Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for February 10th, 2012

APT: What It Is and What It’s Not

leave a comment »

What APT is as defined by DoD

  • Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging and HUMINT capabilities. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from “less advanced” threats.
  • Nation State or Exceedingly Coherent and Supported Actors: APT usually means that they are Nation State actors (i.e. spies/proxies for nations seeking to infiltrate and steal data or to manipulate data/supply chains etc) This can also be non nation state actors hired by corporations or even in some cases, movements or groups who have hired out for specific operational goals.
  • Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator’s goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.
  • Threat APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

Above from Wikipedia with changes by me.

I had a conversation on Twitter today that surprised me. The talk was about APT and what it really “meant” as well as how one determines if it is indeed APT that you are dealing with. First off, I was taken aback somewhat at the confusion by some in the security field, but then I thought about it and many have not come from the DoD space or perhaps corporate areas that have had direct exposure to APT activities. Secondly, I was amazed and the varying focal points people focused on as the “meaning” of APT.

So, I decided to put this little post together and put it out there.

Yeah.. I know.. It’s been said a zillion times huh? So, why are people still confused? Well, there are some operational details that are not really in the public space so there is that, and the DoD tend to like to make all kinds of silly acronyms… But it basically boils down to what you see above here. The definition came from Wikipedia (I know some are rolling their eyes now! Tough!) I have edited the entry with other information that was not there before and highlighted the important bits with italics and color.

Once you have read the above again… Move on to what APT is not below…

Go on… Re read the above please…

What APT Has Become In The Media and Marketing Maelstrom of Stupid

APT, the bugaboo sales buzzword that has been a wet dream for marketers of all kinds of software and appliances in security these past few years. The short and sweet of here is that APT is not the following;

  1. Phishing attacks
  2. Anonymous
  3. Common hackers looking for credit cards
  4. Your average pimple faced hacker (going with the media perception) in their mom’s basement with a commodore 64
  5. The Chinese
  6. A technical ghost in the machine that cannot be caught unless you buy my product!
  7. Able to be caught with just a SIEM solution that I am offering to you for (insert number here)

APT was in fact the acronym for state actors like China (who happen to be really really active lo these last 5 years or more) and Russia or Israel or France, who were hacking and using a full range of intelligence techniques to not only steal data but to interfere with supply chains or otherwise manipulate corporations and other nation states to their own ends.

THAT is APT.

Of course the acronym has jumped the shark as it is now a buzzword, but, the DoD types still use it as a moniker for the actors that they and others within the space see every day attempting to ex-filtrate data, mess with command and control, and otherwise (mostly silently) mess with us all. They use numerous tactics that interlock and have many teams working toward multiple goals and multiple levels of attack and operational security.

They can use the most elegant of solutions and nimbly change their tactics, they can, on the fly create/edit code to defeat the defenders tactics, and they also use the most simplistic of attacks all in the effort to gain the access they require and to not only further it but to KEEP it as long as possible to succeed in their own ends.

There you have it. It’s not a binary.. It’s a layered approach to espionage and information warfare (IW)

… And your not going to stop them with something like Symantec’s SEP solution..

Thus endeth the lecture.
K.

Written by Krypt3ia

2012/02/10 at 21:21

Posted in APT

BYOD Bring Your Own Device: One of the most STUPID Gartner/Forrester/Executive Ideas EVER!

with 15 comments

God Damned Executives On A Plane

Last night a lively debate broke out on Twitter between Rafal Los, myself and Hrbrmstr about the wonders of BYOD (Bring Your Own Device) A movement brought to you undoubtedly by some moron of a CIO/CTO/CEO and your pal’s at Gartner. Now, if you haven’t run into the concept of BYOD yourself, just go and Google it to understand. Suffice to say that my theory on how this all came to pass is the following scenario…

  • C level executive A was on a plane one day and reached into the pocket in front of him. He pulled out the “In Flight” magazine and starts perusing it when low and behold he see’s an article about how YOU TOO CAN SAVE LOTS AND LOTS OF MONEY if you let your employees BUY THEIR OWN PHONES AND LAPTOPS to use at work!
  • C level exec then gets an EXTREME hard on for the idea envisioning his bonus growing exponentially as he foists the cost of phones to the employee as well as most of the cost of the service plan! GENIUS!
  • Contentedly the rest of the flight C level exec sits pondering just what fancy addition to his yacht he will be able to buy with the savings from this master plan.
  • C level exec immediately upon return drafts an email to the other C level execs with the master plan.. They all see bonuses and shiny things they can buy once their bottom line has been altered by pushing the costs to the employees by making them pay to work (remember the days of company stores and housing? Yeah, its kinda like that again)
The C level conclave concludes and they all decide this is a capital idea! Lets do it!.. Of course, they have not talked to the CSO or CISO and if the CSO is capable, they will raise the question over security and legal/privacy concerns. If they have a CSO/CISO at all.

Alas… They still will forge ahead… Dollar signs in their eyes like cartoon characters.

But.. It Will Make Our Workers SO HAPPY and SAVE US MONEY!

And on it goes, the steamroller of BYOD begins its descent, picking up velocity where it finally makes it to the security folks (if the company has any) and someone will undoubtedly say;

“WHOA, what about the security issues here?

What about the PRIVACY issues?

