Two Dimensional Thinking on APT Matters
by Richard Bejtlich at Taosecurity
I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan’s tactics are limited. Khan is treating the battle like it is occurring on the open seas, not in space. Spock says:
He is intelligent, but not experienced. His pattern indicates two-dimensional thinking.
I thought this quote could describe many of the advanced persistent threat critics, particularly those who claim “it’s just espionage” or “there’s nothing new about this.” Consider this one last argument to change your mind. (Ha, like that will happen. For everyone else, this is how I arrive at my conclusions.)
I think the problem is APT critics are thinking in one or two dimensions at most, when really this issue has at least five. When you only consider one or two dimensions, of course the problem looks like nothing new. When you take a more complete look, it’s new.
- Offender. We know who the attacker is, and like many of you, I know this is not their first activity against foreign targets. I visited the country as an active duty Air Force intelligence officer in 1999. I got all the briefings, etc., etc. This is not the first time I’ve seen network activity from them. Wonderful.
- Defender. We know the offender has targeted national governments and militaries, like any nation-state might. What’s different about APT is the breadth of their target base. Some criticize the Mandiant report for saying, “The APT isn’t just a government problem; it isn’t just a defense contractor problem. The APT is everyone’s problem. No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.” The phrasing here may be misleading (i.e., APT is not attacking my dry cleaner), but the point is valid. Looking over the APT target list, the victims cover a broad sweep of organizations. This is certainly new.
- Means. Let’s talk espionage for a moment. Not everyone has the means to be a spy. You probably heard how effective the idiots who tried bugging Senator Landrieu’s office were. With computer network exploitation (at the very least), those with sufficient knowledge and connectivity can operate at nearly the same level as a professional spy. You don’t have to spend nearly as much time teaching tradecraft for CNE, compared to spycraft. You can often hire someone with private experience as a red teamer/pen tester and then just introduce them to your SOPs. Try hiring someone who has privately learned national-level spycraft.
- Motive. Besides “offender,” this is the second of the two dimensions that APT critics tend to fixate upon. Yes, bad people have tried to spy on other people for thousands of years. However, in some respects even this is new, because the offender has his hands in so many aspects of the victim’s centers of power. APT doesn’t only want military secrets; it wants diplomatic, AND economic, AND cultural, AND…
- Opportunity. Connectivity creates opportunity in the digital realm. Again, contrast the digital world with the analog world of espionage. It takes a decent amount of work to prepare, insert, handle, and remove human spies. The digital equivalent is unfortunately still trivial in comparison.
To summarize, I think a lot of APT critics are focused on offender and motive, and ignore defender, means, and opportunity. When you expand beyond two-dimensional thinking, you’ll see that APT is indeed new, without even considering technical aspects.
Actually, I disagree with Richard in a few ways. Mostly, though, I think the idea that APT attacks on anything other than military contractors are something new is a fallacy. This is especially true when you take into account the latest reports on the oil companies that were hacked into years ago and are only now being reported on or found.
You see, you have to look at the “Thousand Grains of Sand” approach that China has taken and see it for what it is. This is not just military, because “everything” affects everything else and the Chinese see this. After all, they invented “Go.” So they think much more than two-dimensionally from the start.
So, the reality is that this is not new. It’s only new to the masses because the mainstream media has picked up on this as well as the government and private companies.
Now, let’s twist this another way.
China is not the only one with these capabilities. How about the avowed interest of Russia post Putin’s speech, which pretty much outlines a program like the PRC’s? Surely, too, you cannot count the Israelis out of this game, as they really were the biggest industrial espionage group for a while back in the ’80s. Of course they were using more HUMINT than anything else back then, but the paradigms change, don’t they? You evolve to survive.
I respect Richard quite a bit, but here we differ. I am one of those saying that this is nothing new. I see it all over the news and hear it in the halls of power now, post-Google.
“OMG OMG OMG what will we do?”
How about this. We shore up our defenses by making smart choices in the personal and private spaces on information security. We teach our people more about the “loose lips sink ships” mentality from WWII and make them aware of their responsibilities.
Most of this attack happened through Facebook and social engineering exploits teamed up with good digital surveillance and data-mining. The social behaviors of individuals led to the clicking of the links or the lowering of defenses that allowed these attacks to occur.
We need to change the way we think in American business. The military already gets it with OPSEC, etc., but that is a foreign word to most people in the workforce at the Fortune 500. The same rules apply, but the playing field has changed, and that is all.
We used to tell people to watch for folks without badges; some places still do. We try to educate them not to let people piggyback through the front door. It still happens. We lecture on physical security issues, but human nature is strong and we generally want to be helpful. It is in this trait that we fail in security awareness.
So, nowadays it’s not so much meeting someone at a bar and getting into trouble with a swallow. It’s
“Hey I’m your friend! Add me!” Or “Hey, I need that password again can you txt it to me?”
After that, the “asset” is no longer needed. That is the paradigm change, and no, it’s not so new.
What can we do? How about we start with some real rules on infosec for the masses. We already have SOX; how about we actually have some real audits with real implications on failure? Whatever happened to HIPAA? It still has no teeth, and every day it seems I see more stories on lost patient or user data. Wouldn’t a little hard drive encryption go a long way? Or maybe some more tutorials on how NOT to lose your laptop in the back of a car, in the open.
It’s simply this. Until we change the way we think and act, this type of attack will be used against us and succeed.