The Cyber Cold War
The above diagram is the IBM Security and Privacy Ethical Hacking Methodology from about 2000. As you look at this diagram of logical steps to performing an ethical hack, think about the Mandiant 2010 Trends report on the APT (Advanced Persistent Threat) and perhaps see the commonalities that exist.
Previously, I have written that I felt that the APT was nothing new. In fact, I still stand by this statement. Now that this report is out, and some of the facts are dribbling out about the thirty odd companies that were targeted by *cough* China, APT and BOOGA BOOGA BOOGA are on everyone’s lips and minds in the security theater.
And such theater it is!
I agree that the US is in trouble, as are many other places, where cyber security is concerned. However, this battle has been going on for some time now within the networks of defense and corporate entities. If you just look at the story of “Titan Rain”, or perhaps go back even further to “The Cuckoo’s Egg”, you can see that the APT has been working in this battle space since the 1990s at the very least. Of course it is only natural to see this happening, since we have become more and more connected by networked machines and the internet.
So, what is different here? It’s the scale and cohesion of the intrusions that is different. Of course, one might say that the scale and breadth factor is on account of the long time scale that the APT have been at this work. All the time honing their skills in the areas of human behavior, network flows, and subtle changes to software that outwit the two dimensional thinking that their targets have had all these years.
Here are my thoughts on the M-Trends report and the debacle we find ourselves in:
Espionage Past and Present:
What these attacks really signify is that nation state actors have undertaken the use of “Cyber Warfare” as a means to their ends. Where in the past, in an un-networked world, HUMINT was king, we now live in the brave new world of SIGINT, ELINT, and MASINT.
Where one previously had to insert an “asset” into play at an agency or corporation, one now only has to send an email to an individual of interest and turn them into an asset without any coercion. All you really need to do is a little OSINT and use the precepts of “Social Engineering” to get what you desire. No fuss, no muss really, and definitely no need for “Moscow Rules” in these cases, as we had no idea what to look for technically… Until now… But that will soon change again post all this attention, now won’t it?
What we have to face is this: Espionage today is different from the days of Wild Bill and the OSS. The NSA and its budget are proof of this idea. Much more of the INTEL today comes from electronic means and much less on the old school human intelligence gathering. However, HUMINT still has its place as we are finding out daily by trying to deal with Al Qaida.
Additionally, the idea of “Corporate” or “Industrial” espionage has changed over time to also include the use of these same SIGINT means not only to steal IP, but also to manipulate events to the advantage of the nation state. Much as the spies of old used propaganda (and still do) and agents provocateurs to affect elections etc.
What has come out of the APT story is that China has been inscrutably using electronic means to gather data on the opposition, following the precepts Sun Tzu laid out in “The Art of War” concerning espionage. By gathering intelligence on the opposition and the terrain, they will be victorious.
In the case of the APT, I believe that a fair amount of the threat comes from China as you might have seen in other posts of mine, but, they are not the only nation state actors. Indeed, it could be that China even sells its talent out to other countries for dual operations. Working for other nation states for their ends as well as watching those same nation states to see what they are up to.
In any case though, the ability to not only exfil data but also leave behind trap doors, malware, etc also gives the adversary great advantage to control the battle space when the time comes. By using such means they could diminish or stop our C&C altogether as well as sow much confusion nationally. By pulling the plug on the power grid, or other infrastructure before or during a physical attack, the adversary could win the day.
So, on the whole, I would like to say that the emphasis on China being the main operator here should be lessened. Just because a server is in China does not mean that it isn’t being co-opted and/or “allowed” to be used as a means to an end.
In conclusion, the APT equals nation state espionage. We have to get used to this idea and we have to work toward means to defend against them. We have the tools from the government and DoD areas but we need to adapt them to the private sector. We also have to enforce their use universally.
Two Dimensional Thinking:
The APT has used “our” inability to think more than two dimensionally, on average, against us where “Defense In Depth” is concerned. The precepts of security in many places I have seen in the private sector have mostly consisted of “We have a firewall, so we are all good.” This is a real problem, and oftentimes the fallacy is compounded by the fact that the firewall is not monitored well or configured properly.
In the case of the APT attacks that have evolved, they have been exfiltrating data through the weak point in the networks. Most of this exfiltration is leaving through the open pipe that is HTTP with SSL. The reason for this is simply that this is the basis of the internet. You surf pages with the open protocol of HTTP, so you have to have that open through the firewall.
Of course there are mitigators like proxies and other means to track and disallow undue HTTP traffic, but the APT have worked around such things with clever use of obfuscation within the traffic to hide their actions from the watchers. It’s really quite logical when you look at the situation. Of course I am sure that in some cases they didn’t need arcane means to defeat the security, but when they did, they did a good job of thinking it out.
What we are left with is this: The security paradigm has changed. We need to adapt as agilely as the APT to catch them and stop them from taking the data so freely. We have to think like they do, and we have to have the will to make the effort to change how things work. If we don’t, then we will just be enabling the APT in their efforts to outwit and manipulate us.
One of the things I noticed in the M-Trends report was that there was a conspicuous absence. The missing piece was any mention of *NIX systems being compromised as a part of these efforts by the APT.
Now, I have to imagine that UNIX systems were compromised within these attacks, but I am going to hazard a guess that many of those systems were actually not technically “hacked” but instead were accessed using credentials stolen from end users (EUs) that were compromised by the initial attack.
Of course it is also likely that the APT did not need to do much more because they were scraping NetBIOS sessions and emails for the data they wanted. In the case of many places, I can assume that there is a lot of NFS/NetBIOS sharing going on that they could just plunder with the credentials taken. Not to mention that there is a high likelihood that many of those NFS/NetBIOS shares probably were world read/write or NULL sessions anyway.
So, you pop the monoculture *Windows* with an exploit for IE like Aurora did, and you have the access you need to start harvesting like a bandit. Now, had the EUs been using a Linux client instead, would the compromises have been as many? Would a blended OS environment on the EU side maybe have minimized some of this attack methodology?
Put simply, because M$ is so prevalent in the EU community, it is that much easier for the APT to plan and execute their attacks. Given Microsoft’s record on security in their software, it is no surprise to me how successful these attacks were on such a grand scale.
One of the main factors in these attacks centers on human behavior. The APT have used social engineering exploits with email (phishing or spear phishing) not only to gather intelligence on who to target, but also to exploit the EUs.
The use of the spear phishing attack has been around for some time now and with all that the world is putting on the internet we have just made it much easier to carry out an attack. With the advent of Facebook, Twitter, LinkedIN, etc, we are socially exposing ourselves on a daily if not minute by minute basis.
There needs to be a sea change in the way we behave online and in our daily work lives where our personal and corporate personas are concerned. All too often people are putting out way too much information about themselves for someone to use against them. In the terminology that I am familiar with, it’s an OPSEC failure of great magnitude.
It boils down to this:
- Does anyone on the internet really need to know our current GPS coordinates via our phone?
- Does anyone really need to know where we work and what our job titles are?
- Does anyone really need to know everything about us online as a general consumption, Google-able search term?
The quick answer is no. They do not. One may not really care I suppose, but that should be only about their personal life. When it comes to your business life, then perhaps you should understand the OPSEC values of what you do and who you work for.
This is something that companies on the whole must also learn about. Oftentimes they are the ones serving out much of the data that an attacker would use. So a real re-think needs to happen on what we put out there personally and professionally.
Additionally, companies and individuals must also learn about the precepts of security in this day and age. Information security is often seen as a dry and painful subject for folks. Infosec often means that they have to remember passwords and other annoying things in their daily lives.
This paradigm has to change too. Companies must inform their employees better about security and why it is necessary in their work and personal lives. Without this enlightenment, users will continue to click on just about any email that comes in, whether it looks wonky or not.
It seems that rather quickly, between 2007 and 2008, the APT became more driven and adept at complex network intrusions. So much so that the adversary was in essence running the systems as the sysadmins.
The APT were in control of systems and networks to the point of having dominance inside to know minute details of operations within companies. Calendars were used to determine schedules, time keeping systems compromised to know who is working when, etc.
The APT has had such control that the old joke about the APT running the network better than the sysadmins is almost true. All of this control was carried out subtly and deftly. THIS is the most worrying of all the findings to those in the know.
The APT were becoming innovative and began to actually create/edit proprietary code for systems particular to each entity that they had invaded, coming up with new ways to exfiltrate data and gain more control.
Additionally, the APT began to ignore the efforts of the defenders, knowing that they could likely just ignore them and still have their ends met. The net effect became clear to the defenders: there was not much they could do, and the nation state actors were serious about their intrusions, spending more time and money to obtain their goals.
Once again, it is the scope of the incursions that is wholly new, including the technical details.
The technical aspects of this wave of attacks were touched upon above, but they bear some more attention. How are we to protect against such attacks if the behavior of the network is so subtly manipulated and/or just used as an authorized means to get data out of a network?
The APT have tooled their attacks to use low bandwidth and hide within the regular data streams. They have been agile in changing their modus operandi when they have been spotted, and they generally have been doing “just enough” to keep their foothold in the networks.
I guess the key factor here is that they change their behaviors and their tech to keep just below the capabilities of detection on the part of the defenders. They are also paying enough attention to their foothold to know when they have been discovered and to change their vectors enough to once again hide their tactics.
So, how are we to stop them? Can we stop them? It’s a perfect storm and we need a better raincoat.
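The outbound-HTTP exfiltration point made in the Two Dimensional Thinking section and the "low bandwidth, hidden in regular streams" point made just above both come down to the same defensive question: what does a proxy log show when the traffic is deliberately small and regular? The following is an added example, not code from the original post or from the M-Trends report: it scores each client/destination pair in a constructed, hypothetical proxy log by how evenly spaced its requests are (a timer-driven beacon has a near-zero coefficient of variation in its request gaps, while human browsing is bursty) and flags pairs that are both regular and small.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format: timestamp client destination bytes_sent).
# One host talks to "update.example-cdn.net" every ~10 minutes with ~400 bytes each time,
# mixed in with ordinary browsing; none of this is real data.
SAMPLE_LOG = """\
2010-01-14T09:00:00 10.1.2.30 update.example-cdn.net 412
2010-01-14T09:00:07 10.1.2.30 news.example.com 1830
2010-01-14T09:01:12 10.1.2.30 www.example.org 950
2010-01-14T09:10:00 10.1.2.30 update.example-cdn.net 420
2010-01-14T09:20:01 10.1.2.30 update.example-cdn.net 405
2010-01-14T09:23:44 10.1.2.30 mail.example.com 6200
2010-01-14T09:30:00 10.1.2.30 update.example-cdn.net 418
2010-01-14T09:40:00 10.1.2.30 update.example-cdn.net 411
2010-01-14T09:41:30 10.1.2.30 www.example.org 770
"""

def parse(log_text):
    """Turn the whitespace-separated sample format into (time, client, dest, bytes) rows."""
    rows = []
    for line in log_text.splitlines():
        ts, client, dest, sent = line.split()
        rows.append((datetime.fromisoformat(ts), client, dest, int(sent)))
    return rows

def find_beacons(rows, min_hits=5, max_cv=0.1, max_bytes=2048):
    """Return client/destination pairs whose request timing is suspiciously regular.
    cv = stdev / mean of the gaps between consecutive requests. The thresholds are
    starting points to tune per environment, not universal constants."""
    by_pair = defaultdict(list)
    for ts, client, dest, sent in rows:
        by_pair[(client, dest)].append((ts, sent))
    flagged = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:          # too few requests to judge regularity
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        small = all(sent <= max_bytes for _, sent in hits)   # low-bandwidth, per the post
        if cv <= max_cv and small:
            flagged[pair] = {"hits": len(hits), "mean_gap_s": statistics.mean(gaps), "cv": round(cv, 3)}
    return flagged

if __name__ == "__main__":
    for pair, info in find_beacons(parse(SAMPLE_LOG)).items():
        print(pair, info)
```

A real deployment would feed this the proxy's own log format and widen the window to days, since the post's point is precisely that the adversary paces traffic to sit under short-window thresholds.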
Well, now that the APT cat is out of the bag, now what? Given the blogosphere and the news cycle on this, I am seeing more Chicken Little than “git r done”. What scares me is that the signal to noise here has too many people focused on the OMG OMG rather than on “What can we do about this in an informed way.”
This is where the security theater comes in. I can foresee more companies stepping up with technologies to fix problems that really should not only be about a software or hardware package. This threat cannot be taken care of by one cure all in a box and unfortunately too many movers and shakers can only wrap their heads around a “single solution” being sold to them.
The M-Trends report is interesting and I am sure does not tell us everything about the vectors of the APT. Much more I am sure is out there and cannot be talked about because of DoD and OPSEC anyway. So, we are seeing only a portion of the real picture on these events.
What we need is a more informed approach, not so much a sales pitch. I implore the government also to get their act together on this and lead for a change. I know we have a new Tsar, but, the time is now.
The Paradigm Shift Post M-Trends:
Post the publishing of this paper and all the ballyhoo, one must stop and think a bit laterally. Now that the digital cat’s out of the bag, don’t you think that the adversary will change their methods?
Look at it from the perspective of preventing terrorism on planes. We take away liquids from passengers and force them to remove their shoes and the terrorists then move to underwear laced with PETN and RDX. Naturally, the APT will be changing their methods post all these findings.
So what do we do now? We are going to have to think like them and try to counter their next moves. Are we working on that? Are you reader? Your company? Your security vendor?
We have to be proactive… I hope we will be.
Well what now? Our vulnerabilities lie in our behaviors and our patterns of thought. How will we move forward and do the proactive thing? Will we all be hiring Mandiant to scan our networks to see “if” we are compromised? Or will we be told that we have been because an ancillary investigation by the FBI comes and tells us that the data has been taken?
I am sure there will be a boom in NSM, HIDS, NIDS products out there post all of this. Will those solutions really help? Sure, they will if they are configured properly and monitored well. However, the attacks that have happened were deliberately created in a way to avoid those mitigators.
So what do we do?
THIS should be the zeitgeist of our next steps. How to defend against these exploits more efficiently and drag the whole of our infrastructure into a better security posture.
Can it happen?