Legal issues?

To which they will be told it’s all good and not to worry.. Just do it. This even after being told by a smart security person that there are many moving parts here that present major problems that could in fact cost more money in the long run to do right AND that if they don’t do it right, they could be more easily compromised or have big legal issues.

“Do not worry about that.. It will save us money and it will make the employees happy” says the C level… Just do it.

The poor security person is left with the pile of shit idea in the paper bag from then on.. Just waiting for it to be lit on fire for them to stamp out with their new Nike shoes.

The Magic Fucking Quadrant of STUPID (Now With Added Unicorn Spit!)

Soon the security team and the exectives/managers are on the phone with Gartner or Forrester having meetings about how BYOD is the SHIZ and how magic it is in the quadrant and just what companies are offering the newest WHIZ BANG products that will help you “secure” the personal devices for you!

For just 50 thousand dollars YOU can have this solution!!!

*eye rolls all around*

But the executives… They are eating this shit up! They are fully drinking the kool aide and have the purple lips to show it! I mean, its Gartner! How could they EVER be wrong!!

The unicorns have won the day and you, you poor security sod, are stuck with the new task of ultimately making your life more miserable and creating new and silly problems to make your environment and job more complex. Welcome to BYOD.. Bring Your Own Doom. Be sure to buy more Maalox and other products to sooth your nerves and G.I. tract. Your life as you know it is about to change for the worse and when the shit goes down, undoubtedly, you will be asked why you didn’t tell them that this was a bad idea! YOU FAILED TO TELL US!

Remember to be the squeaky wheel… and to save all your emails warning that this… is indeed a bad idea.. Unicorn spit or no.

Technical Problems

But seriously folks.. There are some major issues technically with this idea. Of course the same issues crop up with any smart phone or device that you need to secure but, you are adding complexity to the mix because you need to secure the device AND keep it real loose because its a PERSONAL DEVICE, it isn’t the companies asset! This means that the guy who paid for it wants to USE it the way THEY want. So if you secure it properly, well, then they CAN’T USE IT the way THEY WANT TO!

And this leads to unhappy end users.

So here are just some of the technical problems..

  • Differing OS’ require different solutions for security in some cases
  • Android… OMFG Android rooted by the EU is bad. How many botnets are there out there now for Android? Google also has a real lack of quality control here (nightmare)
  • Adding layers of protection to “sandbox” applications
  • Adding a layer of auditing and tracking to protect the asset (not the companies once again) to protect your IP and infrastructure if said “asset” attaches to your network at all
  • Insuring that CRYPTO is working and or used to protect that IP again
  • Insuring that the system has AV on there and it is up to date
  • Insuring that the user just can’t install anything they want on their asset to prevent compromise of CORP data (due diligence)
And the list goes on.. So here you have it, you are adding layers of complexity to a device that naturally the end user, who PAYS FOR IT does not really want because its THEIR TOY! Its a PERSONAL DEVICE! They bought it! They want to play with it and use it for their amusement. This is a key point here that most of these guys advocating this fail to understand.. Or is it they really don’t care? Suffice to say though that in the end you are forced to add software and hardware solutions to secure the personal assets in your BYOD program that will cost you money. Money to buy, and money to keep updated and licensed.
So, where is the cost benefit analysis here on this? Are you really saving all that much money in the end?
Never mind the legal aspects that you also must engage counsel for….

LEGAL Problems

Legal problems.. Oh yeah, there are many legal issues here with the whole BYOD thing. It seems to easily escape the faculties of the C levels who are all hot for these programs though.  When you bring up these issues, even in the clearest of ways, they still seem to be all for the BYOD which confuses me personally. Oh well, they have lawyers on retainer right? They will just dump it on them and they will work out the details. Details like the following;

  • E-Discovery issues with personal assets and corporate information (the company does not own the device and unless the owner signs a document saying they will give up the phone/laptop/hardware for discovery, you’re F’d)
  • PRIVACY, if you are auditing all that goes on on the device (say a phone) then you can see everything they are doing with their personal/corporate-tized/asset In short, no privacy really
  • The vagaries of corporate IP on personal assets and the legalities of who owns what when and where
These three bullets cover a HUGE amount of the problem with BYOD and people need to realize this as they go ahead thinking about this as a solution to their bottom lines.. AND this is all it really is, its not really about making end users happy. Never let yourselves be deluded into this belief that by doing all of this you will be making a more happy and productive work force. Eventually, those users will come to their senses and realize that they are being used in so many ways and that there are many grey areas.
… And if you have not gotten them to sign iron clad agreements.. You Mr. C level are gonna be in trouble eventually.

Bad BYOD Rising

Nope, this is a bad idea from all angles as I have seen. Yet, people are going for this model more and more as a way to save money and “make workers happy with new toys like iPhones” I only see the technical and legal issues as well as the potential for paranoia and bad blood on the part of the users/owners of their now corporate assets… that are theirs.. sorta… It’s just a nightmare really, but Gartner says its GREAT!

*facepalm*

Please, for the love of sanity think this stuff through before you even think about this model for your orgs!

Savings to the business my ass.. You’re only adding a slow poison to your company and your carcass will be rotting soon enough.

K.

Written by Krypt3ia

2012/02/10 at 12:01

Posted in The Stupid It Burns!