victims spread across 14 countries.


Of course, not all security vendors agreed with the severity of the problem. Kaspersky Lab, for example, sought to downplay McAfee's discovery on the grounds that the techniques employed in Shady RAT were neither novel nor sophisticated. In a strongly worded blog, Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, wrote:

First of all I'd like to say straight out that we do not share the concerns surrounding the intrusion described in the report ... We consider those conclusions to be largely unfounded and not a good measure of the real threat level. Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information.

Despite the disagreement from the experts on the severity of the problem, what are some lessons that SMBs can learn from what we know about Operation Shady RAT?


Hacking is no longer "hit and run"


There is little doubt in my mind that cyber crime has evolved and is no longer the hit-and-run (or should I say "hack-and-deface") affair that it once was. Instead, black hats are working tirelessly to infiltrate organizations with a long-term view of deep penetration, or building gargantuan botnets formed by highly sophisticated and elusive malware that resides undetected in your computer.


Mind your email inbox


While it is true that practically all exploits rely on unpatched vulnerabilities, recent cases of hackers using zero-day vulnerabilities underscore the importance of not launching booby-trapped email attachments or visiting malware-laden URLs in the first place. On this front, Operation Shady RAT is a reaffirmation of how spear-phishing has become the standard procedure for targeted intrusion. In that vein, it makes sense to be doubly vigilant against phishing or social engineering attempts arriving through the email inbox.
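Booby-trapped attachments can be screened mechanically before a user ever sees them. The script below is an added example, not code from the article or from McAfee or Kaspersky: it parses a raw email, walks its attachments, and flags the classic spear-phishing tells (an executable extension, a double extension such as "invoice.pdf.exe", and a declared Content-Type that disagrees with the file's leading bytes). The block list, the magic-number table and the sample message are all constructed assumptions for the demonstration.

```python
"""Attachment triage for inbound mail (added example, stdlib only)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions an SMB mail gateway would normally refuse outright.
# Assumption: a representative block list, not one taken from the article.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                    ".js", ".vbs", ".hta", ".lnk"}

# Leading bytes ("magic numbers") of a few common file types, used to check
# whether the bytes match the type the sender declared.
MAGIC = {
    b"MZ": "application/x-dosexec",   # Windows PE executable
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",
}


def sniff_type(data: bytes):
    """Return the MIME type implied by the first bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def triage_attachment(part) -> list[str]:
    """Return finding tags for one MIME attachment part (empty if clean)."""
    findings = []
    name = (part.get_filename() or "").lower()
    suffixes = name.split(".")[1:]
    last = "." + suffixes[-1] if suffixes else ""
    data = part.get_payload(decode=True) or b""

    if last in RISKY_EXTENSIONS:
        findings.append("risky-extension")
    # "invoice.pdf.exe": a document-looking name hiding an executable suffix.
    if len(suffixes) >= 2 and last in RISKY_EXTENSIONS:
        findings.append("double-extension")
    # Declared Content-Type disagrees with what the bytes actually look like.
    sniffed = sniff_type(data)
    if sniffed and sniffed != part.get_content_type():
        findings.append("type-mismatch")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename() or "<unnamed>": triage_attachment(part)
            for part in msg.iter_attachments()}


def build_sample_message() -> bytes:
    """Construct a sample invoice-themed message with three attachments.

    All payloads are constructed placeholders, not real documents or programs.
    """
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice for July"
    msg.set_content("Please see the attached invoice.")
    # A genuine-looking PDF: declared type and magic bytes agree.
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="quote.pdf")
    # An executable dressed up as a PDF: double extension and MZ header.
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a program",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    # A script file attached as a generic binary blob.
    msg.add_attachment(b"// constructed placeholder script\n",
                       maintype="application", subtype="octet-stream",
                       filename="tracking.js")
    return bytes(msg)


if __name__ == "__main__":
    for filename, findings in triage_message(build_sample_message()).items():
        print(f"{filename}: {', '.join(findings) or 'clean'}")
```

A gateway would quarantine anything with a non-empty finding list; the type-mismatch check is the one that catches renamed executables that a plain extension filter misses.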


Build defense in depth


Alarmist or not, a glance at the list of affected organizations leaves no doubt that large enterprises, government organizations and even outfits dealing with computer security are not immune to penetration attempts. Clearly, SMBs must position their defenses with the pragmatic view that any security cordon can and will break, and employ a strategy of defense in depth accordingly. This may include data encryption, VPNs for remote workers, judicious use of anti-malware software, spam gateways, firewalls, and IPS and IDS.


While implementing additional defenses may be a costly matter in the long haul, SMBs must realize that they can no longer afford to be stingy in their budgeting for IT security. Ironically, the most sobering remark I found came not from McAfee, but from Kaspersky. In his rebuttal about the severity of the problem that Shady RAT revealed, Kaspersky wrote:

Most commercially-available anti-virus software is capable of preventing infection by the malware involved in Operation Shady RAT; most doesn't require a special update to do so either, capable of detecting the malware generically.

The question is: So why weren't the affected organizations even using basic, updated anti-malware software?

Sep 2, 2011 3:23 AM Dennis Dennis  says:

The question is: So why weren't the affected organizations even using basic, updated anti-malware software?

There is no proof these organisations have been compromised. The logs only say the botnet tried to penetrate these networks. Kaspersky believes even the Stage 1 malware didn't succeed, and they saw no infections.

