Throwing cold water on 'Red October'

The infosec media machine is running hot over Kaspersky's report on the Red October cyberespionage network. It's time to take a breath.

The infosec news machine is going nuts over the report Kaspersky Lab’s Global Research & Analysis Team released yesterday on what it calls Red October -- a cyberespionage network that's been stealing confidential data from private industry and government and research organizations in Eastern Europe, former Soviet republics and Central Asian countries for the last five years.

[See also: Chinese cyberespionage threatens U.S. economy, DoD says]

It is indeed an impressive bit of research. Here's some description from the story we posted last night:

The cyberespionage network compromised systems of hundreds of victims across 69 companies. Like cascading dominoes, computer systems fell as information stolen from one was used to penetrate another. For example, stolen credentials were compiled in a list and then used to guess passwords or phrases to gain access to additional systems.

The attackers created more than 60 domain names and several server-hosting locations in different countries, with the majority in Germany and Russia. The majority of servers were used as proxies, in order to hide the command-and-control server at the core of the operation. The stolen data had a wide variety of extensions. One extension not seen as a target before was "acid," which appears to be documents encrypted with classified software called "Acid Cryptofiler." The European Union and the North Atlantic Treaty Organization use the software.

Thing is, this is not some new attack that suddenly materialized in the skies above us. It's been going on for half a decade.

In 2007, around the time Red October started, I was writing a lot about Titan Rain, an intrusion into American computer systems that had already been in progress for a few years. Back then it looked like a scary new era to me, though it was probably already old hat to more experienced infosec pros at that point. Today, I look at the Red October research and get that old-hat feeling.

[See also: 20 FREE security tools to help you fight cyberespionage and other attacks]

This might mean I'm jaded. Or just desensitized.

We do need to stay aware of the threats around us, because one of these days we're likely going to face a significant attack on the systems running critical infrastructure. But we need to be calm and steady about it.

When vendors release these reports with sensationalized press releases, the media in turn run blazing headlines that make every new scrap of research look like a sudden surprise attack. That doesn't help, because the CSOs and other practitioners in the trenches have heard it all before. So have their bosses.

This is not a dig at Kaspersky or a specific media outlet.

It's simply a suggestion that vendors and the media need a more reasoned approach to delivering their findings.

That applies to my reporting as well.

Point-counterpoint (sort of):

--FUD Watch | Good and Bad in the 'Security Researcher Circus'

--Cybersecurity expert argues FUD can be effective

Copyright © 2013 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline