Wahlin, who has worked in security in both the public and private sectors, told iTWire that while there is a widespread threat from organised groups with purely financial goals (credit card theft, etc), the growth in specific attacks points to a different set of players.
Pointing to attacks on Google, RSA and Lockheed Martin, he asked "what's the motivation?" These companies were not the ultimate targets, he suggested, but merely stepping stones to reach another goal.
"We're starting to figure out what the end games are," he said, suggesting that it involves supply chains. Is it easier to attack the US government directly, or via its suppliers, he asked.
Wahlin wondered whether the attack on RSA may have been a stepping stone to reach Lockheed Martin, echoing similar suggestions from other quarters. There have also been reports that an attempted hack on US Department of Defense contractor L-3 Communications involved the use of RSA tokens.
"A lot of the cold war guys are very good at [social engineering]," he said, and suggested that a general lack of awareness of security matters among employees hindered attempts to guard against such attacks.
One trick is to assemble snippets of information from multiple sources and then piece them together. Wahlin said McAfee was aware that its employees had been approached for information in a variety of situations, including after attending church services, and in bars and car parks. The question can seem innocuous, along the lines of "who should I talk to at your company about X?"
While there is good awareness of security matters in the government sector, and stringent processes to gain clearances, in the commercial world people are "largely numb" to such issues.
He believes we are getting to the point where people are going to be blackmailed in order to obtain information or to coerce them to carry out some action contrary to their employers' interest.
The line between the digital and physical worlds has now been crossed when it comes to information security matters, Wahlin said.
"The signs are all there, I'm just hoping I'm reading them wrong," he told iTWire.
How might you guard against such stealthy attacks?
This would mean processing a lot of data (which would have to be automated to make it affordable) and it would raise privacy concerns, "but the bad guys are already doing it [profiling people]." Avoiding being judgemental about what's recorded, and simply using it to detect changes, would allow corporate IT staff to spot many issues.
IT security staff would still be needed to handle matters such as data loss prevention, Wahlin said, but spotting anomalies "is how you detect unknown threats."